By Kevin Sapp Published: April 17, 2012 on AOL Government
When it comes to mobile computing, what do organizations value the most? Consider the following: You lose your smartphone (or, worse, someone steals it). What first crosses your mind? Is it, “That’s going to cost $200 to replace”? Or, do you think, “Someone I don’t know has access to all of my ‘stuff,’ my contacts, my kids’ photos, my home address, my email”? The answer is obvious; you value the data.
The same is true of your organization.
Two macro-trends are fundamentally re-shaping the enterprise IT environment. The first, “consumerization of IT,” is the rapid proliferation of consumer technology; e.g., smartphones and tablets. The second, “Bring Your Own Device” (BYOD), means that employees want to use personal consumer devices to do their jobs. Employees who use mobile business applications have access to enterprise IT resources; e.g., corporate email, content management systems, shared files and other corporate databases.
BYOD presents a very different paradigm to IT than the old “corporate-issued BlackBerry model.” Before BYOD, the enterprise owned the devices and IT employed tools to manage them – in much the same way as they manage laptops, desktops and servers. These devices were almost solely for providing employees mobile access to business email. Enter the BYOD model, where the device is a platform for a wide variety of productivity-enhancing enterprise apps far beyond simple email, and for more than business use.
In the growing BYOD world, enterprise IT is ultimately charged with leveraging the consumerization of IT and BYOD to improve business performance, simultaneous with its long-standing duty to safeguard corporate data, responsibilities that often are in direct conflict. Thus, the crucial question for IT becomes, “How do you protect enterprise data on an employee-owned device?”
IT professionals dealing with this challenge are bombarded with information and, in most cases, misinformation by Mobile Device Management (MDM) vendors which, according to Gartner, now number over sixty. MDM vendors claim their products and services keep enterprise data secure while enabling mobilization of the enterprise workforce.
MDM provides asset management for non-BlackBerry mobile devices; e.g., iOS and Android devices, just as the BES server does for BlackBerry. The MDM industry emerged in response to the proliferation of non-BlackBerry devices in the enterprise.
What MDM vendors did not prepare for was the rapid shift away from corporate-owned to personally-owned devices in the workplace — BYOD.
MDM does what the name implies: it manages a physical device. While MDM allows IT to configure a limited level of data protection, such as a device-level passcode and remote wipe, the purpose of MDM is to manage the physical asset. MDM was not built to distinguish between enterprise data (what IT officials care about) and personal data (what the device owner cares about).
The following example illustrates this point:
MDM supports a “device-level” passcode, meaning that the user must enter a passcode to unlock the device before using any app. The passcode policy is enforced irrespective of whether the user wants to access a business app or a personal app. The problem is that a passcode policy that meets the length and complexity required to safeguard business apps is too onerous for general use. A passcode acceptable to the user, usually a simple four-digit numeric code, does not meet requirements for business.
MDM is too blunt an instrument to address data security issues. For enterprise IT, MDM is a machete when what is needed is a scalpel.
In the BYOD world, data loss is the crucial enterprise security challenge, and MDM is simply not equipped to address it. MDM has no contextual awareness: it doesn’t differentiate the personal and enterprise context and, thus, does not distinguish between personal data and enterprise data. MDM is unaware of a corporate-oriented app sending data to a consumer-oriented app and vice versa.
Consider this very common example of a mobile data breach:
An employee receives an email containing a sensitive document as an attachment and sends it to a personal backup app, such as Evernote. Evernote, as a normal function, automatically sends the attachment to the consumer cloud. The data has now leaked from the organization and is no longer under enterprise control.
This classic case of data leakage is what keeps IT administrators up at night, or it should. Existing MDM solutions are completely blind to this event. They don’t “see” it. They don’t prevent it. They don’t log it. MDM is not data loss prevention.
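The contrast the article draws, between a device-level view that only knows whether the device is compliant and a data-level view that can see an enterprise attachment leaving for a consumer app, can be made concrete in a small policy model. The following is an added illustration, not code from the article or from SpydrSafe; the app names, the transfer records and the "origin" label attached to each item are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed classification of the apps on a hypothetical device.
# An MDM sees these as installed bundles; a data-centric policy
# treats them as enterprise or personal contexts.
ENTERPRISE_APPS = {"corp-mail", "corp-docs"}
PERSONAL_APPS = {"evernote", "personal-photos"}


@dataclass(frozen=True)
class Transfer:
    """One app-to-app data movement observed on the device (constructed)."""
    source_app: str
    dest_app: str
    item: str      # file or attachment name
    origin: str    # "enterprise" or "personal": where the data first entered the device


# Constructed device state of the kind an MDM inventories.
DEVICE_STATE: Dict[str, bool] = {"passcode_set": True, "remote_wipe_enabled": True}

# Constructed sample transfers; the second is the article's Evernote scenario.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("corp-mail", "corp-docs", "q2-forecast.xlsx", "enterprise"),
    Transfer("corp-mail", "evernote", "q2-forecast.xlsx", "enterprise"),
    Transfer("personal-photos", "evernote", "kids-birthday.jpg", "personal"),
]


def device_centric_view(device_state: Dict[str, bool]) -> str:
    """Models the MDM perspective: a device is compliant or not.

    The function deliberately takes no Transfer argument, because a
    device-level policy has no model of app-to-app data flows at all.
    """
    ok = device_state.get("passcode_set", False) and device_state.get("remote_wipe_enabled", False)
    return "compliant" if ok else "noncompliant"


def data_centric_decision(transfer: Transfer) -> str:
    """Context-aware rule: enterprise-origin data may only move between enterprise apps."""
    if transfer.origin == "enterprise" and transfer.dest_app not in ENTERPRISE_APPS:
        return "deny"
    return "allow"


def evaluate(transfers: List[Transfer], device_state: Dict[str, bool]) -> List[dict]:
    """Evaluate every transfer under both views and build an audit record for each."""
    records = []
    for t in transfers:
        records.append({
            "item": t.item,
            "flow": f"{t.source_app} -> {t.dest_app}",
            "device_view": device_centric_view(device_state),
            "data_decision": data_centric_decision(t),
        })
    return records


def audit_lines(records: List[dict]) -> List[str]:
    """Render records as log lines; the device view is identical for every flow."""
    return [
        f"{r['flow']:<32} item={r['item']:<20} device={r['device_view']} data={r['data_decision']}"
        for r in records
    ]


if __name__ == "__main__":
    for line in audit_lines(evaluate(SAMPLE_TRANSFERS, DEVICE_STATE)):
        print(line)
```

Running it prints one line per transfer; the device view reads "compliant" on all three, including the leak, while the data-centric rule denies only the enterprise attachment headed for the consumer app and allows the personal photo to go wherever the owner likes. That asymmetry is the scalpel-versus-machete distinction: the decision has to be keyed on the data's origin and the destination context, not on the state of the handset.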
MDM is now a commodity; the market is bloated by entrants that are not qualitatively differentiated. At the product level, most MDM vendors are engaged in a “feature war” and suffer from a lack of technological innovation.
The dilemma for enterprise IT is that MDM vendors sell products that don’t solve the problem of data leakage. Sixty-plus MDM vendors have hijacked the term “data loss prevention” (DLP) because data loss is a big problem for their customers. Customers want DLP solutions. No matter how often MDM vendors say they are, MDM isn’t DLP!
When you cut through the marketing noise, MDM is stuck in a relatively simple, device-centric world. It hasn’t evolved the intelligence to survive in the vast and complex landscape of mobile apps and data. MDM vendors don’t have DLP, but they keep trying to convince the world that they do. A modern day version of “Pay no attention to the data behind the curtain.”
MDM doesn’t matter – devices don’t matter – it’s the data that matters!
Kevin Sapp is chief technology officer, SpydrSafe Mobile Security, Inc.