Agencies Use MDM Tools to Secure Mobile Devices

Since last November, NASA employees and contractors have been able to access and download applications they need for work on a mobile device of their choice from a NASA-developed app store.

Although the agency doesn’t yet have a formal bring your own device (BYOD) policy, the IT staff is doing what it can to ensure the security of the apps and mobile environments through a set of tools that function as a mobile application management (MAM) system.

“We know the BYOD policy is coming, but we didn’t want to wait, so we took a MAM approach to mobile apps,” says Erna Beverly, an enterprise applications service executive at NASA. “For us, the solution to mobile management is to secure and manage the application and data as opposed to the mobile device.”

While the MAM system’s primary goal is to secure applications and data, it has several functions in common with a traditional mobile device management (MDM) tool. For example, the system allows NASA to provide access to apps for specific groups of users based on their roles or needs.

The space agency plans to incorporate Public Key Infrastructure (PKI) certificate-based authentication as an additional security measure, probably sometime within the next year. Through the use of pulse analytics and administration, Beverly says administrators also can determine what type of device is being used and where.

Once NASA’s mobility strategy is fleshed out and the BYOD policy is implemented, Beverly expects the agency to move to a full-fledged MDM system to gain more control over the hardware, such as the ability to remotely wipe devices.

Remote Control

Installing MDM software on mobile devices has become a common way of managing and pushing policies, applications and configurations, as well as keeping track of devices and ensuring security. Popular solutions include those from AirWatch, Absolute Software, BoxTone, Fiberlink, MobileIron, Sophos and Sybase Afaria.

“With MDM, as soon as you install an agent on the device, you have a lot more granular control,” says Mark Tauschek, lead research analyst at Info-Tech Research Group. “You can do selective wipes — wiping only enterprise apps, or only e-mail, calendar and contacts. It almost always makes sense to use MDM.”

At the National Nuclear Security Administration (NNSA), implementing MDM is table stakes. For several years, the NNSA has used some type of solution to manage the mobile devices of 20 to 30 percent of its geographically dispersed workforce. Pending an upcoming BYOD policy, that number could easily double within the next few years.

For Anil Karmel, the nuclear-security agency’s management and operations chief technology officer, the ultimate goal is to expand the scope of MDM beyond device management to data management. “We want to be able to secure the data based on user-centric approaches,” he explains.

If a worker needs access to general internal data, for example, the policy applied to that device would be relatively open with some minor controls. But the policy would dynamically change based on the security level of the data requested: When that user requests access to more restricted information, additional controls would be deployed. Once the data no longer resides on the device, the basic policy would be put back into place.

Getting to that point requires the agency to fully understand the type of data it processes, where that data needs to be processed and the controls that should be applied to each type of data. With that information determined, the next step is to build a system on top of a commercial MDM solution that would enable policies to be changed dynamically. Karmel is determined to achieve this goal sometime within the next few years.