Three options for securing data in BYOD

From MDM to MAM which is best for you?

This is a contributed piece by Anurag Kahol, CTO at Bitglass


Mobile working is an increasingly important factor in the attraction of new talent and the retention of experienced employees. Workers value having the freedom to work flexibly – at home, while travelling or outside normal working hours – and the ability to tailor working arrangements to suit their needs. Although mobility is now an essential part of today’s infrastructure, many IT leaders will admit that selecting a mobile strategy for the enterprise is no easy task. IT teams must balance the productivity and privacy needs of the workforce with the security needs of corporate data.

These mobile security challenges have been exacerbated in recent years by the rapid uptake of BYOD. Unmanaged or employee-owned devices require access to corporate data, but this increases the risk of sensitive data being leaked, especially if a device is lost or stolen. A further vulnerability is that BYOD devices represent a potential entry point for introducing viruses and malware to the rest of the corporate network.

Faced with a range of mobile and data management solutions on the market today, IT leaders can quickly lose track of what’s important – and what’s not – when mapping out their mobile security strategy.


ONE - The classic: agent-based Mobile Device Management (MDM)

Typically favoured by big companies looking to enforce company policies across a large number of mobile devices, MDM solutions install software in the form of a mobile agent on all devices so that they can be managed centrally by the IT department. Functions such as password protection, remote data wiping and the rejection of unsafe WLAN networks are all handled via a central administration interface.

Difficulties can arise with MDM if the device landscape to be managed is heterogeneous – in other words, if the system is required to cope with a large number of differing mobile operating systems. For example, some management functions may not be available for all device types. These systems are also notoriously complex to implement, so organisations will need to involve employees at an early stage to ensure that the planned solution adequately supports their workflows, and to assess whether the ongoing administration requirements will overstretch IT resources in the long term.

Employee privacy is a further important consideration. MDM software gives the company’s IT department wide-ranging access rights, which can lead to user acceptance problems. Employees may regard the company’s right to reset device settings, identify their location, or potentially harvest information on their device usage and internet habits as an unacceptable intrusion into their private lives and may therefore refuse to have the software installed on their own devices.

If the software is not installed, the enterprise is likely to simply ban the employee from working on their personal device. For this reason, agent-based MDM solutions work best for companies that provide staff with corporate-owned devices. When considering these solutions as part of a BYOD strategy, organisations will need to hold discussions with the workforce and explain functions and access rights in detail.


TWO - From the device to the application: Mobile Application Management (MAM)

In contrast to MDM, MAM puts the focus on protecting company-provided applications. MAM is used primarily in the context of BYOD to support the everyday needs of workers – for example, a salesperson who wants to access email or in-house CRM systems when out in the field. In order to shore up data security, certain company applications are made available for mobile use and are managed centrally by the IT team. As with agent-based MDM solutions, MAM requires software to be installed on users’ devices, because if a device were lost, the agent is the only way these solutions can remotely wipe business data.

MAM solutions have some limitations, particularly around clamping down on shadow IT. MAM is only available for specific applications; it does not cover popular cloud applications like Gmail, Dropbox and Slack. Furthermore, to ensure adequate data protection, a usage policy must be put in place because MAM does not provide any device management functionality.


THREE - Homing in on data: Agentless Mobile Security

Developments in cloud-based security tools have given rise to a new set of mobile security solutions that can protect data directly without the need for an agent on the employee’s device. Encryption of sensitive data can be extended to all popular cloud apps such as G Suite, Office 365, Slack and Salesforce, which means that data is secure regardless of what application an employee is accessing via their personal device.

While both managed and unmanaged devices still need to be controlled centrally by the IT team, this can be done without installing management software or an agent on each and every end device. In this sense, these solutions are “agentless”. In practice, this means that the rollout time is much faster and users are less concerned about the enterprise having full access to their personal information.

These solutions can still offer all MDM functions, including data loss prevention and remote wiping of company data. Such agentless solutions are suitable for businesses specifically worried about access to cloud applications from personal devices. The increasing popularity of cloud services means the number of agentless solutions looks set to rise; analysts at Gartner predicted in 2015 that more than half of BYOD users that have an MDM agent on their device will be managed by an agentless solution by 2018.


Identify specific requirements

There are a number of factors to be taken into account when assessing a mobile security strategy, and the importance of each factor will vary depending on the type of business. Before deciding on a particular mobile management solution, a comprehensive requirements profile should first be produced. Key requirements to consider are sector- and company-specific compliance rules. The next step is to make sure that implementation will not be limited by practical problems – that is, by end users not wanting their privacy to be invaded.

Specifically, for BYOD, it will be important to establish what devices and operating systems employees are using and identify what applications they need on a mobile basis. Finally, it will be necessary to decide whether the solution needs to be backed up by legal agreements. In order to come up with an effective solution, all stakeholders will need to be involved in the decision-making process.