Secure the Application, Not the Device

I was reading an article by Patrick Gray, A radical idea for Mobile Device Management: Don’t bother, when I realized that I wasn’t alone in this world. I have long viewed Mobile Device Management (MDM) as a Red Herring and it felt good to find an ally.

For years, people have fought against restrictions on their company computers. This has been part of the spur behind the Bring Your Own Device/App/Cloud (BYOD) movement of the past several years. Do we want to head down that same path with mobile devices where we are dealing with an even wider variety of devices and less inherent control over the operating system than we did before BYOD complicated things?

Let’s think this through.

Start with the Math

Patrick states that MDM is essentially a $1500 solution for a $300 problem. He discounts the data. This is not the correct math as the data is the most critical problem and can represent the most value.

Securing the device isn’t also likely to lead to its recovery, be it a laptop or phone.

Assume you are a thief. When stealing an item, it is all about speed. The less time you spend taking an object increases the odds you succeed in stealing the item. You won’t take time to evaluate the security on a device until you are safely away. When it is determined that it cannot be used, you’ll likely dispose of it in a way that can’t be traced back to you.

You aren’t going to return it.

Mobile devices are often stolen as thefts of opportunity. A cell phone carelessly left on the fast food counter or in the chair at the airport. These thefts may be made by people without networks to sell the device. If it is secured, they may simply ditch the device.

No matter how you slice it, the MDM software isn’t going to prevent the loss of the device. It may allow you to find and retrieve it, but it is likely cheaper to just replace than tracking it and having it recovered.

The Data Matters

What is an issue is the data. Email, documents, texts, and all sorts of business information are stored, or readily accessed, from a phone. Let us break the theft down for a minute.

  • Who stole it? A random person.
  • Do random people care about what is on the phone? No.
  • If you put a security code on the phone, will they try and access the data? No.
  • What will they do? Wipe the device and start over.

Of course, that doesn’t remove the risk of the device falling into the hands of someone who cares about the data. That still needs to be protected. What can you do?

Encrypt the data. Make it enough of a pain that anyone who isn’t a competitor that intentionally targeted the device ignores the data.

You can encrypt in one of two layers. The first is in the operating system layer which leaves you with many of the same problems as MDM. The second, make the applications do the work.

Application Security

This is where we need to focus, both as application vendors and Chief Information Officers. The best way to solve the data security problem for mobile devices is to have the security implemented within the applications.

They can encrypt upon data transmission and storage.

They can require authentication even when the phone was left unlocked.

They can have organizational administrators wipe the data from the app when it is reported stolen. The person’s pictures will still be there should the phone be found, but the business data will be safe.

MDM or Application Security

For a vendor, the answer is both. Many of the organizations that have deployed MDM solutions will want to take advantage of that investment. Working with key MDM vendors will make the short-term competitive situation more favorable.

Still, attention must be paid to application security. MDM isn’t going to be feasible in small to medium organizations so key applications will need to be inherently secure. Given the environment in which we find ourselves in 2014 regarding the NSA, having an application that is secure without having to invest in other solutions is just a smart move.

If you are evaluating mobile applications for your organization, ask the tough questions. See if there is a plan beyond MDM. Look at the security roadmap. Make sure that they have people dedicated to making your data secure.

Let’s face it, it likely isn’t going to matter. There will likely only be one or two mobile devices whose data is made public. The question is, if all you have to do to prevent it is ask your application providers some tough questions to avoid it, why don’t you.

The risk may be low, but it isn’t zero. You don’t want to be the shining example for everyone else.

3 thoughts on “Secure the Application, Not the Device

  1. I like this, but it may be impractical. You used slightly over 800 words to explain why your application may not really need device level security. When one of our customers, or one of our auditors asks us how we secure their information on mobile devices, I say “we use Mass360” – 3 words, acceptable answer, done. Yours might actually be a better solution, but until you change the world, I’m not sure it would be as easily recognized or accepted.


    • Agreed, I need to be more concise.

      It is an easy answer for auditors, but one that is simply impractical long-term. Many orgs cannot invest the time/money into making a MDM solution work. Vendors have to keep creating versions of their apps for each MDM provider. Short-term, it is the answer. Long-term, things will change.


  2. Lawrence, I absolutely agree. As it happens the absolute same applies to any device, even the ones that are chained to your desks in the office. All businesses use is outer shell protection both physically and via login. Once you are inside you are home free if you are technical enough. This is why hackers have any chance to get hold of so much data.

    MDM is from my perspective only there to control what users can do with the device. Mostly to prevent misuse and also to avoid license and copyright issues the business might face.


Comments are closed.