A Promising Way to Manage Mobile Devices
I just had a long conversation with my old pal and fellow Network World contributor Winn Schwartau and his colleagues at Mobile Active Defense (MAD) Partners. They have a really interesting answer to the mobile device management issue I discussed last week.
To refresh the argument: The problems you face with mobile devices are profound. Computing mobility was a tough enough problem when laptops became commonplace, but smartphones and pads make the task of managing end user devices several orders of magnitude more complex. This means not only can sensitive and private data be inappropriately distributed, but these devices could be compromised by spyware and other malware.
So, without a management and control infrastructure that specifically handles these platforms, you could have -- make that, "will have" -- serious corporate security and compliance problems. Do nothing, and you'd better be brushing up your resume. On the other hand, you could do something … something like reach for MAD's solution.
The MAD system has two parts: client software that runs on Apple's OS3 and iOS4, Microsoft Windows Mobile, Google Android, and Nokia Symbian devices, and MAD's Mobile Enterprise Compliance and Security (MECS) server.
The client software creates a default IPsec VPN using 256-bit AES encryption that channels all device communications to the MECS server. It is designed to impose minimal demands on client resources, with low storage and negligible processor overhead. The software also detects when it isn't the sole communications channel or when the device has been compromised (for example, by being "jailbroken").
The MECS server, which filters content and is used to monitor and manage mobile device configuration, is available as a physical appliance, a virtual machine appliance (the appliances are based on a hardened Linux implementation), or as a "cloud" service. (Also read "Cloudiness and reality.")
<digression>Really, when did we start using "cloud" and stop calling this "software as a service" or SaaS? This isn't a criticism of MAD, and not that SaaS was a better name, but do we need to come up with new terminology every week?</digression>
The MECS server – which is available in two service levels, one that can handle 5,000 users and another that can manage 25,000 – examines all traffic going to or from the managed device to not only determine, verify and restrict data sources and destinations, but also limit access by geographic location and apply rules accordingly.
These geographic communications rules are a great feature, allowing you to, for example, limit access to certain sensitive corporate data files or directories if the user is in Dubai but not if they are in the UK.
MECS lets you add users via Microsoft Active Directory Service and LDAP and customize Internet access rules for each user. You can, for example, enforce site blacklists and monitor user behavior as well as monitor and block content access and dissemination.
A powerful feature of the MAD system is remediation support. When a managed device is compromised by, say, the user running software that routes around the MAD VPN, the installation of unauthorized applications, the "jailbreaking" of the operating system, or any other action that violates your rules, the client software and the MECS server are designed to detect the anomaly. Corporate support and the user can then be notified via e-mail or SMS or, if the violation is serious enough (for example, your iPad has working drawings for a suitcase nuke and you're in Tehran … I'd guess that would be an issue for some people), the compromised device can be remotely "wiped."
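To make the geographic rules and the tiered remediation described above concrete, here is a small policy evaluator written for this column; it is an added illustration, not MAD's code, and the resource paths, country codes, and severity mapping are constructed assumptions:

```python
from dataclasses import dataclass, field
from enum import Enum

class Remediation(Enum):
    NONE = "none"
    NOTIFY = "notify"   # e-mail/SMS to corporate support and the user
    WIPE = "wipe"       # remote wipe of the compromised device

@dataclass
class Device:
    user: str
    country: str                       # ISO code of current location (constructed)
    jailbroken: bool = False
    vpn_sole_channel: bool = True      # client reports whether all traffic uses the VPN
    unauthorized_apps: list = field(default_factory=list)

# Constructed geo rules: resource prefix -> countries from which access is permitted.
GEO_RULES = {"/corp/sensitive/": {"GB", "US"}}

# Constructed severity mapping: which posture violations justify a wipe.
CRITICAL = {"jailbroken", "vpn_bypassed"}

def posture_violations(dev):
    """List rule violations reported by the client for this device."""
    found = []
    if dev.jailbroken:
        found.append("jailbroken")
    if not dev.vpn_sole_channel:
        found.append("vpn_bypassed")
    found.extend(f"unauthorized_app:{app}" for app in dev.unauthorized_apps)
    return found

def geo_blocked(dev, resource):
    """True if a geographic rule forbids this resource from dev's location."""
    return any(resource.startswith(prefix) and dev.country not in allowed
               for prefix, allowed in GEO_RULES.items())

def decide(dev, resource):
    """Return (access_allowed, remediation) for a request from dev."""
    violations = posture_violations(dev)
    if any(v in CRITICAL for v in violations):
        remediation = Remediation.WIPE
    elif violations:
        remediation = Remediation.NOTIFY
    else:
        remediation = Remediation.NONE
    allowed = not violations and not geo_blocked(dev, resource)
    return allowed, remediation
```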
Among MAD's interesting client deployments are a "Kosher" iPhone management service for a strict Jewish organization (they say there could be potentially 10 million users), U.S. government deployments (MAD says these have been surprisingly quick deployments that rival the speed of private industry), and a lot of installations in retail (PCI compliance issues are apparently a huge driver).
Currently MAD is in early rollout and so far has something around 10,000 devices under management.
Pricing starts at around $115 per device and falls to $40 or less in volume (MAD aims to undercut comparable Blackberry pricing by around 20%). The self-hosting pricing with their appliance starts at $4,995 and the VMware virtual appliance is $1,500.
I plan to test MAD's system in the near future but, on paper, this looks to be a very promising solution to one of the most vexing challenges to enterprise security.
The rules allow Gibbs to communicate from Ventura, Calif. If you can, message him at firstname.lastname@example.org.