No doubt you’ve been dealing with (overwhelmed with?) users wanting to use their smart phones and tablets to access company email and perhaps other corporate applications. It may be sufficient to let them use ActiveSync to get their email on their iPhones, Droids and other snappy new devices. But what if you need a much more secure mobile environment? What if you need to ensure compliance with PCI, or HIPAA, or FISMA? That requires a much more comprehensive approach to mobile security.
Traditional security approaches don’t work well for smart phones and tablets. Conventional firewalls, antivirus tools and other scanners are bandwidth and battery hogs. Downloading and updating these utilities take too many resources that cause device performance to sag. Quite simply, it’s a failed approach for the mobile platform.
Many mobile security vendors base their device management solutions on Mobile Device Management (MDM) software, which is native to Apple’s i-devices and, to a lesser extent, some Android-based devices. There’s just one hitch with MDM: the user can actually turn the security off.
A company called Mobile Active Defense (M.A.D.) has taken a different approach to mobile security. M.A.D. has taken all the traditional capabilities for security and compliance from the fixed (stationary) enterprise, added mobility and geo-location capabilities, and came up with a solution that effectively offers the same level of security and compliance for the mobile enterprise as you have with your fixed enterprise. The solution does not require a footprint on the device, and all policies are applied on a dynamic basis based on a device’s changing physical location. What’s more, the user doesn’t have to do anything and his experience doesn’t change (unless dictated by policy).
The key to this approach is a certificate authority (CA) that does the first level provisioning of the device. (The CA can either be M.A.D.’s or your own.) M.A.D. locks down the device by enforcing an always-on VPN. Once the VPN is enforced, all data traffic goes through M.A.D.’s servers, which are either hosted by M.A.D. (typically for small businesses) or by corporations in their own data centers. Every bit of the data traffic going in and out of the device is encrypted.
Then it’s a matter of enforcement policy, and there are two ways to set up the policies. In the first way, you can take your existing corporate policy sets and move them over into M.A.D.’s configurations and console. You can bring in your LDAP user population, which brings in your existing user groups and how you treat enterprise users. If you take this approach, you are enforcing firewall rules that basically make the devices invisible to the Internet.
Sign up for MIS Asia eNewsletters.