In a rather uncommon occurrence, we are updating one of our papers within a year of publication. As shown by our recent deep dive into Advanced Endpoint and Server Protection, endpoint security is evolving pretty quickly. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it has become clear that we need to dig a bit deeper into securing mobile endpoints, so we will.
But the change requires a bit of context. We have said for years that management is the first problem users solve when introducing a new technology. Security comes only after management issues are under control. That has certainly been true of mobile devices, as evidenced by the rapid growth, maturity, and consolidation of Mobile Device Management (MDM) technologies. But you cannot really separate management from protection in the mobile endpoint context, as demonstrated by the fact that security features appeared very early among MDM offerings.
Mobile devices are inherently better protected from malware attacks due to more modern mobile operating system architectures; so hygiene – including patching, configuration, and determining which applications can run on devices – becomes their key security requirement. This means there is leverage to gain by integrating mobile devices into the device management stack (where applicable) to enforce consistent policy regardless of device, ownership (for BYOD), or location. This has driven significant consolidation of mobile management companies into broader IT management players.
In this update of the Endpoint Security Buyer’s Guide we will dig into mobile endpoint security management, defining more specifically what needs to be managed and protected. But most of all, we will focus on the leverage to be gained by managing these capabilities as part of your endpoint security management strategy.
One of the key points we made early in the Endpoint Security Buyer’s Guide is that the definition of endpoint needs to be more inclusive. From a security standpoint if the device can run applications, access corporate data stores, and store corporate data locally, it is an endpoint and needs to be managed and protected. Smartphones and tablets clearly fit this bill, along with traditional PCs.
Organizationally, management of all these devices may not fall within a single operations group. That company-specific decision reflects business realities, particularly at large-scale enterprises with thousands of employees and huge IT shops which can afford specialist teams by device. In many smaller companies (the mid-market), we see these operational functions consolidated. But who does the work is less important than what is done to protect mobile endpoints – consistently and efficiently.
Managing Endpoint Device Security
Hygiene tends to be the main focus for managing mobile endpoint security, so here is a list of what that means in the mobile endpoint context:
- Enrollment: New devices show up, so registering each device and assigning it proper entitlements begins the process. This is typically handled via a self-service capability so users can register their devices and accept the organization’s policies (especially for employee-owned devices) without waiting for help desk intervention. Of course you cannot assume everyone gaining access will register their devices (especially attackers), so you will want some kind of passive discovery capability to identify unmanaged devices as well.
- Asset management: Next after enrollment comes the need to understand and track device configuration and security posture, which is really an asset management function. There may be other similar capabilities in use within the organization (such as a CMDB), in which case integration and interoperability with those systems is a requirement.
- OS configuration: Configuration of mobile endpoints should be based on policies defined by groups and roles within the organization. These policies typically control many device aspects – including password strength, geolocation, activation lock, and device encryption. OS vendors offer robust and mature APIs to enable this capability, so most platforms offer similar capabilities. Technology selection largely comes down to the leverage gained by managing policies within a consistent user experience across all devices.
- Patching: Software updates are critical to device security, so ensuring that mobile endpoints are patched in a timely fashion is another key aspect of mobile endpoint security. For mobile devices you will want to be sure you can update devices over the air, as they are often beyond reach of the corporate network, connecting to corporate networks only infrequently.
- Connectivity: An organization may want to actively control which networks devices use, especially because many public WiFi hotspots are simply insecure. So you will want the ability to specify and enforce policies for which networks devices can use, whether connections require a VPN to backhaul traffic through a central gateway, and whether to use a mobile VPN service to minimize the risk of man-in-the-middle and side-jacking attacks and snooping.
- Identity/group roles and policies: This capability involves integrating the mobile endpoint security management policy engine with Active Directory or another authoritative identity store. This leverages existing users and groups – managed elsewhere in the organization – to set MDM policies.
As you build your mobile endpoint security management strategy, keep in mind that different operating systems offer different hooks and management capabilities. Mature PC operating systems offer one level of management maturity; mobile operating systems are maturing rapidly but don’t offer as much. So to provide a consistent experience and protection across devices you might need to reduce protection to the lowest common denominator of your least capable platform.
Alternatively you can choose to support only certain functions on certain devices. For example PCs need to access corporate data (and SaaS applications) over the corporate VPN, so they are easier to compromise and present more risk, whereas more limited mobile devices, with better inherent protection, might be fine with less restrictive policies.
This granularity can be established via policies within the endpoint security management platform. Over time MDM platforms will be able to compensate for limitations of underlying operating systems to provide stronger protection as their capabilities mature.
The improved security architectures of mobile operating systems have required attackers to increasingly target applications to access data and compromise devices – this has happened on desktop operating systems as well, under somewhat different environmental pressures. So in order to protect mobile endpoints you need to protect applications as well. This requires several capabilities:
- Authorized applications: A common concept for application protection is the “corporate app store” – enabling organizations to offer a whitelist of authorized applications with centralized purchasing/deployment/configuration. This also entails managing updates (somewhat similar to mobile OS patching and configuration, mentioned above) and removal of apps which violate corporate policies.
- Application controls: Diving deeper into application control, mobile endpoint security also requires more granular control over personal information management apps, including email and web browsers. Organizations may want to restrict access to corporate email or web resources to apps running inside a corporate container. Organizations also increasingly want to control what employees browse to, so enforcement of web browsing policies can often be managed on-device (rather than on a corporate web security gateway). You may also need to enforce specific policies on devices based on the authorized applications described above, so factor in third-party application support as well.
- Privacy/personal data leakage: One of the hot buttons for mobile endpoints is privacy. Individual privacy may be at odds with what’s acceptable for a corporation. For instance many employees allow apps access to their contact lists and text messages, without thinking about it. But this presents a clear security issue if business contacts or texts are stored on devices – and, perhaps, exploited. So organizations need the ability to manage potential leakage by controlling what applications have access. It is also helpful to rate apps based upon privacy, flagging apps that might misuse data and violate policies.
Of course this leads us to what security means to us in a mobile endpoint context. We increasingly see vendors in this space talk about privacy and security interchangeably. Many apps are deemed insecure because they have access to other resources on the device (as described above). But it is really a privacy issue because data is being shared with the app. We can simplify the discussion down to the root: whether an app is exploiting a vulnerability or other mechanism to provide unauthorized access to the device (a security issue) or the app is legitimately accessing information it shouldn’t be able to (a privacy issue). But both increase risk to the organization. And that risk needs to be understood and managed.
Managing Data on Mobile Devices
Today’s mobile endpoints have as much onboard storage as mainframes of yesteryear, so any employee can hold a significant amount of the intellectual property of your organization on their smartphone. This makes data protection another critical aspect of mobile endpoint security. We recently produced a much more detailed analysis of protecting data on iOS 7, so we suggest you check that out to go deep on mobile data protection architectures and advanced content management strategies. At a high level, here are some considerations for buyers:
- Remote wipe: There are times when the data on a device needs to be removed, such as when a device is lost or when an employee leaves the organization. Your mobile endpoint security management platform should be able to selectively wipe devices remotely, ensuring that only corporate data is erased while preserving Grandma’s pictures.
- Data protection: How the data is stored on devices is also pertinent; a number of different architectures exist to encrypt data at rest and as it moves to and from devices. Operating system vendors tend to handle storage encryption, and you will need to think about how each app handles and protects data within local storage. Again, consult our iOS 7 data protection paper for a much deeper dive.
- Containers: As described above, some organizations want to restrict access to corporate data to a walled garden on the device, otherwise known as a ‘container’. This approach provides convenient access to the corporate app store and corporate-approved apps – including secure email and web browsing, along with other apps with access to corporate data. Obviously the container’s security and management is critical. Make sure to understand its architecture thoroughly before trusting it with sensitive data.
We increasingly expect mobile security capabilities to be bundled with broader endpoint security and IT management offerings. That isn’t brain surgery – simply an acknowledgement that every emerging market starts as standalone technology, which ultimately gets wrapped into broader offerings. This is nowhere more apparent than with management technologies. We have already seen significant consolidation of MDM players, and these capabilities increasingly become features of major IT/security management offerings. Smartphones and tablets don’t need to be managed differently, although of course that is a choice your organization might make. To be clear, this does not mean all the independent mobile management/security companies will go away or that there is no room for innovation, but we expect only a few to stay independent over the longer term. We have all seen this movie before.
Obviously this impacts buying decisions. In early markets, independent companies (also known as “best of breed”) tend to bring more fully-featured offerings to market. If your requirements are less stringent you might want to look at a bundled offering from the beginning, because many endpoint security and management vendors already provide some mobile security/management capabilities.
Buying dynamics aside, there is leverage to be gained by using a bundled suite. The need to patch and enforce configuration policies is universal, regardless of device. If you can do that within a single user experience, bundling is advantageous so long as you don’t have to sacrifice policy granularity due to operating system differences. The need to protect data also spans devices, so common policies can be implemented here as well. Finally, all these endpoint devices are assets, so centralizing asset management and tracking (through mobile geolocation and periodic assessments) is also useful. All this helps with compliance as well, providing a common reporting infrastructure to substantiate controls for protecting private data on all endpoints.
If you choose to centralize security management of both PC and smartphone/tablet devices, you will want the ability to define roles within the management environment to support your organizational model. If you have personnel detailed to manage only smartphones, they don’t need access to PC management, or vice-versa. You will also need to decide the location of your management infrastructure – whether on-premise or in the cloud. Cloud-based management is becoming pervasive for ease of deployment and transparent updates. But one size doesn’t fit all. You might prefer a local management platform to accommodate specific security or cultural requirements, or want to plug into an existing on-site management console.
Another aspect of selecting a security management platform is integration with your other enterprise systems – specifically identity (to define entitlements and access rights) and network security (to restrict certain devices to specific network segments).
As mentioned above, we don’t consider it logical to limit securing employee-owned devices (otherwise known as Bring Your Own Device, or BYOD) to smartphones and tablets. Employees may want to run their office applications in a virtual window on their new Mac, not the 4-year-old Windows XP laptop they were assigned. So you need to secure devices regardless of operating system or physical device, and regardless of whether your organization owns them. This changes how you provision and protect mobile endpoints, particularly in terms of enforcement granularity.
For devices you don’t own you need the ability to selectively enforce policies. It is not practical to dictate what applications employees run on their own equipment. Likewise, you cannot determine which websites they can visit on their own machines on their own time, off the corporate network. You probably shouldn’t arbitrarily nuke devices from orbit if you see ambiguous malware indicators. If your policy allows it, you can legally control and wipe the device. But it would make you very unpopular to blow away a device, deleting a bunch of personal pictures and videos in the process, and making it clear to the employees that you are watching them with power to delete all data – even on their own devices.
So the key is granularity. It is reasonable to perform periodic vulnerability scans on each device to ensure it’s patched effectively. It is also reasonable to require devices to be encrypted so corporate data is protected. It is fair to block access to corporate networks from any device which isn’t configured properly or seems to be compromised.
Your mobile endpoint security management platform should be able to selectively enforce applicable policies, reducing organizational risk while maintaining employee freedom. A tough standard to meet, but critical to employees and management.
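To make the granularity argument concrete, here is an added example (not from the paper or any MDM product) of an ownership-aware posture check: it applies the hygiene checks listed earlier (enrollment, encryption, passcode strength, patch age, compromise indicators) to a device record and then limits the enforcement actions by ownership, so an employee-owned device can be blocked from the corporate network or selectively wiped but never subjected to a full wipe or app whitelist. The thresholds and field names are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical policy thresholds; a real MDM would resolve these per group/role.
MAX_PATCH_AGE_DAYS = 30   # device is "unpatched" if its OS build is older than this
MIN_PASSCODE_LEN = 6      # minimum passcode length required by policy


@dataclass
class DevicePosture:
    """Constructed device record, as an MDM agent or discovery scan might report it."""
    device_id: str
    owner: str               # "corporate" or "byod"
    enrolled: bool
    encrypted: bool
    passcode_len: int
    os_patch_age_days: int
    compromised: bool        # e.g. jailbreak/root indicator reported by the agent


def hygiene_findings(d: DevicePosture) -> list:
    """Return the list of hygiene checks this device fails (empty means compliant)."""
    findings = []
    if not d.enrolled:
        findings.append("unenrolled")
    if not d.encrypted:
        findings.append("unencrypted")
    if d.passcode_len < MIN_PASSCODE_LEN:
        findings.append("weak-passcode")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append("unpatched")
    if d.compromised:
        findings.append("compromised")
    return findings


def evaluate(d: DevicePosture) -> dict:
    """Map findings to enforcement actions, restricted by who owns the device."""
    findings = hygiene_findings(d)
    actions = []
    # Blocking corporate network access is fair for any non-compliant device.
    if findings:
        actions.append("block-corporate-access")
    # A compromised device loses corporate data; only corporate assets get a full wipe.
    if "compromised" in findings:
        actions.append("full-wipe" if d.owner == "corporate" else "selective-wipe")
    # Dictating which apps may run is only practical on equipment the organization owns.
    if d.owner == "corporate":
        actions.append("enforce-app-whitelist")
    return {"device_id": d.device_id, "compliant": not findings,
            "findings": findings, "actions": actions}
```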
Over the next week or so we will be making minor updates to other sections of the Endpoint Security Buyer’s Guide; we will make the updated version available for download within a couple weeks. We would like to thank Lumension for extending the license on this research and giving us an opportunity to update it to reflect the rapid change we have seen.