Networking

07:45 PM
Kurt Marko
Kurt Marko
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

BYOD Security: Do You Really Need MDM?

IT is being stampeded into adopting MDM to protect mobile devices. But it's not a silver bullet, and it may be overkill for many needs where conventional wireless network security best practices will suffice.

IT pros can be excused for feeling besieged by the influx of user-owned smartphones and tablets that are linking up to corporate WLANs, email systems and Web apps. But employees are only one source of IT's stress. The other is vendors. Companies large and small are stampeding IT into buying MDM software and services as the wonder app to fix all their BYOD security problems. But MDM isn't a silver bullet, nor necessarily needed for all situations, particularly at SMBs.

MDM replicates the central command and control model so dear to IT that was originally disrupted when PCs invaded the enterprise. Fast forward a couple decades and we're into the latest iteration of client chaos and IT's ongoing battle for control. Indeed, the notion that IT can install some software hooks into every employee's phone or tablet and gain unfettered command over every setting and bit of local data is seductive. But in an era where the phone or tablet is an extension of someone's personal life, this dream is not only unrealistic, it's probably unnecessary.

Mobile devices are inherently connected, meaning virtually no information is persistently stored on the device itself. Smartphones and tablets are portals to online services. Yes, there's still bits of sensitive corporate data on an employee's device, like contact lists and cached email attachments, but IT's bigger concern in this post-PC era should controlling who and what is actually on your WLAN, a job better handled by wireless intrusion prevention systems, WIPS.

As I write in the latest InformationWeek State of WLANs report, "A WIPS is an independent radio frequency overlay to existing WLANs that continuously scans the full 2.4 GHz and 5GHz spectrum range, not just defined Wi-Fi channels, for unauthorized devices -- a WLAN security guard in the ether, if you will. As intruders are detected, the WIPS can proactively block both rogue APs and endpoints."

In fact, as Kaustubh Phanse, Chief Evangelist at AirTight Networks, an innovator in WIPS technology, argues, WIPS can complement MDM. He points out that MDM doesn't provide visibility to, nor control over, the devices actually accessing your network. WIPS can enforce network access policies and can automatically direct unregistered users through a captive portal to download any necessary MDM agents or software before gaining unfettered network access.

Network Access Control (NAC) systems can also enforce network policies, but WIPS provides a superset of NAC features tailored for wireless environments. Whereas NAC works at the network (MAC) level, WIPS adds in control at the RF level. For example, NAC can't detect a rogue AP sitting behind a legitimate laptop acting as a bridge, while WIPS can. In addition to AirTight, other vendors with WIPS products include Cisco Systems, Meru Networks, and Motorola Solutions' AirDefense.

[ Join us at Interop Las Vegas for access to 125+ IT sessions and 300+ exhibiting companies. Register today! ]

But wait, doesn't MDM prevent unprotected mobile devices from spreading malware over your internal networks? In theory, yes; in reality, no. Malware of the type used for Advanced Persistent Threats (APTs) must be targeted at a specific OS, so the chances of a smartphone-infecting Trojan spreading to your servers or routers are essentially nil.

Furthermore, preventing such contagion certainly doesn't require complete control over the endpoint. Sure, mobile malware might access your contact list and location information, and some may eventually evade OS sandboxes to siphon email messages and attachment downloads, but at present, it doesn't threaten your infrastructure. So the question IT needs to ask is how much control over a relatively limited set of mobile device data do you need or can afford? For most organizations, it's probably more important to prevent unauthorized devices accessing and snooping your network than it is to worry about every bit of data on an employee's personal device.

The biggest threat to mobile data loss is lost or stolen devices, and there are plenty of cheap or free ways to nuke one of those. Any iPhone or Android owner that hasn't activated Find My iPhone, Where's my Droid, or the equivalent service is asking for heartbreak the first time their phone comes up missing. Many smaller IT departments can leverage these services as a backstop to keep sensitive data from prying eyes. For example, IT could use Apple's free iOS Configuration Utility to automatically configure employees' phones with an IT-controlled AppleID solely for use with Find My iPhone and use Device Restrictions to keep thieves from turning it off. Of course, this control must be used cautiously on personal devices since sometimes it may be false alarm; you may be erasing a phone that a VP absent-mindedly left in his second car for a few days.

Don't get me wrong: MDM is an important adjunct to IT's administrative toolbox, but it's only one piece of a security portfolio, and one that some organizations can delay in several ways, including judicious use of online services, policies and application choices that keep persistent data off of smartphones. Some employee training and the use of low-cost or even free remote wiping systems are other options. Before rushing off to lock down personal devices with MDM, it's far more important to harden the network they'll be using with both wireless-specific products like WIPS and standard network security tools such as firewalls, IPSs, UTM appliances and automated monitoring software.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kmarko
50%
50%
kmarko,
User Rank: Apprentice
3/12/2013 | 7:12:42 PM
re: BYOD Security: Do You Really Need MDM?
We're onto the concept of mobile device virtualization and app compartmentalization; indeed I have a report for IW Reports that should be published in the next couple weeks diving into this technology. Keep an eye peeled.
Adam2IT
50%
50%
Adam2IT,
User Rank: Apprentice
3/12/2013 | 5:26:48 PM
re: BYOD Security: Do You Really Need MDM?
Another approach to minimizing the security risks and support challenges of BYOD is to separate the data and applications from the personal devices. This can be achieved by using virtualization and cloud technologies to publish corporate Windows applications or virtual desktops and accessing them from a browser.

One solution that facilitates this approach is Ericom AccessNow. AccessNow is an HTML5 RDP client that enables any device (including iPads, iPhones and Android devices) with an HTML5-compatible browser to access Windows applications and virtual desktops.

There's nothing to install on the end user device. Users simply click on a URL and run their applications and desktops inside a browser tab. This improves security by keeping sensitive applications and data in the data center, while reducing support issues, as IT staff don't need to worry about device compatibility with corporate applications.

This white paper - "BYOD is Here to Stay, But Organizations Must Adapt" - discusses additional strategies for addressing some of the challenges of BYOD:
http://www.ericom.com/wp-byod....

Please note that I work for Ericom
lgarey@techweb.com
50%
50%
lgarey@techweb.com,
User Rank: Apprentice
3/12/2013 | 4:41:38 PM
re: BYOD Security: Do You Really Need MDM?
I sometimes get a sneaking suspicion that IT departments that impose Draconian requirements before they let employees even get email (we now own your phone) are actually not all that interested in supporting BYOD and would just as soon have people say, "oh hell no." Then, when management asks why they're not seeing savings from carriers and phone hardware or boosts in productivity, they can point to the pesky user who refuse to give IT the right to nuke their vacation pics. Lorna Garey, IW Reports
More Blogs from Commentary
Infrastructure Challenge: Build Your Community
Network Computing provides the platform; help us make it your community.
Edge Devices Are The Brains Of The Network
In any type of network, the edge is where all the action takes place. Think of the edge as the brains of the network, while the core is just the dumb muscle.
Fight Software Piracy With SaaS
SaaS makes application deployment easy and effective. It could eliminate software piracy once and for all.
SDN: Waiting For The Trickle-Down Effect
Like server virtualization and 10 Gigabit Ethernet, SDN will eventually become a technology that small and midsized enterprises can use. But it's going to require some new packaging.
IT Certification Exam Success In 4 Steps
There are no shortcuts to obtaining passing scores, but focusing on key fundamentals of proper study and preparation will help you master the art of certification.
Hot Topics
3
IT Certification Exam Success In 4 Steps
Amy Arnold, CCNP/DP/Voice,  4/22/2014
3
Edge Devices Are The Brains Of The Network
Orhan Ergun, Network Architect,  4/23/2014
1
Heartbleed Flaw Exploited In VPN Attack
Mathew J. Schwartz 4/21/2014
White Papers
Register for Network Computing Newsletters
Cartoon
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed