E-guide Mobile Security Buyer’s Guidecdn.ttgtmedia.com/searchSecurity/downloads/Mobile... ·...

E-guide

Mobile Security Buyer’s Guide Your expert guide to mobile security

Page 1 of 41

In this e-guide

Introduction to mobile device

management products

Three enterprise scenarios for

MDM products

Six questions to ask before

buying enterprise MDM

products

Comparing the best mobile

device management products

E-guide

Introduction to mobile device management products

Mathew Pascucci

Expert Matt Pascucci describes how implementing mobile device

management products can protect smartphones and tablets, as well

as enterprise networks and infrastructures.

Mobile devices have become heavily integrated into enterprise networks, and

the trend shows no signs of slowing down. As mobile devices continue to

become more powerful and push the boundaries of what a computer really is,

organizations need to better secure these systems through mobile device

management products.

By applying custom policies to smartphones and tablets through mobile device

management (MDM), an administrator can, for example, regulate these devices

to be used only in ways that an organization deems appropriate under its

security policy. This can limit the risk of lost data, stop unapproved software

installs and prevent unauthorized access to the mobile devices accessing

corporate data and networks.

Page 2 of 41

In this e-guide


management products


MDM products



products



E-guide

Mobile security, meanwhile, isn't just for large enterprises. It should be seriously

considered throughout all verticals -- no matter the size of the company.

The mobile security characteristics of MDM

When evaluating mobile device management products and vendors, these are

the features (at a minimum) to look for to form a baseline mobile security policy:

PIN enforcement. Also seen as a password to the system, admins can

manage PINs to lock individual devices.

Full disk encryption -- or containerized encryption -- of data or disks.

An MDM product should be able to enforce encryption on any device it

manages.

Remote wipe. In case of loss or theft.

Secures data at rest and in transit. Ability to stop certain data from being

copied or sent while on the device.

Jailbroken or rooted device detection. Jailbreaking poses a significant

risk because it allows users to install unapproved software and make

changes to the mobile device's operating system (OS).

Page 3 of 41

In this e-guide


management products


MDM products



products



E-guide

There are additional MDM features (e.g., GPS tracking, VPN integration,

certificate management, Wi-Fi policies, among others) that are useful, but not

for all companies. At the very least, the five bullets above should be verified

when looking at MDM products. Also verify that the selected mobile device

management products support all the smartphone and tablet platforms (iOS,

Android, Windows Phone and others) that the organization intends to manage

and secure.

While MDM does quite a bit when it comes to securing devices, there are a few

things it doesn't do. For starters, many think Web filtering is a default feature,

when in fact, most -- if not all -- MDM vendors rely on separate systems to

perform that function. Another function people assume mobile management

products perform is data backups. Mobile security vendors are not backing up

mobile devices' data. If data is lost, it's gone unless a separate backup system

has been put into place. This is usually done via third-party apps and

configuration settings, but not natively through mobile device management

products. So there may be additional mobile security software protection

needed beyond MDM.

Page 4 of 41

In this e-guide


management products


MDM products



products



E-guide

Licensing options for mobile device management products

The first, the standard one-license-per-device scenario, works well for smaller

companies without many users, or with businesses that are able to tie one

mobile device system to each user. If an organization is only applying MDM

towards smartphones, and there is no chance end users will use another mobile

device on the network, this method is a wise choice.

However, due to the need for flexibility and increased use of mobile devices --

especially due to bring your own device (BYOD) initiatives -- it may become

necessary to have multiple mobile devices (typically three) protected under a

single user license. This comes in handy when users tend to have multiple

devices (a smartphone, tablet, and the like.), but the business doesn’t want to

go through the hassle and expense of paying for a separate license for each

device.

While generally more expense than single-device licensing upfront, user-based

licensing can save a substantial amount of money over time as employees

adopt more mobile devices.

Page 5 of 41

In this e-guide


management products


MDM products



products



E-guide

Mobile management deployment options

The most common way to deploy MDM products is via a virtual image, but

almost all vendors will offer a hardware-based product if needed, and many are

increasingly providing these services over the cloud.

The virtual images are normally delivered in either OVA (Open Virtual

Appliance) or OVF (Open Virtualization Format) file formats, and are fully

contained OSes that allow organizations to import the software into existing

virtual environments (Hyper-V, VMware, and others). The virtual images allow

for quick installation of the MDM vendor's software, with resource management

owned by the customer.

There are, of course, MDM customers that either don't have a virtual

environment installed or want to have the mobile management system running

on isolated hardware for performance issues or security concerns. In those

instances, MDM vendors ship a dedicated MDM system to the customer with

detailed instructions on how to configure the hardware.

Running an MDM system on-premises can be cumbersome for customers,

however. So a number of the larger MDM vendors have started offering their

products remotely as software as a service (SaaS) in the cloud. This

deployment option is growing in popularity, especially among MDM customers

with limited resources.

Page 6 of 41

In this e-guide


management products


MDM products



products



E-guide

Rolling out MDM products

Once MDM products are installed on the network -- either by virtual image,

hardware or cloud -- administrators need to come up with an implementation

plan across all device types. A slow rollout (or enrollment) across the enterprise

is a smart choice, since there's going to be a learning curve for end users and

administrators supporting the product.

All MDM products have apps that are either in Google Play or the Apple App

Store for users to download. Once enrolled, users are sent an email or text with

installation instructions. When they download the app and it authenticates --

typically via LDAP or a one-time passphrase -- the organization's MDM policy

with the preconfigured options is installed on the mobile device.

At this point, the mobile device is under control of MDM and is able to be

appropriately managed by the IT staff.

Page 7 of 41

In this e-guide


management products


MDM products



products



E-guide

Who manages mobile security?

Depending on company size, a number of different teams may assist with the

management of mobile security. Many large enterprises have resources

dedicated to mobile security, while an SMB might have it added to an IT

administrator's growing responsibilities.

The scope of admins really depends on whether a dedicated resource is

needed to manage mobile security as a whole. It's very common in the

midmarket, for example, to see different groups managing particular sections of

an MDM system. The information security team could be responsible for

creating mobile security policy, with tech support assisting with issues or

operational incidents after the mobile device is deployed, and a telecom group

assisting with onboarding and removing the mobile security policies that have

been created.

The cost of MDM deployment

Like all IT security products, there are going to be hard and soft costs to

consider when deploying mobile security via MDM.

Page 8 of 41

In this e-guide


management products


MDM products



products



E-guide

The hard costs of implementing mobile security for the first time would include

the costs of the product itself, potential new hardware to run it, initial support

expenditures, testing and (potentially) professional management services.

The soft costs of running MDM include the additional hours of support required

for troubleshooting, installing and maintaining the system. In addition,

depending on the install base, there may need to be additional training, or even

additional employees, added to support the product.

Next article

Page 9 of 41

In this e-guide


management products


MDM products



products



E-guide

Three enterprise scenarios for MDM products

Matthew Pascucci

Expert Matt Pascucci outlines three enterprise uses cases for mobile

device management products to see how they can protect users,

devices and corporate data.

Mobile devices are essentially mandatory tools into today’s business world of

fast-moving, data-driven end users. While smartphones and tablets provide

employees with the flexibility to perform their jobs with elasticity and without

borders, they engender major concerns regarding data security and privacy

risks for organizations. Enter mobile device management (MDM) products,

which allow people to perform their jobs efficiently and effectively while assisting

IT in protecting company data and securing mobile devices from malicious

access.

There are three major scenarios to consider when deciding to implement MDM

products: the protection of data on mobile devices, defending mobile systems

themselves, and securing sessions and data in transit between

smartphones/tablets and the company network.

Page 10 of 41

In this e-guide


management products


MDM products



products



E-guide

MDM product scenario #1: Data protection

No reason for deploying MDM products is as important as securing data on

mobile devices. That's because mobile devices are in reality small computers

with powerful processors and large amounts of storage and memory that --

when used within an enterprise -- hold and have access to the same data as a

standard PC or laptop. With that in mind, organizations must extend enterprise-

grade data protection to these devices without limiting their important, elastic

roles at the company.

MDM vendors employ two methods, or ideologies, to protect data on mobile

devices: containerization vs. non-containerization.

Taking a containerized approach to MDM

A mobile security product that uses the containerized ideology will dedicate a

small partition in storage to the MDM application on the mobile device, limiting

all corporate data, apps and communication to this containerized section. With a

containerized approach, the data from a smartphone or tablet can’t be inserted

into the MDM application either (and vice versa), and these types of mobile

device security platforms normally add an extra layer of protection by requiring

users to log into MDM separately from the device itself.

Page 11 of 41

In this e-guide


management products


MDM products



products



E-guide

The pros of implementing containerized MDM is that if the mobile device is ever

lost or stolen, or someone leaves the organization, a wipe of the MDM app on

the smartphone or tablet will remove all instances of corporate data. That way

admins will never have to worry about missing something important.

The cons to containerized MDM is that end users often can't use apps that

they're accustomed to, and organizations often don't have the flexibility to

leverage custom tools or programs. This is because MDM vendors need to

partner with app creators to allow software to enter the encrypted partition. And,

while many MDM vendors do work with software developers, not every app is

natively compatible.

The non-containerized approach to MDM products

The non-containerized approach to mobile security allows users to access their

mobile devices with a native experience and offers the ability to use traditional

apps. So the non-containerized method to mobile security, unlike the

containerized approach, provides users with the flexibility to run the apps they're

used to and allows for easier access to data from third-party software than the

containerized-approach. This goes for both business and personal data. It

depends on the policy that's created by the MDM administrator, but the

configurations can also allow for the locking of company apps and/or personal

apps.

Page 12 of 41

In this e-guide


management products


MDM products



products



E-guide

This approach, while gaining in popularity over containerization due to its

flexibility for the end user, needs to be reviewed in great detail beforehand by

administrators.

Here, there are options for using data loss preventions tools on mobile systems

that aren't containerized. These allow for the inspection and protection of data

before it leaves the mobile device.

The protection of data on mobile devices is paramount. It factors heavily in the

remaining two scenarios outlined below, and should be at the forefront of the

decision-making process when looking to deploy an MDM product.

MDM product scenario #2: Device protection

Now that the data has been secured, let's review ways in which MDM can assist

with protecting mobile devices themselves. This is an important topic because if

a smartphone or tablet isn't secure, it can lead to the infection of the network

and compromised data.

Page 13 of 41

In this e-guide


management products


MDM products



products



E-guide

Jailbreaking/rooting detection

Most MDM systems can alert admins should a user attempt to jailbreak/root a

smartphone or tablet. A rooted or jailbroken mobile device allows a user to

access a mobile system to perform functions (admin access, download and

install apps from outside the app store, malware, among others) not intended by

the manufacturer or approved by IT and the organization. Sure, these aren't all

necessarily that bad, but jailbreaking opens up risks to the corporate network

that are best avoided by negating the ability for users to root their smartphones

and tablets in the first place.

PIN and passcode enforcement

The first line of defense that every mobile device requires is password

protection. Having MDM push down a policy to enforce a PIN or passcode to

smartphones and tablets (with a timeout period) is an easy way to secure

systems from unintended access by intruders that may have stolen or found a

device. Although seemingly very small and not very significant, enforcing

password security through MDM should be mandatory.

Page 14 of 41

In this e-guide


management products


MDM products



products



E-guide

Remote wipe

The option to remote wipe a smartphone or tablet is a lifesaver when it comes to

devices that are no longer in possession of their rightful owner. This assures

that anything on a smartphone or tablet is no longer accessible, as the value of

data on a smartphone or tablet is worth a whole lot more than the value of the

mobile hardware itself.

Operating system changes and apps

With a simple MDM policy, an administrator can restrict what apps are installed

-- and limit what OS changes can be performed -- by users or hackers to a

smartphone or tablet. For example, by only allowing the installation of certain

apps using a whitelist and making sure all cameras are turned off on supported

smartphones. This reassures the organization that rogue apps that could infect

its mobile devices, which can lead to data loss or worse, won't be installed. It

also keeps mobile systems in a baseline OS configuration for the network,

making them easier to manage. This level of app and system control is a must

have when it comes to distributing mobile devices to end users.

Page 15 of 41

In this e-guide


management products


MDM products



products



E-guide

Mobile device encryption

Companies should encrypt all mobile devices that contain important company

data. An MDM product can assist in this by forcing encryption on all supported

smartphones and tablets -- similar to the way full disk encryption does for

laptops and desktops. Encryption protects the mobile device itself and the data

that lives on it. It is important to enable on all mobile devices, even for

enterprises that use a containerized MDM product.

MDM product scenario #3: Protecting mobile connections

Now that MDM has protected mobile data and the mobile devices themselves,

it's time to focus on how to make sure these smartphones and tablets

communicate safely. This last scenario centers on how MDM products can help

secure the connections and sessions established between mobile devices and

company resources.

With MDM, organizations can mitigate the risk of insecure communication by

blocking third-party configurations to remove certain functions on the mobile

device and enabling certain features within a mobile management product. For

Page 16 of 41

In this e-guide


management products


MDM products



products



E-guide

the former, one area to review is the ability to enable VPN connections on

mobile devices so they communicate back to the organization securely.

In addition, there are many times when users need to access data or services

on the internal network. So, instead of letting them access these resources

insecurely, many MDM products allow admins to require VPN terminations to

the corporate site for secure data access.

Another method to secure company network access is to restrict insecure

access by limiting the service set identifiers that wireless devices can use. While

this can become somewhat restrictive, admins can create a policy to always

have mobile systems, in range of the corporate network, use secured wireless

connections as a priority, instead of an insecure wireless network that might

also be available and accessible.

Having the ability to use internal certificates pushed to mobile devices from

company servers for an extra layer of authentication is also recommended.

There are MDM options available that limit access to certain websites. Called

secure Web browsing, this technology is normally connected back to the

corporate network and allows for implementation of an additional policy to keep

users' browsing experience secure via an organization’s normal Web proxy or

Web filtering service. Since mobile devices are extensions of the corporate

network, having the same Web policy pushed to them as onsite computers

Page 17 of 41

In this e-guide


management products


MDM products



products



E-guide

allows for consistent security and user experiences when it comes to Web

access.

Lastly, certain MDM systems include a feature called geofencing that only

allows mobile devices to work within a certain geographical location. This may

be too restrictive for users that travel with their smartphones and tablets, which -

- granted -- are most. But for those mobile devices that shouldn't leave a certain

location, say mobile PoS systems, after the handheld goes beyond a pre-

determined area, it'll be deemed unusable by company policy.

Mobile devices are de facto business tools for almost everyone working today.

Due to this wave of popularity, organizations need to secure the data, systems

and connections mobile devices use and the smartphones and tablets

themselves. Now that we’ve determined the absolute need for MDM products,

we'll review ways in which mobile security is purchased in the next article in this

series.

Next article

Page 18 of 41

In this e-guide


management products


MDM products



products



E-guide

Six questions to ask before buying enterprise MDM products

Matthew Pascucci

Mobile device management can be a crucial part of enterprise

security. Expert Matt Pascucci presents the key questions to ask

when investigating MDM products.

As the mobile market continues to explode, it's become increasingly important

that organizations deploy mobile device management (MDM) to more effectively

manage smartphones and tablets, as well as better protect those mobile

devices from data loss and malicious use. Today, it's really not a matter of if

mobile device security should be deployed -- it's more a matter of when and

how quickly.

It's imperative that businesses take the time to make an educated decision

regarding which MDM platforms are right for their mobile management and

security goals, however. The majority of MDM products perform very similar

functions, but it is how they do so that must be closely reviewed and compared.

Before starting to compare and contrast MDM products, organizations should

establish a set of organizationally specific criteria to make these comparisons.

Page 19 of 41

In this e-guide


management products


MDM products



products



E-guide

This will help determine which MDM product(s) will perform up to the standards

required for their network and mobile device profiles.

To establish these criteria, enterprises should ask themselves the questions

outlined in this article. The answers will lead them toward building a

personalized feature checklist that can guide them in determining which mobile

device management products best fulfill their particular smartphone/tablet

deployment and usage characteristics.

MDM: Is BYOD a consideration?

Protecting company data on personal mobile devices can be challenging. Bring

your own device (BYOD) is something that needs to be reviewed in detail before

making a decision on which MDM vendor to go with.

Will the organization allow end users to use personal smartphones and tablets

for business? If so, will users have the potential to store company data on their

mobile devices while they're being protected and managed by an MDM

product?

When looking into MDM to use in a BYOD environment, organizations should

verify that vendors have streamlined self-service options and provide

organizations with the ability to protect company data separately from personal

information. A self-service model allows businesses to quickly on board users

Page 20 of 41

In this e-guide


management products


MDM products



products



E-guide

into the MDM product for quicker turnaround in getting mobile devices protected

with the appropriate security policies. This can be done via policy enforcement -

- by pushing software changes to the phone with company security options

integrated into it -- or by using containerization, which allows organizations to

secure all company data (and user access to that data) from within a secured

app on the mobile device.

Organizations should carefully review these capabilities (self-service options

and data protection) up front with each MDM product under consideration for a

BYOD environment.

MDM: On-premises or in the cloud?

Many IT security applications are going the software as a service (SaaS) route

these days, and MDM is no different. Before making a decision on whether to

deploy on-premises or cloud-based MDM, it is important to understand the

difference between supporting and managing the two mobile management and

security methods.

Will IT have the technical know-how, time and manpower to manage an MDM

system on-site (patching, building the infrastructure, managing the uptime of the

environment and so on)? Or will it benefit from eliminating these daily support

factors by turning to an MDM product run out of the cloud. Deploying a cloud-

based MDM system often means greater flexibility for companies (some

Page 21 of 41

In this e-guide


management products


MDM products



products



E-guide

products even allow them to set up test environments to train with and verify

settings before pushing those to production and out into the cloud).

These cloud-based MDM products are SaaS implementations that allow

administrators to no longer mange physical appliances or have the need to

make firewall changes to allow access back into their networks. They are

hosted on vendor servers, and often offer organizations the flexibility to have a

separate install of the MDM product available for administrators to train on.

Businesses could think of this as a quality assurance version of the MDM

system that administrators can play with before making changes to the

production version that's hosting live user accounts.

With cloud-based MDM, organizations need to weigh the risks of putting

company data into an environment they don't have complete control over. For

some enterprises, these risks (of having data hosted outside their network, not

being able to control the uptime of applications, reliance on a third party for data

security and so on) and desire for control do not outweigh the benefits (requiring

fewer resources to manage an MDM, no longer patching or maintaining MDM

hardware and software, the ability to have someone else secure company data,

among others) of managing and securing mobile devices from the cloud.

Those considering cloud-based MDM should be sure to perform due diligence

on the cloud provider to gauge how it secures customer data before moving

forward. It is ultimately an organization's data that will be stored in the cloud, so

it should treat the security of this data the same as it would if it was stored within

Page 22 of 41

In this e-guide


management products


MDM products



products



E-guide

its physical network. In addition, verify that segmentation, vulnerability

management and privacy are followed to corporate standards by the cloud

provider.

A good place to start is by utilizing the Consensus Assessments Initiative

Questionnaire (CAIQ) by the Cloud Security Alliance to dig deeper into each

vendor's cloud security profile. The CAIQ is a survey designed to help cloud

consumers and auditors evaluate the security capabilities of cloud providers.

What type of apps can integrate into the MDM?

Businesses are employing apps on mobile devices to enable end users to work

from anywhere nowadays. This ability to let users run CRM apps, custom apps

built internally, or just about any app organizations would like employees to use,

is an important consideration when selecting an MDM product.

The MDM products being considered by an enterprise should allow IT to

manage, integrate and push policy toward all the mobile apps the company

supports. For example, if a business is using a CRM application that all of its

sales team needs to access, it should be able to whitelist this app and push it

down to the users mobile device. This allows for more control over the device

and version of the application being used by employees.

Page 23 of 41

In this e-guide


management products


MDM products



products



E-guide

Certain MDM vendors, meanwhile, partner with app vendors to allow for greater

flexibility and security of their apps when used with their particular MDM

product. These apps are tailored toward the MDM to limit risk, or allow only

certain versions of the app to be installed on mobile devices.

There are also certain apps that organizations wouldn't want installed. The

MDM of choice should be able to report on all apps across a company's mobile

device base to create an inventory of what's installed and if there are

unapproved apps loaded that are against written policy. There should also be

the option to lock down what can be installed on mobile devices and give the

administrators the option to perform whitelisting on an MDM that can limit the

app installs to only approved software.

The mobile app is the reason smartphones and tablets have evolved so rapidly

into essential tools for business over the last few years. The integration of

business apps into MDM assists with provisioning of these apps/business tools

and allows for faster and -- even more importantly -- secure deployment and

support.

Will MDM agents be containerless or containerized?

It is important to know whether a mobile management and security product that

is under consideration is based on the ideology of containerization, or if it uses

the containerless philosophy.

Page 24 of 41

In this e-guide


management products


MDM products



products



E-guide

Containerization installs all MDM data within a dedicated agent container on

mobile devices. This means any company-owned data is stored securely within

this app without fear of leakage or theft. Nothing is able to enter the container

(or be removed from it) while it is on the mobile device. Containerless, on the

other hand, allows for a more native experience to end users because they don't

have to adhere toward using the container app to perform all job activities (i.e.,

email, file storage). These types of MDM products allow employees to use apps

already installed on their mobile devices, for example, whereas those based on

containerization only lets them use apps that are within a container for business.

There are pros and cons to both sides, so before looking at MDM vendors an

organization should understand which school of thought, containerization or

containerless, it subscribes to first.

With containerization, since all company data and applications are held in an

app that's walled off from the rest of the mobile system and can be managed at

the drop of a hat, IT can be confident that nothing related to a company is left

lingering once it removes this app from a mobile device. By contrast,

containerless MDM's maintain the native feel of mobile devices, which is a

benefit to end users, but also makes it more difficult for security teams to

manage -- as all company data and apps aren't isolated (or walled off) from

personal data and apps, as with containerized MDM.

Organizations that prefer to offer end users a more seamless mobile device

experience should consider containerless MDM first. Just be certain that the

Page 25 of 41

In this e-guide


management products


MDM products



products



E-guide

MDM products under consideration provide IT with the ability to confidently

monitor and remove company data and applications when needed. If an MDM

product can't easily let admins wipe all corporate data from a system, there's a

possibility that sensitive information will make its way out of employee (and

thereby company) hands. This needs to be seriously considered when using

containerless MDM.

What MDM profile options are available?

Besides the functionality questions described above, profile options is one of the

most important areas to focus on when reviewing potential MDM candidates. It

is here that companies will review security capabilities to determine if MDM

products have all the features required for securing not only company data, but

also the mobile device itself.

A few of these MDM security features to look for are the ability to: push

passwords/PINs, let admins remote wipe mobile devices, create VPN tunnels

back into a secure network for data and application use, enable policies to

detect rooted and jailbroken systems, verify encryption on mobile devices, use

certificates for authentication, whitelist/blacklist the installation of apps, perform

GPS reviews of mobile device locations (this can have privacy implications, but

could be a use case organizations may want to review), limit features on mobile

devices (disabling cameras, memory expansion and so on) and more.

Page 26 of 41

In this e-guide


management products


MDM products



products



E-guide

An organization's policy of what security features are required, or that could be

enabled, should to be written out before entering into conversations with MDM

vendors. Knowing how locked down an enterprise wants mobile devices to be

will assist it with asking the proper questions when procuring a mobile

management and security product.

How is the MDM product priced?

MDM products are priced out in a few different ways today. So be sure to have

all budgeting options reviewed before making a purchase. For instance, first

determine if the MDM system desired is going to be based in the cloud or on-

premises, as these types of MDM deployments will affect the organization's IT

budget in different ways. Cloud-based MDM will be an operational expenditure

(Opex), meaning that this would come from the budget that allows for licensing

and operation improvements to the business, while an on-premises MDM

deployment will mostly be a capital expenditure (Capex), meaning it will be seen

as a fixed asset (or something that will be used as improvement to the

business).

The funds for an MDM product need to be procured from the appropriate budget

(OpeEx or CapEx) before a decision is made as to which type of MDM (cloud or

on-premises) should be installed. It may be cheaper to go cloud MDM, for

example, but the OpEx budget may not be there to support that type of

Page 27 of 41

In this e-guide


management products


MDM products



products



E-guide

deployment. As a result, this could force an organization's hand toward an on-

premises product.

Also, in terms of user licensing, there are pricing models where vendors license

MDM systems either by device or by user. Depending on the organization, it

may be cheaper to go with a user-based model (where the organization pays for

one user account and puts it on as many devices as needed) or the device-

based model (where a vendor charges based off every system that its software

is installed on).

There are also times organizations can pay via a hybrid model (using user and

device licensing) to help them get the most for their money. As an example, it

would be more straightforward to purchase a device-licensed MDM product if

users are going to be issued devices via a company that controls what the

employees use. This is compared to the user option, where organizations let

end users install a license on multiple devices, not just the one that IT may have

issued to them. There's also a hybrid licensing method that can be used to allow

organizations to use device licensing for those using one device issued by the

company, and user-based licensing for those (like executives) that want multiple

devices at their disposal.

Page 28 of 41

In this e-guide


management products


MDM products



products



E-guide

Conclusion

There are many factors to consider when purchasing an MDM product for

securing and managing mobile devices. The questions outlined in this article are

designed to get readers thinking about their organization's individual MDM

needs before starting to evaluate specific MDM vendors.

The biggest decision to make is the type of MDM to install. Will it be a

containerized system or a containerless MDM? After deciding which way to go

regarding this approach, administrators should decide what security options

they want in an MDM product.

We reviewed some of the major selections above (remote wipe, password

lockdown, app whitelist, among others), but a thorough proof-of-concept should

be run to verify the product is providing the intended security it is advertising

within an organization's particular IT environment. This is important because

many times there are features, such certificate management, that need to be

tested within the current production environment before an organization can

know for sure an MDM product is a good fit.

Once this is completed, a review of where the MDM will be installed and

managed needs to be looked at. Will it be in the cloud, or will it be brought in-

house to be managed? Does the organization have the resources to manage

Page 29 of 41

In this e-guide


management products


MDM products



products



E-guide

the system in-house, or does it trust the application being installed outside its

network (in the case of cloud-based MDM)?

These decisions will vary slightly by the size of the company. Many times a

smaller company will choose the cloud with a single device license because it's

easier to manage, whereas a medium to large company may want an MDM

that's container-based with user licensing that is installed in-house because it's

worried about the loss of data across multiple user devices.

The next article in this series will present the leading MDM products and

vendors, discuss the strengths and weaknesses of each, how they meet the

criteria laid out in this article and why they might be a good choice for your

organization's needs.

Next article

Page 30 of 41

In this e-guide


management products


MDM products



products



E-guide

Comparing the best mobile device management products

Matthew Pascucci

Expert Matt Pascucci examines the top mobile device management

offerings to help readers determine which MDM products may be the

best fit for their organization.

The mobile device management (MDM) space is growing at a rapid pace, and is

widely used across the enterprise to manage and secure smartphones and

tablets. Investing in this technology allows organizations to not just secure

mobile devices themselves, but the data on them and the corporate networks

they connect to as well.

The market for MDM products is saturated now, and there are new vendors

arriving in this vertical on a consistent basis. Many of the larger names in mobile

security, meanwhile, have been buying up smaller vendors and integrating their

technology into their mobile management offerings, while others have remained

pure mobile device management companies from the beginning. So what are

the best mobile device management products available today?

Page 31 of 41

In this e-guide


management products


MDM products



products



E-guide

Since the mobile security market has become so crowded, it is harder than ever

to determine what the best mobile device management products are for an

organization's environment. To make choosing easier for readers, this article

evaluates five leading MDM companies and their products against the most

important criteria to consider when procuring and deploying mobile security in

the enterprise. This criteria includes MDM implementation, app integration,

containerization vs. non-containerization, licensing model and policy

management, while the mobile management vendors covered are Good for

Enterprise, Airwatch, MobileIron, IBM (previously FiberLink) and Citrix.

That being said, there are also niche players -- such as Blackberry -- that are

attempting to move into the broader MDM market outside of just securing and

managing their own hardware, as well as free offerings from the likes of Google

that are trying to compete with the above list of MDM vendors by providing tools

to assist in the management of Android devices. Even Microsoft has a small

amount of MDM built into its operating systems that allow for the management

of mobile devices.

Today, the vast majority of mobile devices in use (both smartphone and tablet)

run on either Apple's iOS or Google's Android OS. So while many of today's

MDM products are also capable of managing Windows phones, Blackberries

and so on, this article focuses mostly on their Apple and Android management

and security capabilities.

Page 32 of 41

In this e-guide


management products


MDM products



products



E-guide

Selecting the best mobile device management product for your organization isn't

easy. By using the criteria presented in this feature and asking the six questions

outlined in our previous article in this series on mobile security, an organization

will find it easier to procure the right mobile management and security product to

satisfy its enterprise needs. Let's get started.

Criteria #1: Implementation of MDM

Organizations should understand and plan out their mobile device deployment

and MDM requirements before looking into vendors. The installation criteria for

MDM are normally based off a few things: resources, money and hardware.

With that being said, there are two distinct installation possibilities when

deploying an MDM product.

The first is an on-premises implementation that needs dedicated resources,

both from a hardware and technical perspective, to assist with installing the

system or application in a network. Vendors like Good For Enterprise require

the installation of servers within an organization's DMZ. This will necessitate

firewall changes and operating system resources to implement. These systems

will then need to be managed appropriately to verify that they're consistently

patched, scanned for vulnerabilities among other issues. In essence, this type of

MDM deployment is treated as an additional server on an organization's

network. It's possible that a smaller business might shy away from an install of

Page 33 of 41

In this e-guide


management products


MDM products



products



E-guide

this nature due to the requirements and technical know-how it would take to get

off the ground. On the other hand, if businesses are able to manage this type of

mobile management and security product, it gives them complete ownership of

these systems and the data that's on them.

The second installation type is a cloud-based service that allows for an

installation of MDM off-premises, removing any concerns regarding

management, technical resources and hardware from becoming an issue for an

organization. Vendors like AirWatch have the ability to let customers provision

their entire MDM product in the cloud and manage the system from any Internet

connection. This is both a pro and a con: It provides companies with resource

constraints (like not having the experience or headcount) with the ability to get

an MDM product set up quickly, but it does so at the risk of having data reside

outside the complete control of these organizations -- within the cloud.

Depending on an organization's resource availability, technical experience and

risk appetite, these are the two options (on-premises and cloud) currently

available for installing MDM.

Criteria #2: App integration

Apps on a mobile device are a major reason their popularity and demand has

increased exponentially over the years. Without the ability to have apps work

Page 34 of 41

In this e-guide


management products


MDM products



products



E-guide

properly and yet securely, the power of mobile devices and the ability for users

to take full advantage of these tools becomes severely limited.

MDM companies have realized this need for functionality and security, so

they've created business grade apps that enable productivity without

compromising the integrity of mobile devices, the data on them and the

networks they connect to. Products like Citrix Xenmobile have created Worx

apps that are tied together and save data in a secure sandbox on mobile device

so users don't need to use unapproved apps to send business data to

potentially insecure apps out of an enterprise's control. The sandboxing

technology works by securing, and even at times partitioning, the MDM app

separately from the rest of the mobile OS; essentially isolating it from the rest of

the device, while allowing a user to have the ability to work securely and

efficiently.

There are also third-party apps that MDM vendors have partnered with to create

branded versions of these apps to use on their MDM. Good for Enterprise has,

for example, partnered with many large vendors to accommodate the need to

use their apps with their MDM. This integration between vendors is extremely

helpful and adds to the synergy between both vendors to allow for better

security and more productive users.

Whether you're using apps created by an MDM vendor to allow additional

security, or apps that have been developed through the collaboration of the

MDM vendor and third parties, it's important to know that most of the work on a

Page 35 of 41

In this e-guide


management products


MDM products



products



E-guide

mobile device is done via these apps, and securing the data that flows through

and is created on them is important.

Criteria #3: Container vs. non-container

There are two major operational options available when researching MDM

products; those are MDM that uses the container approach, and MDM that uses

the non-container approach. This is a major decision that needs to be made

before selecting a mobile management product, since most vendors only

subscribe toward one of these methods. This decision, whether to go with the

container or non-container method of mobile management, will guide the policy,

installation of apps on the mobile devices, BYOD plans and data security of the

mobile devices that an organization is looking for an MDM product to manage.

A containerized approach is one that keeps all the data and access to corporate

resources contained within an app that's downloaded to mobile devices. This

app will normally not allow access from data outside the mobile device into the

app and vice versa. Both Good for Enterprise and IBM (Maas 360 Fiberlink)

offer MDM products that allow customers to use a containerized approach.

Large companies tend to benefit from this approach -- as do government

agencies and financial institutions -- as is it tends to offer the highest-degree of

protection for sensitive data. Once a container is removed from a mobile device,

all organizational data is gone and the organization can be sure there was no

Page 36 of 41

In this e-guide


management products


MDM products



products



E-guide

leakage of data onto the mobile device that might be left over. This method is

used to ensure, without a doubt, that data on this device was removed and

there was no leakage of data to other areas of the device.

By contrast to the restricted tactic used by containerization, the non-container

approach allows for a more fluid and seamless user experience on mobile

devices. Companies like AirWatch and MobileIron are the leaders in this

approach, which enables security on mobile device via policy and integrated

apps. This means these systems rely on pushing policy to the native OS to rely

on controlling their mobile devices. They also support multiple integrated apps

(supplied with trusted vendors the MDM companies have partnered with) that

assist with adding an additional layer of security to their data.

Many organizations, including startups and those in retail, lean toward the non-

container approach for mobile management and security due to the speed and

native familiarity that end users already have with their mobile devices -- with

OS-bundled calendaring and mail apps, for example. However, keep in mind, in

order to completely secure all data on mobile devices, the non-container

approach requires the aforementioned tight MDM policy and integrated apps to

enforce the protection of business's data.

Page 37 of 41

In this e-guide


management products


MDM products



products



E-guide

Criteria #4: License models

The licensing model for MDMs has changed slightly in recent years. In the past,

there was only a per device license model, which means organizations were

pushed into licensing models that weren't very effective for them financially. Due

to the emergence of tablets and users carrying multiple smartphones, there

became the need to have a license model based off of the user (and not the

individual device). All the MDM products covered in this article today offer

similar, if not identical pricing models. The MDM vendors have all listened to the

call of customers, and realized that end users in this day and age don't always

have one device. Which licensing model -- per-device model and the user-

based model -- an organization chooses all depends on the inventory that a

company has in regards to their mobile devices.

The per-device model normally works well in a small company. In this model,

every user would get a device that would go toward the organization's total

license count. If a user has three devices, all of these would go toward the total

license count that the business owns. These licenses are normally cheaper per

seat, but can quickly become expensive if there are multiple devices requiring

coverage per user.

The user-based pricing model, by contrast, takes into account the need for

users to have multiple devices that all require MDM coverage. With this model,

Page 38 of 41

In this e-guide


management products


MDM products



products



E-guide

the user name is the bases of the license, and he can have multiple devices

attached to his one license. This is the reason many larger organizations lean

toward this model, or at least a hybrid approach of the two licensing models, to

account for users who have multiple mobile devices in use.

MDM criteria #5: Policy management

This is a large and important feature within mobile device management, and

one that needs to be reviewed by an organization selecting the MDM with either

an RFP or something that outlines the details of what type of mobile device

policies it requires. Mobile policies have the ability to let organizations make

granular changes to a mobile device and allow it to limit certain features

(camera, apps, among others), push wireless networks, create VPN tunnels,

whitelist apps and so on to a mobile device. This is the nuts and bolts of MDM,

and a criterion that should be reviewed heavily during the proof of concept stage

with specific vendors.

This ability to push certain features of a policy to mobile devices is certainly

required, as is the ability to wipe devices remotely if the need occurs should

they be lost or stolen. While all the MDM products covered in this article provide

the ability to remotely wipe mobile devices, in the case of Good for Enterprise

and IBM, organizations have the option to wipe mobile devices completely or

just remove the container.

Page 39 of 41

In this e-guide


management products


MDM products



products



E-guide

Also important is for MDM products to include the ability to perform options such

VPN connections, wireless network configurations and certificate installs (which

AirWatch does a great job of). These options need to be asserted in an RFP

beforehand to determine what part of the mobile device policy you're looking to

secure within mobile devices. Evaluating what policy changes can be pushed to

a mobile device, and what functions an organization might want to see within a

policy will help guide it toward making an educated decision on the best mobile

device management products for it.

Most times there will be multiple policies created that allow certain users to

receive a particular policy, while allowing someone with other needs to receive a

completely different MDM policy. This is a standard function within all MDMs,

but it should be understood that a single policy for all users is not always

plausible.

Finding the best mobile device management product for you

There are many vendors in this very saturated market, but following these five

criteria should assist organizations with narrowing the field down to find the best

mobile device management products available today. There is much overlap

between vendors, but finding the right one that secures an organization's data

Page 40 of 41

In this e-guide


management products


MDM products



products



E-guide

completely and allows full coverage with the ability to manage all the aspects

needed in a policy, are what businesses should be aiming for in MDM products.

Many large companies, especially those in the financial or government sector,

are running Good for Enterprise due to the extra layer of security it provides by

leveraging a container and integrated apps developed by vendors they partner

with. IBM Maas 360, on the other hand, offers both a container and non-

container approach to mobile security and management, which makes it

suitable to larger enterprises that require some flexibility in terms of operational

method deployment. This gives IBM Maas 360 the ability to play toward both

sides and gives them some leverage against competitors by being able to

attract customers from both mindsets.

Many midsize companies don't have to meet the level of security imposed by

large financial clients, for example, and thus aren't running toward boosting their

mobile device security. We've seen that many times compliance will bring an

extra layer of required security, however, thereby making these organizations

more conscience at times about securing data on mobile devices. Midsize to

large companies (those outside of the financial sector) tend to run Airwatch or

MobileIron MDM, due to the abilities of these mobile security platforms to keep

the native feel of mobile devices intact while being able to push custom policies

to the clients that secure the mobile devices.

As for the MDM apps and the ability to have them integrated into the offering,

Citrix is performing very well in this area with their Xenmobile Worx apps,

Page 41 of 41

In this e-guide


management products


MDM products



products



E-guide

having shown that it’s pushing the boundaries within this area. These apps are

selling points to many customers who want to integrate their data onto a mobile

device, but want the flexibility to manage the data these mobile apps are

consuming. By dispensing these approved apps to managed mobile devices

and writing policy for their data to be used on these apps, MDM products such

as Citrix's assist with adding an extra layer of data control for the company and

ease of use for the user.

In conclusion, the MDM market is expanding exponentially each year and

mobile devices have become an indispensable tool for users within a business.

With this continued growth in mobile, organizations need to be able to protect

these mobile devices and the data they hold to make sure that the growth that

they've assisted in doesn't become an organization's downfall.

About the author

Matthew Pascucci is an information security engineer for a large retail company

where he's involved with vulnerability and threat management, security

awareness and daily security operations. He’s written for various information

security publications, has spoken for many industry companies, and is heavily

involved with his local InfraGard chapter. Pascucci covers topics relating to

network security.

Date post:	17-Sep-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

E-guide Mobile Security Buyer’s Guidecdn.ttgtmedia.com/searchSecurity/downloads/Mobile... ·...

Documents