Handcuffing the mobile octopus | DigitalMunition

Published on July 23rd, 2019

MDM strategies: An embarrassment of niches

It is Christmas Day at 2 a.m. and a new mobile device just
connected to your network. Your servers are configured to send a text message
to alert you when new devices connect, so you immediately know that something
has happened. But you have no policy requiring that new devices be
configured with mobile device management (MDM) software before they are allowed
to connect, so you don’t know whether this is an employee playing with their new
smartphone or an actual attack. Do you get up and troubleshoot the alert, or go
back to sleep? This scenario plays out all day, every day for security
professionals, and it is only getting worse.

With mobile and cloud growth soaring and new requirements
such as the European Union’s General Data Protection Regulation (GDPR) forcing
CISOs to better control access to data, regardless of the physical location of
the data or company, mobile device management (MDM) has never been more
essential. In some cases, however, it is too popular, with some enterprises
housing a dozen or more MDMs, which itself creates new security holes.

Having too many MDMs is only one of the implementation
problems that cause anxiety for mobile security experts. Other concerns include
wearables being ignored, a lack of consistency and implementation processes
that simply make life more complicated than is needed for CISOs, and the
practical problems with a bring-your-own-device (BYOD) environment, which
itself will force changes to IT’s favorite after-the-fact defense of a mobile
remote wipe. And then there are questions about whether CISOs are focusing too
much on devices and ignoring the more crucial data and applications. Sometimes
CEOs like to weigh in on MDM policies, which is rarely a good thing.

Rob Smith, a London-based research director for Gartner, argues that his biggest concern about how Fortune 1000 CISOs use MDM is that they do not think through their needs sufficiently, preferring to purchase whatever top-rated software they can find and hope it does the job.

“The number one thing they are getting wrong is buying
products without knowing what they are using it for, without knowing their use
case,” Smith says. “They buy one product and expect it to do everything.”

Smith counsels CISOs to focus on four areas before exploring
MDM options:

• Who is the user and what is their role?

• What is the device and who owns it?

• What kinds of apps and data do they need to access?

• Where in the world are they located?

Different regions have different rules about data
protection, Smith says, above and beyond GDPR. “Data for England and Wales can
only be stored in England and Wales,” Smith says, adding that even the much-beloved
mobile remote wipe might have to be rethought.

The issue with mobile remote wipe is the question of device
and data ownership in a BYOD situation. A common kneejerk response to a missing
device that is suspected of being stolen is to wipe everything right away. Sort
of a “destroy first, ask questions later” approach. But does IT have the right
to wipe clean all of that personal information? “Even if IT thinks they have
the right because of [an employee agreeing to such wipes due to a form with] a
click through, click throughs never hold up in court. [IT] needs a physical
release form,” Smith says.

Rob Smith, research director, Gartner

Even physical release forms might not always do the trick,
as European courts often insist on a knowing agreement that is non-coerced.
Insisting that an employee sign such a form to get access to essential
databases might not be considered a true choice in the eyes of the court.

On remote wipe, Forrester Research Analyst Andrew Hewitt
adds that companies need to partition off corporate content and use MDMs that
support full-device as well as selective wipe, allowing them, in theory, to
obliterate only corporate content. That should avoid the legal complications of
destroying employee personal data.

But Gartner’s Smith also says that he is very concerned with
how many MDMs enterprises have these days. In Gartner surveys of the Fortune
500, Smith says they found that “29 percent had three or more and one guy had
10 different products in production. How do you get to three — forget 10?”

He says there are quite a few reasons a company can
accumulate more than 10 MDMs. First, there are inherited software licenses from
acquisitions. Second, companies will purchase different MDMs for different
operating systems (getting an Apple-specific MDM, for example, is common) along
with some for different geographies and different kinds of apps. CISOs seem to
be burdening their MDM strategies with an embarrassment of niches. Smith argues
that any number of MDMs greater than three is a problem.

Forrester’s Hewitt says that he sees most companies with
about four to five MDMs and he also says he would strongly prefer an enterprise
to use no more than three. “I don’t think they really need [more than three].
The technology has advanced quite a bit,” Hewitt says. “The best enterprises
are doing this with one and maybe two MDMs.”

Avery Chipka, the chief security officer at the Circle
Technology Collective International in Rutland, Vt., is willing to tolerate
clients having far more MDMs, although he does have a ceiling. “I start having
concerns when the number is above 10. When it’s more than 15, something needs
to be done about it,” Chipka says. He stressed that having so many MDMs can
cause confusion and make it far more difficult to track users.

Sometimes an employee will have “one profile as an
executive, another for creative, [and] another if they are doing sales. An
individual can only serve so many roles. Does each person really need a
separate account for every email account?” Chipka asks. “During an acquisition,
MDM profiles are one of the first things IT should be looking at. How many
people didn’t make it through the acquisition?” he asks, adding that removing
those accounts should be a priority. This is even more important given that
some of those who are let go might be quite unhappy about it.

Ajay Gupta, program chair for computer networks and cybersecurity, University of Maryland; CEO of HSR Inc.

Forrester’s Hewitt sees the plethora of MDMs as its own
risk. “It is a security hole because they don’t have a coordinated way to look
at that employee so they can get that one view of an employee,” Hewitt says.

Ajay Gupta is the program chair for computer networks and
cybersecurity at the University of Maryland and he sees a different security
hole from an overabundance of MDMs: Attackers leveraging the fact that many
MDMs don’t communicate with each other. “It is possible in that situation that
a device could sneak in,” he says. This can happen because each MDM knows that
it is not alone. Therefore, it might not necessarily block an unrecognized
mobile device, as it can legitimately assume that it is authorized via a
different MDM.

Each MDM “has to respect them all. They can’t reject because
it’s not recognized because the apps don’t talk with each other,” notes Gupta,
who also serves as president and CEO of HSR Inc., a non-profit data security
organization in the healthcare industry. “The default is usually to allow
access. This is the problem with centralization versus decentralization. This
is why standardizing on a smaller subset of vendor tools is just a good idea.”

Chipka says that companies can have multiple MDMs, but they
must address how those MDMs are to coordinate, assuming they can. “Which one takes
priority? What happens when you have two platforms and one says allow and one
priority? What happens when you have two platforms and one says allow and one
says deny? Each platform has a different way of handling it. For some, ‘deny’
is the overwhelming factor.”
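The three situations the article has just described all come down to one decision: a device shows up, several MDMs each have an opinion (or none), and someone has to combine those opinions. The opening scenario asks whether an unrecognized device at 2 a.m. is worth getting out of bed for; Gupta warns that an MDM which does not recognize a device tends to assume another MDM authorized it, so the default becomes allow; Chipka asks which platform wins when one says allow and another says deny. The following Python script, added here as an illustration and not code from the article or from any MDM vendor, reconciles a device identifier against several MDM inventories using deny-overrides and treats "unknown to every MDM" as deny rather than allow. The three MDM instances, their inventories, the device identifiers and the severity labels are all constructed for the example; a real deployment would fetch inventory from each MDM's own API.

```python
"""Reconcile a network-join event against several MDM inventories.

Added illustration, not taken from the article or from any MDM vendor:
the three MDM instances, their inventories, the device identifiers and
the policy rules are all constructed for the example. Real MDMs expose
inventory through their own APIs; here each is a plain dict keyed by a
device identifier.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MdmRecord:
    enrolled: bool    # device currently enrolled in this MDM
    compliant: bool   # passes this MDM's policy (passcode set, profile intact, ...)
    owner: str        # "corporate" or "byod"


# Constructed sample inventories for three hypothetical MDM instances.
MDM_INVENTORIES: Dict[str, Dict[str, MdmRecord]] = {
    "mdm-ios": {
        "dev-001": MdmRecord(enrolled=True, compliant=True, owner="corporate"),
        "dev-002": MdmRecord(enrolled=True, compliant=False, owner="byod"),
    },
    "mdm-android": {
        "dev-002": MdmRecord(enrolled=True, compliant=True, owner="byod"),
        "dev-003": MdmRecord(enrolled=True, compliant=True, owner="byod"),
    },
    "mdm-legacy": {
        "dev-004": MdmRecord(enrolled=False, compliant=False, owner="corporate"),
    },
}


def mdm_verdict(record: Optional[MdmRecord]) -> str:
    """One MDM's opinion: 'unknown' if it has never seen the device."""
    if record is None:
        return "unknown"
    return "allow" if record.enrolled and record.compliant else "deny"


def reconcile(device_id: str,
              inventories: Dict[str, Dict[str, MdmRecord]] = MDM_INVENTORIES
              ) -> Tuple[str, Dict[str, str]]:
    """Combine per-MDM verdicts with deny-overrides.

    1. any MDM says deny        -> deny  (deny wins over allow)
    2. no MDM knows the device  -> deny  (never default to allow)
    3. otherwise                -> allow
    Returns the decision and the per-MDM votes, so the alert shows which
    MDM (if any) vouched for the device.
    """
    votes = {name: mdm_verdict(inv.get(device_id))
             for name, inv in inventories.items()}
    if "deny" in votes.values():
        return "deny", votes
    if all(v == "unknown" for v in votes.values()):
        return "deny", votes
    return "allow", votes


def triage(device_id: str,
           inventories: Dict[str, Dict[str, MdmRecord]] = MDM_INVENTORIES) -> str:
    """Severity for the on-call alert: is the 2 a.m. text worth getting up for?"""
    decision, votes = reconcile(device_id, inventories)
    if decision == "allow":
        return "info"       # vouched for by at least one MDM, denied by none
    if all(v == "unknown" for v in votes.values()):
        return "high"       # no MDM has ever seen it: investigate now
    return "medium"         # known device failing policy in at least one MDM


if __name__ == "__main__":
    for dev in ("dev-001", "dev-002", "dev-004", "dev-999"):
        decision, votes = reconcile(dev)
        print(f"{dev}: {decision} (severity {triage(dev)}) votes={votes}")
```

Running the script shows the three cases the article raises: dev-001 is vouched for by one MDM and unknown to the others (allow, informational); dev-002 is compliant in one MDM and non-compliant in another, and deny overrides (medium); dev-999 is unknown to every MDM and is denied with high severity, which is the case that gets the 2 a.m. phone call. The votes are returned alongside the decision because, as Hewitt notes later, the real gap is the lack of a single view of the device across products.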

Another MDM concern from Gartner’s Smith is internet of
things (IoT). “You put a monitor in a conference room and it happens to be
running Android firmware. That’s the kind of device that will completely bypass
IT. There are so many proprietary solutions, which is a big part of the IoT
problem,” Smith says. “That conference room TV running Android should have [a]
mobile threat defense. Then you’re stuck with a coffee maker. IT has to be
involved because devices often have external communications, a built-in radio.
It could be sending data without your knowledge.”

Part of the IT MDM problem, Smith says, is a lack of
training and, as always, budget. “IT is trailing whenever you bring in new
technologies. Every IT staff is overworked, but that time [and budget] has to
be allocated. [Corporate] is not
budgeting to keep up with new technology. They’re not accurately predicting the
operational expenses that will be required. Mobile is chaos, a perpetual rate
of change. Don’t be surprised when Apple puts out an iOS update that breaks the
system or Google makes a change how data is stored on the cloud. You have to
ride the chaos.”

Avery Chipka, CSO, Circle Technology Collective International

Gupta has a suggestion for perhaps using the MDM BYOD problem
to shake loose a few more IT dollars. He argues that “this whole mobile
management bring your own device” trend is solely “to escape the costs of
buying devices. CIOs should ask for that [savings] numbers and use that [for
example] $15 million to move into the IT budget,” Gupta says. “Otherwise, the
CIO should tell management to post an invitation to every hacker in the world
to come into our network because that’s what we’re doing by opening up your
network to devices that you don’t own and that you don’t know.”

Gupta says another major MDM problem is the lack of CISO
follow-through. “They buy the [MDM] product with a set of expectations that are
sometimes unreasonable” and then “no one does training for its actual
capability. Maybe you should hire the [MDM vendor] to send their engineers to
your facility for a week of training. Real engineers, not sales engineers. If
you care about security, you may have to spend the [training] money.”

Chipka points to the ability to identify and track
unrecognized mobile devices as a key hole in some MDM systems. He describes one
offering that paired MDM tracking with digital security cameras. “Security
cameras, when paired with access points and known devices, can be used to
identify and record unknown devices’ presence in a building, allowing for the
security cameras to intelligently track those signals that it is not able to
identify. This is just one of many cutting edge impacts that MDM can have on
our future,” Chipka says.

Another concern Chipka has is that some systems default to
allowing the user to delete their own profile. Although this would make some
access from the phone more difficult, it also gets around legitimate security
restrictions that IT wants to impose.

“A good portion of end-users know how to configure their own
email. I’ve seen profiles deleted because the person was trying to get around
the restrictions we put in place. Most [IT and security staff] don’t bother to
prevent removal of the profile devices.” Chipka argues that they need to
prohibit any changes that are not done using the administrative panel.
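Chipka's point about users deleting their own profile can be turned into a check on the profiles an organization actually ships. The following Python script, added here as an illustration and not code from the article or from any MDM product, parses exported Apple configuration profiles with the standard library's plistlib and lists those missing the top-level PayloadRemovalDisallowed key, which is the key Apple's configuration-profile format uses to mark a profile the user cannot remove. The two profiles, their identifiers, names and UUIDs are constructed for the example. Whether the flag is honored also depends on how the profile was installed and on whether the device is supervised, so treat the result as one signal to confirm in the administrative panel rather than as proof of enforcement.

```python
"""Audit exported Apple configuration profiles for user-removability.

Added illustration, not from the article: the two profiles are constructed
inline as plist XML. The keys PayloadType, PayloadIdentifier, PayloadUUID,
PayloadVersion, PayloadDisplayName and PayloadRemovalDisallowed are from
Apple's configuration-profile format; the identifiers, names and UUIDs are
made up for the example.
"""
import plistlib
from typing import Dict, List

# Constructed samples: one locked down, one a user can delete from Settings.
SAMPLE_PROFILES: Dict[str, bytes] = {
    "mail.mobileconfig": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Corporate Mail (example)</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.mail</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
</dict>
</plist>
""",
    "wifi.mobileconfig": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi (example)</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.wifi</string>
  <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
""",
}


def audit_profile(name: str, raw: bytes) -> Dict[str, object]:
    """Parse one exported profile and report whether the user could remove it."""
    profile = plistlib.loads(raw)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError(f"{name}: not a top-level configuration profile")
    # An absent key means removable: the unsafe default the article describes.
    locked = bool(profile.get("PayloadRemovalDisallowed", False))
    return {
        "file": name,
        "identifier": profile.get("PayloadIdentifier", "<missing>"),
        "display_name": profile.get("PayloadDisplayName", "<missing>"),
        "user_removable": not locked,
    }


def find_user_removable(profiles: Dict[str, bytes]) -> List[str]:
    """Identifiers of profiles that lack PayloadRemovalDisallowed."""
    findings = [audit_profile(name, raw) for name, raw in profiles.items()]
    return [str(f["identifier"]) for f in findings if f["user_removable"]]


if __name__ == "__main__":
    for ident in find_user_removable(SAMPLE_PROFILES):
        print(f"user-removable profile: {ident}")
```

Point the script at a directory of exported .mobileconfig files (read each as bytes into the dict) and it reports the profiles a user could remove from Settings without going through the administrative panel, which is exactly the bypass Chipka says most IT and security staff do not bother to prevent.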

On the flip side, Chipka also complains that IT sometimes
will impose too many MDM restrictions, thinking that “because the setting
option is there, I have to use it. Just because you can do something doesn’t
necessarily mean you should.” As an example of overreach, he points to some MDM
systems that control which screen saver the user can select.

Forrester’s Hewitt agrees that some CISOs overreach when
making setting selections through MDM. Many are “building way too heavy-handed
policies on MDM profiles,” he says, specifying “annoying security practices
such as ‘every three months, we are going to change your 6-digit phone
password.’”

ABI Research Analyst Stephanie Lawrence says one of her top
MDM concerns involves wearables. “Businesses often overlook wearables and
forget to add wearables to their EMM (enterprise mobility management)/ MDM
plans, particularly as the devices are added after the EMM/MDM is in place, so
it is important that these devices are more strongly considered,” Lawrence
says.

Today, many wearables have no authentication capabilities,
such as the ability to key in a PIN/password or to perform biometric
authentication. That should limit those devices from being able to get into a
network on their own, analysts warn. But as wearable devices get a larger
market share and as their capabilities expand, they almost certainly will
ultimately be able to access restricted networks. By that time, it will be too
late to go back and generate profiles for all such devices retroactively.
Therefore, it is not a bad idea to start adding wearable devices today.

Forrester’s Hewitt sees another MDM problem in an excessive focus on the hardware at the cost of paying too little attention to apps and data, which is more likely where the bigger dangers lurk. “A lot of enterprises believe that MDM is the only thing they need to use for mobile security. They focus way too much on the device side,” Hewitt says. “Let’s say a [registered] phone is jailbroken. There [is] nothing that is protecting them from [a cyber thief] getting that data out.”

Hewitt also says that he is seeing fewer companies using
mobile VPNs due to the VPN’s well-earned reputation of slowing down devices.
Using cloud security gateways and “traffic inspection are doing [security] in a
much faster way” than a traditional VPN could, he says.

A concern of some MDM specialists is a lack of simplicity
with deployments. “One of the biggest mistakes we’re seeing in MDM deployments
is that they are overcomplicated. Many organizations are rolling out mobile app
management or containerization when only mobile device management and
monitoring is needed,” says John Sprunger, a senior technical architect with
consulting firm West Monroe Partners.

“Another mistake is overbearing deployments,” he continues.
“Tech leaders need to ensure that security policies are aligned based on data
sensitivity and apps used, not using separate policies for BYOD versus
corporate devices. Half-hearted deployments are another issue, as some
organizations enforce device enrollment but don’t fully implement or enforce
security policies or don’t enforce device enrollment at all, thus allowing a
bypass of security policies.”

Peter Meuser is a Munich-based independent IT consultant at
iTlab Consulting who also expresses frustration at companies having too many
MDMs. Meuser offered tips for determining if your company has too many MDMs.

“You know that you have to reduce the number of MDM
instances in your enterprise if you have to carry multiple mobile devices
because you do not have the necessary access to all corporate assets from your
single device,” he says. “Only one MDM can be the master of your device and
control access to backend services. You do not want to build multiple channels
into the same datacenter just to support multiple MDMs. Avoid data silos.”

Other indications that a company has too many MDMs,
according to Meuser, include, “your operations and support teams are not able
to develop the necessary deep skills to drive your mobile workforce at the edge
of innovation because they spent most of their time trying to organize external
vendor support they depend on for all these different MDM solutions. These
days, qualified MDM engineers are a rare species. Or you are doing the same
thing with different tools?”

Why should you manage thousands of iOS devices with multiple
MDMs, Meuser asks rhetorically. Choose the best one for your situation and then
unify across all subsidiaries. But remember, not every MDM is the right product
for every use case. For example, he says, there is a story about Microsoft
integrating Jamf, a management application for Apple products, with Microsoft’s
own Intune for macOS management. Apparently, he notes, Microsoft had no other
third-party macOS MDM product to integrate into Intune, so that was the company’s
only option. Ultimately, Meuser says, JAMF dropped its Android support to focus
only on Apple’s operating system.

There are other examples where niche MDM products gained a
foothold because of their specialized capabilities, he notes.

Meuser also suggests that you need to reduce your number
of MDMs when “all of your bigger subsidiaries run their own MDM system because
the products are not able to carry the combined load or does not offer the
necessary separated administration.”

Stephanie Lawrence, research analyst, ABI

Meuser also complains of CEO involvement, which can
undermine MDM goals. “Stories like this often begin with: ‘Why can’t I have
these Office apps on my corporate iPad? Even my son is able to install them on
my private device. Why is our IT not able to do this and why is security
blocking all innovations?’

“It’s not all about installing just a small app but
introducing a whole service to the IT infrastructure,” Meuser says. “The mobile
device is what your boss sees, MDM is the middleware to connect the device to
the backend services. If the backend services are not well implemented and
integrated, MDM can’t fix what’s broken.”

If the middleware is not implemented to meet the IT
department’s security requirements, it could create security vulnerabilities in
the network, and it is exactly these vulnerabilities in the apps the potential
attackers see. Just because an Office application can be installed on an iPad,
for example, that does not mean that it should be.

“I also see CISOs still relying on security policies that
are not built for the mobility age. They go back in times where firewalls,
virus scanner and smart cards ruled corporate security,” he continues. “These
times are gone with cloud services and corporate devices that are also enabled
for personal use. Enforcing outdated security policies for MDM not only impacts
user experience, but also lowers security in many cases,” Meuser says.

“Products will not be integrated as they are designed and
the resulting solution gets so complex that operations is challenged to
maintain the system and keep it updated. Times are over where an IT system is
introduced and not changed for years. Progress in mobile development and
security threats requires an agile management of all components,” he notes.

Ultimately, the choice of which and how many MDM systems is
as much a personnel management consideration as it is a technical
consideration. If companies make managing personal devices too cumbersome and
intrusive on employees, the company’s security team might not have the user
buy-in to be secure. As Forrester’s Hewitt notes, “There’s a limit to how many
employees are going to get MDM enrolled. Some would rather not have access on
mobile, rather than go through” too many security hurdles.
