Security Manager's Journal: Siccing MDM on personal mobile devices
Their use has gotten out of control. And mobile device management will play well with newly deployed NAC.
Computerworld - We looked into mobile device management (MDM) in 2012, but the time didn't seem right. Now, some 18 months later, things have changed, and MDM is looking more like a good fit for us.
There's no question that we need better control over the plethora of personally owned mobile devices connecting to our corporate network and accessing applications that contain sensitive company data. Naturally, we have policies that forbid users from connecting a personally owned device to the corporate network, but they aren't enforced. As a result, we have too many personal iPhones, iPads, Androids and PCs on our network.
Back in 2012, we didn't feel that the MDM market was mature enough to fork over up to $300,000 per year to solve a problem that was somewhat mitigated by existing technology and processes. The mitigation came in part from the fact that users need a domain account to connect to our corporate wireless access points. We don't advertise the SSID and we have a strong password that enables encryption. But the "security by obscurity" approach only goes so far, and it didn't take long for employees to spread the word about how to connect personally owned devices to the corporate Wi-Fi network.
Moreover, we were using Microsoft ActiveSync to force a security policy to devices that were synchronized to obtain email. That served us well for several years, but in the current age, when mobile devices are being used to store and process ever more sensitive data, ActiveSync just doesn't scale or meet the heightened security requirements.
As I said, the MDM market just wasn't mature a year and a half ago. There was talk of buyouts, compatibility issues and a lack of features. We couldn't find enough satisfied customers to make the investment seem worthwhile.
Much Has Changed
Today, though, prices have dropped, and the market has matured. What's more, our recent deployment of network access control (NAC) technology should complement an MDM deployment.
NAC is aimed at the desktops on our network. We're still working out the kinks, trying to eliminate false positives and establish a process for exempting certain devices. When we do turn on enforcement and start blocking non-corporate devices, we want to use MDM as the control point for the identification of registered mobile devices.
MDM will help us enforce our current mobile device policy: We can set it to accept only "strong" passwords and to initiate device lock after a defined period of inactivity. We can also use it to wipe devices that go missing.
Even better, though, MDM will let us extend our policy to identify unlocked or jailbroken devices and require compartmentalization of data. (Compartmentalization involves the separation of personal and corporate data; it will provide some flexibility, so that when an employee leaves the company, we can wipe only our company's data and not any of the employee's personal data.) We can also create a corporate application store, which means that when an employee leaves, we can just wipe the data associated with those corporate apps, leaving personal apps alone.
So here's the vision: Once NAC and MDM are in place, we will be able to easily identify any unregistered devices and bar them from the network. If users want to register any of those banned devices, they will have to comply with the security policy in exchange for seamless access to our network and to certain applications.
I'll let you know how close we get to achieving that vision.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.