UEM to marry security — finally — after long courtship

Machine learning will be key in evaluating whether a mobile device and its user should be allowed to connect to a corporate application or data silo, as user behavior becomes a part of overall endpoint security.


The days of enterprise security being a separate entity from mobile and desktop endpoint management are coming to an end, which should delight infrastructure and security teams who’ll eventually have more powerful machine learning-enabled tools at their disposal — and a single console through which to control them.

Security around mobile and desktop infrastructures has traditionally depended on what's being managed; you purchase one for mobile devices and another for the rest of your endpoints, whether laptop or desktop.

While security threats are growing, particularly phishing attacks via email, SMS or hyperlinks, the amount of money companies spend on mobile security appears to be shrinking. And yet, the percentage of organizations that admit to having suffered a mobile compromise grew in 2019, according to a Verizon survey.

Two-thirds of organizations said they are less confident about the security of their mobile assets than other devices, according to Verizon's Mobile Security Index report. The 2019 survey included 700 small, medium and large companies.

Over the past year and a half, vendors have moved to more tightly integrate security with unified endpoint management (UEM), offering a more comprehensive strategy for securing all enterprise endpoints, according to Nick McQuire, a senior vice president of research at CCS Insight.

UEM involves products that provide a centralized policy engine for managing and securing corporate laptops and mobile devices from a single console. Essentially, UEM platforms represent the next generation of device management; in many ways, it’s a culmination of mobile device management (MDM), enterprise mobility management (EMM), mobile application management (MAM) and client management philosophies.

“There are products now that have, or are close to, the single-console approach to unified endpoint and security management," said Phil Hochmuth, vice president of mobile research at IDC. "For smaller firms, or organizations with lean IT staffs, this consolidation is key. For larger organizations, role-based separation and access to features and dashboards will be important."

Machine learning now in the mix

Machine learning-based security is taking access control for corporate applications and data to a new level: UEM platforms not only decide who can log into those systems but also continuously monitor what employees are doing while using corporate apps and data repositories.

“We absolutely believe the way the industry is moving forward is it shouldn’t matter what kind of device you have, you should get an appropriate security policy based on the device and other contextual variables, such as who owns the device, where in the world you’re located, what time of day you’re accessing something, or if you’re on a public Wi-Fi,” said Rob Smith, a research director at Gartner.

Under what is known as a "zero-trust" framework, end users are subject to predetermined parameters tied to their roles in the company; if their actions fall outside the boundaries of safe behavior for that role, system access can be cut off.

“A lot of [threat detection] has to do with knowing what the device is, who the user is…, the health of the device and making sure the user is tied to their credential and that credential is tied to the device,” said Bill Harrod, federal CTO at MobileIron. “Then it’s about being able to evaluate the risk in all those places.”

In short, zero trust means being able to take proactive measures before an organization is compromised or loses a significant amount of data. While machine learning plays a part, companies also have to ensure they have trusted communication channels, meaning data is encrypted while in transit and at rest. That can help avoid common security issues, such as man-in-the-middle and ransomware attacks, Harrod said.

It also means "taking measures to quarantine [a breach] or stop continuous user authorization" because nothing can stop an employee from doing anything they want once they've input the correct credentials, Harrod said.

Zero trust relies on multifactor authentication, analytics, encryption and file system-level permissions; it includes dynamic enforcement of access rules, not only for a user's identity but also for their device and the context in which they're attempting access. The result is that users are given the minimum amount of access to accomplish a specific task.
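The paragraphs above describe the decision a zero-trust UEM platform makes on every request: confirm the user is tied to the credential and the credential to the device, check the device's health, then weigh context (ownership, location, time of day, network, freshness of MFA) against how sensitive the requested data is. The following is an added illustration of that logic, not code from MobileIron, BlackBerry, Microsoft or any other product named on this page; the device record stands in for what a UEM agent would report, and the OS floors, expected countries, risk budgets and field names are all assumptions made for the example.

```python
"""Context-aware (zero-trust) access decision: an added example, not vendor code.

Device posture would come from the UEM agent in a real deployment; here it is a
constructed record. Policy values below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    corporate_owned: bool
    os: str                       # e.g. "iOS", "Android"
    os_version: Tuple[int, ...]   # e.g. (13, 4, 1)
    compliant: bool               # UEM compliance state: encrypted, not jailbroken, ...
    enrolled_user: str            # user whose credential is bound to this device


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    sensitivity: int              # 1 = low, 2 = medium, 3 = high (assumed classification)
    country: str                  # ISO country code from geolocation
    hour_utc: int
    public_wifi: bool
    minutes_since_mfa: int


# Assumed policy values; a real deployment reads these from the UEM policy engine.
MIN_OS_VERSION = {"iOS": (13, 0, 0), "Android": (10, 0, 0)}
EXPECTED_COUNTRIES = {"HU", "AT", "DE"}
MFA_FRESH_MINUTES = 60
# Risk points each data tier tolerates before the request is challenged or refused.
RISK_BUDGET = {1: 3, 2: 2, 3: 1}


def _pad(version: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Normalise (13,) or (13, 4) to three components so tuple comparison is safe."""
    return tuple(list(version) + [0] * (3 - len(version)))[:3]


def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Decide one request and explain why. Run on every request, not only at
    login, so a device that drifts out of compliance loses access mid-session."""
    dev = req.device

    # Hard requirements: user tied to credential, credential tied to device, device healthy.
    if dev.enrolled_user != req.user:
        return Decision.DENY, ["credential is not bound to this device"]
    if not dev.compliant:
        return Decision.DENY, ["device reported non-compliant by UEM"]
    floor = MIN_OS_VERSION.get(dev.os)
    if floor is None:                                   # unknown platform: fail closed
        return Decision.DENY, [f"unsupported OS {dev.os!r}"]
    if _pad(dev.os_version) < floor:
        shown = ".".join(map(str, dev.os_version))
        return Decision.DENY, [f"{dev.os} {shown} is below the policy minimum"]

    # Soft signals: each adds risk; how much is tolerable depends on the data requested.
    risk, reasons = 0, []
    if not dev.corporate_owned:
        risk += 1; reasons.append("personally owned device")
    if req.country not in EXPECTED_COUNTRIES:
        risk += 2; reasons.append(f"access from unexpected country {req.country}")
    if req.hour_utc < 6 or req.hour_utc >= 22:
        risk += 1; reasons.append("outside normal working hours")
    if req.public_wifi:
        risk += 1; reasons.append("public Wi-Fi")
    mfa_stale = req.minutes_since_mfa > MFA_FRESH_MINUTES
    if mfa_stale:
        risk += 1; reasons.append("MFA is stale")

    budget = RISK_BUDGET[req.sensitivity]
    if risk <= budget:
        return Decision.ALLOW, reasons
    # A fresh MFA removes exactly one risk point; only offer step-up when that
    # would bring the request within budget, otherwise it would loop forever.
    if mfa_stale and risk - 1 <= budget:
        return Decision.STEP_UP, reasons
    return Decision.DENY, reasons


if __name__ == "__main__":
    # Constructed sample: a compliant corporate iPhone used from the office.
    phone = Device("ios-001", True, "iOS", (13, 4, 1), True, "alice")
    req = AccessRequest("alice", phone, 3, "HU", 10, False, 5)
    print(evaluate(req))
```

The point of the two-stage structure is that identity binding and device health are preconditions, not risk factors: a device whose credential belongs to someone else is refused outright rather than merely scored. Context then decides between allowing, re-challenging and denying, with the tolerated risk shrinking as the data gets more sensitive, which is the "minimum access for the task" outcome the text describes.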

While not a new concept, adding zero-trust capabilities to UEM is at the leading edge of device management, and enterprises should expect some, though not all, vendors to begin selling single-console products over the next year and a half, Smith said.

“Gartner sees a convergence of management and security, however, they will remain separate buying centers,” Smith said. “But, there will be vendors such as Microsoft, VMware and BlackBerry who’ll offer it as a single solution.”

For example, VMware last year bought Carbon Black, a cloud-delivered endpoint security vendor whose product uses artificial intelligence (AI) and machine learning to protect endpoints through behavior recognition. In October, BlackBerry announced the availability of its mobile threat defense (MTD) product combined with its Unified Endpoint Management product — the result of its acquisition in 2018 of AI/ML security vendor Cylance.

“It’s taking time for those internal silos to break down between the security side and the UEM side to come up with singular products,” Smith said. “This is something that will evolve over the next 12 to 18 months, as these vendors take their existing management products and make them work with their new security companies.”

Microsoft has essentially already merged its existing endpoint management and security products through its Microsoft 365 E5 license, which includes Microsoft Defender ATP and Intune, both administered from Microsoft's cloud consoles.

Microsoft is only missing the MTD intelligence piece, according to Smith. But it's expected to integrate with several of the mobile threat defense vendors, as it has with Lookout, and feed their data directly into Microsoft Defender ATP.

“However, the price leap from an E3 license to an E5 is quite big and really only adds security, so I don’t think the same pressure [to buy a single-pane solution] will apply here — at least, not yet,” Smith said.

How MOL Group tied security to mobile

MOL Group, an international oil and gas company based in Budapest, Hungary, supports about 4,200 employee devices for executives, office staff, truck drivers and delivery workers.

MOL currently provides corporate-owned iOS devices to its business managers, Windows phones to its office-based staff, and both Android and iOS tablets to field workers such as delivery drivers and maintenance workers. MOL also supports a BYOD deployment for employees who prefer to use their own devices at work.

Most of the company’s apps are customized by third-party developers and support a variety of business tasks such as route planning and optimization for deliveries. The apps are securely deployed to iOS and Android devices through MobileIron Apps@Work, an enterprise application catalog that also lets IT push updates to devices.

MOL employees use MobileIron’s secure browser, Web@Work, to access internal web resources and get approvals from their managers. And employees across the company can securely access and share files through SharePoint and internal company sites.

MOL said it has also improved mobile security by containerizing apps such as Kiteworks, Web@Work, Email+ and Docs@Work on mobile devices.

Before the company turned to MobileIron, employees would often save corporate documents to external hard drives to work on at home later. This put corporate data at risk because IT had no control over how documents were shared.

Mobile devices can now be configured and secured remotely, and apps can be silently installed, updated or removed without any end-user intervention. If an employee leaves the company, or if a device becomes compromised, IT can lock down or remotely wipe the device to ensure corporate data doesn’t fall into the wrong hands.

“Now we can identify all of the devices on our network, know who is connecting to which resources, and see which OS and app versions they are running,” said Ákos Dányi, senior expert of group office applications at MOL. “This is essential to helping us control access to back-end resources and ensure that all devices are running the most current app and OS versions."

Even industry leaders are just now rolling it out

MobileIron and BlackBerry are currently two of the leading providers of UEM zero-trust solutions, according to McQuire.

For example, in November, BlackBerry added several zero-trust software updates to its flagship Enterprise Mobility Suite.

“BlackBerry has had a security focus for some time — even before acquiring Cylance,” said Jack Gold, principal analyst for J.Gold Associates. “They are now porting those AI security features to the mobile device world from their previously PC-centric offering. They are also moving in a workspaces direction as they offer secured on-device access through secured browsers and [Office] 365 type access."

Single-console management isn’t the ultimate benefit of unifying security and endpoint management, according to IDC's Hochmuth. The biggest benefit is the integration of data and analytics between endpoint management and security, which will be transformational, he said.

When vendors add artificial intelligence to UEM, it opens up the possibility of self-healing end-user computing environments and automated breach and vulnerability responses.

“Beyond that, businesses can use this data to optimize and improve how employees with technology do their job. This can drive more efficiency, creativity and productivity and — ultimately — better business outcomes,” Hochmuth said.

Copyright © 2020 IDG Communications, Inc.
