Defining unified endpoint management
The core principles of present-day unified endpoint management (UEM) are similar to those of early-2000s mobile device management (MDM). Over the past two decades, however, demand for real-time, remote access to organizational data has grown rapidly, and that demand called for a more comprehensive approach. MDM programs focused exclusively on administering mobile devices such as laptops, tablets, and smartphones. UEM covers a broader set of devices: personal devices enrolled under bring-your-own-device (BYOD) policies, desktops, internet of things (IoT) devices, wearables, and printers. With UEM, a single management platform can remotely enroll and manage devices, push configuration changes, lock or locate devices, and manage information, content, and applications.
Using a single UEM platform to manage such a wide variety of devices is a lofty goal, but it’s an important one because insecure mobile devices remain one of the more well-known, high-risk security concerns that IT teams seek to better manage. In the Verizon Mobile Security Index 2021 report, 40% of survey respondents stated that mobile devices are the biggest IT security threat, and 53% said that “the consequences they suffered from a mobile-device-related security compromise were major.”
Planning for a unified endpoint management program
The most difficult aspect of establishing a UEM program is the sheer number of operational considerations that need to be accounted for when planning the program, some of which include:
- Disparate use cases for different personnel and departments
- The assortment of devices and operating systems that need to be supported by the UEM solution
- Whether BYOD or corporate-only devices should be used
- Costs associated with data usage and device procurement
- Privacy concerns of employees who elect to use personal devices as part of a BYOD program
- Centralizing remote management and patching of mobile devices
- Allowing for remote locking and wiping of devices
- Integration and synchronization with a centralized identity management service, such as Microsoft Active Directory™
- Various other organization-specific requirements
This list of considerations can vary wildly depending on the type of organization and the unique needs of its user base. For example, a school district seeking to secure a large number of devices that students and faculty use for educational purposes has vastly different needs from the needs of a small bank with fewer remote assets. Both organizations have to consider different legal and compliance statutes. Additionally, both organizations must manage scaling issues that arise when the quantity of remote assets increases. Various user bases (students versus corporate employees) do not handle physical devices in the same way, and the applications and services running on each endpoint vary due to the drastically different technology stacks.
Understanding specific unified endpoint management needs
Taking so many operational considerations into account can seem daunting, but when an IT team sets out to create a new UEM program (or bolster an existing one), a number of questions help frame the work, including:
- What kind of mobile access to organizational resources is needed?
- How many mobile devices are in use?
- What data will be handled on these devices?
- What security vulnerabilities are associated with the in-scope applications and devices?
- Which applications and peripherals do users use on a daily basis?
- How will these devices fit into the technology stack and broader ecosystem?
- Where will these devices likely be used or stored?
- What regulatory or compliance frameworks need to be considered?
For some organizations, addressing these questions is a significant challenge because of the size and complexity of the corporate environment, but it is important to identify answers to these and other questions early so that the approach and controls can be built or tailored with specific end objectives in mind. If an organization does not know what kinds of devices its user base needs, it cannot vet which solutions are interoperable with the operating systems in scope. Likewise, if an organization allows personal devices under a BYOD initiative, the IT department will likely not have full control of the device, and it will need to consider how organizational practices will respect the user’s personal data and privacy.
On corporate-owned laptops, a common approach is a locally installed UEM agent that periodically checks in with the UEM server to pull security updates and configuration changes derived from current corporate policy. That approach might not be feasible on BYOD assets because of privacy concerns. Similarly, monitoring a personal device’s geolocation data or application activity raises privacy concerns, as many users would not be comfortable with their employer’s IT department being able to monitor their location and personal usage data.
Understanding the specific data types that are accessible on the devices and how users handle that data is critical when considering where and how to implement security controls. If users store sensitive data locally on their devices, then a variety of security controls should be considered, such as restricting the use of removable media, implementing web content filtering controls to prevent bulk uploads of data to file sharing sites, and applying data loss prevention policies to email accounts to prohibit data exfiltration attempts.
Alternatively, some organizations take a more surgical approach and restrict the organization’s applications rather than the device as a whole. This approach is called mobile application management (MAM), and it is most commonly seen in corporate email applications that restrict copy-and-paste, prohibit downloading attachments to local storage, or otherwise prevent corporate data from leaving the secured application instance. MAM lets corporate IT departments manage corporate data without taking full control of the device, which is especially useful for personal devices.
Regulatory and compliance frameworks should serve as the guiding principles for the control implementations that organizations might consider. For example, if the data in question is electronic protected health information (ePHI), then Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules should drive control considerations and implementations on mobile devices that access ePHI.
In 2017, the Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA rules, found that one healthcare system violated the HIPAA security rule because it had not implemented encryption on a lost device that contained the ePHI of roughly 3,800 patients and therefore allowed a breach of patient information. Over the next three years, two more incidents of lost, unencrypted devices containing patient data were reported from the same healthcare system. The loss of these unencrypted, non-password protected devices resulted in a fine of $3,217,000, one of the heaviest penalties ever issued by the OCR. This extreme example demonstrates the importance of understanding the organization’s role and responsibilities in securing data on mobile devices in accordance with regulatory standards.
Implementing unified endpoint management security controls
Once all the different needs of the organization have been considered and documented within corporate policies and procedures, it’s time to implement security controls across the fleet of mobile devices. Regardless of which UEM program an organization decides to use, the following security controls for mobile devices should be considered:
- Enforcing the encryption of local data
- Configuring user access controls such as stringent password policies or, at a minimum, a personal identification number for mobile devices
- Requiring that the latest security updates and patches be applied before a device is granted access to corporate resources and data
- Maintaining asset and application inventories for tracking and compliance purposes
- Enforcing audit policies that capture event logs detailing user actions, what data was accessed by the mobile device, and other system-specific details that can be used for incident investigation purposes
- Implementing endpoint protection and antivirus solutions, as applicable to the device and associated operating system
- Performing host-based compliance checks to verify that the device is configured in accordance with enterprise security controls and policies
- Using geofencing, where applicable, so that corporate resources cannot be accessed from countries in which the organization has no employees; device-reported location is a signal to combine with other checks, not proof of where the device is
- Implementing remote wipe capabilities if the device is lost or stolen from an employee
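The controls listed above are usually enforced at check-in: the agent sends a posture report, the UEM server evaluates it against policy, and access to corporate resources is allowed or denied on the result. The following is an added example of that evaluation logic; it is not code from any UEM product, and the policy fields, report fields, thresholds, and application bundle identifiers are assumptions chosen for illustration.

```python
"""Evaluating a device check-in report against an enterprise posture policy.
Added example, not code from any UEM product. Policy and report fields,
thresholds and app identifiers are assumptions made for illustration."""
from typing import Any, Dict, List, Tuple

# Hypothetical policy; the values illustrate the mechanism, not a recommendation.
POLICY: Dict[str, Any] = {
    "min_os": {"ios": "16.6", "android": "13", "windows": "10.0.19045"},
    "require_disk_encryption": True,
    "min_passcode_length": 6,
    "max_patch_age_days": 30,
    "allowed_countries": {"US", "CA"},  # geofence; an empty set disables it
    "blocked_apps": {"com.example.sideloaded-vpn"},
    "required_apps": {"com.example.corp-agent"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045). Comparing version strings
    lexically would rank '10.0.9' above '10.0.19045'; integers avoid that.
    A non-numeric suffix such as '16.6b1' is truncated at the first non-digit."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))  # pad so (16, 6) compares as (16, 6, 0)
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_posture(report: Dict[str, Any], policy: Dict[str, Any]) -> List[str]:
    """Return the policy violations found in one check-in report.
    An empty list means the device is compliant. Each finding is a stable
    code so it can be logged, alerted on, or mapped to a remediation."""
    findings: List[str] = []
    min_os = policy["min_os"].get(report.get("platform", ""))
    if min_os is None:
        findings.append("unsupported_platform")
    elif not version_at_least(report.get("os_version", "0"), min_os):
        findings.append("os_below_minimum")
    if report.get("rooted_or_jailbroken"):
        findings.append("rooted_or_jailbroken")
    if policy["require_disk_encryption"] and not report.get("disk_encrypted"):
        findings.append("disk_not_encrypted")
    if report.get("passcode_length", 0) < policy["min_passcode_length"]:
        findings.append("weak_or_missing_passcode")
    if report.get("days_since_security_patch", 10**6) > policy["max_patch_age_days"]:
        findings.append("security_patches_stale")
    # Geofence: the country is self-reported by the agent, so it is one signal,
    # not proof of location. BYOD agents often withhold it for privacy; a
    # missing value is skipped rather than treated as a violation.
    allowed = policy["allowed_countries"]
    country = report.get("country")
    if allowed and country is not None and country not in allowed:
        findings.append("outside_allowed_region")
    installed = set(report.get("installed_apps", []))
    if installed & policy["blocked_apps"]:
        findings.append("blocked_app_installed")
    if policy["required_apps"] - installed:
        findings.append("required_app_missing")
    return findings


def access_decision(report: Dict[str, Any], policy: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Conditional access: only a device with no findings reaches corporate resources."""
    findings = evaluate_posture(report, policy)
    return ("allow" if not findings else "deny", findings)


# Constructed check-in reports (sample data, not captured from a real fleet).
HEALTHY_LAPTOP: Dict[str, Any] = {
    "device_id": "lt-0001", "platform": "windows", "os_version": "10.0.19045",
    "disk_encrypted": True, "passcode_length": 12, "days_since_security_patch": 9,
    "country": "US", "installed_apps": ["com.example.corp-agent"],
    "rooted_or_jailbroken": False,
}
STALE_PHONE: Dict[str, Any] = {
    "device_id": "ph-0042", "platform": "android", "os_version": "12",
    "disk_encrypted": False, "passcode_length": 4, "days_since_security_patch": 75,
    "country": "BR",
    "installed_apps": ["com.example.corp-agent", "com.example.sideloaded-vpn"],
    "rooted_or_jailbroken": False,
}

if __name__ == "__main__":
    for rpt in (HEALTHY_LAPTOP, STALE_PHONE):
        decision, why = access_decision(rpt, POLICY)
        print(rpt["device_id"], decision, why)
```

Returning a list of finding codes rather than a single boolean is deliberate: the same evaluation feeds the audit log, the user-facing remediation message, and the access decision, and a device that fails several checks is visible as such in an investigation.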
Despite the enforcement of such security controls, many concerns persist that underlying operating system vulnerabilities could serve as an avenue for an organization’s data to be compromised. These concerns were validated with the revelation that an Israeli company known as the NSO Group was selling malware, called “Pegasus,” to government intelligence agencies. The Pegasus malware’s primary function was to act as spyware and surreptitiously monitor a mobile device without the user’s knowledge, and it also likely included remote code execution capabilities.
Pegasus might have been in use since at least 2013, offering its operators the ability to compromise versions of iOS 7 (2013) through 14.6 (2021) and a variety of Android operating systems. However, even before the discovery of Pegasus, government agencies such as the National Security Agency had the ability to use malicious software implants to covertly exfiltrate data from mobile devices, including widely used devices such as the iPhone.
The concern with these attacks is not solely that a big brother agency could monitor individuals’ activities but that these vulnerabilities or exploits could be leaked and used by criminal groups to damage organizations, as has happened in the past. In these situations, it’s important to rely on a defense-in-depth model as well as detailed incident response procedures that enable the organization to respond to a breach in a timely and appropriate manner.
Why unified endpoint management matters
In the increasingly mobile-dependent workforce, balancing efficiency and user experience with a strong security posture is indeed a lofty goal. Effective unified endpoint management programs minimize security risks of mobile devices and help maintain confidentiality, integrity, and availability of data. However, no security controls are foolproof.
In addition to implementing solid UEM programs, organizations should make sure that incident response plans have been appropriately documented and tested. Additionally, they should verify that personnel involved in responding to such events have at their disposal the tactics, techniques, and procedures necessary to contain the threat, appropriately investigate the threat actor’s actions, eradicate the threat actor’s presence, and recover from the attack.
By approaching the widespread use of mobile devices with security as a priority, organizations can minimize risk so that even if some security mechanisms fail, additional controls are in place that can prevent further compromise or minimize the impact of an event.