Why MDM is a relic of the past for mobile security

To deal with BYOD, insecure endpoints, and data leakage, many enterprises opted for MDM solutions, but those solutions have turned out to be overbearing and ineffective.

Ben Cade, CEO of security firm Trustonic, spoke with TechRepublic at the 2018 RSA Conference about why mobile device management (MDM) is a thing of the past, and what's next for mobile device security in the enterprise:

Cade: MDM, really, is an industry that was created to try and address a problem, which was: you have all these different types of devices. Users want to access their personal information, but also their corporate information, in the environment that's most sympathetic to how they live their lives. Of course, from a business perspective, that's a good thing, particularly as it means saving money on buying devices, or not needing to buy devices anymore. The issue, though, is, as we all see, you have to click through on your policies that say "give me control of your device, let me snoop on all of the information that you might be browsing or looking through, and I can wipe your device on arbitrary notice, and all of the data on it." And that seems completely overreaching.

So now, the reality is, with the technology that's in the device, you don't need to do that. Because, firstly, MDM exists to try and deal with "I don't trust the endpoint; therefore I need all of this control to be able to mitigate that risk." Whereas now, with the technology, you can control the device. You can, therefore, trust that your application that's running on that device is secure. You can trust that the user authentication is secure. And so now you're talking about a transition from, if you like, device management, where you control other people's devices that you don't own, to a model where you're controlling your application and your service. Which means, obviously, that from a user perspective, that's great. I can enable all of these enterprise applications. Of course, the enterprise controls those applications, but they don't control my browser, my personal apps, my personal data. And neither should they.

What Samsung did with Knox, really, is pioneer making Android enterprise ready. We actually provide the underlying security for the Knox system, and they build many platforms and capabilities above that. But fundamentally that is a solution for a Samsung device, whereas, as an enterprise, I need to enable any device that my customers or my employees may want to use. So what's important is: how do I do that in a high-trust way? Before, I would just delegate that to an MDM, and they would require you to give away all control of your personal device. Whereas with the technology that's now in the majority of Android devices, I don't need to do that. I just need to know the device can prove it's trustworthy; therefore my application can be installed on that device. I can know that it's that user who's trying to access that device. So I don't have to worry about this data leakage experience anymore. For the user, of course, they don't have to click through all of these onerous policy acceptances to give you control of things you don't really need on that device.

The answer right now is that many enterprise companies that are building their own applications, for example Symantec, are starting to use this technology by default. So the first question, if you're a CIO, is you should be asking your application providers: are you using this inherent hardware security in the device? The second part is going to what used to be your MDM provider, now, obviously, normally relabeled as an enterprise mobility manager, and asking them about their enterprise login, where you log in once as a user and get access to all of the corporate systems: are you using this technology? Because then, all of a sudden, you can move from having to take control of other people's devices to a model where you're just empowering your employees to use your applications and services, and you control your app, but you don't control their device.
