Growth of bring-your-own-device (BYOD) policies in the late 2000s prompted many organizations to develop security protocols for employee-owned equipment. In response, software companies specializing in securing mobile devices quickly gained acceptance. Today, 65 percent of enterprises have adopted mobile device management (MDM) software to control smartphones and tablets.[1] This control often includes remote erasure of the units once they are retired. Organizations are also incorporating mobile application management (MAM) protocols. But are these tools effective at device disposition?
The importance of MDM/MAM
Recently, Blancco Technology Group released a report finding that 48 percent of the 122 devices it purchased in common secondary markets still had data on them.[2] These were devices sold by consumers and trade-in companies. This is not the first time that open-market purchases of used hardware have revealed the lack of proper data erasure protocols.
For an enterprise, the liability from a single data breach is significant, so being able to prove that erasure has been performed is critical. BYOD environments, and organizations that do not require devices to be returned so that erasure can be validated, depend on the efficacy of their MDM and MAM software to protect data. Unfortunately for many of these organizations, Gartner predicts that by 2017 the majority of endpoint breaches will occur on mobile devices,[3] and that the preponderance of those breaches will be caused by mismanagement of the MDM/MAM software.
What is MDM?
MDM, or mobile device management, locks down, controls, encrypts, and enforces policies on mobile devices such as tablets and smartphones. Depending on the measures deployed, these controls can apply to the whole device or only to parts of it. For example, many organizations create an encrypted container for corporate email but do not do the same for personal email. Another common control is to require a password to access the device.
What is MAM?
MAM, or mobile application management, locks down, controls, and secures specific corporate applications. In most cases, these are custom applications used by the enterprise for business-specific purposes. For example, an insurance company may leverage a claims-processing application that can record client data and capture images of the accident. In MAM environments, this data is stored in the cloud and made accessible through the application. No data is actually stored on the device. The device simply serves as a portal.
Where is data stored?
Although MDM and MAM software purport to store data securely in containers or in the cloud, information may still be delivered to the device and stored in ways that bypass those security measures. Consider these possible storage locations:
- Cloud-based application (MAM)
- Device-based encrypted areas (MDM)
- Personal email
- Device-synced files (Dropbox, Evernote)
- Browsing history
Complications of remote erase and remote lockdown
In Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise,[4] the National Institute of Standards and Technology discusses the fallibility of remote attempts at data erasure:
“Remote wipe is a fundamentally unreliable security control; for example, an attacker could access information on a device before it is wiped, or an attacker could power off a device to prevent it from receiving a remote wipe signal. Organizations should not rely on a remote wipe as the sole security control for protecting sensitive data, but instead consider it to be one layer of a multilayered approach to protection.”
The premise behind this criticism is the absence of any step that validates erasure. Technically speaking, there is no method to validate that data has been erased once a remote-erase instruction has been sent. Although separation from MAM systems can be validated, uncontained data on the device may remain. In either case, without physical possession of the unit, it is impossible to validate complete erasure.
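One practical consequence for a disposition program is that a "wipe sent" console status must never be treated as "data erased". The following added example (not code from the original article or from any MDM vendor) models that distinction over a few constructed wipe records: a wipe that was never acknowledged may simply have reached a powered-off device, and even an acknowledged wipe only covers the managed container, so only a physically verified unit counts as erased. The record fields and the seven-day threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class WipeRecord:
    device_id: str
    wipe_sent: datetime                 # when the console issued the remote-erase command
    wipe_acked: Optional[datetime]      # when the device confirmed the wipe, None if never
    physically_verified: bool           # unit returned and its storage checked in hand

# Assumed policy value: after this long with no acknowledgement, stop waiting and
# treat the device as unreachable (powered off, offline, or already in someone else's hands).
MAX_ACK_WAIT = timedelta(days=7)

def classify(rec: WipeRecord, now: datetime) -> str:
    """Map a wipe record to a disposition status that does not overstate what is known."""
    if rec.physically_verified:
        return "verified"                # the only status that means "erasure validated"
    if rec.wipe_acked is None:
        return "unreachable" if now - rec.wipe_sent > MAX_ACK_WAIT else "pending"
    # An ack proves the MDM/MAM container was wiped, not that personal email,
    # synced files or browser history on the device were touched.
    return "acked-unverified"

def devices_needing_followup(records: List[WipeRecord], now: datetime) -> List[str]:
    """Device IDs that must be physically recovered (or escalated) before disposition closes."""
    return [r.device_id for r in records
            if classify(r, now) in ("unreachable", "acked-unverified")]

# Constructed sample export; NOW is fixed so the example is deterministic.
NOW = datetime(2016, 6, 1)
SAMPLE = [
    WipeRecord("D1", NOW - timedelta(days=10), NOW - timedelta(days=9), True),
    WipeRecord("D2", NOW - timedelta(days=10), None, False),   # never answered the wipe
    WipeRecord("D3", NOW - timedelta(days=2), None, False),    # still inside the wait window
    WipeRecord("D4", NOW - timedelta(days=3), NOW - timedelta(days=3), False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.device_id, classify(rec, NOW))
    print("follow-up:", devices_needing_followup(SAMPLE, NOW))
```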
For more information on ways to optimize the effectiveness of MDM and MAM tools during disposal and to reduce the risk of faulty erasure, attend our presentation at the upcoming IAITAM Conference.