Contents

Introduction
Data Security Requirements for BYOD
Capabilities
About ForeScout
Conclusion
Introduction

ForeScout MDM provides on-the-go employees with important corporate information at their fingertips, from broad distribution of company-wide information to targeted information for specific stakeholders. Distribute quarterly sales and financial documents to the Board of Directors and executive stakeholders. Update product and marketing materials in real time for sales teams so they don't need to scramble to find the latest datasheet or competitive information. Share company-wide information such as training materials, emergency information and HR policies.

"The rise of bring your own device programs is the single most radical shift in the economics of client computing for business since PCs invaded the workplace."
Gartner, Bring Your Own Device: New Opportunities, New Challenges, 16 August 2012, David A. Willis

Mobile devices such as smartphones and tablets have entered the workplace en masse, quickly becoming essential tools for employees. These devices increase workforce productivity, improve sales enablement, and facilitate faster decision making by managers and executives. However, they also necessitate additional investments in IT infrastructure and management software, as well as the development of policies and procedures to effectively manage and secure them.

Any discussion of enterprise mobility invariably leads to talk of BYOD (bring your own device) programs and policies. BYOD programs allow employees, business partners and others to use personally selected and purchased devices to execute enterprise applications and access corporate data. According to Forrester, 48% of employees chose their smartphones without regard for IT support. A Gartner survey of CIOs expects 38% of all mobile devices used within the enterprise will be employee owned by 2014.
While employees are overwhelmingly in favor of using personal devices in the workplace, IT managers have a tough time reconciling the confirmed security risks with anticipated productivity gains. In many cases, line of business (LOB) executives are breaking the tie and deciding that the business case presented by workforce mobility is simply too attractive to overlook. This has forced IT managers to rethink the way they approach enterprise mobility. IT operations and IT security teams can no longer dictate which devices they will support, and have lost veto power over personally owned devices. They are being asked to embrace BYOD programs while ensuring personal devices do not compromise enterprise security or cause data leakage.

Data Security Requirements for BYOD

While mobile device management (MDM) software is important for managing the physical devices themselves, protection of corporate information on these devices cannot be neglected. Securing the information on mobile devices requires stricter controls than simply protecting the devices themselves.

One of the more promising strategies for protecting information on mobile devices is segmentation and containerization of information and applications used for work and play. Containerization is a set of mechanisms that enforce separation between corporate and personal footprints on a device. It can be used to create encrypted folders and isolated containers (or sandboxes) to house sensitive information and corporate apps. For example, by placing a corporate email app in one of these security sandboxes, the program remains isolated and insulated against any actions taking place on unregulated portions of the device. IT managers can tailor custom policies for groups of users and/or devices for access to corporate data and apps.

Data security and segmentation controls offer smooth support for BYOD programs because employees retain device control and application choice outside corporate sandboxes. This ensures better security without compromising user experience, and embraces consumerization without compromising IT controls and policies. IT organizations retain granular control over corporate footprints on employee-owned devices, easing the task of demonstrating policy compliance in corporate audits.
"[MDM] platforms are expanding deeper into enterprise mobile software and documents management support. Enterprises should look not just at a vendor's MDM technology but also at how well it can support enterprise mobile needs."
Gartner, Magic Quadrant for Mobile Device Management Software, 17 May 2012, P. Redman, J. Girard & M. Basso

"The containerization of individual applications and files through policy wrapping locks down selected corporate content, avoiding restrictions to the user experience with native applications."
Gartner, Critical Capabilities for Mobile Device Management, 8 August 2012, M. Basso & P. Redman

Capabilities

ForeScout MDM, powered by MaaS360, allows organizations to securely share and manage sensitive corporate information on mobile devices by tracking and managing personal and business footprints through a variety of mechanisms:

1. Corporate email configuration, management, and selective wipe: ForeScout MDM can provision the corporate email account on devices and then selectively wipe corporate email and attachments on a device while leaving personal email, data, and photos untouched. ForeScout MDM email controls also allow organizations to restrict business emails and attachments from being emailed via personal email accounts. This keeps personal and business email data separate and eliminates a common data leakage issue, while providing a cost-effective way for businesses to carefully manage corporate information in email.

2. Secure Document Container: ForeScout MDM can distribute and manage corporate documents on mobile devices and store them in an encrypted business container, separate from personal documents. Policies can be applied to either allow or restrict document sharing. Restricting sharing means corporate documents cannot be moved to other applications, emailed, or have screen captures performed on them. Any distributed document can also be centrally removed from the device, either individually or in bulk.

3. Mobile Application Management: ForeScout MDM provides an easy-to-use, on-device enterprise app catalog with full operational and security lifecycle management of apps across mobile device platforms. This allows organizations to separate business apps from personal apps with the ability to remove any business application and its associated data individually or as part of a selective or full remote wipe.

4. Personal privacy settings: ForeScout MDM allows businesses to block the collection of selected personal data such as location and installed applications. This can be very important for some customers, especially in certain regions of the world where attitudes toward personal privacy are extremely strong. In some areas and industries, IT managers may not be allowed to track personal information (such as the user's location and installed applications) even on corporate-owned devices. ForeScout MDM facilitates such privacy controls.

Each of these data security controls can be applied on an individual, group, or full population of devices, allowing for highly segmented approaches to managing personal vs. business information for a variety of uses and user groups. For instance, hospitals use Secure Doc Sharing containerization technology to distribute sensitive medical information via mobile devices, ensuring that the documents remain securely encrypted within the ForeScout MDM doc container.

All of the above functionality provides the ability to have integrated policies across email, application, and document data management. For example, if a device is discovered to be lost or non-compliant (perhaps jailbroken), ForeScout MDM can automatically wipe all email and associated attachments, restrict or wipe any documents that are in the ForeScout MDM document container, and remove proprietary corporate applications that hold sensitive data, all based on a single automated rule predicated on a simple device attribute (jailbroken) identified in real time.
Conclusion

ForeScout MDM provides powerful capabilities that allow organizations to securely manage mobile devices as well as the information and applications on those devices. Using ForeScout MDM's data security and privacy functions, IT managers can segment and manage corporate and personal footprints on the same device. This empowers IT professionals and organizations to:

- Increase employee productivity through effective mobile device usage
- Improve user experience associated with mobile device use for corporate purposes
- Deliver tailored mobile capabilities to different segments of the workforce

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008 U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com

© 2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, ForeScout MDM, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0057