Mobile Device Management (MDM)

    • MOBILE DEVICE MANAGEMENT – DEPLOYMENT, RISK MITIGATION & SOLUTIONS From
    • Mobile Device Management. Confidential. Network Intelligence (India) Pvt. Ltd. Page 2 of 22

      NOTICE

      This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: fitness for a particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence.

      Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document, nor does it make a commitment to update the information contained herein.

      Copyright

      Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec, NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.

      Trademarks

      Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

      NII CONTACT DETAILS

      Network Intelligence India Pvt. Ltd.
      204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E), Mumbai 400 069, India
      Tel: +91-22-2839-2628, +91-22-4005-2628
      Fax: +91-22-2837-5454
      Email: info@niiconsulting.com
    • Contents

      1. Introduction
      2. Typical Design of MDM solution
      3. Understanding BYOD and MDM
         a. Bring Your Own Device (BYOD) policy and MDM in an enterprise
         b. Are BYOD and MDM same things?
         c. If I have a BYOD policy at my company, is MDM deployment necessary?
         d. Okay, so how do I effectively communicate mobile security policy to employees?
      4. Adopting "Personal-liable approach" for Mobile Devices
         a. Benefits in adopting "Personal-liable approach" for personal mobile devices
         b. Security costs incurred for adopting personal-liable approach
         c. Questions to ask before opting for Personal-liable approach for MDM
      5. Selecting an optimal MDM delivery methodology
         a. Premise-based
         b. Software as a Service (SaaS)
         c. Managed Services
      6. Designing BYOD policy before deploying MDM
         a. Do your Homework
         b. Identify user needs
         c. Enacting an End-User License Agreement (EULA) corporate policy
         d. Addressing the privacy concerns
         e. HR and Legal concerns
         f. Training Users and Helpdesk Support
         g. Addressing Authentication issues
         h. Defining Mobile Device Security Rules
      7. MDM Deployment
         a. Policy
         b. Risk Management
         c. Configuration Management
         d. Software Distribution
         e. Procurement issues
         f. Device policy compliance and enforcement
         g. Enterprise Activation / De-Activation
         h. Enterprise Asset Disposition
         i. User Activity Logging
         j. Security Settings
      8. Challenges during MDM implementation
         a. Hidden costs and corporate governance issues
         b. Employee unawareness about information security while using mobile endpoints
      9. Picking the right MDM vendor
      10. MDM vendors
         a. Popular MDM Vendor List
         b. Salient Features of some of the leading MDM vendors
      11. How we can help your organization?
         a. Strong support of Solutions Team
         b. Security Awareness Trainings
         c. Social Engineering Exercises
      12. References
    • 1. INTRODUCTION

      The explosive growth in the popularity of mobile devices and in their features has led to a sharp rise in the use of smartphones, tablets and mobile POS devices in the corporate world. Beyond the mobility advantage, these devices have become efficient enough to support business growth, better networking and higher employee productivity at the workplace. As the market for these devices continues to develop at an exponential rate, concerns about the safety of sensitive corporate data on mobile devices, in transit or at rest, grow proportionately, because tracking the data and relying on its integrity become increasingly challenging. Enforcing corporate governance and complying with local laws and trans-border regulations also pose a serious challenge. Hence a technical method to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises is the need of the hour, which has led to the development of Mobile Device Management (MDM).

      What is Mobile Device Management (MDM)? [1]

      Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablets, mobile printers, mobile POS devices, etc. This applies to both company-owned and employee-owned (BYOD) devices across the enterprise, as well as to mobile devices owned by consumers. By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.

      What do you mean by "over-the-air"?

      Over-the-air programming (OTA) capabilities are considered a main component of mobile network operator and enterprise MDM software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; send software and OS updates; remotely lock and wipe a device; troubleshoot remotely; and so on. OTA commands are sent as a binary SMS message. MDM enables IT departments to manage many mobile devices used across the enterprise.

      What is Open Mobile Alliance (OMA)?

      The Open Mobile Alliance (OMA) is a standards body which develops open standards for the mobile phone industry. The OMA Data Management specification is designed for management of small mobile devices such as mobile phones, PDAs and palmtop computers. It supports the following typical uses:

        • Provisioning: configuration of the device (including first-time use), enabling and disabling features
        • Configuration of Device: allow changes to settings and parameters of the device
        • Software Upgrades: provide for new software and/or bug fixes to be loaded on the device, including applications and system software
        • Fault Management: report errors from the device, query about the status of the device

      Since the OMA DM specification is aimed at mobile devices, it is designed with sensitivity to the following:

        • Small-footprint devices, where memory and storage space may be limited
        • Constrained bandwidth of communication, such as in wireless connectivity
        • Tight security, as the devices are vulnerable to virus attacks and the like
        • Authentication and challenges, which are made part of the specifications

      Why the sudden demand for managing mobile devices?

      The popularity of personal smartphones and tablets has created a strong demand to use personal devices at work. Employees feel more comfortable using their own devices for work and are willing to bear the cost of liability, maintenance and upgrades. The boost to employee morale and the cost savings to the employer are the major factors that make the employee-liable approach to personal devices at the workplace attractive. Also, the obvious networking advantages offered to C-level executives, managers and directors for extending business growth and exploring profitable avenues while on the move present a compelling case for using mobile devices at the workplace or during travel.

      However, the risks associated with these devices, such as sensitive corporate data falling into the wrong hands and the danger of litigation following an intentional or unintentional data breach or data lost with a lost or misplaced device, make a ready case for managing mobile devices. There are also legal and HR-related issues that need to be ironed out when adopting an "employee-liable ownership" approach to accountability for the devices. An organization is still responsible for maintaining security on these mobile devices under federal mandates such as SOX and HIPAA, but because the organization may not own the device in question in the first place, securing the device and its data becomes a tricky issue, and so does enforcing accountability. Using Mobile Device Management (MDM) solutions, organizations can partially own these devices by enforcing corporate policies and procedures on them. Hence investing in an MDM solution makes sense in these situations.
    • 2. TYPICAL DESIGN OF MDM SOLUTION [1]

      Typically, solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the handset and receives and implements the management commands. In some cases a single vendor provides both the client and the server; in others, client and server come from different sources.

      Central remote management, using commands sent over the air, is the next step. An administrator at the mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, or a group or groups of handsets. This provides scalability benefits, particularly when the fleet of managed devices is large.
    • 3. UNDERSTANDING BYOD AND MDM

      a. Bring Your Own Device (BYOD) policy and MDM in an enterprise [1]

      As the Bring Your Own Device (BYOD) business policy becomes more popular, corporations can use MDM to allow employee-owned devices inside the corporate firewall, thanks to better device management capabilities. Employees also have more freedom to choose the device they like instead of being forced by the IT department to use particular brands. Using MDM, IT departments can also manage employee devices over the air with minimal intervention in employees' schedules.

      b. Are BYOD and MDM same things? [2]

      No. BYOD (Bring Your Own Device) is a business policy of allowing employees to use their own devices for business-related work by granting access to company resources, backed by proper authentication controls. BYOD represents a policy of offering mobility to a very broad range of organization resources, typically delivered either by a robust mobile policy or managed via implementation of MDM, DaaS (Desktop as a Service) etc. MDM can be thought of as a subset of BYOD, designed to securely manage mobile device endpoints by enforcing corporate policies over the air on employees' mobile devices.

      c. If I have a BYOD policy at my company, is MDM deployment necessary?

      If you have designed and properly implemented a robust BYOD policy across your organization, evaluate your options carefully before going for an MDM solution. If the primary aim of adopting BYOD was only to get rid of device ownership, it will not make sense to invest in MDM (especially if your company is small or medium sized). However, if your aim is to prevent sensitive data leakage and enforce device security settings for employees as they access sensitive corporate resources, or if your business is rapidly scaling up, it definitely makes sense to implement MDM.

      Keep in mind that a proper mobile security policy has to be in place in any case to protect vital corporate information. MDM helps to reduce costs and improve productivity in the longer run when implemented correctly for the organization. If implemented improperly on a loosely defined security policy, it becomes expensive to maintain and achieves little to safeguard sensitive corporate information. Hence, proper care and precautions are needed to develop a robust mobile security policy before opting for an MDM solution.

      d. Okay, so how do I effectively communicate mobile security policy to employees? [12]

      Effective communication means making the policy as easy as possible for employees to understand. Make it simple and direct while keeping it short, sweet and to the point. If you can get employees to be aware of the security elements in your environment, they will be the ones who spot things and report them immediately, assuming they know what to spot and whom to report it to. Make them aware of the BYOD security policy first, not MDM. Help your employees understand what is at risk. It comprises not just theft, loss or exposure of information or of the device, but also other risks they face while they are mobile. Make them aware of the risks involved in the types of environments they encounter while being mobile and how they should address them.
    • 4. ADOPTING "PERSONAL-LIABLE APPROACH" FOR MOBILE DEVICES [3]

      a. Benefits in adopting "Personal-liable approach" for personal mobile devices

      Many organizations may offer their employees a fixed monthly stipend to help offset their monthly voice and data bill. This approach results in predictable mobile expenses for the corporation, and employees become responsible for the costs of their mobile devices and data plans. Hence, expenses related to mobility-related asset management, such as acquisition, maintenance, processing of payment for carrier invoices and disposal of devices, can be heavily reduced or eliminated.

      The organization may also position itself as a flexible employer and may be able to recruit and retain tech-savvy workers, who typically have a strong attachment to a favourite mobility platform. Productivity can increase as employees have more options when working out of the office. Additionally, organizations may be able to secure reduced monthly costs for service and premiere-level support from the carriers for their employees. It is generally observed that employees take better care of their personal belongings, as they are more attached to their devices because of the ownership they assume over them.

      b. Security costs incurred for adopting personal-liable approach

      While the personal-liable model offers benefits for both employees and employers, addressing the important issues of security and governance becomes more complicated and expensive. When sensitive corporate information is stored on a corporate-owned device, the organization can implement and enforce strict controls on the operating system and other features of the device, such as Wi-Fi and Bluetooth, to prevent unauthorized use of that sensitive information. This is not the case in the personal-liable approach, as the device owned by the employee is not a corporate asset but may carry sensitive corporate data.

      Security measures are required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices in the organization's network. Also, the company might incur additional expenses to support multiple mobility platforms. Support costs may increase as more, and higher-skilled, help desk personnel are required. Similarly, application development costs may increase.

      Organizations must implement an employee agreement to address topics that include acceptable use of personal devices and corporate access to the employee's device. The financial arrangements relating to stipends or reimbursement of actual expenses should also be included in this employee agreement. Corporate counsel should carefully weigh any record-keeping requirements for SMS text messages or call logs made from mobile devices and evaluate the potential legal consequences of capturing this information from employee-owned devices.

      Finally, employees may discover unexpected expenses associated with using their personal device for work. While their current voice and data plans may be sufficient for personal use, usage may expand dramatically when the device is used for work calls and applications. The cost increase may be sharp, especially for employees who travel internationally, where roaming charges make the costs very high. If the organization reimburses actual costs, an employee may find that they spend several hours a month separating out their personal costs before submitting the bill for reimbursement.

      c. Questions to ask before opting for Personal-liable approach for MDM

        • Are there any specific concerns that would preclude the use of employee-owned devices?
        • Is the organization willing to implement additional security controls to allow a broader range of devices?
        • Is the corporation willing to accept a short-term increase in risk to allow newer platforms access to data while the device's management and security tools mature?
        • How will the organization respond to inappropriate material on a personally-owned device? Who decides what is inappropriate?
        • Under what conditions could the organization examine the personal property of an employee?
        • What are the laws in your jurisdiction? Do laws differ depending on whether the employee uses the device for their own convenience?
        • If the risks associated with the personal-liable approach are too high, is there a subset of employees with a lower overall risk profile that might qualify for personally-owned devices?
    • 5. SELECTING OPTIMAL MDM DELIVERY METHODOLOGY [9]

      Three MDM delivery mechanisms are available. Which one you choose depends on your staff's expertise and the investment you are willing to make in deploying MDM in your organization.

      a. Premise-based

      If you want to maintain a high degree of control and also have reliable IT skills and resources, then you would likely select a premise-based solution. This is ideal if you prefer to directly control the system's security and administration. A premise-based MDM solution requires a larger up-front investment.

      b. Software as a Service (SaaS)

      If you don't want to maintain servers at your site(s) but still want the management and administration to be in your hands, then you should consider an on-demand offering. Customers can negate or minimize the up-front cost and instead pay a monthly or annual fee for the system.

      c. Managed Services

      If your IT department is over-extended or lacks the required expertise, you can consider a managed services offering. This option allows you to turn the management function over to experts who handle it for you. This proactive management service provides support without draining internal resources and still provides regular status reports, so that you are aware of specific items like roll-outs, software/hardware updates and asset/inventory control.

      Consider each method carefully. Ask vendors about their delivery options, and look for one that can support all of the deployment options to best serve you now and into the future.
    • Mobile Device Management Confidential  Network Intelligence (India) Pvt. Ltd. Page 13 of 22 6.DESIGNING BYOD POLICY BEFORE DEPLOYING MDM[5] A successful MDM implementation cannot be completed without proper planning of BYOD business policy and procedures. While BYOD policies establish a common ground of communication between the employer and the employee and defines the boundaries of data ownership present of the personal mobile devices, MDM offer the employer and organization a peace of mind if any unwanted incident is reported. The security of the data can be then be managed via remote wipe, encryption, self wipe etc. a. Do your Homework  Work with Legal and HR dept. to define personal device policy aligning with organization information policy  Use Social Media to engage the dialogue with employees to get a feel of their work style and support needs  Develop new authentication methods and device management policies that help safeguard corporate information and intellectual property.  Provide employee trainings for information security and IT Service Desk personnel about personal device policy. By applying safeguards to protect information and intellectual property, employees can select the tools that suit their personal work styles and facilitate their job duties. This improves their productivity and job satisfaction. Identify minimum security specifications such as,  Make Two- factor authentication mandatory to push e-mail  Secure Storage using encryption  Security policy setting and restrictions  Secure informational transmittal  Remote Wipe capability  Ability to check viruses from server side  Patch management and enforcement software for rules  IDS capabilities on server side of connection b. Identify user needs Construct blog/online poll or questionnaire to find out the needs of the user. Take user feedback on questions such as such as:  Why do you want to use your own device(s) for work? 
 What would you give up to use your device for work?  What does your personal device do to help you work?  Would you increase security habits for more device freedom? By analyzing the responses with close collaboration with HR and Legal Team, you can make informed decisions about going forward for forming the policy on usage of mobile devices.
    • Mobile Device Management Confidential  Network Intelligence (India) Pvt. Ltd. Page 14 of 22 c. Enacting a End-User License Agreement (EULA) corporate policy The EULA provides the employees very clear instructions of what they can or can't do with a device. Stress has to be placed for managing and protecting the corporate data stored on the device. Also, emphasis has to be placed not to share the un-locked device with non-corporate user including friends or family etc. If any company's data resides on their devices, they should be backed up to company owned device by default. Types of devices allowed such as tablets, smartphones etc. must be stated clearly in policy. The EULA policy must be generic enough to cover all the allowed devices sufficiently. EULA must be reviewed preferably each quarter to ensure as the technology and user demand change, legal protection provided by the policy remains up to date. Users must re-sign the updated EULA when they move to new technology. Finally, it should be made clear that employees who refuse to sign EULA can't use personal devices to access corporate information. d. Addressing the privacy concerns For addressing the privacy concerns, policy must clearly define the following terms:  Corporate-own data: Business Data or intellectual property owned by company.  Employee-owned data: Data owned by employee, such as task list, notes, family photos.  Personal data: Data controlled by privacy legislation such as medical records, home address. In cases where there is a cross-over between personal and corporate-owned data such as calendar records, the policy should state clearly that during investigation, the confiscated device's personal data may be viewed during forensic analysis. e. HR and Legal concerns HR policy must state clearly under what circumstances the employees will be subjected to be compensated outside their working hours. Time sheets must adequately reflect those activities. 
Legal policy must state that in case of legal hold or eDiscovery, the employee must immediately surrender his/her device on request after which all files may be copied and relevant ones may be used to pursue legal matter. Employees who are subjected to legal hold might have certain restrictions for device usage and should obey to continue work under those restrictions. f. Training Users and Helpdesk Support Stating the policy is the easy part. The hard part is to train users about what policy means and how to protect information on their devices as the BYOD trend and MDM implementation is relatively young and not well understood by users. Users must be made aware of the risks/penalties that will result if sensitive corporate information is leaked out by accident/intention. Sharing the device with family and friends should be discouraged and employees must be made aware of the risks that might emerge in advent of such behaviour. Violation of these rules must attract appropriate disciplinary controls
    • Mobile Device Management Confidential  Network Intelligence (India) Pvt. Ltd. Page 15 of 22 as defined by the policy. It is crucial for employees to understand that the helpdesk is to be contacted first in case of lost/stolen device. Once the incident is reported, helpdesk can quickly issue a data wipe on device over carrier wave. Many employees in a wave of panic might inform carrier service about the device lost/stolen first. In such cases, data wipe can't be issued as the carrier service has already been shut down on request of employee. Any charges incurred such as fraudulent calls etc may be reimbursed by company later. Apart from employees, helpdesk and support staff must undergo mandatory training to reduce any chances of miscommunication for any query raised by the employees. Care must be taken they don't accidently invalidate EULA policy by supplying incorrect answers. Here, extensive mock drills must be conducted after every policy review or revision to minimize such incidents from taking place. FAQ's manuals must be made available online to everyone for ready reference. g. Addressing Authentication issues For better security, two-factor authentication is used for accessing the corporate information. But since the device is unknown in this case, challenge lies how to achieve it. For this, a random text message is sent to predefined phone number. Thus, the text message sent by server is "must-know" factor and phone number is the "must-have" factor which enables 2-factor authentication. h. Defining Mobile Device Security Rules[12] A device used for accessing corporate data must have the following pre-requisites  The device user must have signed company's EULA policy.  It must have personal identification number (PIN)  It has to support a code lock  It has to have an auto lockout feature  It has to support encryption  It has to support remote wipe. 
Further, security policies such as the following must be enforced via MDM:
- User-defined lock code of the minimum length defined in the policy.
- Auto-lockout period set as per policy.
- Data wipe issued if the user reports the device as stolen.
- Automated data wipe (of corporate data only, or of both corporate and personal data) issued after “x” incorrect attempts to open the lock screen.
- All corporate data encrypted with a strong key.
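One way to express the device prerequisites and MDM-enforced policies listed above as an automated check, as an added example that is not taken from the original whitepaper or from any MDM product. The thresholds, field names and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # thresholds are assumed values; the organisation's policy sets them
    min_lock_code_len: int = 6
    max_auto_lock_secs: int = 300
    max_failed_unlocks: int = 10   # the "x" incorrect lock-screen tries
    selective_wipe: bool = True    # True: corporate data only, False: whole device

@dataclass
class Device:  # hypothetical inventory record as an MDM agent might report it
    device_id: str
    eula_signed: bool
    lock_code_len: int             # 0 means no PIN / code lock configured
    auto_lock_secs: int            # 0 means auto-lockout is disabled
    encrypted: bool
    remote_wipe: bool
    failed_unlocks: int = 0
    reported_stolen: bool = False

def violations(dev: Device, pol: Policy) -> list[str]:
    """Return the names of the prerequisite rules this device fails."""
    checks = {
        "eula-not-signed": not dev.eula_signed,
        "lock-code-too-short": dev.lock_code_len < pol.min_lock_code_len,
        "auto-lockout": not 0 < dev.auto_lock_secs <= pol.max_auto_lock_secs,
        "not-encrypted": not dev.encrypted,
        "no-remote-wipe": not dev.remote_wipe,
    }
    return [name for name, failed in checks.items() if failed]

def decide(dev: Device, pol: Policy) -> tuple[str, list[str]]:
    """Wipe triggers take precedence over ordinary compliance failures."""
    triggers = [name for name, fired in (
        ("reported-stolen", dev.reported_stolen),
        ("failed-unlock-limit", dev.failed_unlocks >= pol.max_failed_unlocks),
    ) if fired]
    if triggers:
        scope = "corporate-only" if pol.selective_wipe else "full"
        return f"wipe:{scope}", triggers
    failed = violations(dev, pol)
    return ("block", failed) if failed else ("allow", [])

FLEET = [  # constructed sample inventory, not real devices
    Device("dev-01", True, 6, 120, True, True),
    Device("dev-02", True, 4, 0, False, True),
    Device("dev-03", True, 8, 60, True, True, failed_unlocks=10),
    Device("dev-04", True, 6, 300, True, True, reported_stolen=True),
]
```

Calling `decide(device, Policy())` for each record in `FLEET` returns the action and the reasons for it, which is the pair a compliance report or alert would carry.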
7. MDM DEPLOYMENT[8]

Essential components of MDM to consider during the deployment phase are:

a. Policy

A well-defined policy provides management direction and support for IT and information security, and is the foundation for a solid framework implementation.

b. Risk Management

Periodic assessment of risk should be done. For high-risk cases, additional controls may be implemented to reduce risk to an acceptable level. Similarly, for low or non-existent risks, minimal controls may suffice.

c. Configuration Management

This involves automatic configuration of device settings such as password policy, email, Wi-Fi and VPN. This helps eliminate user errors and minimizes vulnerabilities caused by misconfiguration. It also includes configuration lockdown as per the user's role-based permissions to enforce corporate IT mobility policies.

d. Software Distribution

This includes over-the-air updates/patches for OSs, applications, synchronization, fixes etc. Backup and restore operations become vital when a device crashes or is replaced, and after any intentional or unintentional wipe-out. When software distribution is aligned with corporate mobile policies, it ensures that only trusted mobile applications are distributed. Together with configuration management, software distribution enables white-listing/black-listing of applications on mobile devices. For maximum efficiency, it is recommended to test mobile applications separately for trustworthiness before distributing them over-the-air via MDM.

e. Procurement issues

It is important to coordinate with the HR and Legal teams to define certain terms and conditions in policy and employee agreements. Liability for all parties must be clearly defined in these agreements.
This should include private usage of corporate services, expense compensation, employee privacy policy, shared responsibilities for device and content security, misuse, secure wipe of the device including personal data in case of device loss/theft etc.

f. Device policy compliance and enforcement

This covers device supply, control and tracking. Asset-based inventory assessments are critical prerequisites for policy enforcement to comply with corporate/regulatory mandates around policies, jail-broken/rooted device detection, encryption, privacy-based separation of corporate content vs. personal content etc. It also covers alerts and notifications for asset reporting about devices, users and apps. Overall, it provides effective governing control over mobile endpoint devices, which can be easily tested against ISMS standards such as ISO 27001, making audit activities easier as well.
g. Enterprise Activation / De-Activation

Proper implementation of this functionality to connect mobile devices to the enterprise network reduces the administrative burden of provisioning and re-provisioning on the IT department. Details exchanged with the server typically include OS, device identifier, IMEI number etc. After activation, some configuration settings might be changed, such as enabling encryption, password settings, application restrictions etc.

h. Enterprise Asset Disposition

This involves removal of physical devices by decommissioning, and releasing them to the BYOD owner in case of device exchange, upgrade or permanent decommissioning. Follow-up procedures include notifying inventory management, generating a user receipt, accepting the user's acknowledgement etc. If decommissioning is permanent, a secure wipe of corporate data must be done and the device should be handed over to the employee with his/her private data untouched.

i. User Activity Logging

Logging must be done carefully, in accordance with the privacy laws, rules and regulations of the country in which the company operates its business. Professional legal counsel must be consulted before defining the policies governing user activity logging.

j. Security Settings

These can be categorized into user security and data security. Data security consists of wiping corporate data/personal data in case of device loss/theft. It also extends to role-based user permissions enforced via MDM solutions. User security consists of encryption, authentication on enterprise portal login, lock code, and selective wipe in case a remote wipe is issued. Selective wipe leaves personal data as it is and erases only the corporate data residing on the mobile device. User security also covers certificate-based authentication.
8. CHALLENGES DURING MDM IMPLEMENTATION[6]

a. Hidden costs and corporate governance issues

Enterprises typically see MDM implementation as a measure to save costs and, in the process, manage mobile endpoints effectively. Often MDM is seen as a complementary exercise in tandem with BYOD policy. But the reality is that if your BYOD business policy is not properly defined or effectively enforced, an MDM solution will be patchy at best and cost-prohibitive at worst. Also, mobile OSs natively run in a sandboxed environment and hence, unless rooted/jail-broken, make it very difficult to enforce corporate policies. But as mobile OSs themselves evolve over time, many MDM-like features will be provided natively by them.

Corporate governance becomes complex as mobile endpoints, which may or may not be owned by the enterprise, are added to the asset inventory. If your mobile device policy or BYOD policy is not properly defined, MDM may report false positives or a large number of false negatives if not properly implemented. This will lower employee morale and cause confusion and mayhem in the workplace. Cost escalation might be the direct consequence of a bad implementation of the MDM solution.

b. Employee unawareness about information security while using mobile endpoints

Employees may freely share their devices with their co-workers, family members or friends, which can increase the chances of accidental data breaches of corporate information. Identity theft may result in extreme cases, and if some unwanted or intentional damage is caused by that, the blame rests squarely on the employee, who might have to suffer consequences such as job dismissal in case of fraud done by "his (enemy) friend".
Using social engineering, competitors can fool the employee into handing over his mobile device for a "few minutes" and gather valuable information for corporate espionage. To counteract these threats and the associated risk, information security awareness programs and trainings must be conducted on a mandatory attendance basis to equip employees to counter such attacks.
9. PICKING THE RIGHT MDM VENDOR[4]

On close observation, security features such as remote wipe, encryption and enforced password requirements are pretty standard and are provided by almost all the vendors. So, look at the other areas where you could address your business needs better. Key factors to consider while shopping for an MDM solution:

- Deployments: Assess how efficiently the MDM agent can be deployed on a new device. Deploying new phones isn't a one-time job; it's never-ending.
- White-list and blacklist filters: You'll have apps that every employee must install, some that are banned, and some that you insist are updated to at least a certain version.
- Custom Appstore: Is there a feature offered by the MDM vendor for installing custom, unapproved apps and setting up a company app store experience?
- Application Security: Does the MDM vendor offer built-in support for malicious application scanning?
- Browser security: Filtered mobile Web browsing can lower the risk of attack on a device. Is the MDM provider implementing this level of security?
- Encryption levels: Do you have to encrypt the entire device, or does the MDM provider let you encrypt company-specific or selected files and folders?
- Data wiping: Is there support for selective wipe, which erases only corporate data when a remote wipe is issued?
- Auto-provisioning of devices: Is there an option for automatic device provisioning?
- Architecture: Examine the vendor's approach to the MDM solution, such as a sandbox, virtualization or integrated approach. This is important in understanding the vendor's technology and in planning your future road map.
- Location capabilities and network access restrictions: Do you want to let employees use their device's camera for personal use but not at the office? Check whether the MDM solution supports such policies. How robust are the policies?
- Inventory management: Is it easy to search, custom filter and modify individual mobile endpoints for hundreds of managed mobile devices? What are the filtering capabilities provided?
- Reports: Is there built-in reporting for new devices provisioned, apps out of compliance and devices that haven't checked in for a day or a week?
10. MDM VENDORS

a. Popular MDM Vendor List

- MobileIron
- AirWatch
- Zenprise
- Good Technology
- FiberLink
- BoxTone

b. Salient Features of some of the leading MDM vendors[11]

MobileIron:
- Healthy mix of partnership relations with distribution channels and OEMs such as AT&T, Vodafone, Apple, Google, Microsoft, RIM, Cisco, HP and IBM.
- Demonstrates life cycle management, including usage monitoring, cost control, application deployment and version control.
- Offers strong support for corporate and personal devices.
- Strong reporting and dashboard capabilities.
- Supports text messaging archiving for devices connected to corporate email.

AirWatch:
- Has a strong security focus, with enterprise integration services that encrypt traffic between the enterprise's servers and its cloud system.
- Offers Web-based as well as agent-based enrolment.
- Strong capability to profile, with detailed and easy-to-use policy settings.
- Has a strong administrative interface which is easy to use and manage.
- Easily scalable and can support large numbers of users across multiple areas.

Zenprise:
- Zenprise Mobile DLP provides innovative secure container solutions to operate local mobile devices, as well as to be accessed in the cloud.
- Application-blacklisting technique works across Apple iOS and Google Android devices.
- Offers its own secure Web gateway and can also integrate with Blue Coat Systems and Palo Alto Networks.

Good Technology:
- Large installed base in regulated sectors, such as financial services, government, defense, public sector, healthcare and professional services.
- Good Technology has the strongest implementation of containerization.
- Has strong security capabilities, including FIPS 140-2 crypto libraries, end-to-end 192-bit encryption, multiple-factor authentication and multiple certifications.
11. HOW WE CAN HELP YOUR ORGANIZATION?

a. Strong support of Solutions Team

NII has been working in close association with leading MDM solution products. Our solution team is well trained and qualified to handle any support-related queries you may have. Currently we have an active MDM partnership with MobileIron. Our team consists of certified MobileIron experts who understand each and every module of the solution and have extensive hands-on experience.

b. Security Awareness Trainings

We conduct numerous security trainings for our clients and help them understand the risks faced by carrying corporate data on their mobile devices. We put forward the precautions and industry best practices they need to follow for securing sensitive information.

c. Social Engineering Exercises

We also conduct live sessions on social engineering exercises, which demonstrate through practical examples how even a person reasonably well informed about security can easily be tripped up by cleverly crafted social engineering attacks. Having knowledge of these kinds of attacks makes sure your corporate data is secure in the hands of your employees.
12. REFERENCES

1. http://en.wikipedia.org/wiki/Mobile_device_management
2. http://en.wikipedia.org/wiki/Bring_your_own_device
3. http://www.secureworks.com/resources/whitepapers-shortcut/74568
4. http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450
5. http://www.intel.in/content/dam/www/public/us/en/documents/best-practices/enabling-employee-owned-smart-phones-in-the-enterprise.pdf
6. http://software.intel.com/sites/billboard/sites/default/files/Maintaining_Info_Security_Allowing_Personal_Hand_Held_Devices_Enterprise.pdf
7. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
8. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Device_Management_Key_Components.pdf
9. http://www.wavelink.com/whitepapers/avalanche-delivery-whitepaper.pdf
10. http://i.dell.com/sites/content/business/solutions/whitepapers/en/Documents/unlocking-power-mobile-device-management.pdf
11. https://dell.symantec.com/system/files/Magic_Quadrant_for_Mobile_Device_Management_Software.pdf
12. http://searchsecurity.techtarget.com/news/2240148521/BYOD-security-policy-not-MDM-at-heart-of-smartphone-security
13. http://boxtone.com/white-paper-lp/enterprise-iphone-ipad-ciso-security-wp-web.aspx
14. http://info.desktone.com/whitepaper-byod-implications-for-it-virtual-desktops.html