When thinking about endpoint security it is important to decide what you consider an endpoint. We define an endpoint as any computing device that can access corporate data. This deliberately broad definition includes not just PCs, but also mobile devices (smartphones and tablets). We don’t think it is too broad – employees today expect to access the data they need, on the device they are using, from wherever they are, at any time. And regardless of the details, the data needs to be protected.
Of course the buzzword du jour is Bring Your Own Device (BYOD), which means you need to support employee-owned devices, just as you support corporate-owned devices today. These folks go to the local big box retailer and come home with the shiny new iDevice or Android thingy, then show up the next working day expecting their email and access to the systems they need to do their job on the shiny new device. For a while you said no because you couldn’t enforce policies on that device, nor could you assume the employee’s children or friends wouldn’t get into email and check out the draft quarterly financials.
Then you were summoned to the CIOs office and told about the new BYOD policy put in place by the CFO to move some of these expensive devices off the corporate balance sheet. At that point, ‘no’ was no longer an option, so welcome to the club of everyone who has to support BYOD – without putting corporate data at risk. The first step is to define the rules of engagement – which means policies.
The reality is you probably have policies in place already, so it is a case of going back and revisiting them to ensure they reflect the differences in supporting both mobile devices and the fact thats you may not own said devices. This is a Buyer’s Guide and not a policy guide, so we won’t focus on specific policies, but we will point out that without an updated set of policies to determine what employees can and cannot do – covering both mobile devices and BYOD – you have no shot at controlling anything.
First let’s blow up the misconception that BYOD = mobile devices. Employees may decide they want to run their office applications in a virtual window on their new Mac, not the 4-year-old Windows XP laptop they were assigned. Which means you need to support it, even though you don’t own the device. This changes how you need to provision and protect the device, particularly in terms of enforcement granularity.
For devices you don’t own, you need the ability to selectively enforce policies. You cannot dictate what applications employees run on their own machines. You cannot whitelist the websites they visit. You cannot arbitrarily decide nuke a device from orbit if it shows indicators of possible malware. Actually, if your policy says so, you probably can legally control and wipe the device. But it would make you very unpopular if you decided to blow away a device and lost a bunch of personal pictures and videos in the process.
So the key with BYOD is granularity. It is reasonable to do a periodic vulnerability scan on the device to ensure it’s patched effectively. It is also reasonable to require the device be encrypted so the corporate data on it is protected. It is fair to block access to corporate networks if the device isn’t configured properly or seems to be compromised. BYOD has several implications for security.
Let’s examine the impact of BYOD in terms of the aspects we have discussed already:
- Anti-malware: If you require anti-malware on corporate owned computers, you probably want to require it on employee-owned machines as well. It also may be required by compliance mandates for devices which access protected information. The question is whether you require each employee to use the corporate standard anti-malware solution. If so, you would use your existing anti-malware solution’s enterprise management console. If not you need the capability to confirm whether anti-malware protection is running on each device on connection. You also need to decide whether you will mandate anti-malware protection for mobile devices, given the lack of malware attacks on most mobile platforms.
- Hygiene: Under our definition (patch management, configuration management, and device control), the key change for BYOD is reassessment of the security posture of employee-owned device on each connection to the network. Then it comes down to a policy decision on whether you allow insecurely configured or unpatched devices on the network, or you patch and update the device using enterprise management tools. Keep in mind there may be a software licensing cost to use enterprise tools on BYOD devices.
The ability to deal with BYOD really comes down to adding another dimension to policy enforcement. You need to look at each policy and figure out whether it needs to change for employee-owned devices. It is also a good idea to make sure you can both visualize and report on employee-owned devices because there will be sensitivity around ensuring they comply with BYOD policies.
We just explained why mobile devices are endpoints, so we need to provide guidance on protecting them. As with most newish technology, the worst initial problem is more than security. The good news is that mobile devices are inherently better protected from attack due to better underlying operating system architectures. That means makes hygiene – including patching, configuration, and determining which applications can and should run on the devices – the key security requirement.
That doesn’t mean there is no mobile malware threat. Or that rooting devices, having employees jailbreak them, dealing with new technologies which extend the attack surface such as NFC (Near Field Communications), and attackers exploiting advanced device capabilities, aren’t all real issues. But none of these is currently the most pressing issue. That can and probably will change, as attackers get better and management issues are addressed. But for now we will focus on managing mobile devices.
The technologies that enable us to manage mobile devices fall into a handful of categories. Of course there is overlap, and all these capabilities are increasingly bundled into packages, but let’s start by describe the categories.
- MDM (Mobile Device Management): This is a very popular technology now, providing a mechanism for defining policies for different categories of users, and enforcing device configurations. You also can ensure timely mobile operating system updates and remotely wipe lost devices. There are hundreds of separate features in a typical MDM product, but in the context of endpoint security you should focus on defining profiles and determining what the employees can do with devices.
- MAM (Mobile Application Management): Should a user be able to use the Salesforce.com app on their mobile device to get into your data? That is a microcosm of the issue MAM addresses for organizations. There are tons of corporate “apps” employees should be using, and MAM provides a corporate app store to authorize which apps they can use. You can also use this capability to stop employees from accessing unauthorized apps and manage or protect specific applications – including mobile browsers and email clients.
- Containers: Another key aspect of security for mobile devices is data protection. Containers keep corporate data within a “walled garden” on mobile devices. This provides better granularity and selective wipe of only corporate data, which is particularly helpful in BYOD environments.
Regardless of which capabilities you need, there are a couple key buying criteria for mobile security offerings. The first is platform support. Obviously you need to protect the devices your employees use. All of them, even those old BlackBerries. Another key consideration is enterprise integration – whether it can leverage your existing identify stores, security operations center (SIEM), and reporting infrastructures. Depending on the organizational boundaries of whichever team is responsible for managing mobile devices, integration with existing endpoint security offerings may also be important.
Does BYOD/Mobile Standalone?
Increasingly we expect mobile security capabilities to be bundled with broader endpoint security and management offerings (or both). This isn’t brain surgery – simply a realization that in every emerging market is standalone technology which ultimately gets wrapped into broader management offerings. We have already seen tremendous consolidation of MDM players and we expect to see more. We believe given the market needs focus more acutely around management that these capabilities should be built into and managed from an endpoint management platform. That doesn’t mean that all of the independent mobile management/security companies go away, rather a handful end up staying independent and the rest are integrated into bigger offering from bigger IT management vendors. We’ve seen this movie before, and so have you.
This impacts your buying decisions because in early markets the independent companies (also known as “best of breed”) tend to bring a more fully featured offering to the market. If your requirements are less stringent, then you may want to look at a bundled offering from the get-go, since many endpoint security and management vendors already provide some mobile security/management capabilities. If you do need advanced capabilities, be sure to look for the key integration points you need for mobile security functions to work with your other enterprise systems – specifically identity (to define entitlements and access rights) and network security (to restrict certain devices to specific network segments). Then revisit the bundling decision as the technology matures.
The next post will wrap up this series, with a detailed discussion of the buying process.