Saturday, March 8, 2008

Microsoft System Center - Mobile Device Management - Missing Security pieces

Microsoft has a well-written product reference guide. Please see it here.

It is a comprehensive Mobile Device Manager that lets enterprises manage and control mobiles through their own IT department. It differs from other solutions, which are controlled by the providers.

It is very obvious that enterprises will allow mobiles to access their networks for many business applications, and they have to be geared up to provide this access without compromising security. The Microsoft solution takes care of data security over the air. That is not sufficient from a threat-security perspective: a complete mobile solution requires network security processing functions in addition to what MDM provides.

MDM seems to provide the following functions using different components:
  • Mobile Device Enrollment: a simple facility to enroll mobile devices into the corporate network.
  • Mobile Device Management: managing mobile devices by providing sub-functions such as
    • Over-the-air application management
      • Upload new applications.
      • Configure applications.
    • Inventory reporting
      • Gives a complete list of devices that are in the pre-enrolled stage and the enrolled stage, device characteristics, installed applications, some application settings, etc.
    • Role-based administration
      • Distribution of work among IT professionals to handle a large number of mobile devices, applications and their functions.
    • Self Help Portal
      • For employees to view the list of their mobiles (note that each employee can have more than one mobile) and the inventory of applications on each, etc.
      • Remote wipe upon loss of a mobile.
      • Basically, it helps reduce the burden on IT professionals.
    • Security Management: basically, it helps IT professionals and employees control the settings on the mobile, such as cameras, Bluetooth connectivity, email settings, SMS/MMS messaging, etc.
  • Mobile VPN Gateway
    • Provides secure data access to the corporate network from mobiles.
    • Provides persistent tunnel capability and roaming capability.
Additional functions that enterprises require to provide mobile connectivity to their networks are:
  • Granular access controls based on the type of user and mobile device.
    • There are many LOB servers (the Microsoft term for application servers) and network resources. Some may not be accessible by all employees. Having access control on the enterprise side gives security professionals better control.
    • If a mobile device is stolen, any traffic coming from that device must be stopped. Again, having control at the enterprise level provides this capability.
  • Network traffic scanning for infected mobiles
    • Mobiles are now general-purpose computers. They can get infected by attackers just like normal laptops, and they can create havoc if they are not detected and stopped immediately; an infected mobile might infect servers and other network resources. Security professionals would like to have a control on the network side to detect an infection and prevent any further access. This kind of security is required even if the mobiles have security software installed on them.
  • Anti-virus scanning and anti-spam functions
    • These are highly recommended on the network side too.
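As an added illustration of the enterprise-side controls listed above (example code written for this post, not code from Microsoft or from MDM), here is a small per-flow policy check that a gateway could run, combining the device's enrollment state from the inventory with role-based LOB server access. The device IDs, users, roles and server names are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class DeviceState(Enum):
    PRE_ENROLLED = "pre-enrolled"
    ENROLLED = "enrolled"
    WIPED = "wiped"              # remote wipe issued after loss or theft
    QUARANTINED = "quarantined"  # flagged by network-side infection scanning


@dataclass
class Device:
    device_id: str
    owner: str          # employee the device was enrolled to
    state: DeviceState


# Constructed sample policy: which LOB servers each role may reach.
ROLE_ACCESS = {
    "sales": {"crm.corp.example"},
    "finance": {"crm.corp.example", "erp.corp.example"},
}
USER_ROLES = {"alice": "sales", "bob": "finance"}

# Constructed sample inventory, as the MDM enrollment database would hold it.
INVENTORY = {
    "dev-001": Device("dev-001", "alice", DeviceState.ENROLLED),
    "dev-002": Device("dev-002", "alice", DeviceState.WIPED),  # reported stolen
    "dev-003": Device("dev-003", "bob", DeviceState.PRE_ENROLLED),
}


def decide(device_id, user, lob_server, inventory):
    """Return (allowed, reason) for one flow arriving through the VPN gateway.
    The check runs on the enterprise side, so a stolen or infected device is
    denied even if it still holds valid credentials."""
    device = inventory.get(device_id)
    if device is None:
        return False, "unknown device"
    if device.state is not DeviceState.ENROLLED:
        return False, f"device {device.state.value}"
    if device.owner != user:
        return False, "device not enrolled to this user"
    allowed_servers = ROLE_ACCESS.get(USER_ROLES.get(user, ""), set())
    if lob_server not in allowed_servers:
        return False, "LOB server not permitted for role"
    return True, "allowed"


def quarantine(device_id, inventory):
    """Hook for the network-side scanner: block all further access from an infected device."""
    inventory[device_id].state = DeviceState.QUARANTINED
```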

In summary, enterprises deploying mobiles must consider network security functions as part of their overall solution.
