Modern Device Management: Resist Or Embrace?

Author: ESG's Mark Bowker (@markbowker)

Here’s the problem. Gone are the days when a user would have a single username and password to access a single device. And gone are the times when IT had to secure a single predictable and stable environment. Bye bye. Today, as we know, employees have multiple devices that they use every day to get work done.

For example, it is not unusual to see an employee with a Samsung phone running Android, an iPad running iOS, and a Windows laptop... let’s throw in a Chromebook for fun too. These are all fantastic pieces of technology, and they do in fact deliver employee satisfaction and productivity gains that should not be ignored. But how does IT wrap its arms around all these devices, applications, and identities... not to mention securing the now-expanded perimeter? Yikes!

Here is problem number two. IT has invested in asset management, device management, application monitoring, network monitoring, and security tools to protect a predictable environment with defined walls. While this approach is still valid and widely used, the integration amongst the aforementioned array of devices is cumbersome, time-consuming, and potentially not possible.

So, what does IT do? They buy another tool. A great example: as Macs made their way into businesses, IT invested in management software from companies like Jamf. Good stuff, but is this a future-proof approach?

Let’s explore the concept of modern management. Here are the goals:

  • Manage a user’s identity. The identity could be a corporate-provided identity or consumer credentials. In either case, the user is authenticated with strong authentication (refer to the FIDO Alliance for some good examples), and authorization is applied based on policy that can be enforced across devices, OSes, applications, and networks.
  • Policies. Throw away the blanket policies created in AD and GPO. Fact is, IT hasn’t leveraged these to their full capabilities anyway. Access, device, app, and security policies are created in cooperation with the information security team and enforced by IT operations. A key component of modern management is that it provides a single source of truth associated with an identity, and policies can dynamically change based on device, location, compliance mandate, application, etc.
  • Security. It is no longer OK to think of security as an afterthought. Security policies are perhaps the most critical piece of modern management. That means risk assessment to determine the level of trust and the policy to enforce, as well as proactive monitoring through user behavior analytics, ideally leveraging the powerhouse of machine learning from intelligent cloud providers like Microsoft, Google, Oracle, AWS, etc., to detect threats and, through modern management controls, prevent them before a user, device, or app is compromised.

IT is going to resist modern management because they have invested time and energy into the current siloed management approach. I spoke with one IT pro who was heavily invested in Microsoft SCCM for managing Windows and VMware AirWatch for managing mobile devices. He is also a VMware Workspace ONE customer (primarily to manage his AirWatch environment, but resistant to the idea that he would be able to step away from SCCM anytime soon).

So, while the shift toward modern management that is inclusive of device management and security will be met with speed bumps, the concepts are solid and something IT and security organizations should have on their radar to research before cybersecurity risks rise further and IT loses more control.

Mark Bowker is senior analyst at ESG.