September 07, 2012
The Security Pro's Guide To MDM, MAM, MIM, and BYOD
Written by
David Kennedy
Penetration Testing
Security Testing & Analysis
The hot topic right now across the security industry and the business world is "how can I bring my own device into the office and use it for work?" Whether it's an iPad, iPhone, Android, laptop, MacBook Air, or the latest whiz-bang piece of technology, this craze will not die off anytime soon. Corporations want the flexibility to promote innovation and creativity among their employees, and using the latest technology is a massive draw toward achieving those goals. First and foremost, a philosophy we subscribe to within information security is that our initiatives should focus on acceptance, allowing the business to pursue whatever strategy it needs to advance the business.
Our job in information security is to ensure that business initiatives can continue while keeping the risk low. Allowing new technology is not a bad thing! Allowing people to bring in their own devices is not a bad thing! The strategy for how you bring a foreign device into the environment has to be carefully planned and thought out in order to reduce the risk to the organization while still acting as an incubator for innovation and creativity.
Let's clear up some industry terms before we get started on our strategy. MDM stands for Mobile Device Management; this typically means the ability to manage a mobile device as a whole and ensure that certain policies can be applied and maintained. For security professionals, this is often the preferred approach because the entire device can be managed and a level of protection established. MAM, Mobile Application Management, refers to the protection of specific mobile applications rather than the entire device. In a MAM model, stringent security controls are placed on the applications themselves instead of applying a policy to the entire device.
MIM, Mobile Information Management, essentially refers to cloud providers that let you sync information from mobile devices to the rest of your devices. Think of Dropbox or something similar: a remote central location for storing information shared between regular devices and mobile devices. BYOD, Bring Your Own Device, refers to the ability to bring in any device you want regardless of technology and use it in a manner that allows you to perform business functions on a personal or "non-standard" device.
All right. You are now an expert in acronyms and terminology! Let's break each one of these down and look at the pros and cons.
Mobile Device Management (MDM)
MDMs typically tout protection of the entire device and place restrictions on any device that has the software installed. In most cases, companies will allow employees to sync things like email, VPN, and other services only if the MDM software has been installed and configured properly. In an MDM scenario, the software is pushed to the device, and policies are pushed and enforced to ensure a base level of security.
Pros
- Ability to ensure proper protection of the entire device and ensure compliance with the set policies.
- Central management of all mobile devices and the ability to check the status and compliance of each device.
Cons
- Extremely intrusive in its management of the device and its locking down of personal devices.
- Significant issues locking down entire devices given the volume of new devices continuously being pushed into the market.
- Degraded user experience and added troubleshooting requirements for the support team.
- Discovery of information for Electronic Discovery (eDiscovery) becomes non-existent or extremely difficult.
- Inability to separate personal data from company data.
Mobile Application Management (MAM)
Pros
- Legal can clearly distinguish which information on the phone is corporate or sensitive data.
- Policies are pushed only to the container; the user experience is not impacted for the entire phone.
- The phone itself has a clear distinction between personal and corporate protections.
- The ability to protect a smaller landscape and support more devices becomes a reality.
- Applications can be developed within the container, with support for single sign-on and other components, all within the self-contained encrypted volume.
Cons
- Loss of native apps and the "look and feel" the user is typically accustomed to.
Mobile Information Management (MIM)
Pros
- Centralized location for data and information.
- Ability to access information from almost any device and share between multiple platforms.
Cons
- Security around the information is an unknown.
- Applying controls becomes significantly difficult.
- Monitoring becomes significantly difficult.
Bring Your Own Device (BYOD)
Pros
- Promotes an open culture and a relaxed technology stance.
- Possible cost savings down the road, although this is often a misconception.
- Ability to become technology agnostic and support multiple platforms.
Cons
- Increased threat landscape for devices.
- Lack of specific controls on the connecting device.
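The difference between the MDM and MAM models described above comes down to policy scope: MDM policy is evaluated against the whole device, while MAM policy is evaluated only against the corporate container and says nothing about the rest of the phone. The following compliance evaluator is an added example written for this article, not code from the original post or from any MDM/MAM product; the inventory fields, policy keys and the three sample devices are all constructed assumptions.

```python
"""Fleet compliance evaluator: device-wide (MDM) vs container-scoped (MAM) policy.

Added example, not part of the original post. The inventory format and the
policy keys are assumptions; real MDM/MAM products expose their own schemas.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '6.0.1' into (6, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DevicePolicy:
    """Policy an MDM agent enforces on the whole device (assumed keys)."""
    min_os: str = "5.1"
    min_passcode_length: int = 6
    max_inactivity_minutes: int = 5
    require_encryption: bool = True
    allow_jailbroken: bool = False


@dataclass
class ContainerPolicy:
    """Policy a MAM product enforces only inside the corporate container (assumed keys)."""
    require_container_encryption: bool = True
    require_app_passcode: bool = True
    allow_copy_out: bool = False


def check_device(dev: dict, policy: DevicePolicy) -> list:
    """Return the list of device-wide policy violations (empty means compliant)."""
    failures = []
    if parse_version(dev["os_version"]) < parse_version(policy.min_os):
        failures.append(f"os {dev['os_version']} below minimum {policy.min_os}")
    if dev["passcode_length"] < policy.min_passcode_length:
        failures.append("passcode shorter than policy minimum")
    if dev["inactivity_lock_minutes"] > policy.max_inactivity_minutes:
        failures.append("auto-lock timeout longer than policy allows")
    if policy.require_encryption and not dev["storage_encrypted"]:
        failures.append("device storage not encrypted")
    if dev["jailbroken"] and not policy.allow_jailbroken:
        failures.append("device is jailbroken/rooted")
    return failures


def check_container(dev: dict, policy: ContainerPolicy) -> list:
    """Return violations inside the corporate container; the rest of the phone is not inspected."""
    container = dev.get("container")
    if container is None:
        return ["corporate container not installed"]
    failures = []
    if policy.require_container_encryption and not container["encrypted"]:
        failures.append("container volume not encrypted")
    if policy.require_app_passcode and not container["app_passcode"]:
        failures.append("container has no app-level passcode")
    if container["copy_out_enabled"] and not policy.allow_copy_out:
        failures.append("copy/paste out of the container is enabled")
    return failures


def evaluate_fleet(devices, device_policy, container_policy) -> dict:
    """Map each device id to its MDM and MAM findings, the per-device status a console would show."""
    return {
        dev["id"]: {
            "mdm": check_device(dev, device_policy),
            "mam": check_container(dev, container_policy),
        }
        for dev in devices
    }


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    {"id": "ipad-001", "os_version": "6.0", "passcode_length": 6, "inactivity_lock_minutes": 2,
     "storage_encrypted": True, "jailbroken": False,
     "container": {"encrypted": True, "app_passcode": True, "copy_out_enabled": False}},
    {"id": "android-002", "os_version": "4.0.4", "passcode_length": 4, "inactivity_lock_minutes": 30,
     "storage_encrypted": False, "jailbroken": True,
     "container": {"encrypted": True, "app_passcode": True, "copy_out_enabled": False}},
    {"id": "byod-003", "os_version": "5.1.1", "passcode_length": 8, "inactivity_lock_minutes": 5,
     "storage_encrypted": True, "jailbroken": False, "container": None},
]

if __name__ == "__main__":
    for dev_id, findings in evaluate_fleet(SAMPLE_FLEET, DevicePolicy(), ContainerPolicy()).items():
        print(dev_id, findings)
```

Running it over the constructed fleet makes the trade-off concrete: the jailbroken, unencrypted Android fails five device-wide checks yet passes every container check, which is exactly the "lack of specific controls on the connecting device" that MAM and BYOD accept in exchange for a lighter footprint on the personal side of the phone. The device with no container installed is the reverse case: MDM is satisfied, but there is nothing for MAM to protect.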