Secure the Application, Not the Device
I was reading an article by Patrick Gray, A radical idea for Mobile Device Management: Don’t bother, when I realized that I wasn’t alone in this world. I have long viewed Mobile Device Management (MDM) as a red herring, and it felt good to find an ally.
For years, people have fought against restrictions on their company computers. This has been part of the spur behind the Bring Your Own Device/App/Cloud (BYOD) movement of the past several years. Do we want to head down that same path with mobile devices where we are dealing with an even wider variety of devices and less inherent control over the operating system than we did before BYOD complicated things?
Let’s think this through.
Start with the Math
Patrick states that MDM is essentially a $1500 solution for a $300 problem. He discounts the data. That is not the right math: the data is the most critical problem and can represent the most value.
Securing the device is also unlikely to lead to its recovery, be it a laptop or a phone.
Assume you are a thief. When stealing an item, it is all about speed. The less time you spend taking an object, the better your odds of getting away with it. You won’t take time to evaluate the security on a device until you are safely away. When you determine that it cannot be used, you’ll likely dispose of it in a way that can’t be traced back to you.
You aren’t going to return it.
Mobile devices are often stolen as thefts of opportunity: a cell phone carelessly left on a fast-food counter or in a chair at the airport. These thefts may be made by people without networks to sell the device. If it is secured, they may simply ditch the device.
No matter how you slice it, the MDM software isn’t going to prevent the loss of the device. It may allow you to find and retrieve it, but it is likely cheaper to just replace it than to track it down and recover it.
The Data Matters
What is at issue is the data. Email, documents, texts, and all sorts of business information are stored on, or readily accessed from, a phone. Let us break the theft down for a minute.
- Who stole it? A random person.
- Do random people care about what is on the phone? No.
- If you put a security code on the phone, will they try and access the data? No.
- What will they do? Wipe the device and start over.
Of course, that doesn’t remove the risk of the device falling into the hands of someone who cares about the data. That still needs to be protected. What can you do?
Encrypt the data. Make it enough of a pain that anyone who isn’t a competitor that intentionally targeted the device ignores the data.
You can encrypt in one of two layers. The first is the operating system layer, which leaves you with many of the same problems as MDM. The second is to make the applications do the work.
This is where we need to focus, both as application vendors and Chief Information Officers. The best way to solve the data security problem for mobile devices is to have the security implemented within the applications.
- They can encrypt data in transit and at rest.
- They can require their own authentication even when the phone has been left unlocked.
- They can let organizational administrators wipe the data from the app when the device is reported stolen. The person’s pictures will still be there should the phone be found, but the business data will be safe.
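As an added illustration (not code from the original post, nor from any vendor it mentions), here is a small Python model of what "make the applications do the work" can look like: an app-owned vault that keeps business records encrypted at rest, demands its own passcode regardless of the phone's lock state, and supports an administrator-triggered wipe that destroys only the app's key material and records, leaving everything outside the vault untouched. Every name in it (AppVault, demo, the passcode and file names) is constructed for the example. Because it uses only the standard library, the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus a tag); a real mobile app would use the platform's AEAD cipher and keystore for the same job, and the transmission side would sit on TLS.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # passcode stretching cost; tune per device class
SESSION_TTL_SECONDS = 300     # app re-authenticates after this idle period


class VaultLocked(Exception):
    """Raised when business data is requested without a valid app session."""


def _derive_keys(passcode, salt):
    """Stretch the passcode with PBKDF2-HMAC-SHA256; split into enc and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """Demo PRF keystream: HMAC-SHA256(key, nonce || counter) blocks concatenated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, blob):
    """Verify the tag before touching the ciphertext; reject any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AppVault:
    """Business data store owned by the app, independent of the device lock."""

    def __init__(self, passcode):
        self.salt = os.urandom(16)
        _, mac_key = _derive_keys(passcode, self.salt)
        # A stored verifier lets unlock() check a passcode without storing the key.
        self.verifier = hmac.new(mac_key, b"vault-verifier", hashlib.sha256).digest()
        self.records = {}       # name -> encrypted blob
        self._keys = None       # held in memory only while a session is open
        self._unlocked_at = 0.0

    def unlock(self, passcode):
        """App-level authentication, required even if the phone itself is unlocked."""
        if self.salt is None:   # wiped: nothing left to unlock
            return False
        enc_key, mac_key = _derive_keys(passcode, self.salt)
        candidate = hmac.new(mac_key, b"vault-verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.verifier):
            return False
        self._keys, self._unlocked_at = (enc_key, mac_key), time.monotonic()
        return True

    def lock(self):
        self._keys = None

    def _session_keys(self):
        if self._keys is None or time.monotonic() - self._unlocked_at > SESSION_TTL_SECONDS:
            self._keys = None
            raise VaultLocked("app authentication required")
        return self._keys

    def store(self, name, data):
        enc_key, mac_key = self._session_keys()
        self.records[name] = encrypt(enc_key, mac_key, data)

    def read(self, name):
        enc_key, mac_key = self._session_keys()
        return decrypt(enc_key, mac_key, self.records[name])

    def remote_wipe(self):
        """Admin-triggered wipe: destroys the app's records and key material only."""
        self.records.clear()
        self.salt, self.verifier, self._keys = None, None, None


def demo():
    """Walk through the post's scenario with constructed sample data."""
    personal_photos = ["beach.jpg", "kids.jpg"]   # outside the vault, untouched by wipe
    vault = AppVault("correct horse")
    vault.unlock("correct horse")
    vault.store("q3-forecast.xlsx", b"confidential revenue numbers")
    vault.lock()                                   # phone left unlocked, app still re-locks
    try:
        vault.read("q3-forecast.xlsx")
        read_while_locked = "allowed"
    except VaultLocked:
        read_while_locked = "denied"
    wrong_passcode = vault.unlock("guess")
    vault.unlock("correct horse")
    plaintext = vault.read("q3-forecast.xlsx")
    vault.remote_wipe()                            # device reported stolen
    return {"read_while_locked": read_while_locked,
            "wrong_passcode_accepted": wrong_passcode,
            "plaintext": plaintext,
            "records_after_wipe": len(vault.records),
            "unlock_after_wipe": vault.unlock("correct horse"),
            "photos_after_wipe": personal_photos}
```

Two design choices carry the post's argument. Keys exist only in memory during a session with an idle timeout, so a phone picked up unlocked still yields nothing from the app without its passcode. And the wipe removes the salt and verifier along with the records, so even the correct passcode cannot reopen the vault afterwards, while data outside it is untouched.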
MDM or Application Security
For a vendor, the answer is both. Many of the organizations that have deployed MDM solutions will want to take advantage of that investment. Working with key MDM vendors will make the short-term competitive situation more favorable.
Still, attention must be paid to application security. MDM isn’t going to be feasible in small to medium organizations, so key applications will need to be inherently secure. Given the environment in which we find ourselves in 2014 regarding the NSA, having an application that is secure without having to invest in other solutions is just a smart move.
If you are evaluating mobile applications for your organization, ask the tough questions. See if there is a plan beyond MDM. Look at the security roadmap. Make sure that they have people dedicated to making your data secure.
Let’s face it, it likely isn’t going to matter. There will likely only be one or two mobile devices whose data is made public. The question is, if all you have to do to prevent it is ask your application providers some tough questions, why don’t you?
The risk may be low, but it isn’t zero. You don’t want to be the shining example for everyone else.