While the market seeks device security in enterprise mobility management, mobile app-centric security might be the future.
Multiple analyst and vendor studies now point to the need for mobile security to shift away from the device and more towards mobile apps. More insidiously, the attack vectors against corporate owned and Bring Your Own Device (BYOD) devices are evolving and changing to keep pace with mobile technology advancements. Last month, I spoke with Alan Murray, senior vice president of product for Apperian, a leading mobile application management (MAM) vendor and discussed the intersection of mobile device and application security.
A reason, I keep returning to the enterprise mobility management (EMM)/mobile device management (MDM) market because there are many vendors stepping over one another at times. When I told him some criticisms I have about MDM/EMM marketing, Murray came back with that he wasn't sure many companies were doing things wrong, rather he thinks it's the industry that's doing things wrong.
Murray said, "I think enterprises came out pretty loud and clear at first and said 'We see mobility as something that can be potentially revolutionary to us and the technologies are a huge leap forward for us, from where we were with desktops and laptops. It's exciting. It's cool. It's new. But God do we have some problems managing it. Industry please help us.'"
"Yeah, cool," Murray, continued. "We can help you we got this thing called MDM and the customer looked at it and went oh really OK, and they took it. They didn't take it because it was the perfect thing to take but because it was the only thing we had to offer."
"I think that was the case for a number of years and I think a lot of companies took it because they had to, and it was the only thing they really had as a viable alternative," he said.
"But I think the customers knew all along that there was a tremendous amount of weakness and flaws, and it wasn't a complete solution," Murray added. "It has taken a while for the market, technology, and vendors come back around to say we have alternative ways for you to do these things now."
"I do think there was some education from a customer perspective that had to change too," Murray continued. "That's not to say that every customer got it right. I think there are companies who saw the iPhone, and saw one of two things. They saw a high definition TV with a built-in phone and something that had more computing power than their last generation laptop, or they saw a 64GB data theft device. They saw one extreme or the other."
Murray seems both answers as right. He justified, "It's both things. It's what did you see first."
"The companies that saw the 64 Gb data theft device really did run towards MDM and said we have to lock this thing down," Murray stated. "We need to take a command and control approach. We have to go that way with it. That served MDM folks really, really well."
"Others didn't see it that way," Murray continued. "They saw it as an enabling technology and recognized that the EMM approach is what it is and isn't sufficient for securing applications and data, ensuring applications got deployed effectively and adopted well. That end users were engaged with those [applications]. They weren't defining best practice for mobile if you will."
MDM vs. EMM: Part of the problem?
Marketing spin has been slowly diluting the definitions of MDM and EMM for some time now.
Murray told me that Apperian looks to certain analysts in the industry to define the taxonomy of such industry terms. He sees such definitions as woefully needed in the industry.
The origins of MDM as an Apple specific protocol that doesn't exist in the Android world but various mobile security vendors have used agent-based technology and Android operating system could be contributing to some of the misconceptions and wrong messaging around MDM technology solutions.
Shifting from device to app-specific security
While you have to consider the messenger, Murray told me that his company sees a lot of the industry shifting to a more app-specific security model for mobile security. He cited customer inquiries, competitive wins Apperian has had, and changes in messaging of companies formerly engaged in device management.
Murray's observations match roughly the changes I've noticed in the market
"I think when you look at it device management and application management aren't substitutes for one another. They are complements of one another," Murray offered.
"And our viewpoint is look if something has an asset tag on it, then a company owns it, and you should manage that device. It's a company asset," according to Murray.
"Where ever there's corporate data and corporate applications then you've got a duty to actually manage those," advised Murray. "So managing the applications and the data associated with them is something that every enterprise that starts putting data on mobile devices has a responsibility to do.
Enterprises also have a responsibility to protect and respect employee's private data according to Murray especially if employees are allowing their employee to install software on their personal devices.
Leading with MAM or MDM
When I asked Murray about the enterprise need to transition from MDM to MAM, he replied that he doesn't think it's necessarily a transition, rather it might be what technology do you lead with for mobile security.
According to Murray, "It's not do I do device management or do I do application management according to Murray. It's about looking to the management domain either the device or application."
Murray encourages enterprises to look to the management domain. His management domain view matches the emergence of more holistic mobile security I'm seeing in the past two years.
"If the management domain is in the application i.e. I have an application I need to distribute to a broad audience," Murray explained. "Some of those audience are running on devices that are managed, some are running on devices that are unmanaged."
He added, "Some members of that audience may or may not be employees of my company. They may be contractors, franchisees, dealers, or partners. They might be customers in the future."
He gave some good questions to ask in a conversation about the application as your management domain including:
- How is the application performing?
- Is the application achieving its Return on Investment (ROI) goals?
- Am I securing the application properly in all locations?
"When you are in that conversation what you've done is elevated that conversation to say the management domain is now the application rather than the management domain is the device," Murray offered.
He advised, "You need to be thinking what is my strategy for managing the application?"
Murray also recommended analyzing ways to use MAM solutions and technologies to augment your already in place MDM solution to extend your application management capabilities to devices you don't own or can touch directly.
Apperian's Murray brings up security concerns enterprises need to take into account when planning their future mobile security planning. I expect to see application and device security to meet together in more mobile security platform type solutions from major and startup mobile security vendors in the future.