Special Coverage Series

Network Computing

Special Coverage Series

Commentary

Kurt Marko
Kurt Marko Contributing Editor

BYOD Security: Do You Really Need MDM?

IT is being stampeded into adopting MDM to protect mobile devices. But it's not a silver bullet, and it may be overkill for many needs where conventional wireless network security best practices will suffice.

IT pros can be excused for feeling besieged by the influx of user-owned smartphones and tablets that are linking up to corporate WLANs, email systems and Web apps. But employees are only one source of IT's stress. The other is vendors. Companies large and small are stampeding IT into buying MDM software and services as the wonder app to fix all their BYOD security problems. But MDM isn't a silver bullet, nor necessarily needed for all situations, particularly at SMBs.

MDM replicates the central command and control model so dear to IT that was originally disrupted when PCs invaded the enterprise. Fast forward a couple decades and we're into the latest iteration of client chaos and IT's ongoing battle for control. Indeed, the notion that IT can install some software hooks into every employee's phone or tablet and gain unfettered command over every setting and bit of local data is seductive. But in an era where the phone or tablet is an extension of someone's personal life, this dream is not only unrealistic, it's probably unnecessary.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

Mobile devices are inherently connected, meaning virtually no information is persistently stored on the device itself. Smartphones and tablets are portals to online services. Yes, there's still bits of sensitive corporate data on an employee's device, like contact lists and cached email attachments, but IT's bigger concern in this post-PC era should controlling who and what is actually on your WLAN, a job better handled by wireless intrusion prevention systems, WIPS.

As I write in the latest InformationWeek State of WLANs report, "A WIPS is an independent radio frequency overlay to existing WLANs that continuously scans the full 2.4 GHz and 5GHz spectrum range, not just defined Wi-Fi channels, for unauthorized devices -- a WLAN security guard in the ether, if you will. As intruders are detected, the WIPS can proactively block both rogue APs and endpoints."

In fact, as Kaustubh Phanse, Chief Evangelist at AirTight Networks, an innovator in WIPS technology, argues, WIPS can complement MDM. He points out that MDM doesn't provide visibility to, nor control over, the devices actually accessing your network. WIPS can enforce network access policies and can automatically direct unregistered users through a captive portal to download any necessary MDM agents or software before gaining unfettered network access.

Network Access Control (NAC) systems can also enforce network policies, but WIPS provides a superset of NAC features tailored for wireless environments. Whereas NAC works at the network (MAC) level, WIPS adds in control at the RF level. For example, NAC can't detect a rogue AP sitting behind a legitimate laptop acting as a bridge, while WIPS can. In addition to AirTight, other vendors with WIPS products include Cisco Systems, Meru Networks, and Motorola Solutions' AirDefense.

[ Join us at Interop Las Vegas for access to 125+ IT sessions and 300+ exhibiting companies. Register today! ]

But wait, doesn't MDM prevent unprotected mobile devices from spreading malware over your internal networks? In theory, yes; in reality, no. Malware of the type used for Advanced Persistent Threats (APTs) must be targeted at a specific OS, so the chances of a smartphone-infecting Trojan spreading to your servers or routers are essentially nil.

Furthermore, preventing such contagion certainly doesn't require complete control over the endpoint. Sure, mobile malware might access your contact list and location information, and some may eventually evade OS sandboxes to siphon email messages and attachment downloads, but at present, it doesn't threaten your infrastructure. So the question IT needs to ask is how much control over a relatively limited set of mobile device data do you need or can afford? For most organizations, it's probably more important to prevent unauthorized devices accessing and snooping your network than it is to worry about every bit of data on an employee's personal device.

The biggest threat to mobile data loss is lost or stolen devices, and there are plenty of cheap or free ways to nuke one of those. Any iPhone or Android owner that hasn't activated Find My iPhone, Where's my Droid, or the equivalent service is asking for heartbreak the first time their phone comes up missing. Many smaller IT departments can leverage these services as a backstop to keep sensitive data from prying eyes. For example, IT could use Apple's free iOS Configuration Utility to automatically configure employees' phones with an IT-controlled AppleID solely for use with Find My iPhone and use Device Restrictions to keep thieves from turning it off. Of course, this control must be used cautiously on personal devices since sometimes it may be false alarm; you may be erasing a phone that a VP absent-mindedly left in his second car for a few days.

Don't get me wrong: MDM is an important adjunct to IT's administrative toolbox, but it's only one piece of a security portfolio, and one that some organizations can delay in several ways, including judicious use of online services, policies and application choices that keep persistent data off of smartphones. Some employee training and the use of low-cost or even free remote wiping systems are other options. Before rushing off to lock down personal devices with MDM, it's far more important to harden the network they'll be using with both wireless-specific products like WIPS and standard network security tools such as firewalls, IPSs, UTM appliances and automated monitoring software.



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.