Risk
8/13/2012
10:14 AM
Kurt Marko
Kurt Marko
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
50%
50%

What Sophos Brings To MDM Table

Security vendors are rushing to fill gaping holes in IT's ability to manage mobile devices. But if you expect perfection, you'll wait too long.

The invasion of personal smartphones into the enterprise, whether through the front door of an official BYOD program or back door of I'll see how much I can get away with is by now so well established that the IT discussion is no longer about whether it's a good idea, but rather how to cope with the onslaught of unmanaged devices from a hodge-podge of manufactures and running several different OSs. For IT, standing at the rampart and yelling stop is about as effective building a sand berm in the face of an onrushing tsunami.

It's a situation not dissimilar to that faced a couple decades ago as PCs began flooding into offices while IT was still ensconced in its raised floor lairs tending to "real" computers. Gradually, a software ecosystem developed to automate and centralize the management of inherently personal and distributed devices. Today, many of those same companies, including endpoint security specialists like McAfee, Symantec and Sophos, are rushing to fill gaping holes in IT's ability to manage mobile devices.

As our MDM research report and survey found last year, fully 65% of respondents anticipate an increase in employee-owned mobile devices. To no one's surprise, as we outline in a recent report on mobile application development, the vast majority of those phones and tablets will be running iOS and Android. MDM software is the industry's solution to the vexing problem of making order out of chaos, but so far it's been greeted with a lukewarm response by enterprise IT. Our survey finds under a third of organizations have implemented these all-in-one management suites.

Sophos, a firm better known for PC anti-malware and data encryption than mobile security seems determined not to miss the post-PC market. The firm, which built its Sophos Mobile Control product upon technology licensed from Dialogs, a German firm specializing in mobile and communications software, clearly felt that developing MDM technology is far too important and strategic to remain an outsourced function and acquired the company earlier this year. The first fruits of this union were announced this week with a point upgrade to Sophos' MDM product. On the surface, there's not a lot new in Mobile Control 2.5, which already boasted a solid, if not extraordinary, set of MDM features; the complete litany of which you can actually see in more detail by looking at Dialogs' smartMan feature list [PDF] rather than the vague marketing speak pervading Sophos' own data sheet. The big additions are improvements to its management interface and enterprise integration, notably the ability to link devices and security policies to Active Directory groups.

[ Doing nothing is not an option. Read 6 Keys To A Flexible MDM Strategy. ]

Mobile Control's AD integration allows tying users to specific devices and groups to sets of configuration policies. For example, marketing employees might be allowed to use the Facebook app on the corporate WLAN while everyone else is blocked, or executives may be configured to use an exclusive remote VPN gateway when traveling not available to other employees. The ability to automatically map policies and configurations to existing users and groups is a big boost to administrator efficiency.

Another enhancement in 2.5 is support for app distribution and control on iOS. Previous versions allowed installing and removing apps on Android and Windows Phone, but Apple's tight control over app distribution can complicate life for enterprises. The new version enables IT to push or delete iOS apps installed from either the App Store or an in-house portal. The update also features improvements to device compliance checking and reporting. Mobile Control features a handy client-side app that gives users an overview of the device's compliance status including any resolution steps they must take to rectify the problems. IT gets the same data for all devices on a central management console.

Although Sophos didn't participate in our MDM Buyer's Guide, when comparing its feature list to the 20 or so categories we asked about, Mobile Control could check almost all of the boxes. No, it can't remotely control a device (at least not the ones that matter: Apple and Android), nor remotely upgrade the OS, but when it comes to app management, policy enforcement, device inventory, usage tracking, geolocation, and remote wipe, Sophos has you covered. One area that Sophos doesn't address--again, for the smartphones people care about--and in all fairness, few MDM products do--is data backup. With the proper configuration and usage guidelines, mobile device backup shouldn't be a critical feature since, as I point out in an earlier column, it's best to keep company data off of mobile devices. But as I point out in a forthcoming report on e-discovery in the age of cloud services and smartphones, there are certain types of important company information that invariably end up being either generated or inadvertently stored on mobile devices; things like text message conversations, call logs, audio recordings, camera snapshots--all of it potentially valuable information if the phone is lost or its owner is pertinent to pending litigation.

The MDM market is rapidly evolving, resembling the state of anti-virus and PC security products a decade ago; meaning every product has flaws and a widely accepted, de facto standard feature set has yet to emerge. But in IT, perfection can never be the enemy of the good, since the good is always getting better. When it comes to getting a handle on mobile devices within your organization, Sophos' updated Mobile Control is emphatically better than nothing and at least as good as most of its competitors. IT shops already using Sophos for PC endpoint management should start their MDM evaluation here.

Android and Apple devices make backup a challenge for IT. Look to smart policy, cloud services, and MDM for answers. Also in the new, all-digital Mobile Device Backup issue of InformationWeek: Take advantage of advances that simplify the process of backing up virtual machines. (Free with registration.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.