A Mobile Device Management (MDM) solution is a single security tool that must work in concert with many other IT operations to achieve information security. Choosing the right MDM requires significant forethought. Implementing all the controls correctly for all end-users requires cooperation with system owners. Maintaining secure configurations and accurate device information requires ongoing support. Choosing, implementing, and maintaining your MDM are each complex tasks with their own inherent risks. Without attention to each link in the chain, vulnerabilities to organization security are inevitable.
The strengths of most MDM solutions include central oversight and device policy management capabilities, personal and corporate data segregation capabilities, and lost/stolen device protections. The use of a centrally managed “app store” is also a practical and commonly used approach to “whitelist” applications (limiting availability to only approved applications for end-users) as well as offering user access authentication and controls per application.
However, when mobile devices are offline, MDM solutions can falter. A lost or stolen device can be wiped or located by the MDM, but these methods only work if 1) the attacker hasn’t enabled “Airplane” mode, as is now possible from the home screen by default on iOS, and 2) the SIM card remains in the device. Both of these vulnerabilities are well known to thieves and hackers. While many MDM solutions offer encryption, not all include the service in the cost of the MDM, a detail managers and executives alike should be aware of. Encryption is an important consideration, especially in healthcare with the increasing risks of PHI data breach.
The capability of the MDM solution to interface with several other security tools will also be crucial and must be considered prior to making any investment decision. Security systems such as anti-malware tools will be required on mobile devices just as with workstations. Intrusion Detection and/or Intrusion Prevention Systems may or may not be set up to work with mobile devices. SIM/SEM tools and border or entry-point firewalls may each have an important interface with the MDM. Using an additional service to further segregate business and personal data may also be a key consideration in your MDM search.
Each of these peripheral security systems will likely require additional configuration and ongoing maintenance for secure mobile device use, requiring personnel work time and training. Provisioning and collecting devices may require staff time, should you choose to issue devices. Collecting and reviewing audit logs and responding to incidents also require additional support time and effort. By centralizing controls, MDM can automate configuration, block unauthenticated devices, and reduce the workload on IT, but it also creates additional management activities that may offset productivity gains.
Most of the current industry leaders, including Airwatch, Good Technology, MobileIron, and Citrix XenMobile, have come to the forefront because of their flexible approach, designed to fit the custom needs of each organization. These firms offer a similar suite of controls and options, but are differentiated by their interfaces and varying approaches to securing mobile data. After reviewing the available options against your introductory criteria, however, a narrower field of options should emerge. Keep in mind, though, that this is rapidly changing terrain. Give some thought to what your organization’s mobile use may look like two years from now.
Redspin recommends conducting a mobile device security risk assessment before the final decision is made on an MDM. You want to weigh the costs and capabilities of each MDM against the known threats, vulnerabilities, and risks to the organization that stem from mobile use. The overhead and degree of difficulty of managing the MDM, using a cloud-based or locally-hosted solution, and capability to integrate with other related security systems, will also be key considerations. Even after the software has been purchased, achieving information security with the MDM solution depends on proper implementation and regular maintenance. Perhaps most importantly, it will require a strong, clear, and enforceable mobile device policy and well-educated end-users.
– David Carlino