The Chairman of one of our favorite partners, Mobile Active Defense aka MAD, speaks on mobile security and how just using MDM does not provide your enterprise with the security you need. Great job, Winn!!
MDM is not mobile security
I admit it, after almost thirty years in security, I guess I get a little finicky when I see terminology misused, misapplied and all too often, used to mislead.
I am a security guy, and I like engineering-style precision, especially in rapidly emerging security disciplines such as the Perfect Storm of Mobility. I am not going to criticize specific companies; rather I hope to offer clarification and a much needed more accurate alternative term – MDSM – Mobile Device Security Management.
First of all, MDM, in both iOS and Android, offers a compact set of tools for a fairly basic level of device management. However, despite the repeated erroneous claims to the contrary, MDM is a not a mobile security solution. If it were, your laptop security posture would be limited to the following:
–Password length, complexity & duration controls
–Block adult materials
–Block browser and a small handful of Browser controls
–Erase laptop within 24-72 hrs using native Active Sync
That’s it. That’s all you get with MDM.
Thus the crying need for MDSM in the BYOD environment.
What I argue is that the industry should explicitly refer to comprehensive mobile security as MDSM, Mobile Device Security Management, wholly independent of and distinct from MDM. At last count there were something like 80 MDM-only vendors, some of whom, more so than others, position MDM as an adequate mobile security solution.
Ask yourself a simple question: Would you (or your security sensitive organization) ever deploy laptops with the anemic list of capabilities above and call it security? Of course not. MDM is not security.
Many organizations, initially under the belief MDM tools alone would meet their security needs, are now discovering the cost and pain of dismantling their inadequate MDM approach in favor of deploying more comprehensive mobile MDSM suites.
Who today would deploy corporate laptops without at least some of the following controls in place?
–Anti-virus, anti-malware detection for email and downloads.
–Wireless and company communications over an iPSec VPN the user cannot bypass.
–Force all, or some defined subset, of traffic over corporate resources.
–IPS and hostile activity detection and remediation.
–Firewalls with highly granular controls.
–Hidden IP address of the device
–Corporate DLP and SIEM enforcement
All of the above are crucial components of MDSM, Mobile Device Security Management.
Of course the native MDM controls are one piece of a total mobile enterprise security architecture. But as many companies have discovered, MDM alone is not up to the task. As you examine MDSM in your shop, let me add some additional food for thought that should be considered in all mobile device deployment plans.
–Should your mobile population be secured with the same amount of care and diligence you take in your fixed enterprise?
–Does your existing policy sufficiently address mobile security and the added risks they present?
–Should a mobile device be treated as a ‘dumb terminal’?
–How do data in transit and data at rest on mobile devices differ and affect your organization’s ability to maintain compliance?
–Are you going to attempt to work out an acceptable security-functionality balance for a BYOD (Bring Your Own Device) policy?
–Or, will you only allow devices under company control to touch your networks, much as you do with BlackBerry today.
Admittedly, proper Mobile Device Security Management is not easy. Yet because MDSM includes many specialized security controls and processes, vastly different than MDM, MDSM is deserved of independent recognition and identity – wholly separate from MDM.