Navigating the dizzying array of compliance standards is hardly a walk in the park. The growing number of devices employees use to connect to company networks makes keeping track of who is accessing which sensitive data enormously complex.
Most companies resort to device management software, most commonly known as mobile device management (MDM) solutions, to enhance data security and comply with various privacy regulations.
Despite the word “mobile” in the name, these solutions often extend to the management of laptops, tablets, and other devices. They make devices behave in specific ways according to predefined security policies so companies can pass security audits.
But not without a cost.
MDM solutions address the immediate challenge of regulatory compliance, often at the expense of employee productivity and morale. When employees feel that management is spying on them and forcing changes onto their devices, they’re more likely to switch to their personal devices — a worst-case scenario for any IT and security team.
So, should you use an MDM solution? Is it the only way to ensure endpoint security?
An MDM solution requires employees to agree to have their devices fully managed by a central authority, their employer. While the capabilities of MDMs differ by platform, they all assert a form of remote control over the device’s capabilities in favor of the MDM administrator. This can be as benign as setting the default state of various security features or as extreme as forcing a device to erase itself without the consent of the person behind the keyboard.
Before deciding whether MDM solutions are right for you, you should consider their pros and cons.
Here’s why organizations use MDM solutions:
They are effective at rapidly achieving surface-level compliance. MDMs can force a device into the desired compliant state and keep it there without consulting or negotiating with the end user.
They are easy to deploy. The agent portion of MDM is often built into the OS, and devices can be pre-configured by IT before being distributed to employees.
They are inexpensive. Since the OS vendor provides most of the functionality that makes MDM possible, entering the MDM market is far easier than building a device management solution from scratch. The commoditization of MDM software means buyers can get competitive pricing and more choices.
They are a known quantity. Most IT administrators are familiar with MDMs and can easily find IT engineers who have experience running them at scale.
There is first-party support. OS vendors are building their own device management products (e.g., Apple Business Essentials and Microsoft Intune) that are cheaper and have better features than third-party MDM vendors.
MDM solutions aren’t without their challenges. Here’s what to consider:
They can’t help you become 100% compliant. If an MDM can’t get a device into compliance through brute force or automation, you’re out of luck. Issues often arise with some of the highest-risk items, such as encrypting SSH keys, securing plain-text two-factor backup codes, or minimizing the time production data is stored on a device. These valid security objectives are too nuanced for the blunt instruments provided by traditional MDM solutions. Because they’re unsolvable through the MDM lens, they’re often declared out of scope, giving everyone a false sense of security.
They offer limited visibility. Most MDMs only provide a small number of essential data points about a device. IT administrators have to write and deploy custom shell scripts to gather valuable data to answer pressing questions about the fleet.
You’re on your own with Linux. Very few Linux flavors have a built-in MDM-like management protocol. There’s no real solution to automatically address the near-infinite choices Linux offers its users regarding basic OS features like firewalls, terminals, and automatic updates.
They can create long-term employee morale and productivity problems. All it takes is one poorly implemented policy to negatively impact hundreds of employees, so much so that they’d question the IT team’s motives and even consider using personal devices.
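Custom scripts are the usual way to cover one of the nuanced items above, such as an SSH private key stored without a passphrase, and to turn the finding into an alert the employee can act on themselves. As an added example that is not Kolide’s code and not part of the original post, the POSIX shell script below classifies each file in a directory as an unencrypted key, an encrypted key, or not a key, and prints a self-remediation hint for every unprotected one. It assumes base64(1) is installed, relies on the documented OpenSSH and PEM key headers, and constructs its own sample files (headers only, no real key material) so it runs offline.

```shell
#!/bin/sh
# Posture check for passphrase-less SSH private keys.
# Added example, not Kolide's code. Assumes POSIX sh and base64(1).
# Covers the legacy PEM format ("Proc-Type: 4,ENCRYPTED" when protected),
# PKCS#8 "ENCRYPTED PRIVATE KEY" and the OpenSSH "openssh-key-v1" format,
# whose decoded body names the cipher ("none" means no passphrase).

# ssh_key_state FILE -> prints unencrypted | encrypted | not-a-key
ssh_key_state() {
  first_line=$(head -n 1 "$1" 2>/dev/null)
  case "$first_line" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # Body layout: "openssh-key-v1\0", uint32 length, cipher name, ...
      # Squeezing every non-name byte to a newline makes the cipher line 2.
      cipher=$(sed '1d;$d' "$1" | base64 -d 2>/dev/null | head -c 64 \
        | tr -cs '[:alnum:]-' '\n' | sed -n '2p')
      if [ "$cipher" = none ]; then echo unencrypted; else echo encrypted; fi
      ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----')
      echo encrypted
      ;;
    '-----BEGIN '*' PRIVATE KEY-----')
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
      else
        echo unencrypted
      fi
      ;;
    *)
      echo not-a-key
      ;;
  esac
}

# scan_ssh_dir DIR -> one alert line per unencrypted key; returns 1 if any found
scan_ssh_dir() {
  found=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(ssh_key_state "$f")" = unencrypted ]; then
      # Alert text the user can act on (ssh-keygen -p sets a passphrase in place).
      echo "UNENCRYPTED: $f -> run: ssh-keygen -p -f '$f'"
      found=1
    fi
  done
  return $found
}

# make_samples DIR -> constructed sample files (headers only, no real key material)
make_samples() {
  mkdir -p "$1"
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\0\0\0\0\4none\0\0\0\4none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_ed25519"
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\0\0\0\0\12aes256-ctr\0\0\0\6bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/id_ed25519_protected"
  { echo '-----BEGIN RSA PRIVATE KEY-----'; echo 'AAAA'
    echo '-----END RSA PRIVATE KEY-----'; } > "$1/id_rsa_legacy"
  { echo '-----BEGIN RSA PRIVATE KEY-----'; echo 'Proc-Type: 4,ENCRYPTED'
    echo 'DEK-Info: AES-128-CBC,00'; echo 'AAAA'
    echo '-----END RSA PRIVATE KEY-----'; } > "$1/id_rsa_legacy_protected"
  echo 'ssh-ed25519 AAAA user@host' > "$1/id_ed25519.pub"
  echo 'Host *' > "$1/config"
}

# demo -> builds the sample directory, scans it, cleans up; exit status 1 = findings
demo() {
  d=$(mktemp -d)
  make_samples "$d"
  scan_ssh_dir "$d"
  status=$?
  rm -rf "$d"
  return $status
}

demo || :
```

Pointing scan_ssh_dir at a real ~/.ssh is the only change needed to run this on a fleet; the check never reads key material beyond the header and cipher name, and the alert line carries the exact command the employee runs to fix it, which is the self-remediation pattern discussed later in the post.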
Can you minimize the disadvantages of MDM solutions while benefiting from their strengths?
MDM solutions are complex to deploy and maintain. While they’re a known quantity in the IT world, their invasiveness and less-than-stellar user experience significantly reduce their effectiveness against two of today’s biggest security challenges: the proliferation of devices and human error.
Many of us have been conditioned to think that the “lockdown” approach is the only way to stay compliant. But that’s not the case. Your IT team and employees don’t have to be at odds with each other.
We must change our mindset to improve how we implement endpoint security. Instead of a top-down “big brother” approach, the principles of Honest Security can help you make security part of the company culture.
Kolide is a new breed of endpoint security solution designed around the five tenets of Honest Security. Its user-first approach helps increase adoption, while the employee training component minimizes security risks due to human error in the long run.
Kolide makes the device monitoring process transparent by allowing users to see who can access their devices, what data is collected, and even the complete source code of the agent running on their devices. Meanwhile, the software monitors devices and compiles data, so you’re ready for security audits.
Instead of forcing changes onto users’ devices or locking them out of critical data and applications for hours, the software sends automated alerts to employees when a problem is detected. The notification includes simple self-remediation steps that empower users to resolve the issue without straining IT resources.
You can use Kolide as a standalone endpoint security solution or augment your current MDM platform. You can reduce the long-term costs of implementing and maintaining a top-down MDM solution by crowdsourcing security and rallying employees around your security policy through education and collaboration.
Ready to change the device management conversation? Try Kolide for free and experience the power of Honest Security.