Though often marketed as security solutions, Mobile Device Management tools have too narrow a focus. The issue is that most MDM products are concerned with the wrong “D.” They’re focused on managing devices, when the real challenge for IT security is Data.
Managing a device and securing it are different activities, and you need to be aware of their differences. MDM functions such as provisioning and controlling profiles are important, and profiles do contain some security settings. That doesn’t mean they’re comprehensive security tools, nor does it mean MDM is a suitable way to secure your data. To understand why, one first needs to understand a few things about MDM.
What is MDM?
On most platforms, Mobile Device Management allows the owner of a mobile device (or some authority to whom the owner has ceded control) to push specific configuration settings known as profiles to that device. The settings available vary from device to device and OS to OS. Apple’s iOS “Configuration Profile Reference,” for example, says that the list of features the administrator can enforce includes:
- Restrictions on device features
- Wi-Fi settings
- VPN settings
- Email server settings
- Exchange settings
- LDAP directory service settings
- CalDAV calendar service settings
- Web clips
- Credentials and keys
Certainly, some of these features look like they might be helpful for security – the ability to configure a VPN or distribute keys and certificates in particular. Modern versions of iOS even have the ability to separate applications between “enterprise” and “personal” to restrict the movement of files between the two sides. Unfortunately, while some of these can be a piece of an overall security solution, none of this adds up to real security on its own.
Restricting Features Equates to Restricting Usefulness
If your goal is to deploy a tablet as a kiosk device or as a shared device used only for a single function (e.g. for field or healthcare workers), then the ability to disable device features is just what’s needed. MDM makes a great deal of sense for such use cases. In a “Bring Your Own Device” (BYOD) or “Corporate Owned, Personally Enabled” (COPE) scenario, however, it is clearly unacceptable to shut off access to a host of services that are valuable to the user, even in the interest of protecting corporate data.
In practice, most enterprise users need more flexibility in order to engage in productive workflows.
Here, MDM controls don’t “secure” workflows as much as they shut them down. Feature restrictions can negatively impact the usability of the device and productivity with it. They also fail to address many of the real sources of device insecurity such as user error, unsecured third-party apps, a lack of encryption, and poor data visibility.
Do You Know Who’s Using Your Data?
One MDM setting commonly assumed to be useful for security is the ability to force a device-wide, complex passcode. Strong authentication is necessary when dealing with sensitive data, and enterprises are right to demand authorization for users seeking access. At the same time, a blanket approach to this authentication is not the way to go about it.
Device-wide passcodes aren’t really about the data. They’re about the device. And to assume otherwise causes two separate problems.
Firstly, if an enterprise forces a complex passcode on the whole device, that complexity is forced on personal data as well as the corporate data – employees will have to enter a passcode to make a phone call, check social media, or even browse the Internet. This is a huge inconvenience, and a large imposition on the user’s personal life. Many users may even reject this, particularly for a personally-owned device, causing the enterprise to lose out on the reason they adopted mobility or BYOD in the first place.
Furthermore, such approaches can have questionable benefits, at best. By putting the barrier around the entire device and not simply around sensitive data, you actually expose your data to greater risk. Hands up for anyone who’s ever let someone else use their device.
Have your kids ever played a game on your phone? Has a spouse ever borrowed that phone to make a call? Has a friend ever Googled something on your tablet?
Not only do whole-device MDM passcode policies get in the way of the user’s personal life, they potentially allow corporate data to be accessed by people outside the company – friends and family members who have reason to use the device, but no reason to access the company’s data.
Why A Single Passcode Isn’t the Way to Enforce Access Control
Closely related to the passcode issue is how access control is actually enforced. If a device is lost or stolen, sensitive data should ideally be encrypted in such a way that an attacker cannot get to it. When a single passcode is the only thing protecting the device, all encryption keys lead back to it.
And if that passcode walls off personal data as well as corporate, the user of that device will likely have defaulted to a 4-digit numeric passcode. They quite reasonably don’t want to enter in a string of complex characters just to make a phone call or play a game. Their code can thus usually be cracked in a matter of seconds, at which point all data on the device is exposed – from corporate credentials to critical content to sensitive configurations.
By protecting corporate data with a separate passcode, you’ll be able to use a much stronger encryption key for enterprise information while maintaining better usability for the device as a whole.
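The following is an added example, written for this page rather than taken from it or from any vendor’s implementation, that models the two designs just described: in the whole-device model every data key is derived from the one device passcode, while in the container model the corporate keys are derived from a separate secret and so no longer depend on the device passcode. The PBKDF2 iteration count, the assumed guess rate, the salts, the passcodes and the data labels are all constructed assumptions.

```python
import hashlib
import os

# Constructed parameters for this example (assumptions, not figures from the article).
PBKDF2_ITERATIONS = 200_000
GUESS_RATE_PER_SECOND = 10_000  # assumed rate at which passcode guesses can be tested
PERSONAL = ("personal_photos", "personal_messages")
CORPORATE = ("corporate_mail", "corporate_vpn_cert")

def derive_key(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the 256-bit key depends only on the secret and its salt."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate secrets an exhaustive search must cover."""
    return alphabet_size ** length

def worst_case_seconds(length: int, alphabet_size: int,
                       guesses_per_second: int = GUESS_RATE_PER_SECOND) -> float:
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second

def whole_device_keys(device_passcode: str, salt: bytes) -> dict:
    """Single-passcode model: every data key is derived from the one device key."""
    device_key = derive_key(device_passcode, salt)
    return {label: hashlib.sha256(device_key + label.encode()).digest()
            for label in PERSONAL + CORPORATE}

def container_keys(device_passcode: str, device_salt: bytes,
                   container_passphrase: str, container_salt: bytes) -> dict:
    """Container model: corporate keys come from a separate, stronger secret,
    so they do not depend on the device passcode at all."""
    keys = whole_device_keys(device_passcode, device_salt)
    container_key = derive_key(container_passphrase, container_salt)
    for label in CORPORATE:
        keys[label] = hashlib.sha256(container_key + label.encode()).digest()
    return keys

if __name__ == "__main__":
    print(f"4-digit PIN: {keyspace(4, 10):,} candidates, {worst_case_seconds(4, 10):.0f} s")
    d_salt, c_salt = os.urandom(16), os.urandom(16)
    weak = whole_device_keys("1234", d_salt)
    split = container_keys("1234", d_salt, "an-example-container-passphrase", c_salt)
    print("corporate key no longer tied to device PIN:", weak["corporate_mail"] != split["corporate_mail"])
```

At the assumed guess rate the 4-digit keyspace is exhausted in one second, while the container keys remain unchanged when the device passcode changes, which is the separation the paragraph above argues for.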
How Do You Deal with Multiple Data Owners?
When you cede control of a device to a single authority, which authority should that be? BYO and COPE devices both have a mix of data. Much of the data on my device will belong to my employer, and they’ve a right to control it. However, there might also be data belonging to a partner company – should that company be able to control the device, too?
What about data from a medical professional which they’ve a legal obligation to protect? Should my doctor control the device too, or should I let my employer have access to my medical records? What about my bank, or my insurance company, or my lawyer, or anyone else with whom I interact and who has a duty of care regarding the information that we share?
The concept of device management as a security tool swiftly breaks down when more than one entity owns the data on a device. Very real privacy concerns quickly rise to the surface in its place.
The Real Solution For Data Security
MDM controls are important device management tools, and have their place in enterprise. However, they should not be misconstrued as security solutions. It’s both valuable and convenient to be able to automatically configure some settings on behalf of the user, but it is naïve to think such controls alone will protect your data.
That’s why thousands of organizations large and small (including 100% of the Fortune commercial banks, aerospace and defense companies in the FORTUNE® 100, and dozens of governments around the world) deploy application-level data containerization. This preserves the end-user experience of mixing personal and corporate apps without unnatural corporate personas, intrusive whole-device passcodes or geolocation tracking. Many also use MDM, but for what it is designed for: device management.
When it comes to the other D, they rely on BlackBerry.