BYOD (Bring Your Own Device) has become MDM (Mobile Device Management).
Within a corporate environment users will want to have access to phones and laptops to work within and outside of the traditional office. From a security viewpoint the organisation needs to ensure these are used appropriately and do not compromise security.
An effective although costly solution is to acquire and distribute devices centrally. This enables operating systems and applications to be locked down. Centralised control and monitoring can be installed at the device level. Co-ordinated implementation will ensure that only a limited range of devices and applications are supported; minimising the systems that need supporting. Hardware constraints can be added such as physical locks on devices. Geographical use can also be limited or monitored through ‘hard coded’ access to limited network access points. Devices can be disabled or wiped remotely if reported as lost or inappropriate use is suspected. As these are corporate devices there should not be any objection to their use by employees. There a cost in the initial purchase or lease of the hardware plus that inventory must be kept up to date. Within a few years any device will appear outdated compared to more recent models. Eventually it will no longer support current systems leading to a dependence on outdated solutions that will struggle to cope and be subject to security issues that can no longer be fixed. If the corporate solution is notably inferior to other options; employees will try to avoid their use and look to their own devices.
Where users are allowed to access corporate data through their own devices it will be necessary to control what is accessed and by whom. There will be resentment from employees to having their devices reset for corporate use only. If this is overcome, perhaps by a suitable incentive scheme, there is no still control over the range of devices that employees might use. Either the system must support a wide range of differing hardware and software or employee device use will be restricted to a limited list of approved models.
Mobile Device Management requires control of access to data, operating systems and applications. The key security concern is the data, applications being a way to control access to that data. For operating systems and applications there is also the issue of ensuring that all instances are appropriately licensed and updated.
One solution is the virtual desktop approach. The virtual machine is loaded with appropriate applications and access can be restricted to accounts, devices or locations. The accessing device only needs the application launch program installed (together with other controls such as VPN credentials). When connected to the virtual desktop it is that environment within the network server that is accessing and storing data. The local machine is acting as little more than a dumb terminal. When the session is terminated the local machine can resume its ‘normal’ functions but with no access to corporate data. Virtual desktops make control of access and licensing relatively easy. There do need to be enough instances available within the organisation. This does not need to be one for every employee but if access is required and no ‘free’ desktop is available the individual will simply be unable to access the system.
A minimal implementation of remote access would be on-line applications and storage. DropBox is a well known name in the field. Amazon’s AWS S3 buckets are a more recent solution to cloud storage. Microsoft offer Office 365 which includes SharePoint and also controls access to licensed applications within an organisation. Caution needs to be exercised in these solutions. Sharepoint can be run from a local server or cloud files can be synced with a local device. With a move from hosting in-house to cloud solutions in general these approaches appear attractive. Who has accessed data can be restricted to user groups and roles. Activity can be monitored and rules for alerting administrators set.
Dedicated MDM solutions are unlikely to do much more than provide access to remote data (cloud or on premises) but aim to optimise monitoring and control. These systems need to be operating system independent with options for mobile device systems as well as Windows and Mac (and possibly major Linux distributions). The implementation of easy to use management controls both centrally and on the local device will cut down administration time and enable issues to be swiftly followed up. It is still the onus of the administration to pick up on alerts and monitor traffic for unusual activity.
With a range of bespoke solutions and offerings from the major players choice of a MDM system should not be a hasty choice. Kindus will investigate the needs of your business and suggest the best solutions to meet your needs together with a bespoke cost benefit analysis.