In a rather uncommon occurrence, we are updating one of our papers within a year of publication. As shown by our recent deep dive into Advanced Endpoint and Server Protection, endpoint security is evolving pretty quickly. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it has become clear that we need to dig a bit deeper into securing mobile endpoints, so we will. But the change requires a bit of context. We have said for years that management is the first problem users solve when introducing a new technology. Security comes only after management issues are under control. That has certainly been true of mobile devices, as evidenced by the rapid growth, maturity, and consolidation of Mobile Device Management (MDM) technologies. But you cannot really separate management from protection in the mobile endpoint context, as demonstrated by the fact that security features appeared very early among MDM offerings. Mobile devices are inherently better protected from malware attacks due to more modern mobile operating system architectures; so hygiene – including patching, configuration, and determining which applications can run on devices – becomes their key security requirement. This means there is leverage to gain by integrating mobile devices into the device management stack (where applicable) to enforce consistent policy regardless of device, ownership (for BYOD), or location. This has driven significant consolidation of mobile management companies into broader IT management players. In this update of the Endpoint Security Buyer’s Guide we will dig into mobile endpoint security management, defining more specifically what needs to be managed and protected. But most of all, we will focus on the leverage to be gained by managing these capabilities as part of your endpoint security management strategy. Defining Endpoints One of the key points we made early in the Endpoint Security Buyer’s Guide is that the definition of endpoint needs to be more inclusive. From a security standpoint if the device can run applications, access corporate data stores, and store corporate data locally, it is an endpoint and needs to be managed and protected. Smartphones and tablets clearly fit this bill, along with traditional PCs. Organizationally management of all these devices may not fall within a single operations group. That company-specific decision reflects business realities, particularly at large-scale enterprises with thousands of employees and huge IT shops which can afford specialist teams by device. In many smaller companies (the mid-market), we see these operational functions consolidated. But who does the work is less important than what is done to protect mobile endpoints – consistently and efficiently. Managing Endpoint Device Security Hygiene tends to be the main focus for managing mobile endpoint security, so here is a list of what that means in the mobile endpoint context: Enrollment: New devices show up, so registering each device and assigning it proper entitlements begins the process. This is typically handled via a self-service capability so users can register their devices and accept the organization’s policies (especially for employee-owned devices) without waiting for help desk intervention. Of course you cannot assume everyone gaining access will register their devices (especially attackers), so you will want some kind of passive discovery capability to identify unmanaged devices as well. Asset management: Next after enrollment comes the need to understand and track device configuration and security posture, which is really an asset management function. There may be other similar capabilities in use within the organization (such as a CMDB), in which case integration and interoperability with those systems is a requirement. OS configuration: Configuration of mobile endpoints should be based on policies defined by groups and roles within the organizations. These policies typically control many device aspects – including password strength, geolocation, activation lock, and device encryption. OS vendors offer robust and mature APIs to enable this capability, so most platforms offer have similar capabilities. Technology selection largely comes down to leverage managing policies within a consistent user experience across all devices. Patching: Software updates are critical to device security, so ensuring that mobile endpoints are patched in a timely fashion is another key aspect of mobile endpoint security. For mobile devices you will want to be sure you can update devices over the air, as they are often beyond reach of the corporate network, connecting to corporate networks only infrequently. Connectivity: An organization may want to actively control which networks devices use, especially because many public WiFi hotspots are simply insecure. So you will want the ability to specify and enforce policies for which networks devices can use, whether connections require a VPN to backhaul traffic through a central gateway, and whether to use a mobile VPN service to minimize the risk of man-in-the-middle and side-jacking attacks and snooping. Identity/group roles and policies: This capability involves integrating the mobile endpoint security management policy engine with Active Directory or another authoritative identity store. This leverages existing users and groups – managed elsewhere in the organization – to set MDM policies. As you build your mobile endpoint security management strategy, keep in mind that different operating systems offer different hooks and management capabilities. Mature PC operating systems offer one level of management maturity; mobile operating systems are maturing rapidly but don’t offer as much. So to provide a consistent experience and protection across devices you might need to reduce protection to the lowest common denominator of your least capable platform. Alternatively you can choose to support only certain functions on certain devices. For example PCs need to access corporate data (and SaaS application) over the corporate VPN, so they are easier to compromise and present more risk. Whereas more limited mobile devices, with better inherent protection, might be fine with less restrictive policies. This granularity can be established via policies within the endpoint security management platform. Over time MDM platforms will be able to compensate for limitations of underlying operating systems to provide a stronger protection as their capabilities mature. Managing Applications The improved security architectures of mobile operating systems have required attackers to increasingly