This post is contributed by Miku Jha, Product Line Manager for the IBM Mobile Foundation Product Portfolio
With the growing number of mobile enterprise apps and changing usage patterns, enterprises need to shift from the draconian security approach of locking down the entire device to a more granular approach of securing specific apps. This is where MAM comes in as a set of tools and technologies to address the growing app-level security and usage concerns.
- What’s your strategy for third-party apps? How do you secure third-party apps without access to the source code?
- Can you selectively wipe the app when the device is lost or stolen?
- Can you enforce passcode policy compliance across all app types including custom apps, third-party apps and public apps?
- Can you ensure that any data/content accessed by the apps does not go beyond the organization’s control?
- How do we get active app feedback, reviews and ratings for the developers?
MAM is not just a glorified app store
The core MAM functionalities offered across these domains are:
- Application-level policy enforcement
- Runtime policy/security updates on apps (done using app wrapping and SDKs)
- App deprovisioning
- Ability to remote wipe an app and its related data
- Secured container to run apps
- Application analytics
- Integration with MDM (mobile device management) to do remote wipe, selective removal of app, and so on
- Reports on app usage and device usage
- User authorization and authentication
Practical examples of MAM from a security point of view
- Multi-factor authentication: Use app wrapping to enforce multi-factor authentication on third-party apps or generic apps
- PIN authentication: Prohibit offline use and allow access to corporate data only if the user is securely connected to the enterprise network
- Geofencing: Restrict app usage based on specific geographic locations during specific periods
- Data-at-rest encryption: Discover and encrypt data specific to an app as opposed to having to encrypt all the data on the device
- App-level VPN: Force an app to use a secure VPN connection to the corporate network. This secures data in motion.
MAM is a natural extension of capabilities for both MEAP (Mobile Enterprise Application Platform) vendors and MDM vendors who are quickly adding mobile application management to their portfolio:
- MobileIron introduced app wrapping and secure app tunnel (AppConnect and AppTunnel)
- Symantec added app wrapping and app SDK via the Nukona acquisition and recently launched its App Center Ready program for ecosystem development
- Good Technology acquired AppCentral for enterprise app store and app wrapping
You need MAM capabilities regardless of your MDM deployment
As you consider MAM in your mobile strategy in 2013, don’t make this false assumption: If I have an MDM solution, I don’t need MAM. You need both for a healthy mobile enterprise strategy.
MDM is about managing, provisioning and securing the device. This is needed when you want to offer device-level protection such as device tracking, remote wipe, IT policy enforcement, compliance and monitoring of employee devices.
However, with the ever-evolving BYOD (Bring Your Own Device) landscape, where the device may be employee-owned but not necessarily corporate-managed, a growing focus is on application-level protection and data security.
MDM helps you with securing the device, whereas MAM helps you with securing the information residing on the device or accessed from the device. An enterprise needs both device-level and app-level protection for a comprehensive mobile security strategy.
If you get confused by the ongoing debate between MAM and MDM, remember these rules of thumb:
- MAM doesn’t replace MDM.
- MDM alone doesn’t compensate for MAM needs.
- MAM and MDM are complementary since they approach security and protection from different angles, and both may be needed for your BYOD initiative to be successful.
- Both MAM and MDM can coexist based on your needs.
Be sure to consider the application-level protection and needs of your enterprise and respond “Yes” to “Got MAM?” in 2013.
Miku Jha has a deep understanding of Web, Mobile, Virtualization and enterprise technology and is currently involved in shaping product and strategy for IBM Mobile. Previously, Miku led World Wide Technical Sales Enablement at IBM. Miku came to IBM through the Worklight acquisition, where she was a Senior Solutions Architect. Prior to Worklight, Miku held multiple roles in Program Management, Product Management and business planning at VMware, where she was also instrumental in the launch of VMware’s first-generation Mobile Virtualization solution. She holds an MBA from Cornell University and a Bachelor’s degree in Computer Science from Mumbai University.
Miku is an IBM Redbooks thought leader