Dom Hume, VP of Product and Technical Services at Becrypt, outlines four themes that are important for organisations to consider when implementing a mobile device management strategy.
Many organisations are continually challenged by the risks of managing an ever-growing device estate. Successfully managing the complexity of multiple mobile software and hardware platforms requires a practical, secure and cost-effective way to manage, monitor and track devices.
This is best achieved through an end-to-end mobile device management (MDM) strategy, which can require consideration of the entire software and hardware stack, so that time and resources are spent effectively on securing and monitoring the mobile devices that access business-critical data.
Here are four themes I believe are important for organisations to consider when implementing a robust MDM strategy, much of which is based on work we have undertaken with UK government.
Choose a manufacturer committed to security patching
Android and iOS take fundamentally different approaches to the phone ecosystem. Apple runs a closed ecosystem in which it builds both the hardware and the operating system, whereas Android is an open platform on which third-party manufacturers build their own devices. Google releases security patches for its own Pixel phones at the same time as it publishes them to the wider Android community. Every other manufacturer then has to integrate, test and release the patch for its own handsets, which inevitably takes time. The result is a window during which publicly known vulnerabilities remain unpatched on those handsets and may be exploited. A manufacturer's track record of patch timeliness, visible on each device as its Android security patch level date, is therefore a selection criterion in its own right.
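The delay described above can be measured rather than guessed at. The following script is an added example, not code from the original article or from Becrypt: it takes an MDM inventory export of Android security patch levels (the system property ro.build.version.security_patch, a YYYY-MM-DD string) and reports how far each handset, and each manufacturer at worst, lags behind the latest Android security bulletin. The inventory rows, the bulletin date and the 60-day threshold are all constructed assumptions for the worked run.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed MDM inventory export; these are not real devices. "security_patch"
# holds the Android system property ro.build.version.security_patch, which an
# MDM agent can report, or an engineer can read with:
#   adb shell getprop ro.build.version.security_patch
INVENTORY = [
    {"device": "pixel-01", "vendor": "Google",  "security_patch": "2024-06-05"},
    {"device": "pixel-02", "vendor": "Google",  "security_patch": "2024-05-05"},
    {"device": "oem-a-01", "vendor": "VendorA", "security_patch": "2024-04-01"},
    {"device": "oem-a-02", "vendor": "VendorA", "security_patch": "2024-05-01"},
    {"device": "oem-b-01", "vendor": "VendorB", "security_patch": "2023-11-01"},
    {"device": "oem-b-02", "vendor": "VendorB", "security_patch": ""},  # property unset
]

# Assumptions for the worked run: the date of the latest Android security
# bulletin at the time of the check, and a policy threshold of roughly two
# monthly bulletins.
LATEST_BULLETIN = date(2024, 6, 5)
MAX_LAG_DAYS = 60


@dataclass(frozen=True)
class Finding:
    device: str
    vendor: str
    patch_level: Optional[date]   # None when the property is unset or malformed
    days_behind: Optional[int]    # None when patch_level is None
    compliant: bool


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse the YYYY-MM-DD patch level; treat anything else as unknown."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except (ValueError, AttributeError):
        return None


def assess(inventory, latest_bulletin=LATEST_BULLETIN, max_lag_days=MAX_LAG_DAYS):
    """Measure each handset's patch lag against the latest bulletin.

    A device with no readable patch level is non-compliant: it cannot be shown
    to carry any particular fix, so it is treated as the worst case.
    """
    findings = []
    for row in inventory:
        level = parse_patch_level(row.get("security_patch"))
        if level is None:
            findings.append(Finding(row["device"], row["vendor"], None, None, False))
            continue
        lag = (latest_bulletin - level).days
        findings.append(
            Finding(row["device"], row["vendor"], level, lag, lag <= max_lag_days)
        )
    return findings


def worst_lag_by_vendor(findings):
    """Largest lag per manufacturer; an unknown level counts as infinite."""
    worst = {}
    for f in findings:
        lag = float("inf") if f.days_behind is None else f.days_behind
        worst[f.vendor] = max(worst.get(f.vendor, 0), lag)
    return worst


if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        flag = "OK " if f.compliant else "LAG"
        print(f"{flag} {f.device:9} {f.vendor:8} patch={f.patch_level} behind={f.days_behind}")
    print("worst lag by vendor:", worst_lag_by_vendor(results))
```

Run against a real export, the per-vendor worst case is the number to put in front of procurement: a manufacturer whose handsets sit months behind the bulletin is leaving the window the section describes open across the whole estate, and a device that reports no patch level at all should be treated as unpatched rather than ignored.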
Plan your application lifecycle management
From an application provisioning perspective, the Apple App Store and Google Play Store perform the same function. Since its inception, the App Store has put apps through a quality and compliance gateway. Developers can still sign their own apps and push them to devices via some MDMs; however, those apps depend on the developer's signing certificate, and if that certificate is revoked they will no longer run.
A safer method is to submit the app to the App Store itself, where it is vetted to ensure it does not affect device functionality or security. Apple's Volume Purchase Program lets businesses buy and assign apps in volume, and lets developers distribute custom apps privately to specific customers. All iOS devices have the App Store built in; it can be switched off from an MDM server, and the organisation can instead push mandated apps and updates from the MDM server.
Google also vets apps, through a review process that can be somewhat slow. There is no dedicated business-only Play Store, but Google's 'private apps' concept lets an organisation distribute its own apps only to its users, keeping work apps distinct from personal ones.
Consider a ‘split proxy’ architecture
Many organisations have become increasingly concerned about the consequences of an MDM server compromise. An attacker who breaches an MDM server inherits its control over the fleet and can easily locate and unlock any enrolled device.
The data security challenges of managing mobile devices stem from how the smartphone ecosystem is built, and they apply whether the firm's MDM is on premise or in the cloud. MDM servers speak complex protocols to several internet-based services, such as push notification systems and online app stores. These channels are usually authenticated and encrypted end-to-end, so they cannot be inspected for threats in transit. An organisation or its service provider is therefore left with two options: open firewall ports from the internet to an MDM server hosted in its most trusted network segment, or host the MDM server in a less trusted segment, a 'DMZ' of sorts.
Ultimately, that is a choice between exposing a secure network segment and sacrificing the MDM server itself.
One way to mitigate this risk is to choose a solution with a 'split-proxy' architecture. A set of proxy servers in the DMZ handles the encrypted traffic with the smartphone ecosystem, both inbound check-ins from devices and outbound calls to push and app-store services, while the MDM server itself stays in the trusted segment and talks only to those proxies. A compromise of a DMZ proxy then yields a relay, not the server that holds the device records and issues the commands.
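To make the split-proxy idea concrete, here is an added sketch of the DMZ side of such a design. It is not Becrypt's product or configuration and not from the original article: it uses a Squid forward proxy for the MDM server's outbound calls and an nginx TCP reverse proxy for inbound device check-ins. The IP addresses are constructed; the two push-service hostnames are Apple's APNs and Google's FCM endpoints, but the complete destination list, in particular the app-store and VPP hosts, must be taken from each vendor's current published documentation.

```conf
# Segmentation assumed by both files (constructed addresses):
#   trusted segment 10.10.20.0/24 holds the MDM server 10.10.20.5
#   DMZ 10.10.10.0/24 holds the forward proxy 10.10.10.5 and reverse proxy 10.10.10.6
# Trusted-segment firewall: allow 10.10.10.6 -> 10.10.20.5:443 and
# 10.10.20.5 -> 10.10.10.5:3128; deny everything else into or out of the segment.

# ---- /etc/squid/squid.conf on the DMZ forward proxy (10.10.10.5) ----
# The MDM server has no route to the internet; it is configured to use this
# proxy for outbound calls. Squid only relays CONNECT tunnels to allow-listed
# hosts and never decrypts them, so the end-to-end TLS between the MDM server
# and the push/app-store services is preserved, exactly as the section describes.
http_port 10.10.10.5:3128

# Trusted-segment MDM server
acl mdm_core src 10.10.20.5/32

# Apple Push Notification service and Firebase Cloud Messaging.
# .itunes.apple.com is included only as an illustration of where the
# app-store/VPP hosts go; fill this list from Apple's and Google's documentation.
acl ecosystem dstdomain .push.apple.com fcm.googleapis.com .itunes.apple.com

# 443 for everything; 2197 is APNs' alternative port
acl tls_ports port 443 2197
acl CONNECT method CONNECT

http_access allow mdm_core CONNECT ecosystem tls_ports
http_access deny all


# ---- /etc/nginx/nginx.conf on the DMZ reverse proxy (10.10.10.6) ----
# Enrolled devices check in to this address from the internet. The stream
# module forwards raw TCP, so the TLS session terminates on the MDM server and
# the DMZ host holds neither the server's private key nor any device data.
events {}

stream {
    upstream mdm_core {
        server 10.10.20.5:443;
    }

    server {
        listen 443;
        proxy_pass mdm_core;
        proxy_connect_timeout 5s;
    }
}
```

Two caveats when comparing this with a vendor's split-proxy offering. The Squid half only applies if the MDM server can be pointed at an outbound proxy, and push notifications to the handsets themselves still travel directly between the device and Apple or Google, not through this DMZ. What should hold in any split-proxy product is the property the sketch is built around: the private key, the device records and the command queue stay behind the second firewall, so an attacker who takes the DMZ host gains a relay rather than the ability to locate or unlock devices.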
Consider the business objectives before implementation
Companies that prioritise data and employee protection as part of their MDM strategy should assess what they need from their mobile devices and how those devices are intended to be used.
Regardless of whether a firm operates in a high- or low-threat environment, it needs an MDM solution resilient enough to protect its data from increasingly sophisticated threat actors.