MDM: Part of the mobile security solution?

By George V. Hulme, CSO
March 19, 2012 01:34 PM ET

CSO - The good news for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and 10 times less expensive than the luggable notebooks of the early 1980s.

What's good news for enterprises is also bad news for CISOs. Mobile devices can store substantial quantities of data, the applications are powerful, and their network speeds are forever increasing. And, oh yeah, users are bringing their own devices, downloading their own apps, surfing the Web from whatever connections they choose--all with little to no direct control by the enterprise.

To help make mobile devices more manageable, enterprises are increasingly turning to mobile device management (MDM) applications and services. And MDM can help with security issues--but how much? Experts say this tool can absolutely reduce mobile risk. But they also say relying on an MDM-only mobile security program is like sitting on a one-legged stool.

Mobile Mania

According to Forrester Research, there are more than 40 vendors in the MDM market, offering software with core features such as configuration management, troubleshooting and support, inventory, remote control and reporting capabilities. The market is growing: Research firm IDC pegged the MDM market at about $265 million in 2009, growing at more than 9 percent annually. The firm expects that growth rate to rise to more than 10 percent next year.

These applications reduce risk by being able to detect and remotely wipe data, and by enforcing password and encryption policies.

"It makes sense to move to MDM and enforce security policies in a more automated way," says Pete Lindstrom, research director at Spire Security.

"With mobile device sprawl, and the value of the applications and data on the devices increasing, more enterprises are going to want to manage the configuration of the devices, what the devices are and where they're being used--many of the things one would expect in traditional asset-management capabilities," he says.

However, while traditional asset-management applications helped create some level of security and control over notebooks and telecommuters' systems, they certainly fell short of managing everything necessary to keep those systems and data secure. MDM will be no different.

Dig Deeper Than Just the Device

"You can't just focus on the device and expect to have a high level of security," says Rafal Los, chief security evangelist at HP Software Worldwide.

"You have to look at the system holistically. That includes the infrastructure, the applications, how data is accessed and used," argues Los. "That includes looking at not only the inherent security of the applications on the device, but also the application servers and databases they connect."

Application security has been a plague since before the Web, whether the application resides on a server, desktop, notebook, website or mobile device. And it's a crucial area where MDM tools don't play much of a role beyond pushing patches out to at-risk devices. Consider the privacy flaw in Skype for Android that was discovered last spring: Skype's instant messages were not stored securely, so a malicious app or anyone with access to the device could view the messages' contents. That incident wasn't isolated, and many other mobile app vulnerabilities--including a weakness in a Citibank mobile application--have been identified since.
