Security Manager's Journal: Siccing MDM on personal mobile devices
Their use has gotten out of control. And mobile device management will play well with newly deployed NAC.
Computerworld - We looked into mobile device management (MDM) in 2012, but the time didn't seem right. Now, some 18 months later, things have changed, and MDM is looking more like a good fit for us.
There's no question that we need better control over the plethora of personally owned mobile devices connecting to our corporate network and accessing applications that contain sensitive company data. Naturally, we have policies that forbid users from connecting a personally owned device to the corporate network, but nothing enforces them. As a result, we have too many personal iPhones, iPads, Android devices and PCs on our network.
Back in 2012, we didn't feel that the MDM market was mature enough to fork over up to $300,000 per year to solve a problem that was somewhat mitigated by existing technology and processes. The mitigation came in part from the fact that users need a domain account to connect to our corporate wireless access points. We don't broadcast the SSID, and the network is encrypted behind a strong passphrase. But a hidden SSID is "security by obscurity" and only goes so far, and a shared passphrase is only as secret as the people who know it: it didn't take long for employees to spread the word about how to connect personally owned devices to the corporate Wi-Fi network.
Moreover, we were using Exchange ActiveSync (EAS) mailbox policies to push a security policy to any device that synchronized to obtain email. That served us well for several years, but EAS only reaches devices that sync mail and only covers a limited set of controls. In the current age, when mobile devices are being used to store and process ever more sensitive data, it neither scales nor meets the heightened security requirements.
As I said, the MDM market just wasn't mature a year and a half ago. There was talk of buyouts, compatibility issues and a lack of features. We couldn't find enough satisfied customers to make the investment seem worthwhile.
Much Has Changed
Today, though, prices have dropped, and the market has matured. What's more, our recent deployment of network access control (NAC) technology should complement an MDM deployment.
NAC is aimed at the desktops on our network. We're still working out the kinks, trying to eliminate false positives and establish a process for exempting certain devices. When we do turn on enforcement and start blocking non-corporate devices, we want NAC to use the MDM inventory as its control point: a mobile device is recognized as registered only if MDM knows it.
MDM will help us enforce our current mobile device policy: We can set it to accept only "strong" passcodes and to lock the device after a defined period of inactivity. We can also use it to wipe devices that go missing (a remote wipe takes effect only when the device next checks in, so it complements the passcode and lock rather than replacing them).
Even better, though, MDM will let us extend our policy to identify rooted or jailbroken devices and require compartmentalization of data. (Compartmentalization involves the separation of personal and corporate data; it will provide some flexibility, so that when an employee leaves the company, we can wipe only our company's data and not any of the employee's personal data.) We can also create a corporate application store, which means that when an employee leaves, we can just wipe the data associated with those corporate apps, leaving personal apps alone.
So here's the vision: Once NAC and MDM are in place, we will be able to easily identify any unregistered devices and bar them from the network. If users want to register any of those banned devices, they will have to comply with the security policy in exchange for seamless access to our network and to certain applications.
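The control-point logic described above (NAC asks MDM whether a device is registered, and MDM's compliance checks decide whether it may connect), as an added example that is not part of the original column or of any particular NAC or MDM product. The device records, policy thresholds, field names and MAC addresses are all constructed for illustration; real MDM inventories expose different attribute names, and the "quarantine" outcome assumes the NAC has a remediation VLAN to place non-compliant but registered devices on.

```python
"""Hypothetical NAC/MDM control point (constructed example, not vendor code).

NAC sees a MAC address on the network and looks it up in the MDM inventory.
Unknown or un-enrolled devices are denied; enrolled devices are checked
against the policy from the column (strong passcode, auto-lock, no
jailbreak/root, corporate data in a managed container) and either allowed
or sent to a remediation VLAN with the reasons for the failure.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Policy thresholds are assumptions chosen for the example.
POLICY = {
    "min_passcode_length": 6,
    "require_alphanumeric": True,
    "max_inactivity_minutes": 5,
    "max_checkin_age_days": 30,  # a device MDM hasn't heard from is not really managed
}


@dataclass
class Device:
    mac: str
    owner: str
    platform: str
    enrolled: bool
    passcode_set: bool = False
    passcode_length: int = 0
    passcode_alphanumeric: bool = False
    auto_lock_minutes: Optional[int] = None
    jailbroken: bool = False          # covers Android root detection too
    managed_container: bool = False   # corporate data compartmentalized
    days_since_checkin: int = 0


def normalize_mac(mac: str) -> str:
    """NAC logs and MDM inventories format MACs differently; compare on the hex digits only."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def compliance_failures(d: Device, policy: dict = POLICY) -> list[str]:
    """Return every policy rule the device fails (empty list means compliant)."""
    if not d.enrolled:
        return ["not enrolled in MDM"]
    failures = []
    if d.days_since_checkin > policy["max_checkin_age_days"]:
        failures.append("stale check-in")
    if d.jailbroken:
        failures.append("jailbroken/rooted")
    if not d.passcode_set or d.passcode_length < policy["min_passcode_length"]:
        failures.append("weak passcode")
    if policy["require_alphanumeric"] and not d.passcode_alphanumeric:
        failures.append("passcode not alphanumeric")
    if d.auto_lock_minutes is None or d.auto_lock_minutes > policy["max_inactivity_minutes"]:
        failures.append("auto-lock too long")
    if not d.managed_container:
        failures.append("no managed container")
    return failures


def admission_decision(mac: str, inventory: dict[str, Device],
                       policy: dict = POLICY) -> tuple[str, list[str]]:
    """Decide what NAC should do with a device it just saw.

    'deny'       -> unregistered or un-enrolled: block from the network
    'quarantine' -> registered but non-compliant: remediation VLAN, with reasons
    'allow'      -> registered and compliant
    """
    d = inventory.get(normalize_mac(mac))
    if d is None:
        return "deny", ["unregistered device"]
    if not d.enrolled:
        return "deny", compliance_failures(d, policy)
    failures = compliance_failures(d, policy)
    return ("quarantine", failures) if failures else ("allow", [])


def build_inventory(devices: list[Device]) -> dict[str, Device]:
    return {normalize_mac(d.mac): d for d in devices}


# Constructed inventory; none of these are real devices or people.
INVENTORY = build_inventory([
    Device("AA:BB:CC:00:11:22", "alice", "ios", enrolled=True, passcode_set=True,
           passcode_length=8, passcode_alphanumeric=True, auto_lock_minutes=2,
           managed_container=True, days_since_checkin=1),
    Device("aa-bb-cc-00-11-33", "bob", "android", enrolled=True, passcode_set=True,
           passcode_length=4, auto_lock_minutes=15, days_since_checkin=3),
    Device("AA:BB:CC:00:11:44", "carol", "ios", enrolled=True, passcode_set=True,
           passcode_length=8, passcode_alphanumeric=True, auto_lock_minutes=2,
           jailbroken=True, managed_container=True),
    Device("AA:BB:CC:00:11:55", "dave", "android", enrolled=False),
])

if __name__ == "__main__":
    for seen in ["aa:bb:cc:00:11:22", "AABBCC001133", "aa:bb:cc:00:11:44",
                 "aa:bb:cc:00:11:55", "de:ad:be:ef:00:01"]:
        print(seen, admission_decision(seen, INVENTORY))
```

The MAC normalization matters in practice: the NAC's RADIUS accounting and the MDM's device inventory rarely agree on case or separators, and a lookup that fails on formatting alone would deny a fully compliant device. The check also treats a device MDM has not heard from recently as non-compliant, since a stale record says nothing about the device's current state.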
I'll let you know how close we get to achieving that vision.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.