Mobile endpoint security: What enterprise infosec pros must know now
When members of the audience at the American Society for Association Executives' (ASAE) Technology Conference & Expo were asked how they created their mobile device management (MDM) policy, "We Googled it" was the primary answer, and this is not uncommon. Using a template and altering it for an organization's specific purpose is an increasingly standard practice for small and large companies alike that are taking the "why reinvent the wheel?" approach.
But Renato Sogueco, CIO of the Society of American Florists, chose a different path when creating his company's mobile device management policy.
"I wrote [our policy] from scratch. I listened to what we needed and created a policy that fit those needs. Before we had it, I felt powerless. These devices were invading our security. All of these small, shiny things. But guess what happens to small, shiny things that can do a lot? Aside from internal threats, these devices can get lost and stolen. We needed a way to reach out and physically touch a device if we needed."
Policy creation was essential for more than just allowing his organization's IT team to be able to "hit the nuke button," though, Sogueco said during his panel presentation, "Key Issues in Considering Mobile Device Policy and Implementation," during the ASAE conference last week in Washington, D.C.
"What made me develop a policy was change," he said. "It felt like I was continually taking punches with all of these new devices. First it was BlackBerry, then the iPhone and Android, then tablets. So I decided to proactively go on the offense. Doing nothing was no longer an option."
Framing the MDM policy and system
A mobile device management policy is only as good as the sum of its parts, though, and even more important as a component of a larger mobile device management framework.
Larry Covert, director of IT for ASAE, spoke about the evolving scope of MDM, highlighting the need to also focus on mobile content management and mobile application management.
"The MDM scope is growing all the time, and if these devices are on your network, you must look at them now, or it could end up costing you a whole lot more in the future." Covert also added that MDM is "beyond data loss considerations. You need to look at brand and organizational reputation."
The panelists also touched on the necessary considerations when developing a bring your own device (BYOD) policy. While there are many benefits to the proliferation of employee-owned devices in the workplace, there are also many security, privacy and IT support factors to consider (see Figure 1). When faced with employee resistance to ultimate IT administrative control over a personal device in the workplace, Sogueco said that "these are the rules of the game. If they don't want to adhere to them, then don't bring [your devices]."
Even though 86% of organizations cited data security as a top concern, according to a 2012 survey on employee-owned device management strategies from SoftwareAdvice.com, and most had a mobile device management policy in place, using a specific MDM system is far less common, with lack of resources and mobile framework immaturity being chief among the reasons.
What does an MDM system do, exactly? The panel defined it as "software that secures, monitors, manages and supports mobile devices deployed across enterprises for both company-owned and employee-owned devices." Why is it important? Security maintenance is the critical overlay, but MDM systems are beneficial and a growing necessity for many reasons, as the panel highlighted:
- Increase the scale of mobile deployments
- Gain real-time visibility into a mobile environment
- Administer consistent policies across devices
- Enforce enterprise security and compliance
- Protect data transmitted to and from devices
- Complete enterprise data loss prevention (DLP)
- Automate processes and issue resolution
- Analyze and report critical device information
While MDM systems comprise a few key elements, there is by no means a one-size-fits-all solution. "All robust MDM systems need a few core features, but it's really a matter of what you want to turn on, and what you want to pay for," according to Patrick McGugan, director of business management services at ARG Inc. McGugan also noted that each of these elements must be built for the management and protection of content, a necessary underlying consideration when evaluating and choosing an MDM system. (See Figure 2.)
Another critical component of a comprehensive MDM policy framework is an acceptable use policy that includes safety measures that shield against employer liability. The panelists highlighted a few typical elements included here based on their experiences:
- Employees are not allowed to use cell phones for work-related business while operating any vehicle.
- Before placing a cell phone call, employees must be stopped and using a hands-free headset.
- Employees are required to attend mandatory cell phone training and sign a contract showing that they understand the policy.
- Employees that disobey the policy will be disciplined.