MDM is not security, warns mobile security expert Eric Green

Mobile device management (MDM) is not about security, says US security expert Eric Green from Mobile Active Defense Partners

Mobile device management (MDM) is not about security, according to Eric Green, senior vice-president of business development at security firm Mobile Active Defense Partners.

“There is no security in MDM; its ability to secure a device is nowhere near what it needs to be,” Green told attendees of the 2012 (ISC)2 Security Congress in Philadelphia.

About a year ago, there was a rush to MDM solutions and organisations thought they were secure, said Green. But now those organisations are realising that simple MDM does not address the wider security issues.

In the light of this realisation, MDM suppliers and organisations are trying to cobble together multiple point solutions to meet security and compliance requirements, but that creates complexity, which is bad for security, and it often breaks, said Green.

“Another problem is that when things go wrong, no-one agrees whose responsibility it is because of so many products being involved,” Green said.

The security situation is exacerbated by the implementation of bring-your-own-device (BYOD) programmes, said Green.

BYOD is not a great idea but everyone is doing it, he said, which means information security professionals are faced with the challenge of finding a way to enable BYOD as securely as possible.

This is no easy task in the face of malicious apps, infected websites, spam, operating system hacking, Trojans and viruses.

“It all boils down to risk, and there will always be risk left over that someone will have to sign off,” said Green, adding that it is important that this person fully understands the extent of the risk.

10 requirements for effective mobile security

According to Green, there are 10 requirements for an effective mobile security system. It must:

  1. Treat desktops, laptops, smartphones and tablets the same way. All the standards and safeguards used for desktops and laptops should be applied to newer devices as a bare minimum.
  2. Work for both corporate and personal devices.
  3. Provide blacklisting and remediation for bad applications.
  4. Have the ability to clean or block personal email.
  5. Ensure that the user cannot remove or disrupt the security protections.
  6. Offer jailbreak and rogue behaviour detection and remediation.
  7. Support multiple platforms via a single console.
  8. Encrypt and force all traffic through a VPN when required. IPsec is critical as it is much more secure than SSL.
  9. Offer both cloud-based and appliance-based versions for maximum flexibility.
  10. Offer the same level of security as found on laptops, including content filtering for all browsers.

Green predicts that application inspection and monitoring will become a big market in future and that it is likely to have cloud-based scanning at its core.

Six basic elements for effective mobile security

Beyond that, he said it is important for any organisation planning mobile device roll-outs to get the basics right. These include:

  1. Proper planning.
  2. Buy-in from executives, information security and IT.
  3. Across-silo requirement setting.
  4. Proper evaluation and testing of suppliers.
  5. Input from the legal department.
  6. Evaluation and acceptance of the risk.

The key is to start small with a small number of devices and only one or two platforms, otherwise things are likely to go wrong, said Green.

“It is better to start small and assess your network’s ability to cope with the new traffic before rolling out mobile devices across the whole organisation,” he said.
