Modernizing Authentication — What It Takes to Transform Secure Access
In our recent article offering advice on how to purchase mobile device management (MDM) software, we gave a brief overview of the benefits of MDM. For a more detailed real-world perspective on MDM, we interviewed two companies about their experiences with MDM.
First up is the Needham Bank, Massachusetts’ largest mutual co-operative bank, with five branches in Needham and surrounding towns and over 100 staff serving the bank's 34,000 customers. Founded in 1892 to encourage thrift, home ownership and enterprise, in recent years it has embraced technology. It has introduced high-tech solutions such as remote deposit capture, online residential loan applications, mobile banking and text message banking.
As far back as 2008 Needham Bank provided mobile devices - mainly Apple iPhones and iPads - to staff at all levels of the organization to access reports and email. These devices were managed using the limited functionality offered by Microsoft's Exchange ActiveSync.
Time to Make a Change
But when Apple released iOS 4 in 2010 it introduced a sophisticated API for mobile device management. This enabled iPhones and iPads running the new version of the operating system to be provisioned and managed by enterprise MDM systems whose capabilities went far beyond those offered by ActiveSync.
This was the catalyst for Needham Bank to investigate implementing an MDM system to bring the organization's mobile devices under closer control, explained James Gordon, the bank's vice president of IT. "As a bank, we felt that we should be looking at all the controls that were available and deciding where it would be prudent for us to exercise these controls," he said.
Gordon wanted a solution that could take advantage of the new management API as quickly as possible and scanned the market for suitable products. He decided on an on-premise MDM system from MobileIron. It was a fast mover and had a product that took advantage of Apple's new API, Gordon said, adding that, "At that time no-one else was doing it."
The bank implemented the solution by installing two virtual appliances in its computing environment, and it rolled out the MDM to 65 mobile device users on a self-service basis.
"Enrollment was pretty easy," said Gordon. "When we received an email from a staff member's boss granting them mobile access, we simply emailed that staff member a document which enabled them to enroll themselves on the system. We had to do a bit of configuration behind the scenes at our end each time, but that amounted to about 20 seconds of work, compared to the 20 minutes per person it used to take us using BES (Blackberry Enterprise Server) or Exchange."
MDM Benefits: Expense Management and More
Gordon makes extensive use of MobileIron's application inventory functionality, which lists the apps installed on individual devices, allowing him to ensure that no apps that could compromise the security of bank or customer data have been installed. He also uses the MDM to prevent the use of iCloud, Apple's cloud-based storage and backup system, to ensure that bank or customer data does not end up outside the organization in Apple's cloud facilities.
In addition, Gordon uses the MDM to detect any devices that have been jailbroken and to prevent staff installing applications that have not been approved by Apple or which bypass iOS's security mechanisms.
Normally iPhones and iPads can only download apps from Apple's iTunes (unless they have been jailbroken), but the MDM enables them to download apps from an enterprise app store accessible only to the bank's staff. In some organizations, this feature is used so that employees can download iOS apps that have been developed in-house for their use, but Gordon uses this functionality in a slightly different way: to provide easy access to publicly available apps that the IT department recommends, such as its supported remote access app.
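The two controls described above, an iCloud restriction pushed to devices and a compliance check over the app inventory, are illustrated in this added example; it is not MobileIron's or the bank's code. It builds an iOS Restrictions configuration profile using the documented com.apple.applicationaccess keys and evaluates a constructed inventory record against a hypothetical approved-app list.

```python
import plistlib
import uuid

# Hypothetical allowlist of approved bundle identifiers (constructed for this example;
# the remote-access id is a placeholder, not a real product).
APPROVED_BUNDLE_IDS = {
    "com.apple.mobilemail",
    "com.example.bank.remoteaccess",
}

def build_restrictions_profile(org_id="com.example.bank"):
    """Return a .mobileconfig (XML plist) that disables iCloud backup and
    iCloud document sync via the standard Restrictions payload."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org_id}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Bank data restrictions",
        "allowCloudBackup": False,        # no device backups to iCloud
        "allowCloudDocumentSync": False,  # no app documents synced to iCloud
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Bank MDM restrictions",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)

def icloud_disabled(profile_bytes):
    """Parse a generated profile and confirm both iCloud restrictions are set."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.applicationaccess"]
    return bool(payloads) and all(
        p.get("allowCloudBackup") is False and p.get("allowCloudDocumentSync") is False
        for p in payloads)

def check_device(inventory):
    """Evaluate one device inventory record (shape assumed here: a dict with a
    'jailbroken' flag and a list of installed bundle ids). Returns findings;
    an empty list means the device is compliant."""
    findings = []
    if inventory.get("jailbroken"):
        findings.append("device is jailbroken")
    for app in inventory.get("apps", []):
        if app not in APPROVED_BUNDLE_IDS:
            findings.append(f"unapproved app installed: {app}")
    return findings
```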
It is becoming common for MDM solutions to introduce elements of telephone expense management (TEM) functionality into their feature sets, and Gordon says that MobileIron's international roaming monitoring feature has proved useful to keep the bank's mobile data costs under control. When employees take their phones overseas, both they and Gordon receive notification and employees get a message warning them that they could incur hefty data and voice charges because they are overseas.
"Just because employees have a company phone it doesn't mean that they can rack up $3,000 data charges when they are on vacation, and we want employees to know this," Gordon said.
The MDM's geolocation feature, which uses GPS capabilities to find devices that have been mislaid, has also proved useful to reduce the costs associated with giving employees iPhones and iPads. The ability to locate mislaid devices quickly minimizes the need for devices to be wiped and replacements to be purchased, reconfigured and deployed.
"We have used this feature on devices we believe may have been lost by staff or stolen, before we wipe them remotely," he said. "In many cases it turned out that the devices were simply in the employee's car, or had slipped down the back of a chair."
Gordon said managing handsets using the MDM not only makes the devices more secure, but it also increases overall security in a way he had not originally anticipated. That's because the MobileIron server that faces the Internet is a hardened Linux server, and this replaced a Microsoft server that ran ActiveSync. "That is a real security win. People should be nervous of having a Microsoft server which is publicly exposed to the Internet, and now we don't need to do that," he explained.
The only real drawback to the MDM, according to Gordon, is its financial cost. "There is no getting around the fact that the MDM is an increased cost for us -- we pay per user, per month. If MDM becomes a commodity, then that will hand the advantage to large companies that offer MDMs like McAfee, who will be able to offer solutions at very low cost. I hope that this serves as a constant reminder to MobileIron that they have to continue to innovate to justify the cost," he said.
MobileIron's MDM offers role-based access and other role-based features, and Gordon's advice to any company thinking of deploying an MDM is to segment the workforce well before starting to roll out the MDM. "If yours is a big business, then I would advise forecasting your needs as much as 48 or 60 months ahead if you can. If you have 100,000 different people with many different roles, then pre-planning your deployment and thinking ahead is vital." (More advice on implementing MDM is offered in this article from December 2013.)
Key takeaways from Needham Bank's deployment of MDM:
- MDM systems help mitigate mobile device risks, but only at a financial cost
- Features like expense management and even device geolocation can help defray these costs
- An effective self-enrollment system can ease the IT burden of deployment
- In larger organizations, expect to spend time planning your deployment in order to get the most out of its features
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.