
Date post: 26-May-2018

MOBILE DEVICE MANAGEMENT – DEPLOYMENT, RISK MITIGATION & SOLUTIONS

From Network Intelligence (India) Pvt. Ltd.

Mobile Device Management

Confidential Network Intelligence (India) Pvt. Ltd. Page 2 of 22

NOTICE

This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied.

Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: fitness for a particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence.

Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document, nor does it make a commitment to update the information contained herein.

Copyright

Copyright Network Intelligence (India) Pvt. Ltd. All rights reserved.

NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.

Trademarks

Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

NII CONTACT DETAILS

Network Intelligence India Pvt. Ltd.
204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E),
Mumbai 400 069, India
Tel: +91-22-2839-2628 / +91-22-4005-2628
Fax: +91-22-2837-5454
Email: [email protected]


Contents

1. Introduction
2. Typical Design of an MDM Solution
3. Understanding BYOD and MDM
   a. Bring Your Own Device (BYOD) policy and MDM in an enterprise
   b. Are BYOD and MDM the same thing?
   c. If I have a BYOD policy at my company, is MDM deployment necessary?
   d. Okay, so how do I effectively communicate mobile security policy to employees?
4. Adopting a "Personal-liable" approach for mobile devices
   a. Benefits of adopting a personal-liable approach for personal mobile devices
   b. Security costs incurred by adopting the personal-liable approach
   c. Questions to ask before opting for the personal-liable approach for MDM
5. Selecting an optimal MDM delivery methodology
   a. Premise-based
   b. Software as a Service (SaaS)
   c. Managed Services
6. Designing a BYOD policy before deploying MDM
   a. Do your homework
   b. Identify user needs
   c. Enacting an End-User License Agreement (EULA) corporate policy
   d. Addressing privacy concerns
   e. HR and legal concerns
   f. Training users and helpdesk support
   g. Addressing authentication issues
   h. Defining mobile device security rules
7. MDM Deployment
   a. Policy
   b. Risk Management
   c. Configuration Management
   d. Software Distribution
   e. Procurement issues
   f. Device policy compliance and enforcement
   g. Enterprise Activation / De-Activation
   h. Enterprise Asset Disposition
   i. User Activity Logging
   j. Security Settings
8. Challenges during MDM implementation
   a. Hidden costs and corporate governance issues
   b. Employee unawareness about information security while using mobile endpoints
9. Picking the right MDM vendor
10. MDM vendors
   a. Popular MDM vendor list
   b. Salient features of some of the leading MDM vendors
11. How can we help your organization?
   a. Strong support of the Solutions Team
   b. Security awareness trainings
   c. Social engineering exercises
12. References


1. INTRODUCTION

The explosive growth in the popularity of mobile devices, and in their capabilities, has led to a sharp rise in the use of smartphones, tablets and mobile POS devices in the corporate world. Apart from the mobility advantage, these devices have become efficient enough to support business growth and offer a networking advantage that improves employee productivity at the workplace. As the market for these devices continues to develop at an exponential rate, concerns about the safety of the sensitive corporate data present on mobile devices, in transit or at rest, grow proportionately, since tracking the data and relying on its integrity becomes increasingly challenging. Enforcing corporate governance and complying with local laws and trans-border regulations also pose a serious challenge. Hence a technical method to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises is needed, which has led to the development of Mobile Device Management (MDM).

What is Mobile Device Management (MDM)?[1]

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablets, mobile printers, mobile POS devices, etc. This applies to both company-owned and employee-owned (BYOD) devices across the enterprise, as well as to mobile devices owned by consumers.

By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.

What do you mean by "over-the-air"?

Over-the-air (OTA) programming capabilities are considered a main component of mobile network operator and enterprise MDM software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; to send software and OS updates; to remotely lock and wipe a device; to troubleshoot remotely; and so on. In carrier-side OMA DM deployments, OTA commands have traditionally been triggered by a binary (WAP Push) SMS message; enterprise MDM platforms for iOS and Android instead wake the device through the platform's push notification service (APNs or Firebase Cloud Messaging), after which the device connects to the MDM server over HTTPS to fetch its commands. Either way, MDM enables IT departments to manage many mobile devices used across the enterprise from one place.

What is the Open Mobile Alliance (OMA)?

The Open Mobile Alliance (OMA) is a standards body which develops open standards for the mobile phone industry. The OMA Device Management (OMA DM) specification is designed for the management of small mobile devices such as mobile phones, PDAs and palmtop computers. It supports the following typical uses:

• Provisioning: configuration of the device (including first-time use), and enabling and disabling features
• Configuration of the device: allowing changes to settings and parameters of the device
• Software upgrades: providing for new software and/or bug fixes to be loaded on the device, including applications and system software
• Fault management: reporting errors from the device and querying its status

Since the OMA DM specification is aimed at mobile devices, it is designed with sensitivity to the following:

• Small-footprint devices, where memory and storage space may be limited
• Constrained communication bandwidth, such as wireless connectivity
• Tight security, as the devices are vulnerable to virus attacks and the like
• Authentication and challenges, which are made part of the specification
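As an added illustration of what an OMA DM management session looks like on the wire (this is example code written for this page, not part of the original paper or of any OMA deliverable), the following Python builds the server's SyncML package carrying two Get queries against standard DevInfo nodes and one Replace, and parses the device's reply. The server URL, the device identifier, the vendor node `./Vendor/Example/MinPinLength` and the sample device reply are all constructed for illustration; the `./DevInfo/*` paths, the `SYNCML:SYNCML1.2` namespace and the Status codes (200 OK, 405 Command not allowed) are from the OMA DM 1.2 specification.

```python
"""Build an OMA DM (SyncML) server package and parse the device's reply.
Example code for this page, not from the paper. Only the ./DevInfo paths,
the SyncML namespace and the status codes come from OMA DM 1.2; every
URL, identifier and value below is an assumption for illustration."""
import xml.etree.ElementTree as ET

SYNCML_NS = "SYNCML:SYNCML1.2"
NS = {"s": SYNCML_NS}
SERVER_URI = "https://dm.example.internal/dm"  # assumed MDM server address
DEVICE_ID = "IMEI:490154203237518"             # constructed device identifier


def build_server_package(session_id, msg_id, get_uris, replace_values):
    """Package 2 (server -> device): Get queries followed by Replace commands."""
    root = ET.Element("SyncML", xmlns=SYNCML_NS)
    hdr = ET.SubElement(root, "SyncHdr")
    ET.SubElement(hdr, "VerDTD").text = "1.2"
    ET.SubElement(hdr, "VerProto").text = "DM/1.2"
    ET.SubElement(hdr, "SessionID").text = str(session_id)
    ET.SubElement(hdr, "MsgID").text = str(msg_id)
    ET.SubElement(ET.SubElement(hdr, "Target"), "LocURI").text = DEVICE_ID
    ET.SubElement(ET.SubElement(hdr, "Source"), "LocURI").text = SERVER_URI
    body = ET.SubElement(root, "SyncBody")
    cmd_id = 1
    for uri in get_uris:
        get = ET.SubElement(body, "Get")
        ET.SubElement(get, "CmdID").text = str(cmd_id)
        item = ET.SubElement(get, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
        cmd_id += 1
    for uri, value in replace_values.items():
        rep = ET.SubElement(body, "Replace")
        ET.SubElement(rep, "CmdID").text = str(cmd_id)
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
        ET.SubElement(item, "Data").text = str(value)
        cmd_id += 1
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_device_package(xml_text, expected_session):
    """Package 3 (device -> server): one Status per command, Results for each Get.
    Returns ({CmdRef: status code}, {node URI: value}). xml.etree is fine for
    this constructed input; device-originated XML reaching a real server is
    untrusted and should be parsed with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.findtext("s:SyncHdr/s:SessionID", namespaces=NS) != str(expected_session):
        raise ValueError("SessionID mismatch: reply does not belong to this session")
    statuses = {}
    for status in root.findall("s:SyncBody/s:Status", NS):
        cmd_ref = int(status.findtext("s:CmdRef", namespaces=NS))
        statuses[cmd_ref] = int(status.findtext("s:Data", namespaces=NS))
    results = {}
    for res in root.findall("s:SyncBody/s:Results", NS):
        for item in res.findall("s:Item", NS):
            uri = item.findtext("s:Source/s:LocURI", namespaces=NS)
            results[uri] = item.findtext("s:Data", namespaces=NS)
    return statuses, results


def failed_commands(statuses):
    """CmdRefs whose Status is outside the 2xx range (CmdRef 0 is the SyncHdr itself)."""
    return sorted(ref for ref, code in statuses.items() if not 200 <= code < 300)


# Constructed device reply to a package where CmdID 1 and 2 were Gets and CmdID 3 a Replace.
SAMPLE_DEVICE_PACKAGE = f"""<SyncML xmlns="{SYNCML_NS}">
<SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
<SessionID>1</SessionID><MsgID>2</MsgID>
<Target><LocURI>{SERVER_URI}</LocURI></Target>
<Source><LocURI>{DEVICE_ID}</LocURI></Source></SyncHdr>
<SyncBody>
<Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
<Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
<Status><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>3</CmdRef><Cmd>Replace</Cmd><Data>405</Data></Status>
<Results><CmdID>5</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef>
<Item><Source><LocURI>./DevInfo/Man</LocURI></Source><Data>ExampleOEM</Data></Item></Results>
<Results><CmdID>6</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef>
<Item><Source><LocURI>./DevInfo/DmV</LocURI></Source><Data>1.2</Data></Item></Results>
<Final/>
</SyncBody></SyncML>"""


if __name__ == "__main__":
    pkg = build_server_package(1, 1, ["./DevInfo/Man", "./DevInfo/DmV"],
                               {"./Vendor/Example/MinPinLength": 6})
    print(pkg)
    statuses, results = parse_device_package(SAMPLE_DEVICE_PACKAGE, expected_session=1)
    print(results, "failed:", failed_commands(statuses))
```

Two checks matter in practice: the reply's SessionID must match the session the server opened, otherwise a replayed or misdirected package could be accepted, and every Replace must be confirmed by a 2xx Status before the server records the setting as applied (here the device refused the vendor node with 405, so the server must not mark the PIN-length setting as enforced).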

Why the sudden demand for managing mobile devices?

The popularity of personal smartphones and tablets has created a strong demand to use personal devices at work. Employees feel more comfortable using their own devices for work and are willing to bear the cost of liability, maintenance and upgrades. The boost to employee morale and the cost savings to the employer are the main attractions of the employee-liable approach, in which employees use their personal devices at the workplace. The obvious networking advantages offered to C-level executives, managers and directors for extending business growth and exploring profitable avenues while on the move also present a compelling case for using mobile devices at the workplace and during travel.

However, the risks associated with these devices, such as sensitive corporate data falling into the wrong hands and the danger of litigation following an intentional or unintentional data breach, or data loss from a lost or misplaced device, make a ready case for managing them. There are also legal and HR issues that need to be ironed out if the organization adopts the employee-liable ownership approach for accountability over the devices.

An organization remains responsible for maintaining the security of these mobile devices under mandates such as SOX and HIPAA, but since the devices are not owned by the organization, securing the device and the data becomes tricky: the organization may or may not own the mobile device in question in the first place, so enforcing accountability is difficult.

Using Mobile Device Management (MDM) solutions, organizations can take partial control of these devices by enforcing corporate policies and procedures on them. Hence investing in an MDM solution makes sense in these situations.


2. TYPICAL DESIGN OF AN MDM SOLUTION[1]

Typically, solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the handset and receives and implements the management commands. In some cases one vendor provides both the client and the server; in others the client and server come from different sources.

Central remote management, using commands sent over the air, is the next step. An administrator at the mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, or any group or groups of handsets. This provides scalability benefits, particularly when the fleet of managed devices is large.


3. UNDERSTANDING BYOD AND MDM

a. Bring Your Own Device (BYOD) policy and MDM in an enterprise [1]

As the Bring Your Own Device (BYOD) business policy becomes more popular, corporations can use MDM to allow employee-owned devices inside the corporate firewall, thanks to better device management capabilities. Employees also have more freedom to choose the device they like instead of being forced to use particular brands by the IT department. Using MDM, IT departments can also manage the employee devices over the air with minimal intervention in employees' schedules.

b. Are BYOD and MDM the same thing? [2]

No. BYOD (Bring Your Own Device) is a business policy of allowing employees to use their own devices for business-related work by granting access to company resources, backed by proper authentication controls. BYOD represents a policy of offering mobility to a very broad range of organization resources, typically delivered either through a robust mobile policy or managed via the implementation of MDM, DaaS (Desktop as a Service) and similar technologies.

MDM, by contrast, is a technology: one of the technical controls through which a BYOD policy can be implemented. It securely manages mobile device endpoints by enforcing corporate policies over the air on employees' mobile devices, and it applies just as well to corporate-owned devices.

c. If I have a BYOD policy at my company, is MDM deployment necessary?

If you have designed and implemented a robust BYOD policy properly across your organization, you still have to evaluate your options carefully before going for an MDM solution. If the primary aim of adopting BYOD was only to get rid of device ownership, it will not make sense to invest in MDM (especially if your company is small or medium-sized). However, if your aim is to prevent sensitive data leakage and enforce device security settings for employees as they access sensitive corporate resources, or if your business is rapidly scaling up, it definitely makes sense to implement MDM. Keep in mind that a proper mobile security policy has to be in place in any case to protect vital corporate information.

MDM helps to reduce costs and improve productivity in the long run when implemented correctly for the organization. If implemented improperly, on a loosely defined security policy, it becomes expensive to maintain and achieves little to safeguard sensitive corporate information. Hence proper care and precautions are needed to develop a robust mobile security policy before opting for an MDM solution.

d. Okay, so how do I effectively communicate mobile security policy to employees? [1][2]

Effective communication means making the employees understand the policy as easily as possible. Make it simple and direct while keeping it short, sweet and to the point. If you can get employees to be aware of the security elements in your environment, they will be the ones who spot things and report them immediately, assuming they know what to spot and who to report it to. Make them aware of the BYOD security policy first, not MDM.

Help your employees understand what is at risk. This comprises not just theft, loss or exposure of information or the device, but the other risks they face while they are mobile. Make them aware of the risks involved in the types of environments they encounter while mobile and how they should address them.


4. ADOPTING A "PERSONAL-LIABLE APPROACH" FOR MOBILE DEVICES[3]

a. Benefits of adopting a "personal-liable approach" for personal mobile devices

Many organizations offer their employees a fixed monthly stipend to help offset their monthly voice and data bill. This approach results in predictable mobile expenses for the corporation, and employees become responsible for the costs of their mobile devices and data plans. Hence, expenses related to mobility asset management, such as acquisition, maintenance, processing of payment for carrier invoices and disposal of devices, can be heavily reduced or eliminated.

The organization may also position itself as a flexible employer and may be able to recruit and retain tech-savvy workers, who typically have a strong attachment to a favourite mobility platform. Productivity can increase as employees have more options when working out of the office. Additionally, organizations may be able to secure reduced monthly costs for service and premier-level support from the carriers for their employees.

It is generally observed that employees take better care of their personal belongings, as they are more attached to devices they own.

b. Security costs incurred by adopting the personal-liable approach

While the personal-liable model offers benefits for both employees and employers, addressing the important issues of security and governance becomes more complicated and expensive. When sensitive corporate information is stored on a corporate-owned device, the organization can implement and enforce strict controls on the operating system and other features of the device, such as Wi-Fi and Bluetooth, to prevent unauthorized use of that sensitive information. This is not the case in the personal-liable approach, as the device owned by the employee is not a corporate asset but may carry sensitive corporate data.

Security measures are required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices in the organization's network. The company might also incur additional expenses to support multiple mobility platforms.

Support costs may increase as more, and higher-skilled, help desk personnel are required. Similarly, application development costs may increase. Organizations must implement an employee agreement that addresses topics including acceptable use of personal devices and corporate access to the employee's device. The financial arrangements relating to stipends or reimbursement of actual expenses should also be included in this employee agreement. Corporate counsel should carefully weigh any record-keeping requirements for SMS text messages or call logs from mobile devices, and evaluate the potential legal consequences of capturing this information from employee-owned devices.

Finally, employees may discover unexpected expenses associated with using their personal device for work. While their current voice and data plans may be sufficient for personal use, usage may expand dramatically when the device is used for work calls and applications. The cost increase may be sharp, especially for employees who travel internationally, where roaming charges make the costs very high. If the organization reimburses actual costs, an employee may find that they spend several hours a month separating their personal costs before submitting the bill for reimbursement.

c. Questions to ask before opting for the personal-liable approach for MDM

• Are there any specific concerns that would preclude the use of employee-owned devices?
• Is the organization willing to implement additional security controls to allow a broader range of devices?
• Is the corporation willing to accept a short-term increase in risk to allow newer platforms access to data while the device's management and security tools mature?
• How will the organization respond to inappropriate material on a personally-owned device? Who decides what is inappropriate?
• Under what conditions could the organization examine the personal property of an employee?
• What are the laws in your jurisdiction? Do the laws differ depending on whether the employee uses the device for their own convenience?
• If the risks associated with the personal-liable approach are too high, is there a subset of employees with a lower overall risk profile that might qualify for personally-owned devices?


5. SELECTING AN OPTIMAL MDM DELIVERY METHODOLOGY[9]

Three MDM delivery mechanisms are available; which you choose depends on your staff expertise and the investment you are willing to make in deploying MDM in your organization.

a. Premise-based

If you want to maintain a high degree of control and also have reliable IT skills and resources, you would likely select a premise-based solution. This is ideal if you prefer to directly control the system's security and administration. A premise-based MDM solution requires a larger up-front investment.

b. Software as a Service (SaaS)

If you don't want to maintain servers at your site(s) but still want management and administration to be in your hands, you should consider an on-demand offering. Customers can avoid or minimize the up-front cost and instead pay a monthly or annual fee for the system.

c. Managed Services

If your IT department is over-extended or lacks the required expertise, you can consider a managed services offering. This option allows you to turn the management function over to experts who handle it for you. This proactive management service provides support without draining internal resources, and still provides regular status reports so that you are aware of specific items like roll-outs, software/hardware updates and asset/inventory control.

Consider each method carefully. Ask each vendor whether it can support all of the deployment options, so that it can serve you now and in the future.


6. DESIGNING A BYOD POLICY BEFORE DEPLOYING MDM[5]

A successful MDM implementation cannot be completed without proper planning of the BYOD business policy and procedures. While BYOD policies establish a common ground of communication between the employer and the employee and define the boundaries of ownership of the data present on personal mobile devices, MDM offers the employer and the organization peace of mind if an unwanted incident is reported: the security of the data can then be managed via remote wipe, encryption, self-wipe and so on.

a. Do your homework

• Work with the Legal and HR departments to define a personal device policy aligned with the organization's information security policy.
• Use social media to engage in dialogue with employees and get a feel for their work style and support needs.
• Develop new authentication methods and device management policies that help safeguard corporate information and intellectual property.
• Provide training on information security and on the personal device policy for employees and IT Service Desk personnel.

By applying safeguards to protect information and intellectual property, employees can select the tools that suit their personal work styles and facilitate their job duties. This improves their productivity and job satisfaction.

Identify minimum security specifications such as:

• Mandatory two-factor authentication for push e-mail
• Secure storage using encryption
• Security policy settings and restrictions
• Secure transmission of information
• Remote wipe capability
• Ability to check for viruses from the server side
• Patch management and enforcement software for rules
• IDS capabilities on the server side of the connection

b. Identify user needs

Construct a blog, online poll or questionnaire to find out the needs of the users. Take user feedback on questions such as:

• Why do you want to use your own device(s) for work?
• What would you give up to use your device for work?
• What does your personal device do to help you work?
• Would you improve your security habits in exchange for more device freedom?

By analyzing the responses in close collaboration with the HR and Legal teams, you can make informed decisions about forming the policy on the use of mobile devices.


c. Enacting an End-User License Agreement (EULA) corporate policy

The EULA gives employees very clear instructions on what they can and cannot do with a device. Stress has to be placed on managing and protecting the corporate data stored on the device. Emphasis also has to be placed on not sharing the unlocked device with non-corporate users, including friends and family. If any company data resides on their devices, it should be backed up to a company-owned system by default. The types of devices allowed, such as tablets and smartphones, must be stated clearly in the policy. The EULA policy must be generic enough to cover all the allowed devices sufficiently.

The EULA must be reviewed, preferably each quarter, to ensure that as technology and user demand change, the legal protection provided by the policy remains up to date. Users must re-sign the updated EULA when they move to new technology. Finally, it should be made clear that employees who refuse to sign the EULA cannot use personal devices to access corporate information.

d. Addressing privacy concerns

To address privacy concerns, the policy must clearly define the following terms:

• Corporate-owned data: business data or intellectual property owned by the company.
• Employee-owned data: data owned by the employee, such as task lists, notes and family photos.
• Personal data: data controlled by privacy legislation, such as medical records and home address.

Where personal and corporate-owned data cross over, as with calendar records, the policy should state clearly that during an investigation the confiscated device's personal data may be viewed during forensic analysis.

e. HR and legal concerns

HR policy must state clearly under what circumstances employees will be compensated for work outside their working hours, and time sheets must adequately reflect those activities. Legal policy must state that in case of a legal hold or eDiscovery, the employee must immediately surrender his/her device on request, after which all files may be copied and the relevant ones used to pursue the legal matter. Employees who are subject to a legal hold might have certain restrictions on device usage and should continue to work under those restrictions.

f. Training users and helpdesk support

Stating the policy is the easy part. The hard part is to train users on what the policy means and how to protect the information on their devices, as the BYOD trend and MDM implementation are relatively young and not well understood by users. Users must be made aware of the risks and penalties that will result if sensitive corporate information is leaked, whether by accident or intentionally. Sharing the device with family and friends should be discouraged, and employees must be made aware of the risks that might emerge from such behaviour. Violation of these rules must attract appropriate disciplinary controls as defined by the policy.

It is crucial for employees to understand that the helpdesk is to be contacted first if a device is lost or stolen. Once the incident is reported, the helpdesk can quickly issue a data wipe to the device over the air. Many employees, in a wave of panic, inform the carrier about the lost or stolen device first. In that case a wipe delivered over the cellular network can no longer reach the device, because the carrier has already suspended service at the employee's request; a wipe command pushed over IP still reaches the device if it later joins a Wi-Fi network, but a thief who keeps the device offline will never receive it. Remote wipe is therefore a best-effort control, and the protection the organization can actually rely on is the device-level encryption, lock code and failed-attempt wipe enforced before the loss. Any charges incurred, such as fraudulent calls, may be reimbursed by the company later.

Apart from employees, helpdesk and support staff must undergo mandatory training to reduce the chance of miscommunication on any query raised by employees. Care must be taken that they don't accidentally invalidate the EULA policy by supplying incorrect answers. Extensive mock drills must be conducted after every policy review or revision to minimize such incidents. FAQ manuals must be made available online to everyone for ready reference.

g. Addressing Authentication issues

For better security, two-factor authentication is used for accessing corporate information. Since the device is unknown in the BYOD case, the challenge is how to achieve this. One approach is for the server to send a random one-time code by text message to the phone number registered for the user in the corporate directory. The user's password is the "something you know" factor and the phone that receives the code is the "something you have" factor; presenting both completes two-factor authentication. Two caveats apply. The code must be short-lived, single-use and limited in the number of guesses allowed, otherwise it adds little. And SMS is a weak possession factor, since the code can be captured by SIM swap or message interception, so where the MDM can provision a certificate or an authenticator app on the device, that is the stronger second factor.
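The following is an added example, written for this page and not code from the whitepaper or from any MDM product, showing the server side of the one-time-code flow just described: the code is generated with a CSPRNG, only an HMAC of it is stored, it expires after a fixed lifetime, it is consumed on first successful use, and it is invalidated after a few wrong guesses. The `send_sms` hook, the 6-digit length, the 300-second lifetime and the 3-attempt limit are assumptions chosen here.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the whitepaper): server side of an SMS one-time
# code used as the possession factor. The send_sms hook, 6-digit codes,
# 300 s lifetime and 3-attempt limit are assumptions for this example.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class OtpStore:
    """Issues and verifies one-time codes delivered to a registered phone."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms               # callable(phone_number, message)
        self._clock = clock                     # injectable so expiry can be tested
        self._pending = {}                      # username -> {digest, expires, attempts}
        self._pepper = secrets.token_bytes(32)  # stored digests are useless without it

    def _digest(self, username, code):
        msg = ("%s:%s" % (username, code)).encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, username, registered_phone):
        """Generate a code with a CSPRNG, store only its HMAC, send it out of band."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = {
            "digest": self._digest(username, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The number comes from the directory, never from the login request,
        # so an attacker cannot redirect the code to a phone they control.
        self._send_sms(registered_phone, "Your login code is %s" % code)

    def verify(self, username, code):
        """True exactly once for a correct, unexpired code; wrong guesses are limited."""
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[username]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(username, code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]   # single use; brute force cut off
        return ok


def two_factor_login(password_ok, otp_store, username, code):
    """Both factors must pass: password (knowledge) and code (possession).
    The code is only checked after the password, so a wrong password cannot
    burn the user's pending code."""
    return bool(password_ok) and otp_store.verify(username, code)


if __name__ == "__main__":
    outbox = []
    store = OtpStore(lambda phone, msg: outbox.append((phone, msg)))
    store.issue("alice", "+91-registered-number")   # placeholder number
    sent_code = outbox[-1][1].split()[-1]
    print(two_factor_login(True, store, "alice", sent_code))   # True
    print(two_factor_login(True, store, "alice", sent_code))   # False: already used
```

The `clock` parameter exists only so that expiry can be exercised without sleeping; in production the default `time.time` is used. Note that the store keeps an HMAC of the code rather than the code itself, so a dump of the pending table does not hand an attacker valid codes.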

h. Defining Mobile Device Security Rules [12]

A device used for accessing corporate data must meet the following prerequisites:

• The device user must have signed the company's EULA policy.

• It must be protected by a personal identification number (PIN).

• It has to support a code lock.

• It has to have an auto-lockout feature.

• It has to support encryption.

• It has to support remote wipe.

Further, security policies must be enforced via the MDM, such as:

• A user-defined lock code of the minimum length defined in the policy.

• An auto-lockout period set as per the policy.

• A data wipe issued when the user reports the device stolen.

• An automated data wipe (corporate data only, or both corporate and personal) after "x" incorrect attempts to open the lock screen.

• All corporate data encrypted with a strong key.

7. MDM DEPLOYMENT [8]

Essential components of MDM to consider during the deployment phase are:

a. Policy

A well-defined policy provides management direction and support for IT and information security, and is the foundation on which the rest of the framework is implemented.

b. Risk Management

Risk should be assessed periodically. For high-risk cases, additional controls may be implemented to reduce risk to an acceptable level; for low or non-existent risks, minimal controls may suffice.

c. Configuration Management

This is the automatic configuration of device settings such as password policy, email, Wi-Fi and VPN. Pushing these settings from the server eliminates user error and removes the vulnerabilities that misconfiguration would otherwise introduce. It also includes configuration lockdown according to the user's role-based permissions, so that corporate IT mobility policies are enforced rather than merely recommended.

d. Software Distribution

This covers over-the-air updates and patches for operating systems and applications, synchronisation, fixes and so on. Backup and restore become vital when a device crashes, is replaced, or is wiped intentionally or by accident. When aligned with the corporate mobile policy, software distribution ensures that only trusted mobile applications are distributed, and together with configuration management it enables white-listing and black-listing of applications on the device. Applications should be security-tested separately, before they are distributed over the air via the MDM, rather than being trusted on the strength of their source alone.

e. Procurement issues

It is important to coordinate with the HR and Legal teams to define the terms and conditions in the policy and in employee agreements. Liability for all parties must be clearly defined. This should cover private use of corporate services, expense compensation, the employee privacy policy, shared responsibility for device and content security, misuse, and secure wipe of the device, including personal data, in case of loss or theft.

f. Device policy compliance and enforcement

This covers device supply, control and tracking. An asset-based inventory is a prerequisite for policy enforcement: it is what the corporate and regulatory mandates are checked against, covering password and encryption settings, jailbroken or rooted device detection, and the privacy-based separation of corporate content from personal content. It also generates alerts and notifications about devices, users and apps. Overall, it provides a governing control over mobile endpoints that can be tested against ISMS standards such as ISO 27001, which also simplifies audit activities.
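To show how the rules listed under "Defining Mobile Device Security Rules" above can be checked against the inventory data the MDM collects, as in the compliance step just described, here is an added example, not code from the whitepaper or from any vendor's product: a small evaluator that scores device records against a policy table and maps the result to an enforcement action. The policy thresholds, the record field names and the four sample devices are all assumptions constructed for this example.

```python
# Added example (not from the whitepaper or any MDM product): checking device
# inventory records against the mobile device security rules and choosing an
# enforcement action. Policy thresholds, field names and records are assumptions.

POLICY = {
    "min_pin_length": 6,               # lock code of minimum length per policy
    "max_autolock_seconds": 300,       # auto-lockout period per policy
    "max_failed_unlock_attempts": 10,  # automated wipe after "x" incorrect tries
    "require_encryption": True,
    "require_remote_wipe": True,
    "require_signed_eula": True,
    "allow_jailbroken": False,
}

# Constructed inventory records: the OS and identifier a device reports at
# activation, plus the attributes the compliance check needs.
DEVICES = [
    {"device_id": "dev-001", "os": "iOS", "eula_signed": True,
     "code_lock_enabled": True, "pin_length": 6, "autolock_seconds": 120,
     "wipe_after_failed_attempts": 10, "encryption_enabled": True,
     "remote_wipe_supported": True, "jailbroken": False, "reported_lost": False},
    {"device_id": "dev-002", "os": "Android", "eula_signed": True,
     "code_lock_enabled": True, "pin_length": 4, "autolock_seconds": 900,
     "wipe_after_failed_attempts": None, "encryption_enabled": False,
     "remote_wipe_supported": True, "jailbroken": False, "reported_lost": False},
    {"device_id": "dev-003", "os": "Android", "eula_signed": False,
     "code_lock_enabled": True, "pin_length": 6, "autolock_seconds": 60,
     "wipe_after_failed_attempts": 10, "encryption_enabled": True,
     "remote_wipe_supported": True, "jailbroken": True, "reported_lost": False},
    {"device_id": "dev-004", "os": "iOS", "eula_signed": True,
     "code_lock_enabled": True, "pin_length": 8, "autolock_seconds": 60,
     "wipe_after_failed_attempts": 10, "encryption_enabled": True,
     "remote_wipe_supported": True, "jailbroken": False, "reported_lost": True},
]


def evaluate(device, policy=POLICY):
    """Return (compliant, findings) for one inventory record."""
    findings = []
    if policy["require_signed_eula"] and not device.get("eula_signed"):
        findings.append("EULA not signed")
    if not device.get("code_lock_enabled"):
        findings.append("no lock code set")
    elif device.get("pin_length", 0) < policy["min_pin_length"]:
        findings.append("lock code shorter than %d" % policy["min_pin_length"])
    autolock = device.get("autolock_seconds")
    if autolock is None or autolock > policy["max_autolock_seconds"]:
        findings.append("auto-lock missing or longer than %ds" % policy["max_autolock_seconds"])
    threshold = device.get("wipe_after_failed_attempts")
    if threshold is None or threshold > policy["max_failed_unlock_attempts"]:
        findings.append("wipe-after-failed-attempts not set or too high")
    if policy["require_encryption"] and not device.get("encryption_enabled"):
        findings.append("storage encryption disabled")
    if policy["require_remote_wipe"] and not device.get("remote_wipe_supported"):
        findings.append("remote wipe unsupported")
    if device.get("jailbroken") and not policy["allow_jailbroken"]:
        findings.append("device is jailbroken/rooted")
    return (not findings, findings)


def decide_action(device, findings):
    """Map a record and its findings to the action the MDM should issue."""
    if device.get("reported_lost"):
        return "remote_wipe"        # user reported lost/stolen: wipe now
    if device.get("jailbroken"):
        return "selective_wipe"     # platform protections gone: remove corporate data
    if findings:
        return "quarantine"         # block corporate access until remediated
    return "allow"


def compliance_report(devices, policy=POLICY):
    """Evaluate every record; returns {device_id: (action, findings)}."""
    report = {}
    for device in devices:
        _, findings = evaluate(device, policy)
        report[device["device_id"]] = (decide_action(device, findings), findings)
    return report


if __name__ == "__main__":
    for dev_id, (action, findings) in compliance_report(DEVICES).items():
        print(dev_id, action, "; ".join(findings) or "compliant")
```

The order of checks in `decide_action` is deliberate: a lost device is wiped regardless of its other state, a jailbroken device loses corporate data even if every other setting is correct, and everything else is blocked from corporate resources rather than wiped, so a user who simply picked a short PIN is not punished with data loss.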

g. Enterprise Activation / De-Activation

A proper implementation of enrolment, the step that connects a mobile device to the enterprise network, reduces the administrative burden of provisioning and re-provisioning on the IT department. Details exchanged with the server typically include the OS version, a device identifier, the IMEI number and so on. After activation, configuration settings such as enabling encryption, password settings and application restrictions are pushed to the device.

h. Enterprise Asset Disposition

This covers removal of physical devices on de-commissioning, and release to the BYOD owner on device exchange, upgrade or permanent de-commissioning. Follow-up procedures include notifying inventory management, generating a receipt for the user and accepting the user's acknowledgement. If de-commissioning is permanent, corporate data must be securely wiped and the device handed back to the employee with his or her private data untouched.

i. User Activity Logging

Logging must be carried out in accordance with the privacy laws, rules and regulations of each country in which the company operates. Professional legal counsel should be consulted before defining the policies governing user activity logging.

j. Security Settings

These fall into data security and user security. Data security covers wiping corporate and/or personal data when a device is lost or stolen, and the role-based user permissions enforced via the MDM. User security covers encryption, authentication on enterprise portal login (including certificate-based authentication), the lock code, and selective wipe when a remote wipe is issued: a selective wipe leaves personal data as it is and erases only the corporate data residing on the device.

8. CHALLENGES DURING MDM IMPLEMENTATION [6]

a. Hidden costs and corporate governance issues

Enterprises typically see MDM as a way to save costs while managing mobile endpoints effectively, and often treat it as a complementary exercise run in tandem with a BYOD policy. The reality is that if the BYOD business policy is not properly defined or effectively enforced, the MDM solution will be patchy at best and cost-prohibitive at worst.

Mobile operating systems also sandbox third-party applications, including the MDM agent, so the agent can enforce only those controls that the platform's management APIs expose. A rooted or jailbroken device is the one place where an agent could reach further, and that is precisely the state the policy must forbid, so it is no basis for enforcement. As mobile operating systems evolve, more MDM-like features are being provided natively by the platform itself.

Corporate governance becomes complex when mobile endpoints, which may or may not be owned by the enterprise, are added to the asset inventory. If the mobile device policy or BYOD policy is not properly defined, the MDM will report false positives, or a large number of false negatives if it is poorly implemented. This lowers employee morale and causes confusion at the workplace, and cost escalation is the direct consequence of a bad MDM implementation.

b. Employee unawareness about information security while using mobile endpoints

Employees may freely share their devices with co-workers, family members or friends, which increases the chance of accidental breaches of corporate information. In extreme cases identity theft may result, and if damage is caused, whether unintended or deliberate, the blame rests squarely on the employee, who may face consequences such as dismissal for a fraud committed by a "friend". Using social engineering, a competitor can fool an employee into handing over the device for "a few minutes" and gather valuable information for corporate espionage.

To counter these threats and the associated risk, information security awareness programs and trainings must be conducted with mandatory attendance, to equip employees to recognise and resist such attacks.

9. PICKING THE RIGHT MDM VENDOR [4]

Looked at closely, security features such as remote wipe, encryption and enforced password requirements are standard and provided by almost all vendors. Look instead at the other areas where a product can address your business needs better.

Key factors to consider while shopping for an MDM solution:

• Deployments: Assess how efficiently the MDM agent can be deployed on a new device. Deploying new phones is not a one-time job; it never ends.

• White-list and black-list filters: You will have apps that every employee must install, some that are banned, and some that you insist are updated to at least a certain version.

• Custom app store: Does the vendor offer a way to distribute in-house apps that are not published on the public app stores, and to set up a company app store experience?

• Application security: Does the vendor offer built-in scanning for malicious applications?

• Browser security: Filtered mobile web browsing can lower the risk of attack on a device. Does the MDM provider implement this level of security?

• Encryption levels: Do you have to encrypt the entire device, or does the provider let you encrypt company-specific or selected files and folders?

• Data wiping: Is selective wipe supported, erasing only corporate data when a remote wipe is issued?

• Auto-provisioning of devices: Is there an option for automatic device provisioning?

• Architecture: Examine the vendor's approach, such as sandbox, virtualisation or an integrated approach. This matters for understanding the vendor's technology and for your future road-map planning.

• Location capabilities and network access restrictions: Do you want to let employees use the device's camera for personal use but not at the office? Check whether the solution supports such policies, and how robust they are.

• Inventory management: Is it easy to search, filter and modify individual mobile endpoints among hundreds of managed devices? What filtering capabilities are provided?

• Reports: Is there built-in reporting for newly provisioned devices, apps out of compliance, and devices that have not checked in for a day or a week?

10. MDM VENDORS

a. Popular MDM Vendor List

• MobileIron

• AirWatch

• Zenprise

• Good Technology

• FiberLink

• BoxTone

b. Salient Features of some of the leading MDM vendors [11]

MobileIron:

• Healthy mix of partnerships with distribution channels and OEMs such as AT&T, Vodafone, Apple, Google, Microsoft, RIM, Cisco, HP and IBM.

• Demonstrates life-cycle management, including usage monitoring, cost control, application deployment and version control.

• Strong support for both corporate and personal devices.

• Strong reporting and dashboard capabilities.

• Supports text-message archiving for devices connected to corporate email.

AirWatch:

• Strong security focus, with enterprise integration services that encrypt traffic between the enterprise's servers and its cloud system.

• Offers web-based as well as agent-based enrolment.

• Strong profiling capability, with detailed and easy-to-use policy settings.

• Strong administrative interface that is easy to use and manage.

• Easily scalable; supports large numbers of users across multiple regions.

Zenprise:

• Zenprise Mobile DLP provides secure container solutions for data held on the local mobile device as well as data accessed in the cloud.

• Application black-listing works across Apple iOS and Google Android devices.

• Offers its own secure web gateway and can also integrate with Blue Coat Systems and Palo Alto Networks.

Good Technology:

• Large installed base in regulated sectors such as financial services, government, defence, public sector, healthcare and professional services.

• Strongest implementation of containerization among the vendors surveyed.

• Strong security capabilities, including FIPS 140-2 validated crypto libraries, end-to-end 192-bit encryption, multi-factor authentication and multiple certifications.

11. HOW WE CAN HELP YOUR ORGANIZATION

a. Strong support from the Solutions Team

NII has been working in close association with leading MDM solution products. Our solutions team is well trained and qualified to handle any support-related queries you may have.

Currently our MDM partnership is with MobileIron. Our team consists of certified MobileIron experts who understand each module of the solution and have extensive hands-on experience.

b. Security Awareness Trainings

We conduct numerous security trainings for our clients and help them understand the risks of carrying corporate data on their mobile devices. We set out the precautions and industry best practices they need to follow to secure sensitive information.

c. Social Engineering Exercises

We also conduct live social engineering exercises that demonstrate, with practical examples, how even a reasonably security-aware person can be taken in by a cleverly crafted social engineering attack. Knowledge of these kinds of attacks helps keep your corporate data secure in the hands of your employees.

12. REFERENCES

1. http://en.wikipedia.org/wiki/Mobile_device_management

2. http://en.wikipedia.org/wiki/Bring_your_own_device

3. http://www.secureworks.com/resources/whitepapers-shortcut/74568

4. http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450

5. http://www.intel.in/content/dam/www/public/us/en/documents/best-practices/enabling-employee-owned-smart-phones-in-the-enterprise.pdf

6. http://software.intel.com/sites/billboard/sites/default/files/Maintaining_Info_Security_Allowing_Personal_Hand_Held_Devices_Enterprise.pdf

7. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf

8. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Device_Management_Key_Components.pdf

9. http://www.wavelink.com/whitepapers/avalanche-delivery-whitepaper.pdf

10. http://i.dell.com/sites/content/business/solutions/whitepapers/en/Documents/unlocking-power-mobile-device-management.pdf

11. https://dell.symantec.com/system/files/Magic_Quadrant_for_Mobile_Device_Management_Software.pdf

12. http://searchsecurity.techtarget.com/news/2240148521/BYOD-security-policy-not-MDM-at-heart-of-smartphone-security

13. http://boxtone.com/white-paper-lp/enterprise-iphone-ipad-ciso-security-wp-web.aspx

14. http://info.desktone.com/whitepaper-byod-implications-for-it-virtual-desktops.html

