One of the major challenges facing every enterprise in the Bring Your Own Device (BYOD) age is how to maintain control of the devices used to access proprietary data. In this post, the second in our four-part series on BYOD and the changing mobile landscape, we’ll take a look at this issue in more detail.
It’s difficult to overstate the challenge. As organizations enable broader access to more and more information – including highly valuable and sensitive intelligence and intellectual property – they need to ensure that the devices used to access that information are secure, that the devices can be remotely managed and de-authorized, and that information on those devices can be destroyed or disposed of securely. But at the same time, the rise of BYOD means giving up a large measure of control over those devices because they are no longer owned by the organization but rather by individuals who maintain full control and authority over them.
In just a few short years, we’ve moved from uniform, company-owned desktops tethered to the office to diverse, individually-owned mobile devices that can literally be taken – and lost – anywhere in the world. This mobile revolution has enabled an entirely new kind of workforce and unprecedented productivity and business opportunities, but it has also created a concomitant surge in risk. Addressing this risk has become an organizational imperative, which is why Mobile Device Management (MDM) has become a high priority at most enterprises.
A Plethora of Platforms
When you consider all the moving pieces that are involved in mobile computing – multiple hardware device types and manufacturers, operating systems, applications, telecommunications carriers, and supporting back-end infrastructures – the challenge of securing your mobile devices can seem all the more daunting.
Most enterprises would consider securing the platform vendors, hardware providers and telecommunications carriers to be out of scope, simply because of the sheer number of platform vendors and of carriers providing backbone service to users across continents. It is far more practical to control and enforce restrictions on the individual devices.
In the early days of mobile computing, organizations could select a single platform to support (e.g. Blackberry), which made the job far more manageable. The adoption of BYOD, however, means you’ll need to support a wide variety of platforms, including Google Android, Apple iOS, Microsoft Windows and Blackberry, the four primary players at the moment.
There is no right or wrong platform when it comes to addressing security and MDM. Each platform comes with its own set of features, benefits and associated risks:
- Blackberry: The Blackberry has enjoyed tremendous popularity among IT organizations. Blackberry provides enterprises with server software that offers remote management capabilities the other platforms have yet to match, but it comes at a cost. Blackberry has also recently lost significant market share to competitors, and many are questioning its survival.
- Apple iOS: Many consider the iPhone and iPad to be the most innovative products when it comes to revolutionizing the mobile industry. Unfortunately, many also consider iOS to be one of the weakest platforms when it comes to device management. While deploying and distributing apps is a breeze, managing these devices remotely can be quite a challenge. Apple has responded to this criticism with a new OS version and hardware with improved security and integrated MDM features.
- Google Android: Android is by far the most popular platform as measured by market share. However, it is also notorious for fragmentation, with a huge variety of devices and flavours of the operating environment. Some Android devices ship with enterprise-grade services that enable remote management, but some do not.
- Microsoft Windows: Microsoft is a well-known player in the mobility space, but managing its devices relies on third-party tools, systems and servers that speak the vendor's published device management protocol, which makes for a complex deployment.
Despite the pros and cons, organizations today must be ready to support any and all of these platforms without compromising the organization's security. Securing the devices, the applications and the data those devices hold goes well beyond the simple authentication platforms currently in place. There is also a need for compliance enforcement, to ensure that each device is secured and does not become a pathway for exploits and intrusions into the larger systems that make up an enterprise's proprietary infrastructure.
Past, Present and Future
Device adoption changes over time, and it is crucial to be prepared to address those changes as they occur. A platform that dominates today may shrink as time rolls by. Your organization might currently have predominantly iOS and Android devices but could become predominantly Windows-based over time, or vice versa. It is important to acknowledge these patterns and gear up for a device adoption strategy that keeps evolving.
The current market adoption of the various platforms has Android at 61%, iOS at 20.5%, Windows at 5.2%, Blackberry at 6% and Other devices at 7.3%.
However, there is a huge difference between overall market share and enterprise use, where Blackberry, despite its fall from grace with consumers, continues to be a dominant player. Blackberry still has a market share of about 38% among businesses with more than 10,000 employees, as well as more than a 33% share in government and financial institutions. But this appears to be changing rapidly.
This is exactly the kind of situation where a good MDM strategy would enable organizations to traverse any change in market dominance that may occur over time. Adoption and market share also tend to vary by geographic region. For example, Android adoption could be very high in Asia Pacific while relatively low in North America. Therefore it is necessary to also look at an organization’s geographic employee dispersion ratio while building a strong MDM strategy.
By 2015, it’s projected there will be 7.5 billion mobile devices globally. By 2016, it is estimated that global mobile device usage will grow by 20% in the Android space, 10% in the iOS space, 30% in Windows phones, and 3% more Blackberry users. According to a recent Forrester Research Report, mobility and BYOD programs in use by North American based information workers are expected to triple by 2014. Also, the use of tablets at work is rising at an exponential rate. Today there are 50% more tablets being used in the enterprise than just a year ago.
The bottom line is that the future could hold anything. It could be an exponential increase of one of the aforesaid platforms or an emergence of a new platform altogether. You must be ready in any case.
An Effective MDM Strategy
Building an effective MDM strategy is of great value to any enterprise. We believe there are three key criteria when choosing or developing an MDM solution:
1) Develop a single, unified solution with the flexibility to address virtually any device or platform.
Given the rapidly shifting market shares and already large and rapidly growing number of mobile devices, it would be a Sisyphean task to maintain one device management tool per device. A better strategy is one that has a broader focus on converging technologies that power a variety of devices.
Having a unified MDM service allows for global policy enforcements. It also allows for rapidly provisioning and de-provisioning devices onto the network with split liability – where individuals agree to cede some control over their personal device, often in exchange for a stipend or sharing of expenses with the enterprise.
Such a unified MDM service gives employees more choice over which devices they bring in. It also gives employers more control over what those devices can do when on the corporate network.
2) Cover the complete lifecycle – especially in between the two endpoints.
Your MDM solution shouldn’t be limited to the provisioning and deprovisioning aspects of a BYOD program but should focus more on the period in between those two endpoints, including the ability to:
- Control what runs on the device when connected to the corporate network
- Determine whether security protocols have been adhered to
- Do an over-the-air (OTA) update of applications, configurations or device firmware
- Support audit requirements
- Track the location of the devices themselves
3) Look to the cloud
Organizations embracing cloud computing have been steadily increasing, which comes as no surprise given the growth in the mobility space. Cloud-based Mobile Device Management solutions have emerged as well, which organizations can leverage in tandem with their internal cloud. Prioritizing investments in effective strategies not only allows a new MDM platform to be on-boarded at a much more rapid pace, but also helps ensure the security and integrity of the systems the organization exposes to the cloud, in addition to the devices that are now on-boarded into the organization's network.
MDM Best Practices
At Simeio Solutions [http://www.simeiosolutions.com/], we’ve established a set of best practices to help our clients implement a successful enterprise MDM strategy. These include:
- Multi-platform, vendor-agnostic device on-boarding. Even so, enterprises should admit only those mobile devices that have the best available control and security built in.
- A strong security policy. A sound encryption methodology is key to a strong security policy. Device encryption protects local storage, but the policy must also cover the remaining risk areas, including the internal and external systems the device connects to.
- Maintain a device registry. Take a periodic inventory of all the devices connected to the corporate network.
- Remote monitoring and over-the-air actions. It is essential to identify unusual situations such as jailbreaks, lost or stolen devices, repeated failed login attempts, or failure to connect to the network for a lengthy period (e.g. more than a month), and to be able to respond remotely with a wipe, an automatic lock of the device, or a lock of the account.
- Maintain an application whitelist. Whitelisting allows only authorized software to be installed on mobile devices and keeps malicious software off the corporate network.
- SSL and VPN connectivity. Enterprises should require VPN access so that sensitive data crossing shared networks and the internet is encrypted in transit; the VPN does not replace certificate validation for the HTTPS services behind it.
- Regular security updates and patches. Enterprises need to ensure that the mobile devices connected to their corporate network promptly receive security updates, OS upgrades and patches (iOS, Android, Blackberry OS, etc.).
- Deploy intrusion detection and prevention systems (IDS/IPS). An IPS helps to respond proactively to threats initiated on the corporate network by smartphones and tablets. Enterprises can extend their existing IPS deployments to monitor mobile devices and help deter the risks associated with remote attacks.
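The device-registry and remote-action practices above amount to a periodic compliance sweep: inventory every device, flag the unusual situations (jailbreak, lost or stolen, repeated failed logins, no check-in for over a month, unauthorized apps) and queue the matching remote action. The following is an added example, not code from the original post or from Simeio Solutions, of that sweep as policy-as-code. The device records, the application whitelist and the threshold values are constructed here for illustration; a real MDM server would receive these attributes from its device agent at check-in time.

```python
"""Added example (not from the original post): a compliance sweep over a
device registry implementing the best practices listed above.  Device
records, the app whitelist and the policy thresholds are constructed
for illustration only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed policy thresholds, matching the "repeated failed login attempts"
# and "more than a month" wording of the best practice above.
MAX_FAILED_LOGINS = 10
MAX_CHECKIN_GAP = timedelta(days=30)

# Constructed application whitelist: anything not listed is unauthorized.
APP_WHITELIST = frozenset({"com.example.mail", "com.example.vpn", "com.example.docs"})


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str
    jailbroken: bool          # agent's jailbreak/root detection result
    reported_lost: bool       # set by the user or the help desk
    failed_logins: int        # consecutive failed unlock/login attempts
    last_checkin: datetime    # last successful agent check-in (UTC)
    installed_apps: List[str] = field(default_factory=list)


def evaluate(device: Device, now: datetime) -> Tuple[List[str], List[str]]:
    """Return (findings, actions) for one device.

    findings: human-readable reasons the device is non-compliant
    actions:  sorted remote actions the MDM server should queue, drawn from
              remote_lock, remote_wipe, lock_account and quarantine
    """
    findings: List[str] = []
    actions = set()

    if device.reported_lost:
        findings.append("device reported lost or stolen")
        actions.update({"remote_lock", "remote_wipe", "lock_account"})

    if device.jailbroken:
        # A jailbroken/rooted device cannot be trusted to enforce policy,
        # so corporate data is wiped and the account is locked.
        findings.append("jailbreak or root detected")
        actions.update({"remote_wipe", "lock_account"})

    if device.failed_logins >= MAX_FAILED_LOGINS:
        findings.append(f"{device.failed_logins} consecutive failed logins")
        actions.update({"remote_lock", "lock_account"})

    gap = now - device.last_checkin
    if gap > MAX_CHECKIN_GAP:
        # No contact for over a month: possibly lost or decommissioned, so
        # de-authorize the account until the device reports in again.
        findings.append(f"no check-in for {gap.days} days")
        actions.add("lock_account")

    unauthorized = sorted(set(device.installed_apps) - APP_WHITELIST)
    if unauthorized:
        findings.append("unauthorized apps: " + ", ".join(unauthorized))
        actions.add("quarantine")   # keep it off the corporate network

    return findings, sorted(actions)


def sweep(registry: List[Device], now: datetime) -> Dict[str, Tuple[List[str], List[str]]]:
    """Evaluate every registered device; return only the non-compliant ones."""
    report = {}
    for device in registry:
        findings, actions = evaluate(device, now)
        if findings:
            report[device.device_id] = (findings, actions)
    return report


# Constructed sample registry with a fixed "now" so the run is deterministic.
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)
SAMPLE_REGISTRY = [
    Device("ios-0001", "alice", "iOS", False, False, 0,
           NOW - timedelta(days=1), ["com.example.mail", "com.example.vpn"]),
    Device("android-0002", "bob", "Android", True, False, 2,
           NOW - timedelta(days=3), ["com.example.mail", "com.badvendor.flashlight"]),
    Device("bb-0003", "carol", "Blackberry", False, False, 12,
           NOW - timedelta(days=45), ["com.example.docs"]),
    Device("win-0004", "dave", "Windows", False, True, 0,
           NOW - timedelta(hours=2), ["com.example.vpn"]),
]

if __name__ == "__main__":
    for dev_id, (findings, actions) in sweep(SAMPLE_REGISTRY, NOW).items():
        print(f"{dev_id}: {'; '.join(findings)} -> {actions}")
```

Running the sample sweep reports the jailbroken Android device for wipe and quarantine, the stale Blackberry with twelve failed logins for lock, and the lost Windows device for lock and wipe, while the compliant iOS device is not listed. Actions accumulate across findings, so the engine never downgrades a wipe to a lock because a weaker check also fired.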
MDM and Security
Addressing security is a critical component of an effective MDM strategy. Inevitably, you'll have a laundry list of security issues that must be considered and addressed. You may need to look at security from many perspectives, including how to secure the data on the device, how a device or user is authenticated before being granted access to information or resources, and how the data being transmitted is protected from tampering and kept confidential.
Security as it pertains to MDM involves cryptographic primitives such as RSA and AES (MD5, often listed alongside them, is a hash function rather than a cipher, and is no longer considered collision-resistant). It also involves one-time-password token services such as the OATH algorithms HOTP and TOTP. You will need to pay attention to protocols such as HTTPS and LDAPS and other secure means of transmission. There are also session handlers, two-factor authentication services, secure delete, and device management capabilities including remote wipe, remote lock and remote install.
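The OATH token algorithms named above are small enough to show in full. The following is an added example, not code from the original post, of HOTP (RFC 4226) and TOTP (RFC 6238) using only the Python standard library, plus a verifier that tolerates one step of clock drift and compares codes in constant time. The shared secret is the one used for the RFC test vectors; a real deployment provisions a random per-user secret and stores it as carefully as a password hash.

```python
"""Added example (not from the original post): OATH HOTP (RFC 4226) and
TOTP (RFC 6238) with a drift-tolerant, constant-time verifier."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, hash_alg=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically
    truncated to a 31-bit integer, reduced modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_alg).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, hash_alg=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, hash_alg)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6,
                hash_alg=hashlib.sha1) -> bool:
    """Accept a code for the current step or up to `window` steps either side
    (clock drift, network delay).  hmac.compare_digest keeps the comparison
    constant-time so an attacker cannot learn how many digits matched."""
    if at_time is None:
        at_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * step, step, digits, hash_alg)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0, 1, 2 give 755224, 287082, 359152
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    # RFC 6238 Appendix B: T=59 with SHA-1 and 8 digits gives 94287082
    print("TOTP at T=59:", totp(RFC_SECRET, 59, digits=8))
```

A server also needs replay protection that this block does not show: once a code has been accepted for a given step, reject it again for that step, and for HOTP persist the highest accepted counter so an intercepted code cannot be resubmitted.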
The three major components of a strong MDM security framework are data access, data storage and data transmission security mechanisms:
Data Access Security Mechanisms
- User and device authentication
- Authorization and policy enforcement
Data Storage Security Mechanisms
- Integration with token services that leverage the existing identity management infrastructure to reach services such as Salesforce.com or Box.net
- Encryption of data at rest, both on the device and in the server-side applications and service components
- Secure delete, with the ability to overwrite existing data
- Protection of the keys, credentials and tokens used to decrypt data and make it available for use
Data Transmission Security Mechanisms
- Establishing a secure connection between the device and the company's infrastructure
- Creating and managing sessions for the required set of transactions
- Handling HTTP requests in the appropriate manner
- Encryption of data transmitted over the channel
Bring it all together
Scaling to support every possible mobility-enabled device could incur significant hardware costs and create management complexity. Even though scalability may seem like a distant concern for some enterprises, mobile devices and applications proliferating at the current rate will make that concern a reality sooner rather than later. Enterprises will do well to incorporate long-term scalability requirements into their plans early on.
Luckily, a variety of solutions have emerged to help organizations meet this challenge. Oracle, for example, has a suite of tools that can make it easier for organizations to deploy a strong MDM solution. They can even make it easy for employees to on-board their own devices to the corporate infrastructure in split-liability mode.
Oracle Beehive is one such tool. It provides an integrated set of communication and collaboration services built on a single scalable, secure, enterprise-class platform. Beehive allows users to access their collaborative information through familiar tools while enabling IT to consolidate infrastructure and implement a centrally managed, secure and compliant collaboration environment built on Oracle technology.
Oracle Utilities for Operational Device Management is another example. It was developed by Oracle solely for the purpose of meeting the needs of asset management for “smart devices.” The software manages devices such as meters, access points or communication relays and communication components attached to various devices that are too complex for traditional asset management systems. It handles critical functions, such as managing and tracking updates and patches, as well as supporting governance and regulatory audits and smart grid Network Operations Center (NOC) processes.
Oracle Platform Security provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate mobile app developers from security and identity management implementation details. With OPSS, developers don’t need to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. Thanks to OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same, uniform security, identity management, and audit services across the enterprise.
These are just a few examples of the tools available that can help you design and deploy an effective MDM solution. In our next post, we’ll take a look at Mobile Access Management, another key aspect of managing mobile devices in the BYOD age.
About the Author:
Rohan Pinto is a Senior IAM Architect at Simeio Solutions who is responsible for architecting, implementing and deploying large-scale Identity Management, Authentication and Authorization (RBAC, ABAC, RiskBAC, TrustBAC) infrastructures with specific emphasis in Security.