Recently published data indicate that the average businessperson has 3.5 such mobile devices – a laptop, a tablet or netbook and one or two cellular phones. This number has doubled in three years and, in all likelihood, will continue to grow.
Perhaps this is one reason why so many security professionals are focused on controlling and, in particular, remote wiping physical endpoints. Even more surprising is the anecdotal evidence that security professionals are willing to allocate up to a third of their MDM budgets to this one effort. On the surface, this seems to be a reasonable approach to protection of remote data at rest. The algorithm is simple: If confidential data on a mobile device is threatened, then nuke it.
The truth, however, is that when used as a security control, remote wiping represents a conventional way of attempting to solve a problem that is no longer conventional.
This is particularly true when – as is often the case – the mobile device is owned by the employee. Even when implemented and managed correctly (the exception – not the rule), remote wipe does not lower risk in any significant way; it obfuscates the workable processes that do function to protect remote confidential data and creates the potential for very real privacy-related litigation (When Your Company Kills Your iPhone).
MDM is not the Issue
I can imagine that if an employee at one of the 60 or so Mobile Device Management (MDM) companies that have popped up recently were to read the paragraph above, they might disagree with me at best or offer to pay for a hanging rope at worst. I wouldn’t blame them. However, I would argue that they are missing my point. I’m all for management of mobile devices. If a device is granted access to corporate information resources, then it needs to have user/group access and password policies enforced, it needs to be tagged, tracked, logged, backed up – all of the normal and proper asset management procedures should apply to any device, regardless of its type or location.
With this in mind, enterprise IT and IT security must leverage the increasing consumerization of mobile devices in order to maximize corporate profitability, while simultaneously protecting corporate information assets.
There is real dissonance here. MDM vendors have (naturally) taken advantage of this conflict and have, in many cases, pushed their particular solutions past those solutions intended design parameters – management – into security, primarily by integrating some type of remote wipe capability.
