The good news for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and 10 times less expensive than the luggable notebooks of the early 1980s.
What's good news for enterprises is also bad news for CISOs. Mobile devices can store substantial quantities of data, the applications are powerful, and their network speeds are forever increasing. And, oh yeah, users are bringing their own devices, downloading their own apps, surfing the Web from whatever connections they choose—all with little to no direct control by the enterprise.
To help make mobile devices more manageable, enterprises are increasingly turning to mobile device management (MDM) applications and services. And MDM can help with security issues—but how much? Experts say this tool can absolutely reduce mobile risk. But they also say relying on an MDM-only mobile security program is like sitting on a one-legged stool.
According to Forrester Research, there are more than 40 vendors in the MDM market, offering software with core features such as configuration management, troubleshooting and support, inventory, remote control and reporting capabilities. The market is growing: Research firm IDC pegged the MDM market at about $265 million in 2009, growing at more than 9 percent annually. The firm expects that growth rate to rise to more than 10 percent next year.
These applications reduce risk by being able to detect and remotely wipe data, and by enforcing password and encryption policies.
"It makes sense to move to MDM and enforce security policies in a more automated way," says Pete Lindstrom, research director at Spire Security.
"With mobile device sprawl, and the value of the applications and data on the devices increasing, more enterprises are going to want to manage the configuration of the devices, what the devices are and where they're being used—many of the things one would expect in traditional asset-management capabilities," he says.
However, just as traditional asset-management applications helped create some level of security and control over notebooks and telecommuters' systems, they certainly fell short of managing everything necessary to keep those systems and data secure. MDM will be no different.
Dig Deeper Than Just the Device
"You can't just focus on the device and expect to have a high level of security," says Rafal Los, chief security evangelist at HP Software Worldwide.
"You have to look at the system holistically. That includes the infrastructure, the applications, how data is accessed and used," argues Los. "That includes looking at not only the inherent security of the applications on the device, but also the application servers and databases they connect," Los says.
Application security has been a plague since before the Web, whether the application resides on a server, desktop, notebook, website or mobile device. And it's a crucial area where MDM tools don't play much of a role beyond pushing patches out to at-risk devices. Consider the privacy flaw in Skype for Android that was discovered last spring: Skype's instant messages were not stored securely, so a malicious app or anyone with access to the device could view the messages' contents. That incident wasn't isolated, and many other mobile app vulnerabilities—including a weakness in a Citibank mobile application—have been identified since.
BYOD Changes Everything
"Mobile security is more about the data and the application than it is about the device itself. This is especially true now with the bring-your-own-device [BYOD] trend," says Lindstrom.
Brian Katz, director of mobility at global healthcare company Sanofi, agrees. "When you look at today's mobile device management applications, they were built in the shadow of, 'This is how we do IT today.' They look at device management the same way that enterprises have controlled laptops and desktops for years," says Katz.
"That means MDM works best when you own the device. When you provision it. When you can wipe the entire device. When you can decide what you want to do with it. But with BYOD, none of that applies," he says. "You don't own the device, so you can't dictate everything that is done on the device."
Because the enterprise doesn't own the device, it's more dependent on policy—and on trusting that employees will handle the phone or tablet with care. "But that's extremely hard with small devices, even corporate-owned devices," says Lindstrom. "Enterprises anticipate (and tolerate) that there will be more personal use on these devices, as they're expected to be with the employee at all times."
Which brings up another issue as a result of BYOD: privacy.
"You have to think about MDM in terms of legality. For example, a lot of MDMs provide the ability for operations teams and IT employees to track the coordinates of the phone. In some countries there are privacy laws that forbid that. The corporation may not be allowed to track you. You have to look at whether that needs to be turned on or turned off by default, and how you're handling that to make sure that you don't break privacy laws there," Katz says.
[Also see Mobile phone security dos and don'ts]
To handle those privacy concerns, and so they can focus more closely on corporate-owned applications and data, more enterprises are turning to mobile app management (MAM), which enables organizations to manage specific applications and data without having to worry about the entire device or an employee's personal data. "This approach makes it much easier to manage BYOD in an organization because you have the same features in MAM that you have in MDM, but you're approaching it on an app-by-app basis," says Katz.
That ability makes it more straightforward to wipe only enterprise-owned and -managed data and set password requirements that affect only the enterprise apps. That's why he thinks the industry will move away from MDM and toward MAM, "which will help move the security focus from the device to the data and the applications—where it belongs," says Katz.