September 07, 2012

The Security Pro's Guide To MDM, MAM, MIM, and BYOD

Written by David Kennedy
Penetration Testing Security Testing & Analysis
The hot topic right now around the security industry and businesses is how can I bring my own device into the office and use it for work. Regardless of whether it's an iPad, iPhone, Android, laptop, MacBook Air, or the latest and greatest whiz-bang piece of technology, this craze will not die off anytime soon. Corporations want the flexibility to promote innovation and creativity within their employees, and utilizing the latest technology is a massive draw to achieving those goals. First and foremost, a philosophy that we subscribe to within information security is that our initiatives should focus on acceptance and allowing the business to focus on whatever strategy it needs to advance the business. Our job in information security is to ensure that business initiatives can continue while maintaining a low-risk scenario. Allowing new technology is not a bad thing! Allowing people to bring in their own device is not a bad thing! The strategies around how you implement a foreign device have to be carefully planned and thought out in order to reduce the risk for the organization and be an incubator for innovation and creativity.

Let's clear up some industry terms before we get started on our strategy.

MDM, Mobile Device Management, typically means the ability to manage a mobile device of sorts and ensure that certain policies can be managed and maintained. For security professionals, this is often a desired approach because the entire device can be managed and a level of protection can be established.

MAM, Mobile Application Management, refers to the protection of specific mobile applications rather than the entire device. In a MAM model, stringent security controls are placed on the applications themselves rather than applying a policy to the entire device.

MIM, Mobile Information Management, essentially refers to cloud providers that allow you to sync information from mobile devices to the rest of your devices. Think of Dropbox or something similar: a remote central location for storing information from regular devices and mobile devices alike.

BYOD, Bring Your Own Device, refers to the ability to bring in any device you want, regardless of technology, and utilize it in a manner that allows you to perform business functions on a personal or "non-standard" device.

All right. You are now an expert in acronyms and terminologies! Let's break each one of these down and look at pros and cons.

Mobile Device Management (MDM)

MDMs typically tout the entire protection of the device and place restrictions on any device that has the software installed. In most cases, companies will allow employees to sync up things like email, VPN, and other technologies if the specific piece of MDM software has been installed and configured properly. In an MDM scenario, the software is pushed to the device and policies are pushed and enforced to ensure a base level of security.

Pros
  • Ability to ensure the proper protection around the entire device and ensure compliance with the set policies.
  • Central management of all mobile devices and ability to check statuses and compliance of each device.
Cons
  • Extremely intrusive on the management of the device and locking down of personal devices.
  • Significant issues locking down entire devices based on the volume of devices that are continuously being pushed into the market.
  • Degraded user experience and added troubleshooting requirements for the support team.
  • Discovery of information for Electronic Discovery (e.Discovery) becomes non-existent or extremely difficult.
  • Inability to separate personal data from company data.
MDM for us is a dying breed and eventually will phase itself out. Bold statement, yes, I know. If you look at the cons, they are some of the most important aspects to ensuring the protection of data and ensuring the user population doesn't go into a full-on assault against the security team. From a litigation and legal standpoint, there is no realistic way to separate corporate data from personal data. In most cases, legal teams have a significant problem with allowing personal devices to obtain sensitive information if that clear distinction isn't in play. From personal experience, being a CSO of a Fortune 1000, we went down the MDM route and mid-swing moved to MAM because of the amount of issues from the user experience and from multiple legal standpoints.

Mobile Application Management (MAM)

MAM in most cases provides protected containers that store all of the sensitive information within that container, password protected, along with the policies that you want to enforce within that bubble. All of the sensitive information is stored within a container that sits in one location on the device and is not allowed to cross over into the personal data side of the house. Let's look at the pros and cons for this:

Pros
  • Legal can clearly distinguish what information is contained on the phone that has any type of corporate or sensitive data on it.
  • Policies are pushed only to the container; user experience is not impacted for the entire phone.
  • The phone itself has a clear distinction of personal and corporate protections.
  • The ability to protect a smaller landscape and support more devices becomes a realization.
  • Can develop applications within the container and support the ability for single sign-on and other components all within the self-contained encrypted volume.
Cons
  • Loss of native apps and the "look and feel" of what the user is typically accustomed to.
In my opinion, the MAM side of the house is going to be the major push in the future. Security cannot continue down the road of being the draconian preventers and lock-downers of the entire organization. Security needs to remain simple and focused on keeping things simple. If you begin to intrude on devices in a negative way and hinder the employee's ability to use the personal device, the program and initiative is dead. From a MAM perspective, people either love it or hate it. For most, having to type in a PIN to get into a protected container may be a different experience than they are used to, but they can quickly get used to it. Stay away from MDM long-term; MAM is the future.

Mobile Information Management (MIM)

A small write-up on MIM: storing sensitive information in cloud infrastructures is still a difficult decision. Consider giving the secret recipes of your organization to the next-door neighbor. You're friends with the neighbor, he locks his front door, but he has a party with hundreds of people over every single day. Convert this to the MIM side of the house. You store the sensitive information in a remote third-party environment that you hope has good controls. They might have an SSAE-16 (woohoo!). What a lot of companies are doing is moving toward a MIM model that is stored locally within the protections of the organization. In this scenario, the information would be stored within the company with the same monitoring and protection mechanisms.

Pros
  • Centralized location for data and information.
  • Ability to access information from almost any device and share between multiple platforms.
Cons
  • Security around the information is an unknown.
  • Ability to apply controls becomes significantly difficult.
  • Monitoring becomes significantly difficult.
Bring Your Own Device (BYOD)

BYOD is becoming standard terminology and a standard trend. It's been tossed around for years; however, the technology was never really there. BYOD for security professionals is a scary, scary, scary concept. How can you protect a machine that is coming from home, has little to no security around it, is probably two years out of date (if lucky), and has every known piece of rootkit and backdoor on it? This is one hundred percent a valid concern and a major risk for organizations. Bringing your own device into the network introduces SIGNIFICANT risk to the entire company.

Now that we have the disclaimer in there, this type of movement can be good for an organization and business without being an insane headache for the IT and security team. I've only seen three proper implementations of BYOD in my lifetime, and they require significant investment. This is where it gets tricky. ROI on a large BYOD strategy is a tough one to swallow. This is where our communication skills kick in toward the business, to explain clearly what this means. You will need to invest in building out an infrastructure that can support the ability for users to access and perform work while ensuring that the risk to the organization is low. That alone right there is the only way a BYOD strategy can be successful: investment.

OK – I got buy-in to invest, I have bags of money, and what do I do now? I'll explain the successful implementations of BYOD and why they work. First, when a user brings a laptop or device into an infrastructure, there should be extremely limited access to the overall network. A lot of folks go down the road of allowing BYOD only on the wireless infrastructure because it is easier to implement things like 802.1X authentication to those devices and restrict access to the network. More successful organizations have implemented some form of NAC on the network side that, when a device is plugged in, isolates and quarantines it into its own VLAN, away from the rest of the network.

Step 1. Invest in some sort of NAC solution for the wireless and/or wired network side. You can typically get around this by utilizing a guest wireless network that has proper segmentation.

Step 2. Invest in something comparable to clean access. When a user plugs into the network – guest, wireless, or wired – an integrity check is performed to ensure proper protection and patching of the device. While anti-virus is a dying beast, it still provides a base level of assurance against common viruses found in the wild.

Step 3. Invest in a VDI infrastructure (virtual desktop infrastructure) that virtualizes and centralizes all of the virtual machines in a location from which information cannot be removed from the company. In a VDI environment you essentially remote into a machine that has all of your applications on it. You can publish specific applications based on user permissions and identity. In the network segment, ensure users can only hit these systems.

Step 4. Protect the sensitive data. Data should not be allowed on personal devices. This includes email. Users should not have the ability to sync email on their personal devices or download sensitive information from file shares. That should be self-contained within the VDI systems.

Step 5. Remove the ability to contact the Internet from the individual segment, except for heavily filtered and protected HTTP/HTTPS traffic. Egress connections are the main way an attacker establishes a connection back for further instructions. Ensure extremely tight outbound traffic and ensure massive proxy and filters are in place.

Step 6. Update your acceptable use policy to reflect that the company does not support the ability to save sensitive information on computers, and add a legal disclaimer about the right to monitor the activity on systems while plugged into the corporate network.

Pros
  • Promotes an open culture of openness and relaxed technology stance.
  • Possible cost savings down the road however this is often a misconception.
  • Ability to become technology agnostic and support multiple platforms.
Cons
  • Increased threat landscape for devices.
  • Lack of specific controls on the connecting device.
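Steps 1, 3 and 5 above amount to a simple reachability policy for the quarantine segment: the BYOD VLAN may talk to the VDI entry point and the filtering proxy, and nothing else. The following added example (not code from the original post or from TrustedSec) checks firewall flow logs against that policy and flags accepted flows that bypass it; every address, port and log line is constructed for the example.

```python
import ipaddress

# Constructed addressing for the example; adjust to your own segments.
BYOD_NET = ipaddress.ip_network("10.50.0.0/24")      # quarantine VLAN (Step 1)
CORP_NET = ipaddress.ip_network("10.0.0.0/8")        # everything internal
VDI_BROKER = ipaddress.ip_address("10.10.1.20")      # VDI entry point (Step 3)
EGRESS_PROXY = ipaddress.ip_address("10.10.1.30")    # filtering proxy (Step 5)

# The only (destination, port) pairs the BYOD segment may reach.
ALLOWED = {(VDI_BROKER, 443), (EGRESS_PROXY, 3128)}


def classify(src, dst, dport):
    """Verdict for one flow: 'allow', 'not-byod', 'lateral' or 'direct-egress'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in BYOD_NET:
        return "not-byod"                 # policy only covers the BYOD segment
    if (dst, dport) in ALLOWED:
        return "allow"
    if dst in CORP_NET:
        return "lateral"                  # internal host other than VDI/proxy
    return "direct-egress"                # Internet reached without the proxy


def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport action' firewall log line."""
    ts, src, dst, dport, action = line.split()
    return ts, src, dst, int(dport), action


def find_violations(lines):
    """Return ACCEPTed flows that the segment policy should have blocked."""
    found = []
    for line in lines:
        ts, src, dst, dport, action = parse_flow(line)
        verdict = classify(src, dst, dport)
        if action == "ACCEPT" and verdict not in ("allow", "not-byod"):
            found.append((ts, src, dst, dport, verdict))
    return found


# Constructed sample log: two good flows, two misconfigurations, one blocked attempt.
SAMPLE_FLOWS = [
    "2012-09-07T09:01:00 10.50.0.15 10.10.1.20 443 ACCEPT",   # VDI broker, fine
    "2012-09-07T09:01:05 10.50.0.15 10.10.1.30 3128 ACCEPT",  # via proxy, fine
    "2012-09-07T09:02:10 10.50.0.22 10.20.5.5 445 ACCEPT",    # file share reachable
    "2012-09-07T09:03:00 10.50.0.22 203.0.113.9 443 ACCEPT",  # proxy bypassed
    "2012-09-07T09:03:30 10.50.0.22 203.0.113.9 80 DROP",     # correctly blocked
    "2012-09-07T09:04:00 10.20.5.5 10.50.0.22 22 ACCEPT",     # not a BYOD source
]
```

Running find_violations(SAMPLE_FLOWS) returns the file-share and proxy-bypass flows, each of which means the segment's rule set does not match the Step 4 and Step 5 intent; point parse_flow at your own firewall export format to use it on real logs.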
That's it! You now have a full-fledged working BYOD strategy that minimizes the ability for a compromise of sensitive data. There is a fine line between too much security and the user experience. In this environment, the user should still be able to use the device in every way, browse the Internet, and still perform the functions of business.

Wrapping Things Up

Regardless of what technology you decide to move to, be wary and cautious of what you select for your corporate standard. We are purely basing this on working with a number of large customers that have implemented a wide variety of strategies, and on those that actually work. From an MDM perspective, it is extremely rare to see a successful long-term MDM program that works. Long-term, MDM is going to fizzle because of its inability to remain unobtrusive to the user population and devices. MDMs typically work in environments where the company provides the phones and full protection of the device is expected. BYOD can work. It needs to be carefully thought out from a security perspective and a return-on-investment perspective. Is it worth it? Think about that when moving into any strategy and the protection you are putting around the devices.

In closing, this is not a new topic; however, it has really become a mainstream issue facing organizations this year. The industry is struggling with what to do to solve these issues. Get ahead of the curve and get cracking on a strategy that best fits your business. Need help with your strategy? TrustedSec can help. We have extensive experience in developing programs around mobile strategies. Visit our mobile security section here.