MDM, security vendors scramble to address BYOD security issues

Organisations are looking beyond NAC and MDM to resolve BYOD security issues; MDM, security and hybrid vendors are responding with new products.

Results of a new Juniper Networks survey revealed nearly a quarter of European companies have experienced a security breach as a result of personal mobile devices accessing company data.

Last March, Juniper surveyed over 4,000 mobile device users and IT decision makers in the US, the UK, Germany, China and Japan, and reported the findings in its inaugural Trusted Mobility Index (.pdf) report earlier this month.

Organisations have so far used network access control (NAC) technology or a mobile device management (MDM) product to secure their mobile devices. But with a 155% growth in malware targeting mobile devices in 2011, as observed in the Juniper report, security vendors are rushing to bring new mobile device security products to market.

Convergence of mobile security tools
“BYOD [bring your own device] is a risk and an opportunity that businesses have to accept rather than one they can choose to embrace or not,” said Windsor-based Quocirca security analyst Bob Tarzey. “It is a converging market with several technologies coming together that allow businesses to deal with the consumerisation of IT.”

“A lot of the traditional endpoint security companies do not have products suitable [for BYOD], and that is why they are making acquisitions or developing software to do it,” Tarzey explained.

For example, NAC supplier ForeScout Technologies and Fiberlink, a provider of cloud-based mobile device management and security, recently partnered to introduce an integrated MDM and NAC offering. And last month, BYOD-focused desktop virtualisation company AppSense announced it will acquire RAPsphere, a developer of MDM products.

Tarzey believes products like these are likely to converge around four fundamental BYOD security issues:

  1. Network access control;
  2. Protection of sensitive data (for which businesses have used technologies like DLP and endpoint encryption);
  3. Protection from malware (by insulating systems from the device or putting antimalware on the device itself);
  4. Cost, including the costs of products such as antimalware and also liability for employees’ mobile phone bills.

“Cost is a big part of MDM that companies are starting to address. This is why ForeScout has teamed up with Fiberlink to not only manage the device and make sure it is secure,” Tarzey said, “but also to manage the contract and the billing.”

He added, “There is a very strong mobile device management industry led by companies like Good Technology, MobileIron and Fiberlink. But a PC or a dongle is also a mobile device and you’re going to need two tools to secure it. So it does make sense to have integration and that convergence will continue.”

MDM: A container-based approach
Evidence of the healthy competition in the MDM market was seen earlier this month when analyst firm Gartner identified more than 100 MDM vendors. Gartner predicted more mature managed services will emerge during the next three years to drive growth in the industry.

“Organizations have to decide whether a heavyweight (container-based) or lightweight (policy-based) approach is appropriate for them,” said Terrence Cosgrove, research director at Gartner, in a Gartner press release. “A variety of factors come into play here, including device ownership (whether the user or the organization owns the device), security, compliance, application delivery and device usability.”

With a policy-based approach, access to corporate data is controlled by setting access policies on the mobile device. A container-based approach separates enterprise data and apps from the mobile device’s native environment. Containers are sometimes used to separate corporate and personal data on the device.

Garry Lengthorn, IT manager for London-based international recruitment firm SThree, has taken a container-based approach to MDM security in his organisation. Lengthorn began using Good Technology's Good for Enterprise last year.

“With the browser experience within the Good container as well as the email, managers on the road can access information from their mobile devices on the internal intranet via the browser,” Lengthorn said.

Lengthorn did not want to take on mass management of personal devices. “There was the potential to use MDM devices to wipe these devices, but we were concerned about going into the grey area of wiping corporate data off personal devices.”
