August 13, 2019
Microsoft Endpoint Manager: Keeping Your Company Devices Secure
Many of us work from different locations, at various times of the day and use an array of devices including laptops, mobile phones and tablets. Mobility has become a necessity, but what are the security vulnerabilities?
It's likely that you'll start working on one device and then complete the task later using a different device; typically you might check emails on your phone when out and about, and then respond once you’re in the office. Mobility has become a necessity, but what are the security vulnerabilities?
Many current security setups don’t cover bases when it comes to keeping devices safe. While it’s great to have access to data when you’re out and about, there are critical security issues that you need to be aware of.
- What would happen if your mobile device was lost or stolen?
- Could sensitive data be easily accessed/can someone gain unauthorised access?
- Could the accessed data compromise other businesses as well?
- When you get a new device, how easily can you get back up and running again?
The challenge is how to keep your company mobile devices secure, while also allowing employees to use their personal devices i.e. employee BYOD whilst out of office.
The problem with most current setups
As mentioned before, most current security setups don’t cover all bases.
Old techniques and tools
The methods and tools that have been relied on for decades to manage, configure and secure devices and users, are becoming less effective as modern work styles evolve. Previously, devices were associated directly with on-premises infrastructure and trust was established between devices and controllers. Specific devices were assigned to users, and applications for users were installed on those devices. A 4-way paradigm was firmly entrenched between user, device, application and access to information. This operating model lent itself well to managing access to information and protecting corporate assets, but only if users were operating within the organisational network bounds. Policies were defined and applied to devices, and users within the network and environments were secured and well managed using mature, well-known processes. This traditional way includes Group Policies, which were applied when necessary and when devices and users were detected on the secured network.
Moving away from central networks
The neat, structured and well-understood information management techniques and tools used in the past are less effective than newer methods. As users perform activities off the network effectively, if not more effectively, their need to connect to a central network directly diminishes. They can access applications from anywhere and use any device to access information; performing activities when best suited. This operating model challenges the administration, governance and compliance tools used previously.
Corporate policy challenges
How do corporate policies get applied to devices that never connect to the domain or do so infrequently? Not reliably nor effectively using traditional tools and practices such as Group Policies. These traditional approaches require users and devices to be present on the company network.
How do you solve this?
- It would help if you could reach users and the devices that they are operating on, regardless of where they are, and when they are working to apply relevant corporate policies.
- The distinction between corporate devices and non-corporate devices must be defined. Modern workers use their personal devices to perform work-related activities (BYOD).
- If someone is using their personal device for work-related activity, it’s important to make it clear how their device will be treated with due consideration but also have the necessary levels of security around accessible company data. Corporate interests need to be protected.
- There should be a means to remove the specific company from a personal device without compromising personal usage. For example, remote wiping a personal device may not be a suitable course of action. It leaves the entire device reset resulting in the loss of all personal information on the device including the users’ music, photos, contacts and other personal digital assets on the device.
Microsoft Endpoint Manager: The time is now!
Microsoft Endpoint Manager combines mobile device management (MDM) capabilities with mobile application management (MAM). It's a smart option for keeping your company devices secure, inside and outside of the office. If you haven’t already got it, it’s a good time to consider it.
You’ll be able to:
- Manage the apps that access your company information and what they can do with that information.
- Manage the mobile devices that are used to access company data (e.g. requiring passwords on all phones, or passwordless using Biometrics - FIDO 2.0).
- Make sure these devices are compliant with your security requirements such as multi-factor authentication.
Some tools are designed for smart device management, others are designed with application management, and then some offer both device and application management facilities but focus on smart devices. The ideal tools cater for device management and application management across all devices and device types. The best tools will acknowledge the emergence of digital identities, the security models associated with those, the interaction between digital identities, device, location, risk profile and information type. A consistent governance framework will ensure that authenticating people is done based on their current risk profile, and at any time, they may be operating multiple digital personas concurrently (which will attract different rights).
It integrates corporate digital personas associated with Office 365 subscriptions directly and can extend both device and application management controls to Windows 10 devices, iOS device and Android devices based on centralised governance policies, discretely.
Some next steps to consider
For further guidance about the next steps for either scenario or if you’re unsure about your current setup, get in touch and talk to our Continuous Computing team.
We also offer Endpoint Manager workshops. These are a helpful way to discuss your unique business setup requirements and allow relevant parties to map out the best way forward.