The official hub of The Enterprise Mobility Foundation

Could Mobile Security Be A “Trojan Horse” For Mobile Device Management?

I know – you probably already want to chastise me for trying to have a provocative title to today’s missive, but I actually thought it was a nice play on words. Let me explain to you why. Eighteen to twenty-four months ago, the hot topic du jour was the debate around whether organizations should even allow personally owned smartphones into the workplace. The debate heated up when Apple came out with the iPad and organizations now had TWO device classes they had to deal with. Today, of course – with 20/20 hindsight – we (generally speaking) readily accept the notion of personally owned devices entering into the workplace…with caveats of course.

(One of) the major concerns that IT organizations now talk to me about is “security”….they want to be able to “secure” the mobile endpoints that are now interacting with corporate data. In fine fashion, enterprise mobility management vendors have (understandably) jumped on to this wagon and constantly talk about “securing” mobile devices. At face value, I actually applaud these companies for looking to help IT organizations secure their mobile endpoints. But let’s actually look at the word secure. It’s time for a quick vocabulary lesson.

Dictionary.com says that the word “secure” is actually both an adjective AND a verb.

As an adjective, it is defined as:

  1. free from or not exposed to danger or harm; safe.
  2. dependable; firm; not liable to fail, yield, become displaced, etc., as a support or a fastening: The building was secure, even in an earthquake.
  3. affording safety, as a place: He needed a secure hideout.

However, as a verb:

  1. to get hold or possession of; procure; obtain: to secure materials; to secure a high government position.
  2. to free from danger or harm; make safe: Sandbags secured the town during the flood.
  3. to effect; make certain of; ensure: The novel secured his reputation.

….and hence the rub.

I will argue that in one context, IT departments are most focused on securing mobile devices in the workplace….and I use the word as a verb in its second definition. However, it is (understandably) very easy to use the word interchangeably as its adjective form. Mobile security, however, I will argue, is about security solutions. That would include anti-virus, anti-malware, mobile VPN, authentication systems, data encryption…perhaps even geo-fencing.

And as such, this is why I now argue that mobility management vendors that talk about their strong mobile device management capabilities – in the context of security – are succumbing to the temptations of language confusion.  There is indeed a Trojan Horse in the camps….and its name is security (or should I say secure).  It’s taking over from the inside what mobile device management is about.  Now, in one respect, this is not a bad thing, because I encourage all organizations to deploy mobile device management solutions.  However, much like there is confusion in the space regarding the differences between mobile device management and mobile application management, I fear that there will now also be increased confusion regarding the differences between mobile device management and mobile security.

15 Comments

  1. Posted June 28, 2011 at 15:44 | Permalink

    Hidden due to low comment rating.

    Thumb up 0 Thumb down 3

    • Posted June 28, 2011 at 17:16 | Permalink

      John – I hear what you say about the blend (and agree to a certain extent), but I’ll argue that the blend occurs like on a Venn diagram….only the intersection of the two circles has both parts….and hence you miss out on the other parts. Sure, there is overlap in many parts of the overall enterprise mobility management spectrum, but I’ve also argued historically that the MaaS term (just like EMM) deserves better clarity.

      Thumb up 0 Thumb down 0

  2. Posted June 29, 2011 at 07:23 | Permalink

    I believe that a very dangerous game is being played by many MDM vendors and it is the customer that will ultimately pay the price. There is a difference between Data Security and Device Management. Just because an MDM vendor can lock and wipe a device does not automatically mean that they can also secure the data. Lock and wipe are an important part of data security, but they are just a part and also the easiest part. True data security must be built into the device and the application – it cannot be bolted on after the fact.

    It is also critically important to remember why the devices and applications are deployed in the first place; so that people can interact with data and be more productive. The primary objective is mobile user service quality that is highly secure and delivered at the lowest cost.

    Mobile Device Management and Mobile Security are starting points for mobility management. They are critically important, but they are not sufficient to effectively deliver mobile services. I believe that this will become very clear in the 2H of this year when large deployments of new mobile devices and applications go into production and users expect/need them to work.

    Thumb up 1 Thumb down 0

  3. Posted June 29, 2011 at 14:15 | Permalink

    Alan, I agree that the devices themselves need to provide some of this security or at least allow the security to take over the device. Unfortunately we have allowed this proliferation of various flavors of operating systems on these devices. No longer will one solution fit all. So each security provider must address all of these variations, or risk having a hole somewhere in the armor.

    We then deal with the security of backups and cloud based storage. People feel that if they can back up their data to an outside source that they are secure and feel that no one can gain access to this information. As we have seen in recent months the hacking of various popular websites and the trolling of files placed on these storage solutions by the storage companies’ employees, it is more of a matter of time, not if they can hack/access the cloud based storage backups/files.

    Thumb up 0 Thumb down 0

  4. Posted June 29, 2011 at 15:04 | Permalink

    Philippe, interesting post. I look at it this way: organizations should utilize mobile device management solutions to *help* govern their mobile security program, which as we discuss all the time, is far more than simply deploying an MDM solution. Maybe we should use the phrase “reduce risk” or “risk reduction” in place of “secure”?

    On another note, it aggravates me that AV, anti-malware, etc. is already being discussed in the context of a commodity for mobile devices, as it has been for a long time for standard desktops and servers. Security awareness, proper policies, and the enforcement of those policies, aka prevention, is the name of the game. You don’t necessarily need security software utilizing resources on your device to keep you safe. Never mind that it isn’t even available for iOS devices…

    Thumb up 1 Thumb down 0

    • Posted June 29, 2011 at 15:40 | Permalink

      Great commentary Joey. I think you hit it on the head though about the “commoditization” of mobile security. We understand it on the desktop operating systems and hence think it’s exactly the same for mobile….except that it’s not. On your point regarding reducing risk, I would argue that risk mitigation goes well beyond just MDM, but would at the very least also include mobile application management.

      Thumb up 1 Thumb down 0

      • Posted July 2, 2011 at 14:26 | Permalink

        Absolutely! Especially given the extraordinarily poor mobile application development processes and results I’ve witnessed so far. I’ve discussed it with customers and prospects for some time now, but people are beginning to discuss publicly now that mobile application development is ~10 years behind web application development – from a security perspective anyway. In short, mobile application mgmt is critical, especially when you can’t release patches immediately for serious flaws with iOS apps.

        Thumb up 0 Thumb down 0

  5. Posted June 29, 2011 at 15:54 | Permalink

    A complex issue and it’s only getting worse.

    I question if mobile device security is the proper context anymore. BYOT efforts limit the controls you can enforce on a personal liable device. The focus should be on securing the data as the device level is going to limit the devices you allow.

    Device level controls (API) to provide the “security” aka controls to as Joey states only reduces your risk. There is no 100% zero risk platform. Every device has a range of risk attached to the controls (or not) you can enforce to “secure” your corporate data. Ideally you want your data in your four walls, not cached and not synced locally. Reality is doing so limits the use of a mobile device and reduces usability, efficiency etc.

    Device management should be seen as a totally different bucket and includes functions outside of security (though that has been the driving marketing of MDM solutions).

    Thumb up 0 Thumb down 0

    • Posted July 6, 2011 at 11:59 | Permalink

      “Ideally you want your data in your four walls, not cached and not synced locally.”
      So what happens when the workplace goes cloud?

      Thumb up 0 Thumb down 0

  6. Posted July 1, 2011 at 17:16 | Permalink

    Great topic…
    There are three components in enterprise mobility that deal with security aspects.
    1, The mobile phone: it should be a ‘thin’ application residing on the cell-phone. Hence no business logic thereby, even if the cell phone falls into wrong hands, it’s as good as losing ‘jus’ a cell phone.

    2, Data in transit: This is another place where security becomes an important aspect to the organisation, what if the data breaks in transit, the enterprise platform [MEAP] should be capable enough to re-transmit the data, in case of a breakage.
    3, Web-server/Middle ware where Mobile applications are deployed: Put it behind the firewall and have it inherit the enterprise wide security properties.
    I am not explaining the nuances of each component here as I hope everyone understands what I am talking about..
    Expert views on my comments please..

    Thumb up 0 Thumb down 0

  7. Posted July 1, 2011 at 17:25 | Permalink

    And yes. In case of a web-service/API model, it actually becomes a vulnerable link to your enterprise system. One thing that I missed in my previous comment is the security feature of the middle-ware/MEAP itself.

    Thumb up 0 Thumb down 0

    • Posted July 6, 2011 at 12:00 | Permalink

      I would note however that security and management need to happen at both the application and device layers. Think of it in the context of the OSI model.

      Thumb up 0 Thumb down 0

  8. Posted July 7, 2011 at 05:06 | Permalink

    Really interesting article and comments. While I understand the ideal is to use the mobile device as a thin device, what about scenarios where this is not possible? Where my staff work we do not have universal 2G let alone 3G mobile coverage so will need to sync data locally to devices.

    I saw a great article here about the Seven Layers of Enterprise Mobility Management and Mobility Lifecycle Management. For me this has been extremely useful in providing a framework I can engage my colleagues with about the many issues involved.

    Thumb up 0 Thumb down 0
