
A radical idea for Mobile Device Management: Don’t bother

Patrick Gray explains how you can save yourself the headache of trying to apply 1980s device management to increasingly prolific, mobile, and personal end-user devices.


As tablets and mobile devices began to flood the enterprise, IT vendors and management took a predictable approach. Much like the desktops and laptops already connected to the corporate network, IT regarded the tablet as another “asset” to be tracked, managed, updated, and logged. A whole crop of software tools has emerged that attempt to bring desktop- and laptop-like management to these highly mobile and often disconnected devices, creating frustration for the IT staff who are told to manage these devices and for the users who are trying to accomplish various tasks.

Services, not hardware

The concept of device management seemed sensible during the dawn of IT, when most IT departments were part of or offshoots of finance, and early desktop computers and associated peripherals were very expensive. This hardware was truly an asset to the company, requiring careful tracking, oversight, and depreciation. Data were also generally localized to the devices, making theft of the device an even more pressing concern.

Now, devices are increasingly playing the conceptual role of dumb terminals, with application software and data stored outside the device. This might come in the form of a modern cloud application or enterprise data that are captured in ERP, CRM, and other transactional systems. Many devices access the enterprise services that store and manipulate data rather than performing those tasks locally.

This is even more common with mobile devices, where limited storage and processing power often necessitate lightweight applications that access the computing power of an enterprise backend or cloud. In the extreme, yet not uncommon, case, application and desktop virtualization truly renders the device a “dumb terminal” that does nothing more than present a screen.

A $1,500 solution to a $300 problem?

If sensitive enterprise data are stored externally to a device, and tablets are now cheaper than a boardroom chair or piece of artwork (assets that are tracked with far less rigor than tablets in many organizations), why are we spending so much time and money attempting to manage them?

Arguably, there are still data on these devices, such as local copies of corporate email that might contain sensitive information. However, does the risk of unauthorized access to the average user’s email account and the loss of a $300 piece of hardware necessitate specialized technologies and a cadre of staff to implement and monitor them? Most security people would argue that there’s a far greater risk of an employee giving away passwords to an authoritative voice on the other end of a phone than a carefully orchestrated theft of a mobile device.

MDM as a Band-Aid

In some ways, Mobile Device Management (MDM) represents a Band-Aid solution to consumer tablets and mobile devices entering the enterprise. The “old way” at most IT shops assumes the endpoint is a trusted and secured component of the IT infrastructure, and they believe that maintaining the integrity of the endpoint is a battle worth fighting. In the new world, endpoints are merely terminals that are accessing services -- those services require authentication and good application and data design, but assume and require nothing from the endpoint itself.

Rather than frantically trying to gain control of a doubling or even quadrupling of endpoints (if most of your users acquire a smartphone, tablet, or both), assume endpoints are an unknown and untrusted commodity and that the services your enterprise provides should act accordingly. With this mindset, your company’s applications will be ready for any type of endpoint, be it a tablet or a partner interface, and you’ll save yourself the headache of trying to apply 1980s device management to increasingly prolific, mobile, and personal end-user devices.
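What “the services act accordingly” looks like in code, as an added example that is not from the article: the service trusts nothing about the device, so every request is gated on a short-lived, device-scoped session that the service itself can revoke when a device is lost, and responses carrying sensitive data are marked non-cacheable so the service, not a device agent, decides what may persist on the endpoint. All names (`SessionStore`, `authorize`, the TTL) and sample values are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL = 15 * 60  # seconds; assumed value, kept short to shrink the theft-to-discovery window


@dataclass
class Session:
    user: str
    device_id: str      # opaque id the client presents; never trusted on its own
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Server-side session state: the only place access is granted or withdrawn."""

    def __init__(self) -> None:
        self._sessions: dict = {}   # keyed by sha256(token), so a DB leak does not leak bearer tokens

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_id: str, now: Optional[float] = None) -> str:
        """Return a bearer token bound to (user, device); only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, device_id, now + SESSION_TTL)
        return token

    def get(self, token: str) -> Optional[Session]:
        return self._sessions.get(self._key(token))

    def revoke_device(self, user: str, device_id: str) -> int:
        """De-authorise one device for one user (lost or stolen); returns sessions revoked."""
        count = 0
        for session in self._sessions.values():
            if session.user == user and session.device_id == device_id and not session.revoked:
                session.revoked = True
                count += 1
        return count


def authorize(store: SessionStore, token: str, device_id: str,
              sensitive: bool, now: Optional[float] = None) -> dict:
    """Gate a request without assuming anything about the endpoint.

    Returns {"allow": bool, "reason": str, "headers": dict}. For sensitive
    resources the headers instruct the client not to persist the response.
    """
    now = time.time() if now is None else now
    session = store.get(token)
    if session is None:
        return {"allow": False, "reason": "unknown_token", "headers": {}}
    if session.revoked:
        return {"allow": False, "reason": "revoked", "headers": {}}
    if now >= session.expires_at:
        return {"allow": False, "reason": "expired", "headers": {}}
    if session.device_id != device_id:
        # token replayed from a device other than the one it was issued to
        return {"allow": False, "reason": "device_mismatch", "headers": {}}
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"} if sensitive else {}
    return {"allow": True, "reason": "ok", "headers": headers}
```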


About

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

25 comments
jp-dutch

I do work at a Bank and this "laissez faire" attitude is totally unacceptable because of compliance regulations. The HW cost is negligible in comparison to image damage to our company for revealing corporate strategic or somebody's personal financial information.

Very bad advice.

Thomas Kuhlmann

I've read this article now twice - and I am still a bit shocked. I do agree that a $300 piece of hardware is not necessarily a high value device that needs to be monitored. But content and access do. At the moment most IT departments still have a very simple responsibility - they provide and secure the infrastructure an organisation needs to perform its business.


And yes, in an ideal world IT would just be a business partner, an advisor that maintains the enterprise architecture and educates people on how to handle company information responsibly. And of course all centralised and cloud systems would be secure, all permissions perfectly managed and the users would ensure that they use complex passwords and encrypt their devices. But that is simply just not the case!


At the moment IT is still being held accountable for data loss and security breaches. In light of this, not securing a device that contains company information and could potentially open up access to the entire organisational network is just plain reckless. And yes, I do agree that there is probably little company espionage going on in the majority of cases. If a device gets stolen, the thief is probably more interested in selling the gadget than figuring out how to use the information it contains. 


But MDM is a bit like an insurance policy. Or a disaster recovery plan. Everybody hopes it will never be needed. But it is good to have it in place in case something does happen. 



Thomas Kuhlmann

www.aquarterit.com



ATG4

You are correct that cloud computing reduces the need for device management, whether it's for BYOD or corporate-owned devices.  By hosting applications and data in a secure cloud environment, they are kept off employees' devices.  In addition, IT staff don't need to bother with installing corporate applications on different types of devices.  They just give the users a URL to connect to.

One solution that facilitates this approach is Ericom AccessNow, an HTML5 RDP client that allows users of any device with an HTML5-compatible browser (including iPads, iPhones and Android devices) to connect to hosted Windows applications or VDI virtual desktops and run them in a browser tab.  There's nothing to install on the end user devices, which reduces IT support headaches.

For an online, interactive demo visit: http://www.ericom.com/demo_AccessNow.asp?URL_ID=708

Please note that I work for Ericom

DT2

The ramifications go well beyond the possible theft of a $300 device.  A "boardroom chair or piece of artwork" does not have the capability of compromising an entire corporate enterprise network.

peter.gregory

If mobile devices truly were just terminals, maybe this story would have a chance. However, smartphones are more than just terminals.

I agree that it's prudent to measure the cost of protection against the value of assets - nothing new here.

rickv

I don't see anyone mentioning compliance... some of us don't have a choice.  If there is data on the device (e-mail etc...), some industries have regulatory compliance standards to uphold.  HIPAA for Healthcare, SOX for Finance, FIPS/FISMA for FED, and very similar policies within each SLED organization dictate the management of data assets to meet and expand upon the basic standards set forth within the Privacy Act. MDM is as necessary as any other data asset management program in place within organizations with regulatory compliance requirements.

kchandley

I think this article is naive. It may apply for say a dog walking business, but does not apply to business such as health care, finance, or any business that accepts credit cards because of HIPAA and PCI compliance.  MDM was not as challenging when Blackberry was the only enterprise solution. But the overwhelming demand for users to use consumer iPhones for business has created the MDM market because iPhones and Android were not designed with security in mind or as default.

Take for example a Dr. at an HIV treatment clinic. He doesn't store documents or contacts on his phone. But he does have his calendar synchronized to his phone. If his phone is lost or stolen, his calendar information has leaked PHI, a complete violation of HIPAA. If he has a high enough number of patients, his clinic is required by law to alert the media.  That's a disaster that can be mitigated by MDM forcing password locking and administrative remote wipe functionality.

Example two: A client emails an employee some financial information. Most Email apps, like calendars, have offline storage. If the phone is lost or stolen, the company now has a PCI violation, unless the firm can show an MDM log verifying that the phone had a password lock enforcement policy and was wiped after it was lost.

Is it worth it? Like expensive backup systems, it might not seem worth it until you need it. It's much cheaper to be compliant with the regulations than it is to pay the fines for not being compliant, not to mention the risk to your business after a breach.

Dennis Cagan

Definitely an interesting perspective. Worth considering. However, for goodness sake, we are talking about SOFTWARE here, not precious metal. I believe the ultimate solution is not in abandoning best practices that transcend the latest gadgets over time, but rather in using the leverage of today's software advances to deliver less expensive cost effective solutions. IMHO there is no reason you could not do the job right for a buck a month per device.

tedz98

I would agree with the desire to reduce or even eliminate the need to manage mobile devices - which definitionally I shall limit to tablets and phones, not laptops (which have too much data storage capacity/capability to be left un-managed).  The explosive growth of mobile devices and BYOD creates a daunting challenge to corporate IT in terms of managing the increasingly large number of devices and supporting the ease of use and access users are demanding.


The only way you could reasonably defer actively managing mobile devices is if there is no data on the device, all data is transient and it is presumed the device will always have internet connectivity.  The moment any of these assumptions is violated you need to have security and device management enabled on the local device. 

As others have said the loss of the physical asset is not the issue, but loss of data or credentials is the true battle.  However, I don't foresee in the near term mobile devices functioning purely as terminal-like devices accessing data in the cloud.  It seems, at least in the current technology envelope, that there will always be a need to store data locally - or at a minimum an inability to guarantee that there will never be sensitive data stored on the mobile device.

M.R.

Another inflammatory article...  1980s style management?  If you mean the concept of delivering stable, usable and secure devices/applications in a timely manner old fashioned then I guess you're right.

There is an extreme push to forget all of the best practices we've learned throughout the years.  In truth, many of them do cost us money to implement and may never be a benefit (as long as there isn't an incident).  You're right, the device isn't worth tracking.  The loss of data is.  So is the ability to manage a device to enable delivering of applications and configuration changes that will keep the device running and useful.  We are all being pushed towards the dumb terminal - centralized computing environment and some of it is amazing but a little dose of common sense about the risks involved might be more appropriate.  MDM isn't the end all of securing your mobile devices and if not well implemented may be totally worthless but it does offer value to some scenarios.

Anyway, I don't have time for this - I have to find out if I was one of the 2 million accounts that they announced were hacked yesterday in several of the wonderful and secure centralized cloud services ; ^)

alex

It's about the data, or the credentials. Many cloud apps allow you to prevent storage of data locally, which is a good first step. Encryption, remote wiping, and the ability to de-authorize devices are key capabilities too. But two other key things are preventing apps from retaining passwords, and guarding against malware infection, particularly keystroke loggers. The biggest risk is the time between a device being stolen and having that theft discovered, because during that time it can be used as if by the legitimate user. GPS correlation with another device carried by the user could be used to de-authorize a device that strayed too far from its authorized user. Again, it's not the device that's valuable, it's what it can do.

kylemarks

Any device that could potentially contain sensitive data must be assumed to contain sensitive data. There must be convincing evidence for every mobile asset showing it could not contain recoverable data.

To ensure adequate safeguards are in place, data controllers should consider treating each mobile device as if it were an inevitable security incident. The data controller has the burden of proof to demonstrate that an item does not contain sensitive data. 

A data security incident is a situation that results in protected data potentially being viewed, used, or stolen by an unauthorized individual. When an incident occurs, a subsequent investigation is undertaken to determine whether or not there was a breach. The investigation determines if there was or was not a release of protected information to an untrusted environment. Of course, not all security incidents rise to the level of breach. However, compliance requires all data security incidents be investigated. 

There must be convincing evidence for every mobile asset showing it could not contain recoverable data. Ignoring this obligation is negligence.

@RetireIT

jjustice

Yup... it's called a "walled garden" approach. Keep the data off the mobile endpoint.

patrickarchibald

The loss of a device carrying sensitive data is not a '$300 problem' when that exposes you to a six figure fine for a breach of the Data Protection Act.

cfleshner

In the patent application, Automatic Periodic Centralized Backups of User Environments, It was already suggested that "public endpoints" were not where it was at in device management, regardless of what "device" you were managing, mobile or not.  That was back in 2007.  This concept or container as is now recognized, was already identified as the "User Environment", and globally as the "Environment Storage Area".  1980's concepts as you put it, still can apply, when you factor in mainframe technology, before the advent of mobile computing, and even the PC era.  That is because TCP/IP, on a non-routable scope, in a closed static environment (LAN), can automate and emulate the authentication processes, using standard https.  "Where endpoints are known or unknown". 

Re-inventing the wheel for the authentication processes because of a perceived "manageability issue", is only relevant if a global integrative solution is otherwise not known, implemented and/or adapted.

Also, your entire device world (TCP/IP), and the ability to manage anything on the internet, is built on 1980's, and before, technology, and that isn't likely to change.

Kevin Loughrey

I have a military background.  The comments I make here regarding mobile devices are therefore heavily influenced by that experience.

There was the statement, "Now, devices are increasingly playing the conceptual role of dumb terminals, with application software and data stored outside the device."  Whilst I agree that this is increasingly becoming the case, I don't agree it is the right way to go.

Connected with this was the statement that mobile devices could contain sensitive information, the implication being that this is a potential problem should the device be lost (or in my world, captured).

I suggest that, if the drive on the device is heavily encrypted, then we should be more worried the operator will be captured than the device.  Which leads me on to the matter of centralisation.

I have a concern about centralisation of data. My concern is based in the belief that, in my life's experience, we have a greater vulnerability from a disloyal member within our organisation than from an enemy breaking in from outside; though the latter instance is still a real possibility and centralisation of data means that should that happen the consequences are really, really bad.  Worse, should information be leaked or unlawfully accessed, unless the person has a point to make, as was the case with Bradley Manning or Edward Snowden, it is highly likely that the compromise and its extent would never be known.  Neither is it an easy task to determine who exactly was responsible.

I'd like to, at this point, add another thought.  Of all the computer systems I have specified and built and all the systems I have been forced to use in Defence, the small systems cost the least (by up to a thousand times!) but delivered the most in terms of increased productivity in the workplace.  The large centralised systems have cost billions but saved little and, in many instances, have actually adversely impacted on operational effectiveness.

So I'd like to posit that mobile devices should be developed to be the means by which we get everything done in the workplace.  They should, as much as is practical, hold all data necessary for independent operation for an extended time.  Not only does this provide a highly responsive interface, far more responsive than is possible even with gold-plated communications when operating a web-interface, it also means that you can still deliver a service when all comms have been disrupted either by accident, by weather or on purpose.

The information on these mobile devices should only be shared and synchronised on an opportunistic basis over secure links with those who have a need to know and will suffer the consequences should that information be compromised. 

You may think that what I am proposing is impossible.  I can tell you from experience it is not.

Centralisation favours big companies and big bureaucracies.  It does not favour users.  For most of the years I have been involved with computer systems, the users have been the losers.

n.gurr

Ok, let's get this straight, the reason to control your assets is not the device value.  Forget this argument.  It's damage limitation, I will only look at the financial penalties not those to reputation.

Brighton and Hove NHS Trust sold some hdd which got to the public.  These could have been lost, these could have been tablets.  There was some personal data.  The fine was £325,000.  If they had a proper track of these assets they would have known that they had not been blanked or were being sold.  This issue for them really is not about the sub £100 hdds value.

Then if electrical equipment is dumped there is the fine issue.  At least one case in the UK has led to fines in the region of £100,000.  While the odd mobile device is not a big issue habitual lack of policy enforcement would lead to a major corp getting hit with huge fines.

Lastly a device that someone leaves with can be re-used often so that a new / replacement staff member can have a device without a purchase cost, probably as easily as a factory reset can be applied.  

Dirk Klassen

Well, modern MDM solutions do not bother with the device and all its security issues, but simply provide a container app which holds the enterprise data and apps. A kind of terminal service, so to say. The device itself can be left as it is. The only thing to worry about is the security of the container, which can be controlled easily and in the same way for all devices, so nothing to worry about in the end. And all this is completely independent of the device the container runs on. As an enterprise you only have to choose an MDM solution that delivers containers which run on the usual mobile platforms - iOS, Android, possibly WinMobile.

logan

Some MDM solutions grasp this idea - that it's really the data that needs to be managed, rather than the device. There are solutions that provide good controls for limiting access to corporate data and locking it down when it's outside the corporate firewall. That's definitely worth doing.

cfleshner

That is assuming the data resides on the device.

minstrelmike

@Kevin Loughrey I agree--we are trying to solve the wrong problem. From a _personal_ perspective, individual users are at risk of having identity theft occur if they give up their personal credentials. But businesses are not at risk of that. The business risk is entirely different and frankly, the largest data thefts occur from hacking poorly secured web sites, not from individual users having their passwords or devices stolen.

Keeping data separated is a first step. No one but HR ought to have access to socialsec and salary info. No one but engineers should have access to drawings and patent applications. No one but execs should have access to central strategy documents.

However, in real business environments with egotistical managers in charge, every VP _needs_ (sarcasm) access to every piece of data on the network.

There are different risks for business than for individuals but I don't see any difference in security stances or advice.

minstrelmike

@n.gurr Sounds to me like one way to manage the issue is costly device management. Another way to manage the issue is user training and data management. I go with number two because it works better for less money. A poorly trained user (think VP or manager) with unlimited access to all company data is more of a risk than a lost device with little to no info on it.

mark1408

@Dirk Klassen We don't have enough use of mobile devices to warrant MDM but if the data is really the key maybe we should redefine MDM to mean Mobile Data Management :-)

At present, for us, it's corporate email on devices (as Patrick refers to) which is the main data risk. If other apps (such as ERP or CRM) don't store data locally why would you need to "manage" it?

Aikon53

@logan Those MDM players who feel that Locking down the devices is the best solution will be gone in the next few years. Back in the beginning we had MDM / secure corp email solutions all competing with BES, and basing everything on their own proprietary code, and fighting who invented this technology. Then people started to wake up and look at secure containers for email based on ActiveSync,  and Secure containers for Apps, Secure browsers, Secure VPNs. The best solutions will be the ones who take all of this and combine it into one secure container App that can be managed thru a portal for admins and users. 

Pure MDM, which was the new buzz word for iOS & Android devices, was nothing more than a stop gap (band aid).  The unfortunate problem today is too many people don't understand the change going on or are forced into solutions that are outdated and are told that locking down the devices is the best solution. I say BYOD should be what it means, I bring it in and you load your corporate secure app on it and manage that and that only. But I do see the option of pure MDM wipe reset for a BYOD user who loses it or has it stolen to send a Wipe command from a terminal or other phone and/or request an Admin at their company do it for them so both corporate and personal data is removed.

email

@minstrelmike  A SOTI perpetual licence costs $66USD for a minimum of 10 devices. So one SOTI trained IT guy can manage the estate. Compare that to the cost of training users and data management, and I think it'll work out being much cheaper. I think the comment of a $1500 solution is way off the mark.