Contrary to popular belief, mobile device management (MDM) does not include a security strategy. Learn about the difference between MDM and mobile device security management (MDSM).
By Winn Schwartau
After almost thirty years in security, I get a little finicky when I see terminology misused, misapplied and all too often, used to mislead. And so I take to task the unfortunate catch-all mobile acronym, MDM (Mobile Device Management) that is the current leader in misunderstanding, inaccuracy and false promises.
I am a security guy, and I like engineering-style precision, especially in rapidly emerging security disciplines such as mobility. I am not going to criticize specific companies – I hope to offer clarification and a much-needed more accurate alternative term: Mobile Device Security Management, or MDSM.
MDM, in both iOS and Android, offers a compact set of tools for a fairly basic level of device management. However, despite the repeated erroneous claims to the contrary, MDM is a not a mobile security solution. If it were, your laptop security posture would be as follows:
- Password length, complexity & duration controls
- Block adult materials
- Block browser and five Browser controls
- Erase laptop within 24 hrs using native Active Sync
That’s it. That’s all you get with MDM.
The industry should explicitly refer to comprehensive mobile security as MDSM, wholly independent of and distinct from MDM.† At last count there were around 80 MDM-only vendors, some of whom, more so than others, position MDM as an adequate mobile security solution.
Ask yourself a simple question: Would you (or your security sensitive organization and customers) ever deploy laptops with the anemic list of capabilities above and call it security?† Of course not.† MDM is not security.
Many organizations, initially under the belief that MDM tools alone would meet their security needs, are now discovering the cost and pain of dismantling their inadequate MDM approach in favor of deploying more comprehensive mobile MDSM suites.
Who today would deploy corporate laptops without at least some of the following controls in place?
- Anti-virus, anti-malware detection for email and downloads
- Wireless and company communications over a non-SSL VPN the user cannot bypass
- Force all, or some defined subset, of traffic over corporate resources
- IPS and hostile activity detection and remediation
- Firewalls with highly granular controls
- Content filtering
- Hidden IP address of the device
- Corporate DLP and SIEM enforcement
All of the above are crucial components of MDSM.
Of course the native MDM controls are one piece of a total mobile enterprise security architecture.† But as many companies have discovered, MDM alone is not up to the task.† As you examine MDSM in your shop, let me add a couple of additional ‘foods for thought’ that should be considered in all mobile device deployment plans.
- Should your mobile population be secured with the same amount of care and diligence you take in your fixed enterprise?
- Does your existing policy sufficiently address mobile security and the added risks they present?
- Should a mobile device be treated as a dumb terminal?
- How does data in transit and data at rest on mobile devices differ and affect your organization’s ability to maintain compliance?
- Are you going to attempt to work out an acceptable security-functionality balance for a BYOD (Bring Your Own Device) policy?
- Or, will you only allow devices under company control to touch your networks, much as you do with BlackBerry today?
Admittedly, proper MDSM is not easy. Yet because MDSM includes many specialized security controls and processes, vastly different than MDM, MDSM is deserved of independent recognition and identity – wholly separate from MDM.
WINN SCHWARTAU is the chairman of Mobile Active Defense, a smartphone security company.
