With each device introduced into an enterprise network comes new security concerns that span from the simple to the complex and everywhere in between. What if the device is lost? Is it possible to ensure that users only access approved applications?
Mobile device management, mobile application management and mobile information management represent the evolution of mobile governance and enterprise mobility security. It is an evolution that seeks to balance the control IT needs to protect the enterprise with the experience users demand when using mobile devices. Check out our previous article to find out how to get started on your mobility program.
Mobility terminology and technology
If you have spent much time assessing mobility technology, you have no doubt encountered an alphabet soup of acronyms, of which BYOD, or bring your own device, is just the first.
IT pros should understand the multifaceted nature of mobile computing before developing mobility policies and procedures. Consider devices, applications and data and how they’re connected. Mobile device management is an attempt to exert controls over endpoints, mobile application management focuses on software, and mobile information management concerns data access and security.
BYOD shares responsibility
BYOD has become one of the most recognizable acronyms around mobility management as usage evolved from corporate-owned laptops and notebooks to personal smartphones and tablets. The latter devices are now ubiquitous, as employees quickly found the advantages of continuous and easy access to work. Enterprise mobility management entails understanding the risks of BYOD and deploying the appropriate technologies and practices to protect enterprise information assets.
A defining characteristic of BYOD is the shared responsibility. Mobile device users expect a certain degree of freedom and privacy, but they must also understand the need to protect enterprise data, apps and networks. Educating users about clear and enforceable policies is key. Organizations in heavily regulated industries, such as finance or health care, are especially mindful of threats to sensitive data.
MDM, MAM and MIM are all closely related technologies designed to help achieve the balance between freedom and security by focusing on different facets of enterprise mobility.
MDM policies are secure but restrictive
Mobile device management (MDM) was the earliest form of mobility management. It allows IT administrators to set the following kinds of policies for devices:
- Encryption requirements on a device
- Restrictions on the use of particular apps
- Control over the use of device features, such as Bluetooth and cameras
- Requisites for password protection
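The four policy areas above are what an MDM agent reports on and a server evaluates. The following Python is an added illustration, not code from any MDM product: it evaluates a constructed device posture report against a policy covering encryption, prohibited apps, device features and passcode rules, and maps the result to a remote action. The posture fields, policy keys and the quarantine/notify decision rule are assumptions made for this example.

```python
"""Illustrative MDM-style compliance check (example code, not a vendor product)."""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    # Constructed posture report; a real MDM agent would collect these values.
    device_id: str
    storage_encrypted: bool
    installed_apps: set
    bluetooth_enabled: bool
    camera_enabled: bool
    passcode_length: int
    passcode_is_alphanumeric: bool


@dataclass
class MdmPolicy:
    # Assumed policy schema mirroring the four policy areas in the text.
    require_encryption: bool = True
    prohibited_apps: set = field(default_factory=set)
    allow_bluetooth: bool = False
    allow_camera: bool = True
    min_passcode_length: int = 6
    require_alphanumeric_passcode: bool = False


def evaluate_compliance(posture, policy):
    """Return a list of violation strings; an empty list means the device is compliant."""
    violations = []
    if policy.require_encryption and not posture.storage_encrypted:
        violations.append("storage not encrypted")
    # Intersect installed apps with the prohibited set; sort for stable output.
    for app in sorted(posture.installed_apps & policy.prohibited_apps):
        violations.append(f"prohibited app installed: {app}")
    if posture.bluetooth_enabled and not policy.allow_bluetooth:
        violations.append("bluetooth enabled but not allowed")
    if posture.camera_enabled and not policy.allow_camera:
        violations.append("camera enabled but not allowed")
    if posture.passcode_length < policy.min_passcode_length:
        violations.append(
            f"passcode shorter than {policy.min_passcode_length} characters "
            f"({posture.passcode_length})"
        )
    if policy.require_alphanumeric_passcode and not posture.passcode_is_alphanumeric:
        violations.append("passcode must be alphanumeric")
    return violations


def decide_action(violations):
    """Map violations to a remote action.

    Assumed rule for this example: missing encryption or a prohibited app blocks
    enterprise access until remediated ("quarantine"); lesser findings only
    notify the user; no findings allow access.
    """
    if not violations:
        return "allow"
    severe = ("storage not encrypted", "prohibited app installed")
    if any(v.startswith(severe) for v in violations):
        return "quarantine"
    return "notify"


if __name__ == "__main__":
    policy = MdmPolicy(prohibited_apps={"sideloaded-tool"})
    # Constructed sample devices.
    for device in (
        DevicePosture("dev-1", True, {"mail"}, False, True, 8, True),
        DevicePosture("dev-2", False, {"mail", "sideloaded-tool"}, True, True, 4, False),
    ):
        found = evaluate_compliance(device, policy)
        print(device.device_id, decide_action(found), found)
```

The check is deliberately a pure function of the posture report and the policy, so the same logic can be unit-tested offline and run again whenever a device checks in.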
MDM has evolved beyond BlackBerry devices and their related management system. Today, enterprises have a number of third-party options for managing Apple, Android and Windows devices.
There are many parallels between MDM applications and desktop management systems, particularly with regard to remote management features. These include pushing out updates, modifying access controls and deleting data on the managed device.
While MDM has much to offer, management tools that give a business full control over personal devices are never going to achieve an acceptable balance between device owner and enterprise needs.
Employees can reasonably assume that a business can and should exercise control over the security of company-issued smartphones and tablets. However, when employees use personally owned devices, they reasonably expect to have control over their devices. Actually, many companies may not want extensive control over personally owned devices, but they still want to protect enterprise data.
MAM separates spheres of control
One way to balance the competing needs and interests of employees and companies is to implement separate spheres of control. Device owners should be able to use their smartphones and tablets for personal use without interference or monitoring by their employer.
At the same time, companies should have control over where their data goes, how long it stays on personally owned devices, if it should be encrypted on those devices and what happens to the data once it lands on a mobile device.
Mobile application management (MAM) is one approach that shifts the focus away from controlling devices to controlling applications on those devices. Instead of allowing their employers to have root access to their personal devices, employees allow the business to determine which apps and data they may use on them.
This can work well when applications are limited to email, file-sharing and other commonly used apps. Application vendors and MAM vendors have incentives to provide secure versions of these applications, but secured versions typically have fewer features than other software versions.
Working with custom apps introduces another set of issues. For example, if a company wants to deliver a custom business intelligence reporting system to its managers, it may need to wrap the application using a package provided by the MAM vendor. Wrapped applications execute MAM code during startup and shutdown. They can also alter the way an app functions; for instance, a wrapper may block network communications unless they go over a virtual private network.
In addition, app developers may choose a MAM-specific application programming interface (API) to implement security controls. This will likely add to the development, test and maintenance overhead for a project. As mobile operating systems include more support for sandboxing and other security measures, there will be less need for application wrapping and MAM-specific APIs.
Focusing on application management enables other useful controls. For example, a policy that prevents an unapproved application from accessing enterprise data is easily circumvented if a user can copy the data from an approved app and paste it into the unapproved one.
MAM products can prevent copying and pasting from approved apps to non-approved apps. They may also support listing approved and prohibited URLs to mitigate the risk of visiting websites that steal data or facilitate downloads of malware.
As organizations continue to adopt SaaS as a delivery model for applications, there will be more emphasis on controlling information and less focus on devices or installed apps.
Focus shifts to data with MIM
In an ideal world, those responsible for securing information assets would be able to focus on data rather than applications or devices, but apps and devices can be conduits for leaking data or allowing malicious content into an enterprise network. Beyond standard malware prevention, detection and removal, mobile information management (MIM) is the next development in mobility management.
MIM controls the movement of enterprise data and the rules governing which applications can access it. It also includes encryption policies. MIM practices are especially important with the increasing use of cloud storage services such as Dropbox, Box and OneDrive, and with the synchronization of data across devices.
Although MIM focuses on data, the policies must be enforced by applications, operating systems and devices. This requires substantial coordination and standardization across layers of the application stack.
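The MAM controls described earlier (blocking copy and paste from approved into non-approved apps, allow and deny lists for URLs) and the MIM rules above (where data of a given classification may move, and whether it must be encrypted there) are all policy decisions that an enforcement layer evaluates per event. The Python below is an added example, not code from any MAM or MIM product: it evaluates three kinds of constructed events against a constructed policy. The app names, hostnames, classifications, destination identifiers and the default-deny choice for URLs are assumptions made for this example.

```python
"""Illustrative MAM/MIM data-flow policy evaluator (example code, not a vendor product)."""
from urllib.parse import urlparse

# Constructed policy. Apps the enterprise manages; clipboard may not flow out of them.
MANAGED_APPS = {"corp-mail", "corp-files", "corp-browser"}
# Hostname lists; subdomains of a listed host match. Deny list wins over allow list.
URL_ALLOWLIST = {"intranet.example", "partner.example"}
URL_DENYLIST = {"paste.example", "freefiles.example"}
# Cloud storage destinations (the text names Dropbox, Box and OneDrive).
CLOUD_DESTINATIONS = {"dropbox", "box", "onedrive"}
# Where each data classification may land, and whether it must be encrypted there.
DATA_RULES = {
    "public": {"allowed_destinations": {"device", "any-cloud"}, "require_encryption": False},
    "internal": {"allowed_destinations": {"device", "onedrive"}, "require_encryption": True},
    "restricted": {"allowed_destinations": {"device"}, "require_encryption": True},
}


def _host_matches(host, names):
    return host in names or any(host.endswith("." + n) for n in names)


def paste_decision(source_app, dest_app):
    """Deny clipboard flow from a managed app into an unmanaged one; allow everything else."""
    if source_app in MANAGED_APPS and dest_app not in MANAGED_APPS:
        return ("deny", f"paste from managed app {source_app} to unmanaged app {dest_app}")
    return ("allow", "")


def url_decision(url):
    """Deny-listed hosts are blocked, allow-listed hosts pass, anything else is denied."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("deny", "URL has no host")
    if _host_matches(host, URL_DENYLIST):
        return ("deny", f"{host} is on the deny list")
    if _host_matches(host, URL_ALLOWLIST):
        return ("allow", "")
    return ("deny", f"{host} is not on the allow list")


def data_move_decision(classification, destination, encrypted):
    """Check destination and encryption requirement for a data classification."""
    rule = DATA_RULES.get(classification)
    if rule is None:
        return ("deny", f"unknown classification {classification}")
    allowed = rule["allowed_destinations"]
    cloud_ok = "any-cloud" in allowed and destination in CLOUD_DESTINATIONS
    if destination not in allowed and not cloud_ok:
        return ("deny", f"{classification} data may not move to {destination}")
    if rule["require_encryption"] and not encrypted:
        return ("deny", f"{classification} data must be encrypted at {destination}")
    return ("allow", "")


def evaluate(event):
    """Dispatch one event dict to the matching control; unknown event types are denied."""
    kind = event.get("type")
    if kind == "paste":
        return paste_decision(event["source"], event["dest"])
    if kind == "open_url":
        return url_decision(event["url"])
    if kind == "move_data":
        return data_move_decision(event["classification"], event["destination"], event["encrypted"])
    return ("deny", f"unknown event type {kind}")


# Constructed sample events.
SAMPLE_EVENTS = [
    {"type": "paste", "source": "corp-mail", "dest": "personal-notes"},
    {"type": "paste", "source": "corp-mail", "dest": "corp-files"},
    {"type": "open_url", "url": "https://docs.intranet.example/report"},
    {"type": "open_url", "url": "https://paste.example/abc"},
    {"type": "open_url", "url": "https://unknown.example/"},
    {"type": "move_data", "classification": "restricted", "destination": "dropbox", "encrypted": True},
    {"type": "move_data", "classification": "internal", "destination": "onedrive", "encrypted": False},
    {"type": "move_data", "classification": "public", "destination": "box", "encrypted": False},
]


def run_samples():
    """Return (event type, decision) pairs for the constructed events."""
    return [(e["type"], evaluate(e)[0]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(e), e)
```

Two design points matter here: the deny list is checked before the allow list so an explicit block is never undone by a broader allow entry, and the URL and data-movement checks fall through to deny, so a host or classification the policy does not mention is blocked rather than silently permitted.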
In the next article, we'll look at enterprise mobility management as a whole and elements of BYOD policies.