Mobility

The Evolution of Mobile Device Management

As tablets and smartphones become more sophisticated and widespread, agencies need more powerful MDM tools to keep them secure.

Alan Joch

Twitter

Alan Joch has been an independent business and technology writer for more than a decade. His expertise includes server and desktop virtualization, cloud computing, emerging mobile applications, and cybersecurity.

Mobile device management solutions have long been a staple of federal security efforts, but as mobile technology evolves, untethered users are doing more than just syncing calendars and reading email while on the road. They are also accessing sensitive agency data and interacting with proprietary applications, which opens the door to new security risks.

Agencies need MDM solutions that can do more than just carry out basic administrative tasks. Fortunately, MDM is keeping pace with these demands. "MDM is evolving in many interesting ways, and enhanced security capabilities are one of the most important examples," says Eric Klein, senior analyst at VDC Research.

Case in point: When healthcare providers at the Veterans Affairs Department meet with patients, many carry bureau-provisioned tablets that securely call up patient records. Although the underlying proprietary applications don't allow patient data to be downloaded onto the devices, the VA relies on the AirWatch MDM platform for other security controls, such as knowing the location of each device and who's using it.

"MDM is one of the cornerstones of a successful mobile program," says DJ Kachman, director of mobile technologies and client security for the VA's Enterprise Systems Engineering office. "We use MDM to see how each device is conforming to our policies, including if it's running approved applications and an approved version of the operating system."

Photo: Jimmy Daly

An agency's MDM solution must be flexible enough to handle the different ways that users employ their devices, says ATF's Walter Bigelow.

Verifying the validity of applications is one aspect of mobile application management, an operation that some vendors are combining with MDM solutions to create enterprise mobility management systems. These systems may also come with capabilities for creating secure workspaces that separate corporate and personal data, verify that encryption has been enabled on the device and give IT administrators a way to broadcast messages to mobile users. For example, the VA vets each new version of an operating system. "MDM gives us a consolidated method of communicating with all the users of mobile devices," Kachman says.

He sees bulked-up MDM programs as a positive trend for IT administrators. "It always makes more sense from an infrastructure perspective to have a solution that addresses a variety of capabilities rather than having to integrate a number of different components," Kachman says. "This gives us more control over how we expand going forward."

These new capabilities come on top of traditional MDM features, such as enforcing password policies, blocking jailbroken devices from logging on to agency networks and turning off device features that violate agency policies. MDM programs can also lock down lost or stolen devices and, when necessary, wipe the data that resides on them.

This feature came in handy for the Equal Employment Opportunity Commission when one of its executives reported losing a smartphone while on a Washington, D.C., Metro train during the morning commute. The agency used its MDM technology — the GO!Enterprise platform from Globo — to turn on the phone's geopositioning feature. The staff quickly determined that the phone was following the path of Metro's Red Line, indicating that it had probably dropped on the floor of a subway car rather than having been stolen. "This gave us insight into what had happened to the device so we could act accordingly," says CIO Kimberly Hancher. "We immediately followed our established procedures: We locked the device and did a full wipe of the data."

As a result, any sensitive government data or contact information that had been on the phone was protected from unauthorized disclosure.

19.3%

The expected growth in smartphone shipments in 2014 compared with 2013

SOURCE: IDC Worldwide Quarterly Mobile Phone Tracker, April 2014

Tailor MDM for Each Role

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) also is deploying flexible MDM systems that let managers easily enable or disable mobile device features. The agency provides smartphones and tablets to a wide range of users, from senior executives to field agents. The agency uses these devices to give users access to investigative reports, videos, calendars and email, as well as public mapping applications. ATF uses a combination of MDM solutions from Good Technology and AirWatch to administer and secure the devices.

"It's important to understand the various use cases and how agents may use mobile devices differently than managers and administrators," says Walter Bigelow, chief of ATF's IT Services Management Division. For example, the bureau disables Bluetooth communications on many of the smartphones it provides to staff members to reduce security risks. Phones for some field agents are an exception. "Agents who spend a lot of time in the car need hands-free capabilities," Bigelow says. "Otherwise, if you're holding a phone in one hand and a gun in the other, there aren't any hands left for the steering wheel."

NIST's Mobile Security Guidelines

MDM is just one element of an in-depth defense strategy for mobility. The National Institute of Standards and Technology's Guidelines for Managing the Security of Mobile Devices in the Enterprise updated its mobile security recommendations, originally published in 2008.

Among the recommendations are that agencies institute a mobile device security policy and secure each agency-issued device before providing it to a user. The publication includes guidance on securing organization-provided devices as well as personal smartphones and tablets used for work purposes.

5 Important MDM Considerations

Mobile experts say MDM success requires a mix of the right technology and implementation strategies. Here are five ways to get the most out of MDM.

Communicate early and often. As the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) develops its mobile policies, Walter Bigelow, chief of ATF's IT Services Management Division, and his staff meet with various stakeholders to document their needs. "Not only will you more successfully design policies appropriate for each person's role, but early involvement goes a long way to gaining end-user acceptance," he says. "People better understand what you're doing with the MDM tools and why."
Perform a risk analysis. Before selecting a solution, IT leaders should document the risks the agency faces with widespread use of mobile devices. For some, the top priority may be protecting regulated data, while others may put a higher premium on keeping outsiders from accessing the corporate network and services. "Every agency has a unique mission and different risks," says Tom Karygiannis, senior researcher at NIST. "Once you prioritize what's most important to you, you can start matching available tools to your needs."
Make sure the MDM solution supports existing applications. The Equal Employment Opportunity Commission relies on Novell GroupWise for email, a somewhat uncommon choice in the federal government. "One of the biggest drivers for us was having an MDM program that was capable of synchronizing with our email platform," says EEOC CIO Kimberly Hancher.
Similarly, IT managers must ensure that an MDM solution supports all the mobile operating systems used within the agency, including Android, Apple iOS, BlackBerry and Microsoft Windows.
Focus on the management console. The centralized administrative console within an MDM solution enables administrators to quickly apply new policies and update security settings, then roll them out to devices as users authenticate themselves to the agency network. Eric Klein, senior analyst at VDC Research, notes this is one of the core capabilities to evaluate when shopping for MDM. "It's a crowded market, so take solutions for a test drive and look closely at the consoles," he says. "Each has its own way of managing the various solution components, so IT managers must make sure the console fits their needs."
Regularly evaluate new products. The highly competitive and dynamic mobile management market means a constant flood of new features. So even after selecting a solution, agencies should stay abreast of new developments. "Our evaluations never end," says DJ Kachman, director of mobile technologies and client security for the VA's Enterprise Systems Engineering office. "Part of my team's responsibilities is to meet with new vendors and look at new technologies. We never rest."