As mobile device management solutions become more commonplace in the enterprise, many of the conversations I've had about "What's next?" with customers (both potential and current) lead to a larger discussion about their data protection strategy for mobile.
MDM is not enough
Companies are coming to the conclusion that "MDM" (mobile device management) alone is not going to solve the problem of protecting corporate data, and that perhaps an integrated solution offering anti-malware (mobile security), device management (MDM), and app/data protection (MAM) capabilities is worth evaluating.
While standalone solutions can be valuable, the real power comes from integration: aggregating the telemetry coming from these mobile devices. This allows IT to empower users to maintain the hygiene of their own devices, while still providing the appropriate level of access to corporate data based on that information.
Corporate-owned or BYOD
Let's use a real-world example: I have a corporate-issued iPhone that has been provisioned by our MDM so that it:
- Requires a passcode on my phone (via an MDM-managed configuration profile)
- (then) Provisions my EAS (Exchange ActiveSync) email account
- (and) Provides me access to our Enterprise App Store, both internal apps and store-based ones
However, I also have a personal Android tablet that I self-enrolled; rather than becoming fully "MDM managed", I was able to:
- Install our Anti-Malware client (Norton Mobile Security)
- Install our "wrapped" version of Symantec Secure Email & other apps (same Enterprise App Store)
- Not have the potential issue of IT "creeping" on my device
Between those two devices I am accessing essentially the same corporate data; however, the controls are appropriate to the use case: MDM where and when it's needed, and more granular app-level controls where MDM is either not possible or less palatable to the end user (on my personal device, in this case).
Additionally, IT now has excellent data coming back from my devices: compliance status against those MDM policies, plus knowledge of any malware and potential threats lurking on the device (here's a freaky example: http://tnw.co/1hdjYkO). IT can leverage this to take manual or automated actions such as:
- Revoke email access at the network layer if I am out of MDM compliance (no actual MDM commands needed, just the compliance status)
- Kill my wrapped Secure Email client on my Android device if malware is found (or perhaps temporarily block it until I update my definitions). This is a pinpoint app revoke, so IT can keep its policies off my personal stuff
- Selectively wipe my iOS device if I jailbreak it, or, more realistically, selectively wipe it if I leave it in a cab or on a plane. If I somehow do get it back, my stuff is still intact, and the company data (and thus the risk) was removed
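To make the three scenarios above concrete, here is an added example (my own illustration, not any vendor's product code) of a small policy engine that maps aggregated device telemetry to enforcement actions. The telemetry field names and action names are assumptions for the example; the point is that BYOD devices are gated only at the app layer, while corporate devices are additionally gated on MDM compliance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceTelemetry:
    """Signals aggregated from MDM, the anti-malware client and the app layer.
    Field names are assumptions for this example, not a vendor schema."""
    device_id: str
    corporate_owned: bool   # True: MDM-enrolled corporate device; False: BYOD with wrapped apps
    mdm_compliant: bool     # MDM compliance flag (passcode policy etc.); only meaningful when corporate_owned
    malware_found: bool     # anti-malware client reports an active threat
    definitions_stale: bool # anti-malware definitions are out of date
    jailbroken: bool        # jailbreak/root detection fired
    reported_lost: bool     # user or IT flagged the device as lost


def evaluate_access(t: DeviceTelemetry) -> list[str]:
    """Return enforcement actions for one device, most severe first.
    An empty list means access is allowed as-is."""
    actions: list[str] = []

    # Lost or jailbroken: remove corporate data regardless of ownership.
    # A selective wipe removes managed apps/accounts and leaves personal data intact.
    if t.reported_lost or t.jailbroken:
        actions.append("selective_wipe")

    # Active malware: pinpoint revoke of the wrapped corporate apps only,
    # so personal apps on a BYOD device are untouched. Stale definitions
    # get a temporary block rather than a revoke.
    if t.malware_found:
        actions.append("revoke_wrapped_apps")
    elif t.definitions_stale:
        actions.append("block_wrapped_apps_until_definitions_updated")

    # Compliance gating only applies where MDM is in play (corporate devices).
    # The network layer consumes the compliance flag; no MDM command is sent.
    if t.corporate_owned and not t.mdm_compliant:
        actions.append("revoke_email_at_network")

    return actions


# Constructed sample fleet: the corporate iPhone and the BYOD Android tablet from the post.
SAMPLE_FLEET = (
    DeviceTelemetry("corp-iphone", True, False, False, False, False, False),   # passcode policy violated
    DeviceTelemetry("byod-tablet", False, False, True, False, False, False),   # malware found, not MDM-managed
)


def evaluate_fleet(fleet=SAMPLE_FLEET) -> dict[str, list[str]]:
    """Evaluate every device and return {device_id: actions}."""
    return {t.device_id: evaluate_access(t) for t in fleet}
```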
Those real scenarios are just the tip of the iceberg. Integrating EMM (enterprise mobile management: MDM, MAM and mobile security) with two-factor authentication solutions, such as a Managed PKI (mPKI) solution, provides an even deeper set of controls around data access. Coupled with generic integrations for SAML-based IdPs, this means employees like myself can work seamlessly across personal and corporate worlds: no skimping on user experience, no compromise with respect to security. Now that's a powerful combination.