If MDM is failing, what's the solution?

Just over a year ago Gartner forecast nearly two-thirds (65 percent) of enterprises would have adopted mobile device management (MDM) by the end of 2017. Six months later, however, an analyst for the same group told its 2013 Security and Risk Management Summit the market was "going to die". What changed?

For the uninitiated, organisations use MDM techniques to manage smartphones and tablets as they would laptop and desktop computers. Even non-techies should appreciate that with BYOD this is something of a stretch - for starters, it's harder to control employee-owned devices.

Here are some of the most common reasons MDM solutions fail:

Variety of platforms: It's relatively easy for the enterprise to manage corporate laptops and desktops running Windows. With smartphones and tablets, organisations have to contend with iOS, Android, Windows Phone devices and more. Android in particular poses problems because it's so fragmented, with many users still running three-year-old distributions.

Advancing technology: When MDM first arrived, BlackBerrys were the only viable business handset. Users expected a relatively humble set of features, primarily the ability to make phone calls and send emails. Today, the enterprise mobility landscape is unrecognisable - device owners expect to be able to run a wide variety of third-party, potentially harmful apps, and they'll happily transmit near endless streams of data through them. Gartner recently predicted that by 2017, smartphone users will send personal data to more than 100 apps and services per day - a nightmare for any IT department to manage.

Limited security controls: The app development tools for mobile operating systems like iOS and Android rarely allow the kind of low-level control MDM requires - and there's no other way for engineers to run their code on these devices.

Resistance from end users: Finally, implementing MDM is a struggle because typically, employees don't want IT poking around on the devices they own and use for leisure. Similarly, not many people are likely to report lost smartphones to their bosses if their employer's solution is to wipe it remotely, deleting personal data at the same time as business assets.

As Girard said: "I can't really whitelist or blacklist apps or have remote control or permission to wipe your device, and I can't tell you where to take your device because of BYOD."

So how else can organisations cope with BYOD? While blocking employee-owned devices entirely might seem like an attractive solution, it invites so-called 'shadow IT' setups - situations where the workforce uses technology in unsanctioned, un-vetted ways.

A better alternative is to secure the data, not the device. Instead of trying to manage employee-owned devices themselves, deliver sensitive information to unsecured smartphones and tablets in a controlled way that minimises the risk of loss or theft. Here's how:

• Secure the connection between device and server, so data in transit is encrypted and can't be intercepted.

• Use strong authentication, possibly two-factor, because it's so easy for an employee to lose their smartphone or tell someone else their PIN.

• Block any leakage vectors so your data stays in a secure environment. This means both putting barriers around suspicious network traffic and disabling user interface functions like taking screenshots.

• Use policy-based access controls so data is delivered in a way that's suitable for the device. For example, you might want to encrypt a file if it's opened on a smartphone or tablet for extra security.

• Encrypt sensitive data at source so it can't be intercepted before it even lands on the device. It should remain encrypted for as long as it's in memory.

• Convert files to read-only versions if it's too risky to give users access to the original. You could also watermark these documents so if they're leaked, the breach can be traced back to the party most likely to be responsible.

• Log everything, satisfying the requirements of compliance auditors and giving bosses early warning of suspicious behaviour.
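A sketch of how the controls in the list above fit together (policy-based delivery, read-only watermarked copies and logging every decision), added here as an illustration and not taken from the article or from any vendor's product. The device attributes, sensitivity labels, function names and demo key are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key (assumption); a real deployment loads this from a secrets store.
WATERMARK_KEY = b"demo-key-not-for-production"

@dataclass(frozen=True)
class Request:
    user: str
    device_type: str     # "laptop", "smartphone" or "tablet"
    managed: bool        # corporate-managed (True) or employee-owned BYOD (False)
    second_factor: bool  # did the user pass two-factor authentication?
    sensitivity: str     # "public", "internal" or "restricted" (hypothetical labels)

def decide(req: Request) -> dict:
    """Return how, or whether, a document is delivered to this device."""
    if req.sensitivity == "public":
        return {"action": "allow", "encrypt": False, "read_only": False}
    if not req.second_factor:
        return {"action": "deny", "reason": "two-factor required"}
    mobile = req.device_type in ("smartphone", "tablet")
    if req.sensitivity == "restricted" and not req.managed:
        # Too risky to hand over the original: read-only, watermarked copy only.
        return {"action": "allow", "encrypt": True, "read_only": True, "watermark": True}
    # Otherwise deliver the original, encrypted on mobile or unmanaged devices.
    return {"action": "allow", "encrypt": mobile or not req.managed, "read_only": False}

def watermark_id(user: str, doc_id: str) -> str:
    """Per-recipient tag to embed in a read-only copy so a leak can be traced."""
    msg = f"{user}|{doc_id}".encode()
    return hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:16]

def deliver(req: Request, doc_id: str, audit_log: list) -> dict:
    """Apply the policy and record every decision, denials included."""
    decision = decide(req)
    if decision.get("watermark"):
        decision["watermark"] = watermark_id(req.user, doc_id)
    entry = {"user": req.user, "doc": doc_id, "device": req.device_type, **decision}
    audit_log.append(json.dumps(entry, sort_keys=True))
    return decision
```

Because the watermark is keyed, a recipient cannot forge another user's tag, and the audit log records denied requests as well as successful deliveries.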

Instead of allowing security to take a backseat to profitable app ecosystems, take control. Ignore techniques and solutions that focus security on the device, which can't be controlled. Turn the problem on its head and focus efforts on what can be controlled – the data. BYOD brings a number of challenges for organisations but it also delivers huge advantages. They're not branded 'smart' for nothing.

Contributed by Jamie Bodley-Scott, global product manager of Cryptzone