Mobility initiatives are driving senior managers in every type of business and organization to rethink workflow and day-to-day operations. At some point, though, most of them turn to their technology staff to support these initiatives, and in particular to secure the resulting environments.
Not every initiative will need a broad suite of security products, but most will require one or more products in five key areas: mobile device management (MDM), network access control (NAC), endpoint security, encryption and authentication.
IT managers investigating these product categories will discover a mix of overlapping options, as many manufacturers broaden the scope of their tools to meet the growing mobility demands of users. It is therefore wise to treat these products as a suite of complementary tools that, used together, let an organization embrace mobility without exposing its assets to unnecessary risk. An IT manager seeking full coverage of a mobile environment will end up acting much like a systems integrator, stitching several products into one control set.
For most enterprises, a move to mobility, or a broadening of its use, will require deployment of MDM, NAC and endpoint security, or some combination of these technologies. Encryption and authentication clearly play critical roles as well, but they can usually be extended from the existing infrastructure (the certificate authority, directory and VPN already in place) as an organization adopts mobility rather than bought as new product categories.
What are the features that should be used to differentiate these products and simplify selection? And how should an organization decide which tools will best suit its environment? What follows are some key fundamentals about MDM, NAC and endpoint security.
MDM tools enforce enterprise policies on mobile devices, generally only smartphones and tablets. These policies govern features such as application configuration, security settings and version control.
MDM products also universally include some type of remote-wipe functionality, considered a must-have because of the high rate of loss and theft of valuable mobile devices. One caveat: a wipe command only takes effect when the device next checks in with the MDM service, so an enforced passcode and device encryption remain the real protection for a device that is powered off or taken offline before the wipe arrives.
MDM tools generally do not include support for notebooks running Windows or Mac OS. This means that IT managers will usually need an endpoint security tool as well to enforce the same set of policies on larger mobile devices.
Network access control is user-focused, network-based management of which users and devices may connect to the network, and what they may reach once connected.
NAC tools are technology suites that work with existing network equipment (or sit in-line as a distinct enforcement point) to define access controls for devices based on user identity and a security posture assessment. They either authenticate users directly or accept authentication results from trusted sources (a RADIUS server handling 802.1X logins, for example) and combine that identity information with policy to derive access controls. The policy is typically keyed on group membership stored in a central repository such as Active Directory.
These policies can also be influenced by a posture assessment, or security health check, of the connecting device. Such assessments are based either on a device fingerprint observed from the network or on an on-device analysis of endpoint security, for example the presence of approved anti-malware software and recent patches. Agentless fingerprints are convenient for devices that cannot run an agent, but they are also the easier of the two to spoof, so a policy should grant less on a fingerprint alone than on an agent-backed assessment. Based on authentication and posture, the NAC tool pushes access control settings (a VLAN assignment or an ACL) into the network dynamically to provide enforcement.
NAC tools have mainly been used on campus for wired and wireless LAN deployments, although some NAC manufacturers have branched out to VPN connections and smaller WAN-connected services. For a mobility deployment, NAC tools also offer a way to verify that the appropriate MDM agent is present on a device as part of the posture assessment, and to quarantine devices that lack it.
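To make the decision logic concrete, here is a small policy engine that combines directory group membership with a posture assessment and returns an enforcement action (VLAN plus ACL), including the quarantine path for a mobile device that lacks its MDM agent. This is an added illustration written for this page, not code from any NAC vendor; the directory contents, VLAN names, ACL entries and the 30-day patch window are all made-up assumptions.

```python
"""Illustrative NAC policy engine: identity + posture -> enforcement decision.
All data below is constructed for the example; the policy is hypothetical."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for group membership pulled from a directory such as AD.
DIRECTORY_GROUPS = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users"},
    "contractor1": {"Contractors"},
}

MOBILE_OS = {"ios", "android"}          # judged by MDM enrollment, not patches
MAX_PATCH_AGE = timedelta(days=30)      # assumed policy threshold
REMEDIATION_HOST = "10.0.0.50"          # assumed patch / MDM enrollment portal


@dataclass
class Posture:
    """Health-check result for a connecting device (agent or fingerprint based)."""
    os_family: str                    # "windows", "macos", "ios", "android"
    antimalware_present: bool
    last_patch: Optional[date]        # None when unknown (fingerprint only)
    mdm_enrolled: bool                # MDM agent present and enrolled
    agent_based: bool                 # True if an on-device agent reported this


@dataclass
class Decision:
    vlan: str
    acl: list = field(default_factory=list)
    reason: str = ""


def is_compliant(p: Posture, today: date) -> tuple[bool, str]:
    """Phones and tablets must be MDM-enrolled; notebooks need AV and recent patches."""
    if p.os_family in MOBILE_OS:
        return (True, "mdm ok") if p.mdm_enrolled else (False, "mdm agent missing")
    if not p.antimalware_present:
        return False, "anti-malware missing"
    if p.last_patch is None or today - p.last_patch > MAX_PATCH_AGE:
        return False, "patches stale or unknown"
    return True, "endpoint healthy"


def decide(user: Optional[str], authenticated: bool, p: Posture, today: date) -> Decision:
    """Combine identity (group membership) with posture to choose VLAN and ACL."""
    if not authenticated or user not in DIRECTORY_GROUPS:
        return Decision("guest", ["permit tcp any any eq 443", "deny ip any any"],
                        "unauthenticated")
    ok, why = is_compliant(p, today)
    if not ok:
        # Quarantine: only the remediation host is reachable until the device is fixed.
        return Decision("quarantine",
                        [f"permit ip any host {REMEDIATION_HOST}", "deny ip any any"], why)
    if not p.agent_based and p.os_family not in MOBILE_OS:
        # A fingerprint-only "healthy" verdict is spoofable; keep sensitive segments closed.
        return Decision("corp-limited", ["deny ip any 10.10.0.0/16", "permit ip any any"],
                        "agentless posture")
    groups = DIRECTORY_GROUPS[user]
    if "Finance" in groups:
        return Decision("finance", ["permit ip any any"], why)
    if "Contractors" in groups:
        return Decision("contractor", ["permit ip any 10.20.0.0/16", "deny ip any any"], why)
    return Decision("corp", ["permit ip any any"], why)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    healthy = Posture("windows", True, today - timedelta(days=3), False, True)
    print(decide("alice", True, healthy, today))
    print(decide("bob", True, Posture("ios", False, None, False, False), today))
```

In a real deployment the `Decision` would be returned to the switch or wireless controller as RADIUS attributes (a VLAN ID or downloadable ACL) at authentication time and again on a change-of-authorization if the posture later degrades; the ordering here, posture before group privileges, is what keeps a compromised but highly privileged user's device out of sensitive segments.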
Endpoint protection (EPP) software runs on end-user devices and servers to provide anti-malware, a host firewall, host-based intrusion prevention and other security services. Enterprise endpoint security software adds the ability to deploy, configure and monitor these agents from a central management point. EPP makers are increasingly expanding into data loss prevention and network access control because those functions complement what the EPP agent already sees on the host.
Although EPP and mobile device management have distinct overall goals, there is considerable overlap, and it is likely that EPP and MDM will merge partially or entirely over the next few years. One driver is the growing enterprise use of mobile devices, in addition to and sometimes instead of desktop and notebook systems. In response, EPP manufacturers have begun to address the special requirements of mobile devices.
Five vendors — Kaspersky, McAfee, Sophos, Symantec and Trend Micro — dominate and control nearly 90 percent of the EPP market. At the same time, Microsoft has increasingly included EPP features in its base operating systems, reducing room for differentiation by third-party EPP vendors.
When evaluating EPP tools for a mobility security initiative, IT managers are constrained by the fact that most organizations already have an EPP product installed. Any switch therefore comes at a high cost in re-deployment and retraining, and will need to be justified by a corresponding gain in functionality, such as mobile platform coverage the incumbent product lacks.