Identity-based network services versus mobile device management
Posted by Christian Karasiewicz
This blog post is contributed by Justin Ndreu, a Senior IT Architect for IBM within IBM Global Technology Services.
So you want to become a mobile enterprise and support a bring your own device (BYOD) program for your mobile users? Should you hop on board the mobile device management (MDM) bandwagon? What about the new identity-based network services the major wireless LAN (WLAN) vendors have recently brought to market? Which one should you choose? Actually, you need both. Here's why:
Mobile device management platforms have been around for several years now and have come a long way. Products like MaaS360 by Fiberlink, an IBM company, can provide a total enterprise mobility management solution to secure and manage all of your devices, apps and content. In addition to enforcing device-level policies, leading MDM platforms like MaaS360 can deliver a complete enterprise data loss prevention solution—meaning users can manage all their emails, contacts, calendars, documents and the web from an isolated workspace on their mobile devices. Even the user enrollment process is painless: simply point your mobile device's web browser to the right URL and enter your existing enterprise credentials to authenticate. The rest of the process is entirely automated.
Identity-based network services
In a mobile enterprise, network services should enable a workflow-based approach to providing a user with the required connectivity and resource access. Platforms like Cisco Identity Services Engine (ISE) and Aruba ClearPass control network access with security features like device profiling, endpoint posture assessment and advanced policy management and enforcement. They also allow users to securely onboard and provision their own devices, while automatically protecting the network through the application of role-based policies.
The full spectrum of device management
Today, there is no single product that can address the full spectrum of infrastructure access and device management.
MDM can do almost everything, as long as the agent software is running on the device. Until that app is installed, your users have no internal enterprise network connectivity (so no email or other services), and nothing on the network side stops creative users from trying to onboard their own devices by hand. Even if your IT administrator has emailed you the MDM enrollment URL, having to pull out your hefty notebook to open that email and then type the URL into your mobile device over a cellular connection is not practical, and it will likely generate calls to the help desk.
On the other hand, today's IP networks are no longer just a means of connectivity. Identity-based network services now deliver many of the functions that used to be reserved for the MDM vendors. They automate device onboarding well while keeping the user experience smooth, and because they authenticate devices with certificates, revoking a certificate is an easy way to cut off a user who has left the company or a single device that has gone missing, without touching anyone else's access. Unfortunately, while the network can do a great job of optimizing enterprise application performance, it cannot provision or manage a secure workspace or the apps inside it.
The good news is that most of the major MDM and identity-based network services vendors have worked hard to allow their platforms to integrate with each other. So, for example, if MaaS360 were to detect that your iOS device is jailbroken, the network could automatically invoke a restricted access policy until that condition is remediated.
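The integration described above, written out as an added, illustrative policy evaluator (this is not MaaS360, Cisco ISE or Aruba ClearPass code, and every user, device and certificate serial in it is constructed): the network's decision checks certificate revocation first and fails closed, then asks whether an enterprise identity was presented at all, then consults the MDM posture (unenrolled devices get onboarding-only access, jailbroken or non-compliant devices get quarantine), and only then applies the directory role.

```python
"""Hypothetical network access policy combining 802.1X identity, certificate
revocation and MDM posture. Illustrative code, not Cisco ISE, Aruba ClearPass
or MaaS360 logic; all names, serials and devices below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Access(Enum):
    DENY = "deny"              # drop the session
    GUEST = "guest"            # internet only, no enterprise identity presented
    ONBOARD = "onboard"        # reach only the MDM enrollment / onboarding portal
    QUARANTINE = "quarantine"  # reach only remediation resources
    EMPLOYEE = "employee"      # full role-based access
    CONTRACTOR = "contractor"  # reduced role-based access


@dataclass(frozen=True)
class Posture:
    """What the MDM platform reports about a device."""
    enrolled: bool
    compliant: bool
    jailbroken: bool = False


@dataclass(frozen=True)
class NetworkRequest:
    """What the network sees at authentication time."""
    device_id: str
    user: Optional[str]         # None when no enterprise credential was presented
    cert_serial: Optional[str]  # client certificate serial, None for password/open auth


# Constructed sample state (hypothetical, not real users, devices or serials).
REVOKED_SERIALS: Set[str] = {"1f4a"}          # lost device / departed user
DIRECTORY_ROLES: Dict[str, str] = {"alice": "employee", "bob": "contractor", "carol": "employee"}
MDM_POSTURE: Dict[str, Posture] = {
    "alice-phone": Posture(enrolled=True, compliant=True),
    "bob-tablet": Posture(enrolled=True, compliant=False, jailbroken=True),
}
ROLE_TO_ACCESS = {"employee": Access.EMPLOYEE, "contractor": Access.CONTRACTOR}


def decide(req: NetworkRequest, posture: Optional[Posture], role: Optional[str]) -> Access:
    """Order matters: revocation fails closed before anything else, identity
    decides guest vs. enterprise, and MDM posture gates the enterprise roles."""
    if req.cert_serial is not None and req.cert_serial in REVOKED_SERIALS:
        return Access.DENY
    if req.user is None:
        return Access.GUEST
    if posture is None or not posture.enrolled:
        return Access.ONBOARD        # user is known, device is not managed yet
    if posture.jailbroken or not posture.compliant:
        return Access.QUARANTINE     # enrolled but out of policy until remediated
    return ROLE_TO_ACCESS.get(role or "", Access.DENY)   # unknown role: deny by default


def evaluate(req: NetworkRequest) -> Access:
    """Look up posture and role for the request, then apply the policy."""
    role = DIRECTORY_ROLES.get(req.user) if req.user else None
    return decide(req, MDM_POSTURE.get(req.device_id), role)


def report_posture(device_id: str, posture: Posture) -> None:
    """Called when the MDM pushes a compliance change, e.g. after remediation.
    The next network re-evaluation picks up the new result."""
    MDM_POSTURE[device_id] = posture


def revoke(cert_serial: str) -> None:
    """Revoke a device certificate; every later request presenting it is dropped."""
    REVOKED_SERIALS.add(cert_serial)


if __name__ == "__main__":
    alice = NetworkRequest("alice-phone", "alice", "7c02")
    print(evaluate(alice))                                          # Access.EMPLOYEE
    print(evaluate(NetworkRequest("bob-tablet", "bob", "9e11")))    # Access.QUARANTINE
    print(evaluate(NetworkRequest("carol-phone", "carol", None)))   # Access.ONBOARD
    print(evaluate(NetworkRequest("unknown", None, None)))          # Access.GUEST
    revoke("7c02")
    print(evaluate(alice))                                          # Access.DENY
```

In a real deployment the NAC platform fetches the compliance attribute from the MDM through the vendors' integration and issues a change of authorization so the session is re-evaluated; here `report_posture` followed by a second `evaluate` call stands in for that round trip.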
Understanding the full spectrum of device management is critical to becoming a successful mobile enterprise. Leverage the services you are currently using in your organization today as a starting point to determine what is needed to fill in the gaps.
How is your mobile enterprise addressing the full spectrum of infrastructure access and device management? Please share your thoughts by sending me a tweet @JustinNdreu.