Taking control of smartphone proliferation while avoiding user anarchy

With smartphone proliferation raging through companies, IT teams are turning to MDMs to keep corporate data safe. Are current MDMs up to the task?

Many companies will start the year with even more users demanding to attach their new smartphones and tablets to the corporate network. Some companies will welcome this tablet and smartphone proliferation, seeing it as a sign of employees wanting to improve their productivity and work long hours. Others see the trend as an unwelcome addition to network complexity and a potential security risk.

According to a survey of firms with 100 to 1,000 employees, carried out at the end of 2011 by Berkshire-based Star Technology Services of UK, acceptance of user-owned devices is still low. Only one in four workplaces surveyed allowed more than a tenth of workers to use their own devices for work. The BlackBerry was still seen as the safest and easiest to integrate, followed by Apple’s iPhone and iPad devices, while Android trailed behind, with Windows Mobile bringing up the rear.

But are companies right to be so cautious about what are undoubtedly becoming the users’ devices of choice over the traditional Windows laptop?

Security risks of mobile devices
The virus threat to new mobile devices is still small. Kaspersky Lab has seen just two viruses aimed at Apple’s iOS, and although the total number of viruses targeted at Android has now reached 1,000, that is a drop in the ocean against the vast flood of Windows-based malware.

So the worry is not about malware, not yet anyway. The bigger concern for most companies grappling with mobile devices is data loss. What if a device containing confidential information is left in a taxi or in a bar? Or what if an employee leaves the company with all that data on their personal property? What rights does the company have to remove the information, and how would the company enforce its rights?

Furthermore, how does the IT department control which apps users download on to their phone or tablet? Apps are fairly well regulated on the Apple App Store, but the Android Market is currently a free-for-all; unregulated apps can perform all kinds of unforeseen tasks, such as calling premium-rate numbers and racking up huge call charges, or installing spyware that can exfiltrate information to a remote server.

For hard-pressed IT administrators, the sheer variety and complexity of the new technical landscape, with its different hardware and operating systems, may be just too hard to support. Fortunately, new tools are now becoming available to help them manage the task, and in some cases allow the users to support themselves.

Mobile device management tools
If a device is being used for work purposes, the IT team will want to ensure corporate data on the device is correctly handled. This usually means setting some ground rules, often by some kind of contract with the user, underpinned by the use of technology to enforce those rules.

Some more cautious companies have chosen to implement a virtual desktop on the mobile device, in effect turning the device into a Windows terminal. But while that delivers security and can prevent any corporate data from being stored on the device, it means the look and feel of the iPad or Android tablet is lost. So that method may not be popular with users.

It is more likely that companies will choose from the growing range of mobile device management (MDM) systems to help enforce their policies. MDM features vary from vendor to vendor (and are developing fast in line with the market), but they will generally perform a couple of important functions: enforcing encryption by the use of strong passwords, and providing the ability to remotely lock or wipe devices.

Using an MDM can ensure that if a phone or tablet goes missing, nobody can read its contents without the password. If necessary, the IT team can wipe the data remotely and disable the device.

However, if the company decides to give users freedom of choice, then it will have to deal with a range of device platforms, and this can make the job of managing them (and securing them) more challenging. Apple’s iOS is markedly different from Android, and implementations of Android vary between handset manufacturers, so any MDM product must be able to cope with them all.

Tablet and smartphone proliferation
Although Google is constantly improving Android and adding new enterprise-friendly features, it can take a long time for the features to be implemented by the handset manufacturers, and sometimes even longer for the telecommunications provider to send down the updates to the device itself. Consequently, the company could be supporting multiple versions of multiple operating systems at the same time, including older versions that do not support encryption.

“All these different devices and operating systems make the situation very complicated for IT, because they have no idea if the user has encryption or not,” said Ojas Rege, vice president of products for Calif.-based MDM vendor MobileIron. “And they don’t have the time or resources to figure that out. So it is very confusing, which tends to slow deployment.”
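The two MDM functions described above (enforcing encryption and passcodes, and locking or wiping a lost device) and the blind spot Rege describes (IT not knowing whether a given device is encrypted) can be made concrete with a small policy evaluator. The following is an added example, not code from the article or from any MDM vendor it names; the device records, the version minimums in the policy and the action names are constructed for illustration, and a real MDM would populate the inventory from its own device agents.

```python
"""Evaluate an MDM device inventory against a minimal corporate policy.

Added example: not code from the article or from any MDM vendor it names.
Device records, version thresholds and action names are constructed for
illustration; a real MDM would fill the inventory from its device agents.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    platform: str               # "ios", "android", "blackberry", "windows_mobile"
    os_version: tuple           # e.g. (4, 0, 3); compared component-wise
    passcode_set: bool
    encrypted: Optional[bool]   # None: the MDM could not determine it
    reported_lost: bool = False


# Illustrative policy. The version minimums are assumed values for this
# example, not a claim about which real OS releases support encryption.
POLICY = {
    "min_encryption_version": {"ios": (4, 0), "android": (4, 0)},
    "require_passcode": True,
}


def _ver(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def evaluate(device: Device, policy=POLICY) -> dict:
    """Return the policy findings for one device and the action to take."""
    findings: List[str] = []
    minimum = policy["min_encryption_version"].get(device.platform)
    if minimum is None:
        findings.append(f"platform '{device.platform}' not covered by policy")
    elif device.os_version < minimum:
        findings.append(
            f"OS {_ver(device.os_version)} is below encryption minimum {_ver(minimum)}")
    if policy["require_passcode"] and not device.passcode_set:
        findings.append("no passcode set")
    # Unknown encryption state is treated as non-compliant: the MDM cannot
    # show the data is protected, which is exactly the blind spot described.
    if device.encrypted is None:
        findings.append("encryption status unknown")
    elif not device.encrypted:
        findings.append("storage not encrypted")

    if device.reported_lost:
        # A lost device that is encrypted and passcode-locked is unreadable,
        # so a remote lock suffices; anything weaker than that is wiped.
        action = "remote_lock" if not findings else "remote_wipe"
    elif findings:
        action = "block_corporate_access"
    else:
        action = "allow"
    return {"device_id": device.device_id, "user": device.user,
            "compliant": not findings, "findings": findings, "action": action}


def evaluate_inventory(devices, policy=POLICY) -> list:
    return [evaluate(d, policy) for d in devices]


# Constructed inventory reflecting the mixed estate the article describes.
INVENTORY = [
    Device("d1", "jsmith", "ios", (5, 0, 1), True, True),
    Device("d2", "agreen", "android", (2, 3, 6), True, None),
    Device("d3", "bkhan", "android", (4, 0, 3), False, True, reported_lost=True),
    Device("d4", "cleung", "ios", (5, 0), True, True, reported_lost=True),
]

if __name__ == "__main__":
    for result in evaluate_inventory(INVENTORY):
        print(result["device_id"], result["action"],
              "; ".join(result["findings"]) or "ok")
```

The design choice worth noting is that an unknown encryption status is a finding, not a pass: a device the MDM cannot assess is treated exactly like one it knows to be unencrypted, and a lost device is only locked rather than wiped when every protection the policy requires is confirmed.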

Axelle Apvrille, a malware researcher with network security vendor Fortinet in France, has also observed that updates of mobile device software can take a while to reach users.

“The operating system has to be implemented by the handset manufacturers, and that can take time,” Apvrille said. “Then the operators don’t send the new firmware to their customers. It’s a complicated process. You often have security of one or two years ago on your phone.”

MobileIron has come up with a solution to the problem of multiple devices and operating systems with version MobileIron 4.5, which it says provides a single management platform for all flavours of Android, as well as Apple, Windows Mobile and BlackBerry smartphones, so that mobile policies can be centrally managed.

Another MDM vendor, Good Technology, goes one step further and allows the company to create a secure encrypted partition – or “container,” as Good Technology calls it – on the user’s mobile device. According to Andy Jacques, the company’s general manager for EMEA, Good for Enterprise allows a company to protect its data on the user’s phone without interfering with the “personal” part of the phone or tablet. “Within the container, business and security rules apply; outside the container, users can do what they want, within reason.”

Good has also worked with suppliers of cloud-based storage services, such as DropBox, to produce a secure version of the Good app that will sit in the container.

“The biggest security risk comes from the well-intentioned user,” Jacques said. “Cloud storage apps are popular because they allow users to store data easily in the cloud and then pick it up at home. It’s great for the well-intentioned user, but a nightmare for the CISO. It’s outside his control.”

According to Jacques, the Good Technology product allows users to continue using their favourite cloud service to store files, but now the cloud storage process comes under overall corporate control. This means, for example, if a user saves an Excel file with corporate data to the cloud, Good's technology ensures it is saved using the secure version of the cloud service app, such as DropBox.

Oxford-based security vendor Sophos has also entered the market with Sophos Mobile Control that, as well as doing basic MDM functions, allows companies to set up an Enterprise App Store. The aim is to create a self-service model for users, under company control.

The company’s head of data protection product management, Matthias Pankert, said Sophos has decided against the containerisation approach.

“You can do containerisation on the Android or Apple device, so all corporate information is contained in the sandbox,” Pankert said, “but users want the same look and feel as the rest of their applications, with interaction between the phone book and apps, and between email and making phone calls.”

In any case, Pankert said Apple’s latest iOS 5 operating system supports a “dual persona” approach on a single device, with enterprise apps, enterprise email, and VPN connections all under the control of the company. If the company wants to withdraw access for any reason, it doesn’t have to wipe the entire device. It can just withdraw the company certificate and the company’s data becomes unusable. Those same features, however, are not yet available for Android.

Bring your own device (BYOD) or company-owned?
Many experts believe mobile computers (including smartphones and tablets) will go the same way as the company car: What was once a valuable perk of the job is now largely superseded by a car allowance that allows the employee to choose their own mode of transport.

The BYOD trend has already become mainstream in the US. A study by Good Technology indicated 60% of its US customers support BYOD programmes. That trend looks set to be followed here, with companies bumping up the monthly pay packet by £20 or £30 and leaving the choice of computer to the user.

For most companies, it makes a lot of sense unless your data is vitally sensitive. As Sophos’s Pankert points out, “MDM doesn’t give you military- or government-grade security. But in those circumstances, you’d probably still have two machines, one for work and the other for personal.”

By contributing to the user’s costs, the employer earns the right to demand a certain level of behaviour on behalf of the users when handling corporate data, and this will need to be written into some form of contract and security policy.

This is likely to focus on the company’s right to protect or destroy corporate data if the device is lost or stolen, or if an employee leaves the company. If the MDM allows selective wiping, it should not be a problem, but if the system can only do a complete data wipe, then the employees should be made aware of that at the outset.

Added load on the network
Finally, it is worth remembering that mobile devices are not only used when out on the road, but are also increasingly popular within the office environment and could soon be putting the corporate wireless network under strain.

Employees who, a year or two ago, carried just a corporate laptop for some limited applications, may now carry two or even three devices. The tablets and smartphones will be on all the time, even when the user is moving around the office, and their multimedia applications, such as FaceTime, will often require much higher bandwidth.

“You may have 1,000 employees, but you have to plan for 2,000 to 3,000 devices,” said Roger Hockaday, director of marketing, EMEA, for Aruba Networks in Hertfordshire. “The number of corporate laptops stays the same, but we now have more tablets and phones to support. The way people use these devices is very different. With a laptop, you sit at a desk. With an iPad, you wander around using it, with relatively high bandwidth applications.”

He believes it is also necessary to analyse network traffic more closely. For example, if a user tries to log into the corporate Wi-Fi network with his or her mobile device, but using the credentials created for laptop authentication, would the network spot the difference? Hockaday thinks not: “At the moment, if you have a username and password, you can bring any device on to the network. There may be no firewall or AV on it, but the company would not know.”

Companies therefore have to put in place network control, as well as device control, Hockaday concluded, in order to identify and manage the devices, track where they go, and also manage the applications they run over the corporate network.
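Hockaday's question, whether the network would notice laptop credentials being used from a phone, is essentially a check of the authenticating device against an enrollment registry and a device fingerprint. The following is an added example, not code from the article or from Aruba Networks: it parses constructed Wi-Fi authentication log lines in a made-up format, classifies each device from its DHCP vendor class and HTTP user agent, and raises an alert when the device is not enrolled for that user or when its fingerprint contradicts what was enrolled. The log format, the registry and every address in it are constructed for illustration.

```python
"""Flag corporate credentials used from unenrolled or mismatched devices.

Added example, not from the article or from Aruba Networks. The log format,
the enrollment registry and all MAC addresses are constructed for illustration.
"""
import re

# Constructed log lines in a made-up RADIUS-style format:
#   <timestamp> user=<name> mac=<addr> dhcp_vendor="<vendor class>" ua="<user agent>"
SAMPLE_LOG = """\
2012-01-09T08:02:11 user=jsmith mac=00:21:5c:aa:bb:01 dhcp_vendor="MSFT 5.0" ua="Mozilla/5.0 (Windows NT 6.1)"
2012-01-09T08:05:42 user=jsmith mac=f0:cb:a1:11:22:33 dhcp_vendor="" ua="Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X)"
2012-01-09T08:07:03 user=agreen mac=00:21:5c:aa:bb:02 dhcp_vendor="MSFT 5.0" ua="Mozilla/5.0 (Windows NT 6.1)"
2012-01-09T08:09:57 user=agreen mac=38:e7:d8:44:55:66 dhcp_vendor="android-dhcp-2.3" ua="Mozilla/5.0 (Linux; U; Android 2.3.6)"
2012-01-09T08:12:30 user=jsmith mac=00:21:5c:aa:bb:01 dhcp_vendor="android-dhcp-2.3" ua="Mozilla/5.0 (Linux; U; Android 2.3.6)"
"""

# Constructed enrollment registry: devices each user has registered with IT.
ENROLLED = {
    "jsmith": {"00:21:5c:aa:bb:01": "laptop", "f0:cb:a1:11:22:33": "tablet"},
    "agreen": {"00:21:5c:aa:bb:02": "laptop"},
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>[0-9a-f:]{17}) '
    r'dhcp_vendor="(?P<vendor>[^"]*)" ua="(?P<ua>[^"]*)"$')


def classify(vendor: str, ua: str) -> str:
    """Coarse device-class fingerprint from DHCP vendor class and user agent."""
    text = f"{vendor} {ua}".lower()
    if "android" in text or "iphone" in text or "ipad" in text:
        return "mobile"
    if "msft" in text or "windows" in text:
        return "laptop"
    return "unknown"


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["device_class"] = classify(rec["vendor"], rec["ua"])
    return rec


def audit(log_text: str, enrolled=ENROLLED) -> list:
    """Return an alert for every authentication that the registry does not explain."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        enrolled_type = enrolled.get(rec["user"], {}).get(rec["mac"])
        if enrolled_type is None:
            # Valid username and password, but a device IT has never seen.
            reason = "device not enrolled"
        elif enrolled_type == "laptop" and rec["device_class"] == "mobile":
            # The address is enrolled as a laptop but the traffic looks like a phone.
            reason = "enrolled as laptop but fingerprints as mobile"
        else:
            continue
        alerts.append({"ts": rec["ts"], "user": rec["user"], "mac": rec["mac"],
                       "device_class": rec["device_class"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']} {a['mac']} [{a['device_class']}]: {a['reason']}")
```

Neither signal is strong on its own: a MAC address can be changed and a user agent is self-reported, so the check is a detection aid that feeds the device-control and network-control measures Hockaday describes, not a substitute for authenticating the device itself.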