Mobile device management and containerization
By David Geer (Part of the FMIT special report Making BYOD work)
Enterprises use mobile device management to identify devices, limit makes, models and operating system versions that can access the network, and report network events, tying them to devices and users.
"MDM also provides transparency into apps installed across devices, enabling the enterprise to collect usage-based trending data," says Christian Kane, analyst for enterprise mobility, infrastructure and operations at Forrester Research. MDM typically deploys software agents onto devices to enable monitoring.
MAKO Surgical, a medical equipment company, monitors device usage through its MDM, which places corporate applications in a wrapper in a secure work space, giving the company visibility into how employees use them, says Ernie Wittyngham, senior director of information technology at MAKO Surgical.
Napa County, California, monitors BYOD with a tool that enables the county to monitor authentications and network events initiated by devices and users, says Gary Coverdale, chief information security officer for Napa County.
MDM Manages BYOD
Unlimited numbers and types of devices would demand increasing bandwidth, putting a strain on network resources.
By managing approved devices, MAKO Surgical can ensure it maintains sufficient bandwidth for all.
"Standardizing on a single MDM solution reduces complexity and cost while enabling us to see iOS, Android and BlackBerry devices. We control what devices gain access. Employees have to use this MDM solution or they don't get in with their own devices," says Wittyngham. This helps ensure that MAKO Surgical divvies up bandwidth only among authorized devices.
E-office, a Netherlands-based mobile digital working environment company, uses its MDM to enable alerts about the BlackBerry, Android and iOS devices it manages, says Bob Hillesum, mobility consultant at e-office.
MDM Supports BYOD
Some MDM tools use a consolidated management platform. This allows CIOs to manage everything from the same platform, says Wittyngham.
To avoid BYOD becoming a support issue for Napa County, policies state that because these are personal devices, the county cannot support anything outside the sandboxed container on the device that houses corporate data.
"We can't support anything outside of that. We would consider it a gift of public funds. It would be no different than me asking public works to build a deck in my backyard," says Coverdale.
MDM Secures BYOD – with some caveats
MDM solutions differ in their security approaches. Some use SSL or VPNs to secure an enterprise application back to the network.
"The phone does not store corporate data, which remains inside the enterprise," says Bob Egan, analyst, chief executive and founder of The Sepharim Group.
A second approach wraps data in a secure container on the device.
Still another method splits the device OS into two partitions, one housing work data and the other housing personal data.
A final method uses VDI, or virtual desktop infrastructure.
"You log in with a secure connection back to an application server to see the presentation of the data," says Egan. The system secures the data itself behind a firewall in the enterprise. MDM secures BYOD by using software agents installed on the devices to make security decisions based on policies. "Policy decisions set on the MDM server can allow approved applications while blocking unapproved applications," says Egan.
When there is a security update for an application, the policy can specify that the user must apply the update before using the application again. The software agent can enforce policies based on employee roles as well, permitting users with certain responsibilities the capabilities they need to fulfill their duties. MDM solutions further give enterprises the ability to detect jail-broken devices, to set up passwords, to establish some form of authentication, and to perform device integrity checks, according to Kane.
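As an added illustration, not code from the article or from any MDM vendor, the Python sketch below evaluates one device record against a policy of the kind Egan and Kane describe: approved platforms and minimum OS versions, the agent's jailbreak/integrity result, an app allowlist with required patch levels, and role-based entitlements. All policy values, device fields and role names in it are constructed.

```python
# Added example, not code from the article or any vendor's MDM: a minimal
# policy evaluator in the style the text describes. All policy values,
# device records and role names below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Device:
    owner_role: str
    os: str
    os_version: tuple          # e.g. (16, 2)
    jailbroken: bool           # result of the agent's integrity check
    apps: dict                 # app name -> installed version string

# Constructed policy: approved platforms with minimum OS versions, an app
# allowlist with the minimum (patched) version, and per-role entitlements.
POLICY = {
    "allowed_os": {"ios": (15, 0), "android": (12, 0)},
    "apps": {"mail": "2.1", "crm": "4.0", "docs": "1.3"},
    "roles": {"sales": {"mail", "crm"}, "staff": {"mail", "docs"}},
}

def _vtuple(version):
    """'4.0.1' -> (4, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def evaluate(device, policy=POLICY):
    """Return (network_allowed, {app: decision}, reasons) for one device."""
    reasons = []
    min_os = policy["allowed_os"].get(device.os)
    if min_os is None:
        reasons.append(f"platform {device.os} is not approved")
    elif device.os_version < min_os:
        reasons.append(f"{device.os} {device.os_version} is below minimum {min_os}")
    if device.jailbroken:
        reasons.append("integrity check failed: device is jailbroken")
    network_allowed = not reasons
    entitled = policy["roles"].get(device.owner_role, set())
    decisions = {}
    for app, installed in device.apps.items():
        if not network_allowed:
            decisions[app] = "block"            # non-compliant device: quarantine
        elif app not in policy["apps"] or app not in entitled:
            decisions[app] = "block"            # unapproved app, or role lacks it
        elif _vtuple(installed) < _vtuple(policy["apps"][app]):
            decisions[app] = "update-required"  # security update pending
        else:
            decisions[app] = "allow"
    return network_allowed, decisions, reasons
```

A real agent would feed `reasons` to the server's event log so that a blocked device can be tied back to its user, as the article's opening paragraph describes.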
Napa County must address BYOD security in adherence not only to regulations such as HIPAA but also to HITECH, which the federal government appended to HIPAA to ensure that all healthcare entities that touch sensitive data have the same responsibilities as the data owners. Before Napa County could permit hundreds of users to move from county-owned devices to their Apple iPhones and iPads, it had to find a secure MDM solution to guard against data breaches and the associated financial losses.
The county selected an MDM that uses secure, encrypted containers on the BYOD devices to house private county data. The county also requires employees to use at least two passwords.
"One password is for the device itself and the other is for the container/sandbox, which is an encrypted password," says Coverdale. By using these, Napa County meets the data security requirements of HIPAA and HITECH.
E-office uses MDM to secure BYOD by ensuring there are no open inbound ports on the firewall.
"All data connections are initiated from inside the firewall outside to the devices," says Hillesum. E-office publishes the applications and data it allows employees to use to the secure container on the device.
Cons of MDM as a BYOD solution
Depending on the MDM solution the enterprise uses to manage BYOD, one con is that the company may have to wipe the entire device to remove corporate data. The organization does this to keep the data out of the hands of people whom the company has not authorized to access it. The concern is that, in the process, the enterprise deletes the employee's personal data as well.
"It really depends on the MDM solution the enterprise uses," says Egan. "Several solutions provide mechanisms for selective data wiping."
These are typically solutions that use wrappers to wrap the apps, containers to cordon off a group of enterprise apps and separate them from personal apps and data, or partitions to separate the interface into work and non-work areas or "personalities," according to Egan.
The fact that MDM does not mitigate all the security concerns the enterprise has is another drawback that deters companies from using it as a BYOD solution. "This is a big issue from a security standpoint," says Egan.
The enterprise should always start with the assumption that all BYOD devices are completely hostile even if an MDM solution is in place, explains Egan.
"Protecting the device is never the issue; it is only one tiny piece of the puzzle. Protecting the data and the apps is the important piece; MDM does not do this," Egan says.
Some solutions use mobile workspace management or containerization as an approach to managing BYOD, housing corporate data inside a protective encrypted container while personal data remains outside. Mobile workspace management is actually one of a new generation of BYOD approaches.
This new approach configures corporate applications to run and keep their data within the container. The solution enables the enterprise to set up preferred security controls for the container and its applications and content. This approach enables the enterprise to remove the container with the apps and data upon the employee's departure without touching the employee's personal data.
Companies with strict data security requirements due to regulations or a need to protect intellectual property will find containerization appealing, according to Kane. That is because it completely separates corporate data from personal data and applications, protecting applications and data with layered security including encryption.
This is a big pro for organizations that will not go near BYOD without a separate area on the device for corporate use, explains Kane.
There are cons to containerization, too. "When you have a full-on container for mobile, you change the user experience and move from one that the person is comfortable with to something new they have to learn," says Kane.
Users also want to customize their mobile experience on the device from time to time to suit their changing needs. "That requires flexibility. Having to switch back and forth between containerized work areas and personal areas introduces another step for employees who could meet that with frustration," Kane says.
Next in this special report: Formulating BYOD policies and user agreements