Evolution of mobile device management strategies


About the Author

Dom Hume is vice president of technical products and services at Becrypt.

As companies continue to innovate for savings through the use of increasingly sophisticated and ubiquitous mobile technologies, many of them face the ongoing risk of managing a constantly growing fleet of devices. To manage the complexity of multiple mobile hardware and software platforms successfully, they need a convenient, secure, and cost-effective way to manage, monitor, and track those devices.

The best way to do this is to implement an end-to-end mobile device management (MDM) strategy, which can mean taking the entire hardware and software stack into account, to make efficient use of the time and resources needed to secure and monitor business-critical mobile devices.

I have summarized four topics that we consider important for organizations implementing a robust MDM strategy, much of it based on the work we have done with the UK government.

Choose a device manufacturer committed to security patches

It is important to note that Android and iOS take fundamentally different approaches to the phone ecosystem. Apple has a closed ecosystem, while Android is an open platform on which phone manufacturers build their own devices. Google releases updates and patches for its own Pixel phones and, at the same time, releases the patches to the Android community as a whole.

Inevitably, it takes time for each manufacturer to integrate, test, and release a patch for its own phones. The result is a window during which publicly known vulnerabilities can be exploited, and the length of that window depends on the responsiveness of the manufacturer. The Apple ecosystem has no direct equivalent of this situation.

It is also important to research the length of patch support a manufacturer has committed to, as this often correlates with how responsive its patching is. Organizations with long-term projects may want to rely on specialized manufacturers, such as Bittium, that commit to an extended device life cycle.
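As an added example, not from the article or from Becrypt, here is the kind of fleet check an MDM administrator can run over inventory data to make patch lag and remaining support lifetime visible. Android exposes the current security patch level in the system property ro.build.version.security_patch (readable with `adb shell getprop ro.build.version.security_patch` and exported by most MDM inventories). The device records, the reference bulletin month, the "today" date and the manufacturer support end dates below are constructed sample data and assumptions, not real devices or real vendor commitments.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed reference point: the month of the most recent Android Security
# Bulletin the fleet is measured against (constructed for this example).
LATEST_BULLETIN = date(2019, 6, 1)
# Assumed "now" for the example so that the report is reproducible.
TODAY = date(2019, 6, 15)


@dataclass
class Device:
    serial: str
    manufacturer: str
    model: str
    security_patch: str   # value of ro.build.version.security_patch, "YYYY-MM-DD"
    support_ends: date    # manufacturer's committed patch end date (assumed)


def parse_patch_level(value: str) -> date:
    """Parse an Android security patch string such as "2019-05-05" into a date."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def months_behind(patch: date, reference: date = LATEST_BULLETIN) -> int:
    """Whole months between a device's patch level and the reference bulletin."""
    delta = (reference.year - patch.year) * 12 + (reference.month - patch.month)
    return max(delta, 0)


def assess(device: Device, today: date, max_lag_months: int = 2,
           warn_days: int = 180) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    lag = months_behind(parse_patch_level(device.security_patch))
    if lag > max_lag_months:
        findings.append(f"patch level {device.security_patch} is {lag} months behind")
    if device.support_ends < today:
        findings.append(f"manufacturer support ended {device.support_ends}")
    elif (device.support_ends - today).days < warn_days:
        findings.append(f"manufacturer support ends within {warn_days} days "
                        f"({device.support_ends})")
    return findings


def fleet_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device serial to its findings, for the whole fleet."""
    return {d.serial: assess(d, today) for d in devices}


# Constructed sample inventory (serials, models and dates are invented).
SAMPLE_FLEET = [
    Device("A1", "VendorOne", "Model X", "2019-06-05", date(2021, 6, 1)),   # current
    Device("B2", "VendorTwo", "Model Y", "2019-02-05", date(2021, 6, 1)),   # 4 months behind
    Device("C3", "VendorOne", "Model Z", "2019-05-05", date(2019, 8, 1)),   # support ending soon
    Device("D4", "VendorThree", "Model W", "2018-12-05", date(2019, 3, 1)), # unsupported and stale
]

if __name__ == "__main__":
    for serial, findings in fleet_report(SAMPLE_FLEET, TODAY).items():
        print(serial, "OK" if not findings else "; ".join(findings))
```

Feeding the real inventory export into `fleet_report` instead of `SAMPLE_FLEET` turns the manufacturer's patch responsiveness from an abstract procurement criterion into a number per device, which is what makes the "choose a committed manufacturer" advice enforceable after purchase.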

Plan lifecycle management for your applications

From an app provisioning point of view, the Apple App Store and Google Play Store perform the same function. Although they differ in approach, neither platform any longer favors users side-loading applications.

Since its inception, Apple's App Store has imposed a quality and compliance review that apps must pass before they appear in the store. App developers can still sign their own apps and deploy them to devices through MDMs that offer private app stores. However, if the developer's certificate is revoked, those apps stop working.

A safer method is to have your developer submit the application to the actual App Store, where applications are checked to make sure they work and do not undermine the functionality or security of the device. For businesses, Apple created the Volume Purchase Program (VPP), which allows an organization to distribute an app only to itself or to specific customers.

It is important to note that applications are not always delivered from Apple's own servers; they are often served by a content delivery network. Every iOS device has the App Store built in, and it can be disabled from an MDM server. Organizations can also proxy application downloads and updates through the MDM server.

Google has also implemented an app validation process, with a review stage that can be somewhat time-consuming. Although there is no business-only Play Store, Google offers a "private app" concept that lets business applications be distinguished from personal ones, and MDM administrators can remove the business applications from a managed phone. As with "bring your own device", the organization sets the rules and locks down the device while leaving the user some freedom to customize it for personal use. This gives the user a sense that a degree of privacy is guaranteed, but it is not a security control in itself.

Consider a "split proxy" architecture for high-risk environments

Organizations that are high-value targets for sophisticated cyberattacks are increasingly concerned about the consequences of an MDM server compromise. An attacker who breaches the MDM server can locate and unlock any managed device, which is a serious threat to company security. A compromised server can also be used for subsequent lateral movement within the network, or as an ideal point from which to exfiltrate data.

The data security issues associated with mobile device management stem from characteristics imposed by the smartphone ecosystem, and they apply whether an organization runs its MDM on-premises or consumes it as a cloud service. MDM servers speak complex communication protocols with multiple Internet services, such as push notification systems and online application stores. These channels are typically authenticated and encrypted end to end, which prevents them from being inspected for threats.

An organization or its service provider is therefore left to either open firewall ports to an MDM server hosted on its most trusted network segment, or host the MDM server on a less trusted segment, a kind of "demilitarized zone". In the end, this amounts to a choice between exposing the secure network and sacrificing the MDM server.

One way to limit the risk of such a compromise is to choose a solution with a "split proxy" architecture. A set of proxy servers residing in a demilitarized zone terminates the encrypted communications with the smartphone ecosystem that an MDM server requires. The MDM traffic can then be inspected by the proxy servers and passed through a web application firewall to detect anomalies.

The MDM server itself can be hosted on the secure network, communicating with the proxy servers over a secured and tightly controlled channel. This type of solution offers a significantly improved level of defense while remaining completely transparent to the end user.
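As an added illustration, and not the article's or Becrypt's own design, the following shows the kind of protocol-aware inspection a DMZ-side proxy in a split-proxy architecture can apply to device traffic before relaying it to the MDM server on the trusted segment: only the endpoints a device legitimately talks to, with the expected method, Host header, content type and body size, and for check-ins a message type the protocol actually defines. The hostname, endpoint paths and size limit are assumptions; the two MIME types are the ones Apple's MDM protocol uses for device check-in and command responses (verify against the current protocol reference); the sample requests are constructed.

```python
import plistlib
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit

MDM_HOST = "mdm.example.com"      # assumed public hostname devices are enrolled against
MAX_BODY_BYTES = 512 * 1024       # assumed upper bound for a device message body

# Endpoints a device may reach through the DMZ proxy, with the only method and
# Content-Type the protocol uses on each. Paths are assumptions for this example.
ALLOWED_ROUTES = {
    "/mdm/checkin": {"method": "PUT", "content_type": "application/x-apple-aspen-mdm-checkin"},
    "/mdm/server": {"method": "PUT", "content_type": "application/x-apple-aspen-mdm"},
}
# MessageType values a device can send to the check-in endpoint.
CHECKIN_MESSAGE_TYPES = {"Authenticate", "TokenUpdate", "CheckOut"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw: bytes) -> Tuple[bool, str]:
    """Decide whether the DMZ proxy relays this request to the internal MDM server."""
    try:
        method, target, headers, body = parse_request(raw)
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request"
    if headers.get("host") != MDM_HOST:
        return False, "unexpected Host header"
    # Decode percent-encoding before checking the path, so "%2e%2e" is seen as "..".
    path = unquote(urlsplit(target).path)
    if any(segment in ("", ".", "..") for segment in path.strip("/").split("/")):
        return False, "suspicious path"
    route = ALLOWED_ROUTES.get(path)
    if route is None:
        return False, f"path not exposed to devices: {path}"
    if method != route["method"]:
        return False, f"method {method} not allowed on {path}"
    if headers.get("content-type") != route["content_type"]:
        return False, "unexpected Content-Type"
    try:
        declared = int(headers.get("content-length", "-1"))
    except ValueError:
        return False, "bad Content-Length"
    if declared != len(body) or declared > MAX_BODY_BYTES:
        return False, "body length mismatch or body too large"
    try:
        message = plistlib.loads(body)   # device messages are property lists
    except Exception:                    # malformed XML or binary plist
        message = None
    if not isinstance(message, dict):
        return False, "body is not a plist dictionary"
    if path == "/mdm/checkin" and message.get("MessageType") not in CHECKIN_MESSAGE_TYPES:
        return False, "unknown check-in MessageType"
    return True, "relay to internal MDM server"


def build_request(method: str, target: str, content_type: str, body: bytes,
                  host: str = MDM_HOST) -> bytes:
    """Assemble a raw HTTP request; used only to construct the sample traffic below."""
    head = (f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed sample traffic: one legitimate check-in and several things that
# should never reach the MDM server on the trusted segment.
CHECKIN_CT = ALLOWED_ROUTES["/mdm/checkin"]["content_type"]
AUTH_BODY = plistlib.dumps({"MessageType": "Authenticate",
                            "UDID": "00000000-0000-0000-0000-000000000000",  # placeholder
                            "Topic": "com.apple.mgmt.External.example"})      # placeholder
SAMPLE_REQUESTS = {
    "authenticate": build_request("PUT", "/mdm/checkin", CHECKIN_CT, AUTH_BODY),
    "traversal": build_request("PUT", "/mdm/%2e%2e/admin", CHECKIN_CT, AUTH_BODY),
    "admin_get": build_request("GET", "/mdm/admin", "text/html", b""),
    "wrong_host": build_request("PUT", "/mdm/checkin", CHECKIN_CT, AUTH_BODY,
                                host="mdm-internal.corp.example"),
    "bogus_type": build_request("PUT", "/mdm/checkin", CHECKIN_CT,
                                plistlib.dumps({"MessageType": "DumpDatabase"})),
    "not_plist": build_request("PUT", "/mdm/server",
                               ALLOWED_ROUTES["/mdm/server"]["content_type"],
                               b'{"cmd": "DROP TABLE devices"}'),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        allowed, reason = inspect_request(raw)
        print(f"{name:13} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The point of doing this in the DMZ rather than on the MDM server is that the checks run on a host whose compromise does not by itself unlock the fleet: the internal server only ever sees requests that already match the protocol it expects, and everything else is logged and dropped before it crosses the trust boundary.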

Consider business goals before implementation

Ultimately, organizations that prioritize the protection of data and employees as part of their MDM strategy must assess what they need from their mobile devices and how those devices will be used. A multi-purpose device that needs access to several back-end systems, including sensitive customer data, will almost certainly require a significant budget outlay, along with rigorous risk analysis.

On the other hand, a small business continuity project that simply keeps employees informed of what to do outside office hours in certain circumstances can be accomplished without any MDM implementation at all.

Whether a business operates in a high-threat or low-threat environment, it must select an MDM solution robust enough to protect its data from increasingly sophisticated and well-funded adversaries seeking to infiltrate the mobile ecosystem and compromise business data.
