Mobile management: Making sense of your options

There are known, proven approaches to reduce mobile security risks without disabling the benefit of consumerization

Smartphones, tablets, social networks, and cloud services are all popular, incredibly useful — and a security risk. These days, the security focus is on mobile devices, as they tend to be used a lot to work with corporate information, but the variety of platforms, the fact many are employee-owned, and uneven security capabilities mean it’s a real challenge — sometimes an impossible challenge — to manage them in the same way as the corporate PC.

The issue is not so much hacking; outside of the malware that is easy to find in Google Play, Android's app store, mobile devices are safer from hackers than PCs are. Instead, the issue is inappropriate information usage, where employees inadvertently spill the beans about contacts, embarrass people, violate any number of privacy regulations, and neglect compliance obligations. Most people do it inadvertently, some people do it deliberately — but what matters is that they do it.

That puts organizations in an uncomfortable position. Survey after survey shows that technologically empowered users are happier and more productive, so businesses want to tap into that benefit. But they also have to safeguard their secrets and comply with regulations. The good news is that although the methods and tools are still new, there are known, proven approaches to reduce those risks without disabling the benefit of consumerization.

For mobile devices, these tools fall into several categories: data loss prevention, mobile data management, and mobile application management.

Data loss prevention

Many organizations have already invested millions of dollars in data loss prevention (DLP) tools, which classify data access rights through text analysis and metatagging, then monitor information flow (such as contents in email) to look for problematic data types (such as Social Security numbers or files tagged as corporate secrets). DLP tools are usually set to alert IT or users as to possible issues, but can also be programmed to block information first and ask questions later.

DLP tools require significant effort in creating the information policy rules (usually associated with user roles) and then tagging information across the enterprise, and DLP requires shunting all information flow through DLP servers to ensure it is analyzed.
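As an added illustration of the two DLP steps just described (classify by content and tag, then act on the flow according to the sender's role), here is a constructed toy DLP check that is not code from the article or from any vendor's product. The role names, tag names, and the `corp.example` domain are assumptions; the SSN pattern rejects the area, group, and serial values that are never issued, to cut false positives.

```python
import re
from dataclasses import dataclass, field

# Constructed example: a minimal DLP classifier and policy engine.
# SSN pattern: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass
class Message:
    sender_role: str
    recipient_domain: str
    body: str
    tags: set = field(default_factory=set)  # metadata tags added at classification time

# Role-based rules, as the article describes: "alert" notifies IT or the user,
# "block" stops the message before it leaves. Roles and actions are assumed.
POLICY = {
    "default": {"ssn": "block", "corporate-secret": "block"},
    "hr":      {"ssn": "alert", "corporate-secret": "block"},
}

def classify(msg):
    """Text analysis plus metatag lookup: return the sensitive types present."""
    found = set()
    if SSN_RE.search(msg.body):
        found.add("ssn")
    if "corporate-secret" in msg.tags:
        found.add("corporate-secret")
    return found

def evaluate(msg, internal_domain="corp.example"):
    """Return (decision, found_types) for a message routed through the DLP server.

    Internal delivery is allowed in this toy policy; for external recipients the
    strictest action among the matched data types wins.
    """
    found = classify(msg)
    if not found or msg.recipient_domain == internal_domain:
        return "allow", found
    rules = POLICY.get(msg.sender_role, POLICY["default"])
    actions = {rules[t] for t in found}
    return ("block" if "block" in actions else "alert"), found
```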

DLP tools are not new, but their use in mobile information flow is. There are several approaches to mobile DLP:

  • Routing all mobile traffic through a corporate DLP server, as Symantec offers.
  • Providing a mobile app for access to corporate information repositories such as SharePoint; that app honors the permissions set for files in those repositories. Citrix Systems offers such a tool for SharePoint, and of course many cloud storage providers (such as Accellion, Box, Dropbox, and YouSendIt) offer IT-manageable cloud storage services.
  • Baking content management into apps themselves by adopting APIs from companies such as Good Technology, MobileIron, and SAP Sybase. A related technology area called mobile application management typically also reaches into content management.

Mobile device management

If 2010 was the year that the bring-your-own-device (BYOD) phenomenon became legitimate, 2011 was the year that mobile device management (MDM) tools became accepted as the tool to allow safe BYOD. So it’s no surprise that dozens of vendors now offer MDM tools.

Today, MDM tools are deployed in financial services, defense, government, and medical environments — the very environments most concerned about information security. But MDM is not new; enterprises have been using it for years in the form of the BlackBerry Enterprise Server (BES), to manage the access rights and device permissions of BlackBerry messaging devices. Microsoft Exchange, the most-used email server, also supports a modest set of policies through its Exchange ActiveSync (EAS) protocol.

EAS policies can require a device be encrypted, have a complex password, or disable its camera. IT manages those policies in Exchange/Office 365, Microsoft’s System Center 2012, or the corporate version of Google Apps, as well as in MDM tools. The email server ties into a corporate identity server (usually Microsoft’s Active Directory) to determine which policies apply to which user. If a device doesn’t comply with the rules associated with its user, that device is denied some or all access.

These servers also let IT remotely lock or wipe the contents of a lost or stolen device.
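To make the enforcement loop above concrete, here is a constructed model (not code from the article, Exchange, or any MDM vendor) of how a mail server picks the EAS policy for a user's role and decides what a device gets. The role names, the two policies, the directory stand-in for Active Directory, and the three-way allow/quarantine/block outcome are assumptions; as in real EAS, the device enforces the policy itself and only reports back what it applied.

```python
from dataclasses import dataclass

# Constructed example of EAS-style policy enforcement on the server side.

@dataclass(frozen=True)
class EasPolicy:
    require_encryption: bool
    min_password_length: int
    min_complex_classes: int        # character classes (lower, upper, digit, symbol)
    allow_camera: bool
    allow_nonprovisionable: bool    # tolerate devices that cannot apply policies

@dataclass
class DeviceReport:
    user: str
    supports_policies: bool         # False for clients with no EAS policy support
    policy_applied: bool            # device acknowledged the current policy
    encrypted: bool
    password_length: int
    password_classes: int
    camera_disabled: bool

STRICT = EasPolicy(True, 8, 3, False, False)      # e.g. finance, defense, medical
BASELINE = EasPolicy(True, 6, 2, True, True)
ROLE_POLICY = {"finance": STRICT, "default": BASELINE}
DIRECTORY = {"alice": "finance", "bob": "sales"}    # stand-in for AD group lookup

def policy_for(user):
    """Identity-server step: map the user to a role, then the role to a policy."""
    return ROLE_POLICY.get(DIRECTORY.get(user, "default"), ROLE_POLICY["default"])

def evaluate(report):
    """Return (decision, reasons); decision is allow, quarantine, or block."""
    policy = policy_for(report.user)
    if not report.supports_policies:
        return ("allow" if policy.allow_nonprovisionable else "block",
                ["device cannot apply EAS policies"])
    if not report.policy_applied:   # partial access until the device confirms
        return "quarantine", ["policy not yet acknowledged by device"]
    reasons = []
    if policy.require_encryption and not report.encrypted:
        reasons.append("storage not encrypted")
    if report.password_length < policy.min_password_length:
        reasons.append("password too short")
    if report.password_classes < policy.min_complex_classes:
        reasons.append("password not complex enough")
    if not policy.allow_camera and not report.camera_disabled:
        reasons.append("camera still enabled")
    return ("block" if reasons else "allow"), reasons
```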

Apple’s iOS, recent versions of Google’s Android, Windows Phone 8.x, and BlackBerry OS 10 support a substantial number of EAS policies, as does Microsoft’s Outlook email client for Windows PCs and Macs and Apple’s Mail client for Mac OS X. By contrast, Microsoft’s Windows Phone 7, pre-3.0 versions of Google’s Android, and Hewlett-Packard’s defunct WebOS mobile platforms support a very limited set of EAS policies.

Most MDM vendors’ products go beyond what Exchange and other email servers provide, adding access to non-EAS policies that a mobile operating system might support. For example, Apple’s iOS has a policy that lets IT disable its iCloud file-syncing service.

Some MDM vendors go beyond the extra policies the mobile platforms themselves expose, for example to detect a modified (“jailbroken”) version of the operating system. To do so, users run the vendor’s mobile app and the applications within it. Anything in that app “container” can have all of that MDM vendor’s special policies applied, giving IT a safe zone on a user’s device. (These apps can be set to not share information outside the safe zone, essentially separating the corporate information from the rest of the device.) Some MDM vendors also provide capabilities to enable help desk support for mobile users and to control telecom spend, such as alerting employees when they are roaming internationally.

The challenge for MDM vendors and IT alike is that because different mobile platforms have different capabilities, it’s impossible to have a uniform management approach to all devices. The MDM vendors handle the hard work of keeping up with all the platforms’ capabilities as they change, but IT still has to face the reality that it may need to be somewhat flexible in its policy requirements to support at least the most popular business-class devices. And there’s the wrinkle that comes with supporting iOS devices: Apple requires businesses to get their own Apple Push Notification Service (APNS) credential from Apple to enable MDM management; this certificate gives the MDM tool permission to access iOS devices through Apple’s notification servers on your behalf.

Mobile application management

The least established area for managing mobile information access is mobile application management (MAM), which currently comprises several types of services:

  • App distribution, such as through corporate app stores. These typically focus on homegrown Web and native apps, but can also link to public app stores.
  • Secure app development, to add security and permissions control for homegrown apps’ content and access to corporate network resources. There’s typically a management console for IT to use to act on those embedded controls.
  • App content management, such as to restrict apps’ abilities to share authorized content with other apps. These too are focused on homegrown apps, though they can in some cases also be used by commercial app developers with a management tool. One vendor in this category, Nukona (part of Symantec now), takes an unusual approach of wrapping permissions around apps, rather than requiring the apps’ internal code to implement policies — it’s sort of a DLP-wrapper approach. The other providers rely on policies being specified within the apps’ code.
  • Secure app containers, which create a separate partition, app container, or virtual machine to segregate at least some corporate apps and data from personal apps and data. This approach allows freer use of content across apps in a container than techniques that secure data within just specific apps. This approach differs from the use of virtual desktop infrastructure (VDI) to present a remote application in a window; such applications (Citrix Receiver and VMware View are examples) have little to no access to information or capabilities on the mobile device itself, beyond keyboard and emulated mouse access.

The difficulty in current MAM approaches is that they are usually application-specific. That favors their use for apps developed in-house. But a variety of vendors are working with commercial developers to embed their technology. The various MAM APIs are also tied to specific mobile management tools, so to work broadly, all the apps that IT cares about managing would need to implement the same APIs, and IT would need to commit to a specific management tool.

Over time we may see more and more of the apps that users install on their own to work with business data support such app and content management capabilities, so that they can be managed through an MDM or other tool the business already has in place, or through one that can connect to such an existing management tool.

This article, "Mobile management: Making sense of your options," was originally published at

Copyright © 2014 IDG Communications, Inc.