Mobile device management (MDM) and enterprise mobility management (EMM) have long driven the mobile security discussion in business and government. Looking into the future, MDM and EMM could lose dominance as app-first security becomes more feasible for some enterprises. I see this app security future as a culmination of business, industry, technology, and strategy changes.
Caleb Sima, co-founder of Bluebox Security, says there are three security phases that organizations go through with mobility. The phases could take multiple years, and there could be shifts in what mobility means for an organization. Phase one is being device-centric, where an organization applies known and familiar security models to mobile devices right away. Sima is quick to point out, though, that mobile devices are more personal, unlike laptops or other endpoints.
“All of a sudden device-centric thinking took a step back,” Sima says. Next, organizations enter the app-centric phase. Because enterprises may not necessarily own the mobile device, they must decide whether they position everything around the device or around the app. An organization may own the app running on the device, whether it’s an enterprise app or a consumer app that acts as a window between the user and the organization. Sima explains app-centric thinking as:
"Well, it's not the device that gets on your network; it's the app that gets on your network."
The third phase, according to Sima, is data-centric thinking, where an organization won’t even think about the app. It’s a future phase where organizations will focus on the type of data they own, the rights they have over the data, and how users can consume and use that data.
Sima sees organizations today at the peak of device-centric security. He says device security is easy to adapt and control, and there's no high learning curve.
“We're going into an app-centric world," Sima says.
"The app-centric world is about the apps, the access, and the window to the world at which I have.”
App-first mobile security wins
Going with app-first mobile security can take the form of cloud platforms outside the corporate firewall, consumer apps protecting transaction data, and application development best practices.
Yaacov Cohen, CEO of Harmon.ie, says when a majority of your services are coming from the cloud, it’s possible to move away from stand-alone mobile management. He points to Microsoft Office 365 as an example of a product used as an all-in-one solution that’s handling document collaboration, application security, email, some mobile device management, and even more advanced security, like data loss protection.
Cohen also likes Office 365 for mobile users because of enforcement rules that enable administrators to lock down corporate documents from ever being downloaded to personal devices.
App-first security will always win with consumer apps. Sima uses the example of a mobile bank app connecting a customer to an endpoint or service. The bank doesn’t own the device but must ensure the appropriate protections over transaction data on a device.
Chris Crowley, an independent consultant and certified SANS instructor at the SANS Institute, recommends a number of best practices for apps deployed to customers, including sound application development, jailbreak detection, app modification detection, and not trusting any data coming from that application (in other words, applying server-side controls).
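Crowley's last recommendation, server-side controls, is sketched below for the bank-app case. This is an added example, not code from the article or from anyone quoted in it; the account records, the limit value and the function name are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side state; a real service would read this from its database.
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": Decimal("250.00")},
    "ACC-2002": {"owner": "bob", "balance": Decimal("90.00")},
}
DAILY_LIMIT = Decimal("500.00")  # assumed policy value, held only by the server


def authorize_transfer(session_user, payload, accounts=ACCOUNTS):
    """Decide on a transfer using only server-held facts.

    payload is the untrusted JSON body (a dict) sent by the mobile app. Anything
    the client asserts about itself ('balance', 'limit', 'jailbroken') is never read.
    """
    src_id, dst_id = payload.get("from_account"), payload.get("to_account")
    if not isinstance(src_id, str) or not isinstance(dst_id, str):
        return False, "malformed account id"
    src, dst = accounts.get(src_id), accounts.get(dst_id)
    if src is None or dst is None or src is dst:
        return False, "unknown or identical account"
    # Ownership comes from the authenticated session, not from the request body.
    if src["owner"] != session_user:
        return False, "source account not owned by session user"
    try:
        amount = Decimal(str(payload.get("amount")))
    except InvalidOperation:
        return False, "amount is not a number"
    # Reject NaN/Infinity and non-positive values before any other comparison.
    if not amount.is_finite() or amount <= 0:
        return False, "amount out of range"
    if amount > DAILY_LIMIT:
        return False, "exceeds server-side limit"
    if amount != amount.quantize(Decimal("0.01")):
        return False, "sub-cent precision"
    # The balance is looked up on the server; a client-supplied figure is ignored.
    if amount > src["balance"]:
        return False, "insufficient funds"
    return True, "ok"
```

A request that carries its own `"balance": "1000000"` is still refused for insufficient funds, because the only balance consulted is the one in `ACCOUNTS`.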
Crowley recommends mobile application management (MAM) for corporate-developed or purchased applications provided to employees, contractors, and business partners. He explains that containerized protection of applications and the associated data allows the organization to affect those apps and data. The organization owns the data and needs to assert management of that data.
Where MDM and EMM still reign
Crowley sees an EMM strategy as a compelling and straightforward solution for corporate-owned devices. He explains:
“The main reason for EMM instead of MAM is the specific configuration control of the device settings itself. This also includes an opportunity for escrow of credential information and backups of devices to prevent data loss in the event of loss or theft.”
Harmon.ie’s Cohen points to the many enterprises still running their business-critical applications on-premises and behind the firewall as EMM holdouts. That's because mobile users will have to access the network to access shared resources, making device-centric security a necessity.
Of course, MDM and EMM will remain solutions for bring-your-own-device (BYOD) environments. According to Crowley, there may be varying levels of corporate data shared through BYOD. He also suggests that a BYOD strategy may no longer be cost effective or advantageous to some organizations, adding that many businesses may not have the needed maturity or discipline and will continue to struggle with corporate-issued versus BYOD solutions.
Recent victors in the ongoing MDM and EMM market consolidation have been larger companies, but an established enterprise security vendor has yet to pull mobility management into its product portfolio. In terms of this potential market change, Cohen dices up a future EMM market into three vendor tiers:
- Cloud vendors like Microsoft gradually pulling in more EMM features into their platform.
- Traditional MDM/EMM vendors like MobileIron and Good by BlackBerry.
- Well-known enterprise security vendors like Check Point and Symantec.
Cohen sees a future where traditional security vendors with existing reputations for securing corporate networks make more moves into the EMM market. It could be one way that EMM keeps the potential of app-first mobile security at bay, given the wide reach and influence of these vendors.
The ultimate EMM market consolidation—beyond even recent acquisitions like BlackBerry and Good Technology, VMware and AirWatch, and IBM and Fiberlink—would be one or more enterprise security vendors bringing full-featured EMM into their security stack. EMM management would no longer be a separate product offering, but rather another element of a larger network-level security platform.
Sober up on BYOD and mobility
Whether or not to ditch mobile management suites will remain a question organizations must answer for themselves. Nolan Wright, CTO and co-founder of Appcelerator, recommends that organizations trying to decide between app-first and a mobile management solution be real clear on their vulnerabilities and map to solutions that will secure their corporate information across devices. Part of that decision-making process could include charting where your organization sits in the stages of device-centric, app-centric, and data-centric security.
The new generation of cloud-first infrastructure organizations, including start-ups, can skip to app-first security without missing a beat in most cases. More established organizations won’t have it as easy, since they have to address budgets, infrastructure, staffing, and perhaps even maintaining compliance with the mobile security solution they choose.
Ultimately, the decisions around mobility management versus app-first security may never happen until we all sober up a bit. BlackBerry's recent bargain-basement acquisition of Good Technology and Globo PLC’s financial improprieties show the challenges of maintaining a profitable mobile security platform business. The “bill is coming due” for enterprise mobility in some organizations, as the technology challenges and money spent by organizations aren't being offset by the productivity and business process gains that were part of the promise of BYOD and enterprise mobility.