
TrustSpace ; Digital Secure WorkSpace Based on ‘Zero Trust’

Contents

TrustSpace ; Digital Secure WorkSpace Based on ‘Zero Trust’

Research from Gartner: Market Guide for Mobile Threat Defense

How to Successfully Navigate the Hurdles of Global-Scale BYOD Implementations

I. Enterprise Mobility Trend Under Digital Transformation

In recent years, as the mobile communications infrastructure has matured (mobile devices, 4G networks, Android, iOS and other mobile operating systems) and enterprises have accelerated their digital transformation, the BYOD working mode is gradually becoming the dominant device model for enterprise mobility. Customers in many industries, such as finance, enterprise, government and healthcare, have started to encourage staff to use enterprise applications on their personal devices and to allow those devices to access the enterprise intranet at any time and from any place.

The trend has two core driving forces. The first is the enterprise’s need to keep reducing cost and improving efficiency. In the COPE/COBO working modes the enterprise bears significantly higher purchase and operating costs, so enterprises naturally lean toward the lower-cost BYOD mode, which uses the staff’s existing personal mobile devices for work. The other driving force is the staff’s own wish to work from their personal devices. The COPE/COBO modes cause considerable inconvenience during mobile working; a typical case is the employee who has to carry two phones, a company phone for work and a personal one. That is a poor user experience, and staff prefer to use their personal devices for mobile working.

In their 2018 report Gartner reported that, “…by 2022, more than 75% of smartphones used in the enterprise will be bring your own device (BYOD), forcing a migration from device-centric management to app- and data-centric management.”1

1 Gartner Inc., Define BYOD Ownership and Support Expectations in Contracts to Ensure Successful Implementation, 29 March 2018, G00351642

Figure 2. Changes in Device Ownership Over a Period of Time2

Base: n = 57 (Desktop) and 43 (Tablet and Smartphone) Gartner Research Circle Members. Q: How are each of the following items in the equipment portfolio of the deskbound worker (office only) provided today? Q: How do you expect each of the following items in the equipment portfolio of the deskbound worker (office only) to be provided in three years?

Source: Gartner (March 2018)

2 Gartner Inc., Define BYOD Ownership and Support Expectations in Contracts to Ensure Successful Implementation, 29 March 2018, G00351642

BYOD not only accelerates enterprise mobility but also brings new challenges for IT security, device management and so on. The core challenge is how to securely provide the right users with the right applications and data, on the right devices, at the right time and place.

II. Demand Trend and Strategic Recommendations on Enterprise Mobile Security

• Demand trend of enterprise mobile security

º Enterprises no longer focus on device management; instead, they pay more and more attention to how to deliver mobile applications securely and efficiently and how to protect data.

º For BYOD and highly regulated industry scenarios (such as government and finance), the demand for mobile threat defense is growing stronger.

º Multi-factor identity authentication, dynamic identity authorization and unified identity management are becoming key considerations.

º IT senior management pay more attention to the mobile working user experience and to the protection of staff’s personal privacy.

• Strategic recommendations on enterprise mobile security

º Enterprises should upgrade their original device-centered mobile management strategy to a user-centered workspace strategy.

º Enterprises should build a new mobile security model to cope with the security and compliance challenges of a workspace strategy.

º Enterprises should fully consider the differences between the BYOD and COPE modes with respect to security management and user privacy, and make differentiated security strategies.


III. ‘Zero-Trust’ Security Architecture of TrustSpace

TrustSpace secure workspace (hereinafter “TrustSpace”) is a new digital secure workspace solution launched by 360 Enterprise Security Group. Built on the ‘zero-trust’ and ‘zero-control’ concepts, TrustSpace helps enterprises fully enable the BYOD working mode from the perspective of both IT managers and end users. For IT managers it builds a three-level trust system covering the system environment, the identity boundary and the application data, which makes mobile working secure and reliable. For end users, zero management of the device, zero collection of privacy and zero cost of usage remove the privacy concerns of mobile users and encourage them to work from their own devices.

TrustSpace ‘zero-trust’ security technology builds a trustworthy workspace on an open mobile device, provides a general data protection scheme for enterprise applications and data, and reduces the series of security risks that enterprise mobility introduces. It is a new security model built around the device, the user and the application, as follows:

• Trusted Device system environment

Drawing on mobile security big data, TrustSpace MTD (mobile threat defense) technology provides risk perception and threat detection on the mobile device at the device level (such as jailbreak/root, system vulnerability and system configuration compliance detection), the network level (such as Wi-Fi security detection) and the application level (such as malicious app behavior detection), to ensure that TrustSpace runs in a secure and trusted operating environment.

Source: 360 Enterprise Security Group

Page 4: TrustSpace ; Digital Secure WorkSpace Based on ‘Zero ... · Meantime, the key information, such as the key used during data encryption, is subject to secure storage using the secure

4

• Trusted User identity boundary

By deeply integrating new-generation container technology with identity authentication technology, TrustSpace redraws the boundary of enterprise applications. The boundary has two meanings. The first is TrustSpace itself: the container builds a basic boundary between enterprise applications and personal applications, and basic identity authentication at the entrance of that boundary verifies the user’s identity. The second is the internal application boundary inside the TrustSpace container, defined by the different values and sensitivities of applications and data. For highly sensitive applications, continuous, dynamically strengthened identity authentication is required based on time, location, behavior and other factors, so that these highly sensitive or highly valuable applications can only be accessed securely by the right users at the right time and place.

Source: 360 Enterprise Security Group
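The access decision that the Trusted Device and Trusted User levels describe, written out as an added example in Go. This is illustrative code written for this page, not TrustSpace or 360ID code: the posture fields an MTD agent would report, the two-level sensitivity scheme, the step-up triggers (stale strong authentication, unusual country, out-of-hours access, untrusted Wi-Fi) and the thresholds in main are all assumptions. The point it shows is the ordering: device trust is decided before identity, and the decision is re-evaluated on every application access rather than once at workspace entry.

```go
package main

import (
	"fmt"
	"time"
)

// Sensitivity classifies an application inside the workspace (an assumed two-level scheme).
type Sensitivity int

const (
	Internal  Sensitivity = iota // ordinary workspace apps: entry authentication is enough
	Sensitive                    // high-value apps: fresh strong authentication and a plausible context
)

// Posture is the device-level picture the MTD agent reports; the field set is assumed.
type Posture struct {
	Rooted        bool          // jailbreak/root detected
	MalwareFound  bool          // malicious app behaviour detected
	PatchAge      time.Duration // time since the last OS security update
	UntrustedWiFi bool          // the Wi-Fi check flagged the current network
}

// Session is what the workspace boundary established about the user at entry.
type Session struct {
	UserID         string
	LastStrongAuth time.Time // last MFA or biometric proof
	HomeCountry    string
}

// Request is the context of one application access inside the workspace.
type Request struct {
	App     string
	Level   Sensitivity
	Country string // from the device location; empty if the user did not consent to share it
	At      time.Time
}

type Decision int

const (
	Deny Decision = iota
	StepUp
	Allow
)

func (d Decision) String() string { return [...]string{"deny", "step-up", "allow"}[d] }

// Policy holds the tunable thresholds; the values used in main are assumptions.
type Policy struct {
	MaxPatchAge   time.Duration
	StrongAuthTTL time.Duration // how long a strong authentication stays fresh for sensitive apps
	WorkHours     [2]int        // [start, end) hour of day, in the request's time zone
}

// Evaluate runs on every access, not only at workspace entry; that is what makes the
// authorization continuous instead of a one-time login check. Device trust is decided
// first, because no amount of identity proof should open a compromised environment.
func (p Policy) Evaluate(d Posture, s Session, r Request) (Decision, string) {
	switch {
	case d.Rooted:
		return Deny, "device is rooted or jailbroken"
	case d.MalwareFound:
		return Deny, "malicious app detected on device"
	case d.PatchAge > p.MaxPatchAge:
		return Deny, "OS security patch level too old"
	}
	if r.Level == Internal {
		return Allow, "workspace entry authentication is sufficient"
	}
	// Sensitive application: the identity proof must be recent and the context plausible.
	switch {
	case r.At.Sub(s.LastStrongAuth) > p.StrongAuthTTL:
		return StepUp, "strong authentication is stale for a sensitive app"
	case r.Country != "" && r.Country != s.HomeCountry:
		return StepUp, "access from an unusual country"
	case r.At.Hour() < p.WorkHours[0] || r.At.Hour() >= p.WorkHours[1]:
		return StepUp, "access outside working hours"
	case d.UntrustedWiFi:
		return StepUp, "untrusted Wi-Fi network"
	}
	return Allow, "device posture, identity freshness and context satisfy policy"
}

func main() {
	p := Policy{MaxPatchAge: 90 * 24 * time.Hour, StrongAuthTTL: 15 * time.Minute, WorkHours: [2]int{7, 20}}
	now := time.Date(2020, 3, 22, 10, 0, 0, 0, time.UTC)
	dev := Posture{PatchAge: 10 * 24 * time.Hour} // healthy device (constructed sample)
	sess := Session{UserID: "alice", LastStrongAuth: now.Add(-5 * time.Minute), HomeCountry: "CN"}
	for _, r := range []Request{
		{App: "secure-mail", Level: Internal, Country: "CN", At: now},
		{App: "payroll", Level: Sensitive, Country: "CN", At: now},
		{App: "payroll", Level: Sensitive, Country: "DE", At: now},
	} {
		dec, why := p.Evaluate(dev, sess, r)
		fmt.Printf("%-12s %-8s %s\n", r.App, dec, why)
	}
}
```

A StepUp result is what the 360ID platform would turn into a second-factor prompt; the policy engine itself never grants access on the basis of the old proof. Changing the posture (for instance MalwareFound becoming true mid-session) flips the next Evaluate call to Deny without any change to the session, which is the behaviour the "continuous" wording above is meant to guarantee.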

• Trusted Enterprise application and data

TrustSpace makes enterprise applications and data trustworthy by protecting the data across its full life cycle. The mobile device data life-cycle model covers data storage, data usage, data sharing and data transmission, and at each stage specific core technologies and security mechanisms protect the data. At the storage stage, application-layer transparent encryption and decryption creates an independent secure area on the mobile device in which documents that must be stored locally are strongly encrypted; the encryption methods include AES and local cryptographic algorithms. Meanwhile, key material, such as the key used for data encryption, is held in secure storage using the secure key box technology. At the transmission stage, a TLS-based application-level encrypted channel provides secure channel access. At the usage stage, data leakage is prevented by policies such as screenshot protection, a copy-and-paste prohibition, and application/document watermarking. At the sharing stage, the main work is to restrict data sharing and exchange between applications in the workspace, and between workspace applications and personal applications.

The core of data trustworthiness is the trustworthiness of data storage, and the key issue there is the secure management and storage of the encryption key. TrustSpace secure key box technology is exactly the method for securely storing and managing key material such as encryption keys and certificates. It provides the foundation for the protection scheme that covers enterprise application data through its full life cycle within TrustSpace.

Source: 360 Enterprise Security Group
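The storage-stage protection and the secure key box described above, as an added example in Go that is not TrustSpace’s implementation: envelope encryption, where each document gets its own AES-256-GCM data encryption key (DEK) and the DEK is stored only in wrapped form under a key-encryption key (KEK) that the key box holds. The wrapped-key format, the associated-data label and the KEK living in process memory are assumptions made so the example runs; a real key box would keep the KEK in hardware-backed storage and expose only wrap and unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the workspace stores for one document; the plaintext DEK never reaches storage.
type Envelope struct {
	WrappedDEK []byte // per-document key, encrypted under the key box's KEK
	Nonce      []byte // nonce used for the document body
	Ciphertext []byte // AES-256-GCM over the document, with the document name as associated data
}

// KeyBox stands in for the "secure key box". The KEK is held in process memory here so the
// example runs; a real key box keeps it in Android Keystore or the iOS Secure Enclave.
type KeyBox struct{ kek cipher.AEAD }

var wrapAAD = []byte("dek-v1") // assumed format label bound into every wrapped key

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte keys everywhere below, i.e. AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyBox(kek []byte) (*KeyBox, error) {
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	return &KeyBox{kek: aead}, nil
}

// randomBytes draws from the OS CSPRNG; a failure there is not something to recover from.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// wrap encrypts a DEK under the KEK; the nonce is prepended to the blob.
func (kb *KeyBox) wrap(dek []byte) []byte {
	nonce := randomBytes(kb.kek.NonceSize())
	return append(nonce, kb.kek.Seal(nil, nonce, dek, wrapAAD)...)
}

// unwrap is the inverse; the GCM tag detects any modification of the blob or a wrong KEK.
func (kb *KeyBox) unwrap(blob []byte) ([]byte, error) {
	ns := kb.kek.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return kb.kek.Open(nil, blob[:ns], blob[ns:], wrapAAD)
}

// Seal encrypts one document under a fresh per-document DEK and wraps that DEK.
func (kb *KeyBox) Seal(name string, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32)
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return &Envelope{
		WrappedDEK: kb.wrap(dek),
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(name)),
	}, nil
}

// Open decrypts; a wrong KEK, a modified envelope or a renamed document all fail.
func (kb *KeyBox) Open(name string, env *Envelope) ([]byte, error) {
	dek, err := kb.unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(name))
}

func main() {
	kb, _ := NewKeyBox(randomBytes(32)) // in practice generated inside the keystore, never exported
	env, _ := kb.Seal("contract.pdf", []byte("quarterly figures (constructed sample)"))
	pt, err := kb.Open("contract.pdf", env)
	fmt.Printf("%q %v\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate on-disk tampering
	fmt.Println(kb.Open("contract.pdf", env))
}
```

Two properties follow from the split. Rotating or re-provisioning the KEK only requires unwrapping and re-wrapping each envelope’s DEK, not re-encrypting the document bodies. And because the document name is authenticated as associated data, an envelope copied over another file’s name fails to open, which is the kind of substitution a transparent-encryption layer has to rule out.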

IV. Functional Modules of TrustSpace

In terms of functional architecture, TrustSpace consists of four main parts: the TrustSpace client, the TrustSpace console, the TrustSpace application portal and the 360ID platform.

The TrustSpace client is installed on the mobile device and comprises three core areas: the ‘zero-trust’ core capability area, the secure working suite area and the enterprise internal application area. The ‘zero-trust’ core capability area provides the core ‘zero-trust’ security technology for enterprise applications, such as MTD mobile threat protection, data protection and multi-factor authentication. The secure working suite area provides the working suite used in the general application scenarios of enterprise mobility, such as the secure browser, secure cloud disk, secure e-mail, secure document reading and secure instant messaging. The enterprise internal application area delivers the enterprise’s internal mobile working applications to mobile users in a safe and effective manner.

The TrustSpace console is the control and policy center, which provides a series of security and compliance policies to users.

The TrustSpace application portal is the key control point for enterprise applications accessing the enterprise intranet. It provides an application-level SSL VPN channel and authorization for each application, and applies strong encryption to the data the application transmits. The application portal integrates seamlessly with the TrustSpace client, so mobile users can connect directly to the enterprise intranet from within TrustSpace.

The 360ID identity platform is the authentication and authorization management center provided with TrustSpace. It can configure several authentication methods for access to TrustSpace and implements continuous dynamic authentication and access authorization for application end users.

Source: 360 Enterprise Security Group

V. Application Scenarios of TrustSpace

TrustSpace offers three combinations of product components and functions for different mobile scenarios. For the majority of small and medium-sized enterprises, and for those whose mobile applications are on the public internet, TrustSpace provides the complete ‘zero-trust’ security technology. For large and medium-sized organizations, and for those whose mobile applications are on the enterprise intranet, TrustSpace adds the application portal module to the ‘zero-trust’ security technology, giving mobile applications remote access to the intranet. For very large organizations, and for those with highly sensitive mobile application scenarios, the 360ID platform is added on top of the ‘zero-trust’ security technology and remote intranet access to provide multi-factor authentication and continuous dynamic application access authorization.

Furthermore, for the BYOD and COPE mobile working modes, TrustSpace provides two security strategies, ‘zero-device management’ and ‘strong-device management’, to meet the differentiated security strategy and compliance management demands of different enterprises.

Category / function               | Basic Edition     | Advanced Edition                         | Enterprise Edition
----------------------------------+-------------------+------------------------------------------+--------------------------------------------
Scenario description              | Internet scenario | Intranet scenario + basic authentication | Intranet scenario + advanced authentication
Module                            |                   |                                          |
  TrustSpace secure workspace     | √                 | √                                        | √
  TrustSpace application portal   |                   | √                                        | √
  360ID platform                  |                   |                                          | √
Function description              |                   |                                          |
  Unified application gateway     | √                 | √                                        | √
  Zero-device management (BYOD)   | √                 | √                                        | √
  Strong-device management (COPE) | √                 | √                                        | √
  Data security                   | √                 | √                                        | √
  Secure working suite            | √                 | √                                        | √
  Mobile threat defense           | √                 | √                                        | √
  Identity authentication         | √                 | √                                        | √
  Container / secure key box      | √                 | √                                        | √
  Application-level VPN channel   |                   | √                                        | √
  Multi-factor authentication     |                   | √                                        | √
  Unified single sign-on (SSO),   |                   |                                          | √
  unified user center             |                   |                                          |

Source: 360 Enterprise Security Group

Research from Gartner: Market Guide for Mobile Threat Defense

Mobile threat defense (MTD) solutions have matured and can provide value to organizations looking to strengthen their mobile security. Security and risk management leaders should leverage MTD to address evolving mobile security needs.

Key Findings

• The MTD market continues to have organic growth. Beyond a unified endpoint management (UEM) security add-on, MTD is also used to address use cases such as mobile phishing, bring your own device (BYOD), app vetting and compliance.

• MTD solutions prevent or detect threats against iOS and Android platforms by employing a variety of techniques, including machine learning and behavioral analysis based on mobile threat intelligence.

• Enterprises are still fine-tuning their risk perception and maturity around mobile. While they start to recognize the value of MTD solutions, they do not show particular urgency to adopt them.

Recommendations

To address mobile risks, security and risk management leaders should:

• Introduce MTD solutions gradually. Adopt MTD solutions sooner in high-security verticals, with large Android device fleets, or in regulated verticals, such as finance and healthcare.

• Leverage app vetting and device vulnerability management MTD functionality first to demonstrate immediate value to the organization.

• Integrate the MTD solution with the UEM tool. Prefer app-based deployment, leaving proxy-based deployment options for corporate-owned business-only (COBO) scenarios.

Strategic Planning Assumption

By 2020, 30% of organizations will have MTD in place, an increase from less than 10% in 2018.

Market Definition

The MTD solution market consists of solutions that protect organizations from threats on iOS and Android devices.

Market Description

MTD solutions protect at the device, network and application levels:

• On the device level, MTD tools monitor indicators such as OS versions, security update versions, system parameters, device configuration, firmware and system libraries to identify security misconfigurations, device vulnerabilities and suspicious or malicious activity. MTD tools check for modification of system libraries and configuration, as well as for privilege escalation (such as jailbreak or rooting).

• On the network level, MTD tools monitor cellular and wireless network traffic for unsanctioned, suspicious or malicious behavior. MTD tools can check for invalid or spoofed certificates, and for stripping of Transport Layer Security (TLS) or Secure Sockets Layer (SSL), and can perform a variety of other customized man-in-the-middle detection techniques. For example, an MTD solution could identify bidding-down attacks from a malicious network, where the encryption algorithm negotiated is intentionally weak to allow for eavesdropping.

• On the application level, MTD tools identify grayware (see Note 2) and malware through application sandboxing and code analysis. MTD application security techniques include signature-based anti-malware filtering, code emulation or simulation, application reverse engineering, and static and dynamic app security testing.
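The network-level checks in the list above (invalid or spoofed certificates, TLS stripping and bidding-down), as an added example in Go that is not code from any MTD vendor or from Gartner. It shows the client-side form of the check, the secure transport enforcement that a workspace app can apply to its own channel, rather than the passive monitoring an MTD agent does: the client pins the portal’s public key (SHA-256 over the SubjectPublicKeyInfo) and refuses any handshake whose negotiated version is below the policy floor. The self-signed certificate, the host name portal.example and the loopback TCP handshake are test fixtures; the real pin set would come from the workspace console.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TransportPolicy is what the workspace client insists on for its application-level channel.
type TransportPolicy struct {
	MinVersion uint16          // e.g. tls.VersionTLS12; anything lower is treated as a downgrade
	PinnedSPKI map[string]bool // base64(SHA-256(SubjectPublicKeyInfo)) of the portal's key(s)
}

// spkiPin computes the pin of a certificate's public key (same form as HTTP public-key pinning).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Check inspects a completed handshake; installed as VerifyConnection it runs on every connection.
func (p TransportPolicy) Check(cs tls.ConnectionState) error {
	if cs.Version < p.MinVersion {
		return fmt.Errorf("negotiated TLS version 0x%04x is below the policy minimum", cs.Version)
	}
	if len(cs.PeerCertificates) == 0 {
		return errors.New("server presented no certificate")
	}
	if !p.PinnedSPKI[spkiPin(cs.PeerCertificates[0])] {
		return errors.New("server public key does not match any pinned key")
	}
	return nil
}

// selfSigned makes a throwaway server certificate (a test fixture, not a real portal's key).
func selfSigned(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line above, cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// Connect runs a real handshake against serverCert over loopback TCP and returns the client's verdict.
func Connect(serverCert tls.Certificate, policy TransportPolicy) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		serverErr <- srv.Handshake()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         "portal.example",
		InsecureSkipVerify: true, // CA chain validation is replaced by the SPKI pin in Check
		VerifyConnection:   policy.Check,
	})
	ln.Close() // also unblocks Accept if the dial never reached the server
	<-serverErr
	if err == nil {
		cli.Close()
	}
	return err
}

func main() {
	portal, leaf := selfSigned("portal.example")
	rogue, _ := selfSigned("portal.example") // same name, different key: a spoofed certificate
	policy := TransportPolicy{MinVersion: tls.VersionTLS12, PinnedSPKI: map[string]bool{spkiPin(leaf): true}}
	fmt.Println("pinned portal:  ", Connect(portal, policy))
	fmt.Println("spoofed portal: ", Connect(rogue, policy))
	downgraded := tls.ConnectionState{Version: tls.VersionTLS11, PeerCertificates: []*x509.Certificate{leaf}}
	fmt.Println("downgraded link:", policy.Check(downgraded))
}
```

InsecureSkipVerify is set only because the pin replaces chain validation; in a deployment that also trusts a private CA, leave it false and keep VerifyConnection, so both the chain and the pin must hold. The version floor is checked in the policy even though the TLS stack has its own default minimum, so that the decision does not silently change when the stack’s defaults do.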

MTD solutions provide protection by preventing, detecting and remediating attacks (see Note 3). Different MTD solutions employ different techniques. (Even though focused on traditional endpoints, “Comparing Endpoint Techniques for Malware Protection” describes these techniques.) In general, MTD solutions collect and analyze indicators of compromise to identify anomalous behavior and counter threats. To do so, MTD solutions gather threat intelligence from the devices they support as well as from external sources. By observing the behavior of healthy devices and the behavior of devices under attack, MTD solutions learn to recognize malicious and suspicious behavior and intervene to remediate it.

Figure 1 illustrates how MTD solutions are typically composed of an on-device agent in the form of an app; a server component; and an administrative console that enables enterprises to monitor, report and audit. The server component, which can reside either in the cloud or on-premises, conducts the analysis. Depending on the vendor, the detection engine can be split between the cloud-based server and the device, or it can reside exclusively on the device. Although we see endpoint protection platforms (EPP) converge toward cloud-based solutions to keep up with constant updates, the on-device agent provides a better likelihood of the protection persisting over a compromised network. The console provides identification and categorization of the riskiness of devices, suggests mitigating measures, integrates with UEMs (see Note 4), and allows the administrators using the console to prioritize intervention on vulnerable devices. Depending on the vendor and the options provided, the MTD app can be either distributed as an enterprise app, or downloaded and installed directly from the commercial app store. An enterprise app is less convenient to distribute, but typically makes up for that by having a few more privileges on the device.

Market Direction

Apple and Google constantly add security improvements aimed at covering the needs of their iOS and Android consumer users. Several signs, however, continue to indicate that mobile security issues are growing in both volume and importance:

• Nearly one out of five business and industry apps leaks personally identifiable information (PII).1

Figure 1. Example Architecture of an MTD Solution Integrated With a UEM Solution

Source: Gartner (October 2018)

• Every year, 42 million mobile malware attacks take place.2

• 63% of grayware apps leak the device’s phone number.3

Furthermore, enterprises believe mobile malware attacks occur more often than is reported. In a recent Gartner survey, 60% of respondents stated they believe mobile malware incidences are underreported. To the same question for desktop malware incidences, respondents stated they believe only 16% are underreported.4 Mobile security incidents come, for example, from eavesdropping over untrusted wireless networks and spyware apps.5,6

Even though the mobile security space is still fast-paced, MTD solutions have reached a degree of maturity that makes them suitable for enterprise adoption. Enterprises are adopting MTD solutions to augment the security baseline that their UEM tools provide. Enterprises have mastered UEM systems and want to go beyond the controls these tools offer them. The effort is not only to address advanced malicious threats, but also to simply improve their basic security hygiene (see the Market Analysis section for further discussion of use cases). As MTD solutions mature, security departments become the main buying center, rather than mobility or IT operations.

Gartner estimates the MTD market amounts to approximately $200 million worldwide at the time of writing. This is a fairly low number compared to other enterprise security markets, such as the market for endpoint protection platforms. The main reasons for the slow adoption of MTD solutions are:

• Mobile platforms were built with the countermeasures necessary to address the typical endpoint security failures. Application sandboxing, app store curation and limiting of user privileges have delivered stronger security than that of traditional computer endpoints.7

• The lack of highly visible and successful mobile attacks against enterprises has not encouraged organizations to go beyond UEM to protect their mobile devices. Enterprises tend to focus on data leakage8 risks during everyday usage of mobile devices, rather than malicious threats against them.

There is great growth potential for the MTD market, if its adoption follows in the footsteps of its endpoint management counterpart, UEM. In the same Gartner survey mentioned above, 64% of respondents estimated that their mobile security spending will grow by 22% in 2019. As the market grows, it attracts the attention of traditional endpoint protection vendors as well as some endpoint management ones. Some examples are:

• Check Point acquired Lacoon in 2015.9

• Symantec acquired Skycure in 2017.10

• Microsoft integrated Lookout Mobile Endpoint Security with Windows Defender Advanced Threat Protection (WDATP) in 2017.11

• MobileIron partnered with Zimperium in 2017 and offers the MTD solution inbuilt in its UEM agent.12

These signs indicate that MTD could become a part of EPP offerings (or security-focused UEMs) before it reaches its full growth potential. As PC platforms adopt a locked-down approach similar to mobile ones,13 this possibility becomes even more compelling. Currently though, most enterprises deploy and operate MTD solutions distinctly from their EPP solutions.

MTD vendors also use other channels to promote growth:

• Via partnerships with managed mobility services providers

• As consumer solutions, such as freemiums and as part of carrier bundles

• Within consumer-facing banking and other high-security apps (see the Market Analysis section)

All these avenues are not only meant to grow revenue, but also to increase the mobile threat intelligence that feeds the MTD analysis engines.

Market Analysis

Deployment Options

MTD solutions can be deployed in four ways, as shown in Figure 2:

Figure 2. MTD Deployment Options

Source: Gartner (October 2018)

• The most common option is MTD integrated with UEM on managed devices. MTD leverages UEM to enroll on the device, obtain information about the device and perform remedial actions on the device. UEM has an MDM profile installed on the device, which allows it to take actions that a normal app cannot, such as performing a remote wipe. The MTD app on the device collects information that it sends to the cloud-based engine to identify attacks and update the defense engine. When an attack or an indicator of compromise is identified, the engine sends an alert to the MTD dashboard, which notifies the UEM dashboard. Action is then taken on the device depending on the organizational policies.

• Devices that are not managed by a UEM can host a stand-alone MTD. In this case, the MTD can act as a privileged entity on the device by running its own MDM profile. Stand-alone MTD is often selected when managing devices is not an option (for user experience or other reasons). If it does not manage the device, the information around the device and the range of remediation actions may be limited.

• Some MTD solutions also come in the form of an SDK to embed into an app. Today, this method is mostly used to protect consumer-facing apps, rather than employee-facing apps, and is, therefore, not a focus of this research. The remediation actions take place in the app itself, rather than on the device. For example, the app may decide to abort operation if it identifies the presence of malware on the device. Some MTD vendors are partnering with app shielding vendors to provide broader functionality or extending their functionality to encompass app shielding.

• The last deployment method observes and analyzes network traffic. In this case, the MTD solution redirects the traffic to and from the device to the analysis engine. There, it can analyze the traffic, filter malware and provide functionality that is often found in secure web gateways, such as domain blacklisting and content filtering. This option adds more visibility than all other deployment options, but the privacy implications of constant traffic monitoring make it difficult to suit anything apart from COBO scenarios. Enterprises that take this approach usually have iOS-supervised devices and higher-than-average security requirements. This approach differs from the secure transport enforcement feature that many MTD solutions provide (see Table 1), in that the traffic redirection is constant.

Use Cases

Various use cases are emerging around the MTD space. In this section, we discuss some of the recurrent ones from the past year. These use cases go beyond the most obvious one, the need for a general mobile security solution, which we have discussed throughout this report and which has changed little from previous years. Among the recent vendor efforts we have seen is integration with Microsoft’s conditional access.14

One of the most discussed use cases in the past year has been mobile phishing.15 The screens of mobile devices are small, and the presentation of information tends to leave out details to enhance user experience. There are also numerous channels to reach a mobile device that, unlike email, are not under phishing protection. It is, therefore, easy for users to fall victim to phishing on mobile devices. MTD solutions can protect from malicious URLs sent via email, text, social or instant messaging and other apps. Depending on the solution and type of deployment, MTD solutions can remediate, for example, by blocking the URL or by alerting the user about the threat.

Unmanaged devices are another use case that is increasing. Scenarios such as BYOD sometimes make it impractical to manage employee devices via mobile device management (MDM). Users of unmanaged devices make choices that can put enterprise infrastructure at risk.16 Security leaders need a way to protect the enterprise infrastructure from these potentially compromised mobile devices. One solution is to deploy MTD on BYOD devices. As discussed in the Market Direction section, without an MDM profile, device information and remediation actions may be limited, especially on iOS devices. However, MTD vendors are coming up with innovative ways to remediate. For example, an MTD solution can set up a VPN that constantly redirects traffic back to the device, so that a compromised device cannot reach corporate resources. This technique is sometimes referred to as blackholing. iOS, where it has always been more challenging to intervene with an unprivileged app, is starting to enable this sort of functionality via APIs and entitlements.17

Enterprises also leverage MTD to perform app vetting. Certain mobile app reputation solutions (or mobile app security testing) have expanded their capabilities and have become MTD solutions, while others have been integrated in larger MTD suites. MTD solutions today can analyze apps and indicate which ones are in conflict with the corporate policy. MTD, therefore, can be used to blacklist and whitelist apps. Some organizations use the MTD solutions not only to vet third-party apps, but also as a lightweight mobile app security testing solution for their own mobile apps.

Compliance is another frequent use case. Gartner clients sometimes suggest the reason they are looking for an MTD solution is regulation-related or related to the recommendations of an audit. In most of these instances, the requirement is for an anti-malware solution to be present on all endpoints, mobile or otherwise.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

In this section, we provide a list and description of representative vendors in the MTD space. A common baseline of MTD functionality that all vendors in this report offer includes:

• Device-level configuration vulnerabilities: The solution can identify device configurations and settings that can expose the device or make it vulnerable to attacks; for example, the device being set in developer mode, the device being rooted or jailbroken, or the OS version being outdated.

• Malicious apps: The solution allows malicious apps to be identified and blocked or blacklisted.

• Network attacks: The solution can identify, block, prevent or remediate network attacks. Examples of attack techniques to be detected are SSL stripping, malicious iOS profiles, rogue Wi-Fi access points and badly reputed IP addresses.
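As an added illustration (not code from the report or from any vendor), the following Python rules show what an on-device agent actually looks for in each of the network-attack classes just listed, run over a handful of constructed telemetry events: a plaintext HTTP request to a host that must, or previously did, use HTTPS (SSL stripping); a known corporate SSID served with the wrong security type or from an unregistered access point (rogue Wi-Fi); a user-installed iOS configuration profile carrying a root CA, global HTTP proxy or VPN payload (malicious profile); and a connection to a blocklisted address (bad reputation). The SSID, hostnames, BSSID prefix, blocklist and events are assumptions made for the demo.

```python
"""Detection rules for the network-attack classes an MTD baseline must cover,
run over constructed agent telemetry. Added illustration; every identifier below
is an assumption, not vendor data."""
import ipaddress

# Assumed enterprise Wi-Fi profile: SSID -> expected security type and registered BSSID prefixes.
KNOWN_WIFI = {
    "Corp-WiFi": {"security": "wpa2-enterprise", "bssid_prefixes": ("00:11:22",)},
}
# Hosts that must only ever be reached over TLS (assume an HSTS preload snapshot).
HSTS_HOSTS = {"mail.example.com", "vpn.example.com"}
# Constructed reputation blocklist.
BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Configuration-profile payload types that grant interception capability when
# a profile is installed by the user rather than pushed by MDM.
RISKY_PROFILE_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.vpn.managed": "installs a VPN that can capture all traffic",
}


def check_http(ev, seen_https):
    """SSL stripping: plaintext HTTP to a host that must or did use HTTPS."""
    host = ev["host"]
    if ev["scheme"] == "https":
        seen_https.add(host)          # remember hosts that worked over TLS
        return None
    if host in HSTS_HOSTS or host in seen_https:
        return ("ssl_stripping", "high", f"plaintext HTTP to {host}")
    return None


def check_wifi(ev):
    """Rogue AP: known SSID with the wrong security type or an unregistered BSSID."""
    profile = KNOWN_WIFI.get(ev["ssid"])
    if profile is None:
        return None
    if ev["security"] != profile["security"]:
        return ("rogue_ap", "high",
                f"{ev['ssid']} seen as {ev['security']} instead of {profile['security']}")
    if not ev["bssid"].lower().startswith(profile["bssid_prefixes"]):
        return ("rogue_ap", "medium", f"{ev['ssid']} served by unregistered BSSID {ev['bssid']}")
    return None


def check_profile(ev):
    """Malicious iOS profile: non-MDM profile carrying interception payloads."""
    if ev.get("source") == "mdm":
        return None
    risky = [f"{p} ({RISKY_PROFILE_PAYLOADS[p]})" for p in ev["payloads"] if p in RISKY_PROFILE_PAYLOADS]
    return ("malicious_profile", "high", "; ".join(risky)) if risky else None


def check_connection(ev):
    """Badly reputed destination IP."""
    dst = ipaddress.ip_address(ev["dst_ip"])
    if any(dst in net for net in BAD_NETWORKS):
        return ("bad_reputation_ip", "medium", f"connection to {dst}")
    return None


def detect(events):
    """Run each event through the rule for its type; return (kind, severity, detail) findings."""
    seen_https = set()
    rules = {"wifi": check_wifi, "profile": check_profile, "connection": check_connection}
    findings = []
    for ev in events:
        if ev["type"] == "http":
            finding = check_http(ev, seen_https)
        else:
            rule = rules.get(ev["type"])
            finding = rule(ev) if rule else None
        if finding:
            findings.append(finding)
    return findings


SAMPLE_EVENTS = [  # constructed telemetry from one device, in arrival order
    {"type": "wifi", "ssid": "Corp-WiFi", "bssid": "AA:BB:CC:01:02:03", "security": "open"},
    {"type": "http", "host": "intranet.example.com", "scheme": "https"},
    {"type": "http", "host": "intranet.example.com", "scheme": "http"},
    {"type": "http", "host": "mail.example.com", "scheme": "http"},
    {"type": "profile", "source": "user",
     "payloads": ["com.apple.security.root", "com.apple.proxy.http.global"]},
    {"type": "connection", "dst_ip": "198.51.100.77"},
    {"type": "connection", "dst_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for kind, severity, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {kind}: {detail}")
```

The SSL-stripping rule is stateful on purpose: a host the device has already reached over HTTPS during the session is treated like a preloaded host, which catches downgrades of internal hosts that will never appear on a public HSTS list.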

Vendors offer this functionality with varying degrees of efficacy and granularity, and this research does not rank MTD products. All of the representative vendors support both iOS and Android. Beyond these fundamentals, which form the basis of MTD and which all the representative vendors in this research support, Table 1 summarizes the additional capabilities of the representative MTD vendors discussed.

Vendor Profiles

Appthority

www.appthority.com/solution/overview

Appthority protects against leaky and malicious apps, device misconfigurations, and active network threats. Compliance management can be enforced directly on the device, using an optional agent, or through integration with UEM. Malicious and risky app behaviors are detected through static analysis of the binary code, including third-party libraries, and dynamic behavioral analysis via code execution. Appthority looks for device misconfigurations as well as for malicious network addresses and vulnerable app back ends. Appthority integrates with Google’s Android Enterprise to automatically whitelist apps for Managed Google Play based on corporate policy. It also provides SIEM integration and reporting following a publish-subscribe pattern. For organizations that do not wish to install an MTD app on their devices, Appthority provides the option to use only the application vetting component and integrate it with the UEM of choice to remediate noncompliant apps. Appthority provides on-premises integration/connectivity with UEM systems through a UEM connector delivered as a virtual appliance to be deployed inside the customer’s network.

BETTER

better.mobi/mobile-threat-defense

BETTER’s ActiveShield is an MTD solution that delivers continuous on-device monitoring. It provides detection, prevention and remediation for mobile threats on the application, network and device level. On the application level, ActiveShield performs static and behavioral analysis to identify malicious apps. For selected applications, it can block exfiltration of sensitive data from the apps residing on the device. ActiveShield can also blacklist specific Wi-Fi or cellular networks. Its dashboard can highlight vulnerabilities as well as their severity for each device. Remediation can take place via integration with UEM, and integration with SIEM is also possible. BETTER also provides a separate SDK for unmanaged devices. BETTER integrates with ServiceNow for IT service management. A recent offering from BETTER provides Microsoft Intune customers with 50 free licenses for 18 months.

Check Point

www.checkpoint.com/products/sandblast-mobile

Check Point’s SandBlast Mobile provides MTD leveraging on-device functionality as well as Check Point’s ThreatCloud. SandBlast Mobile offers application scanning and cross-platform attack protection, combined with network and device anomaly detection. SandBlast Mobile also provides On-device Network Protection (ONP) for anti-phishing, safe browsing and URL filtering. ONP also provides anti-bot protection and conditional access in case the device is infected, all independently of a UEM deployment. Part of the analysis takes place on the device and part of it occurs in the cloud. In the cloud, the app goes through a series of engines including advanced static code flow analysis, dynamic sandboxing (emulation) and machine learning. If a device is suspected


11


Table 1 lists, for each representative vendor, the capability columns defined in the table legend (page 12).

Appthority (Mobile Threat Protection)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: No
  Device attack protection: No (only device-configuration vulnerabilities)
  Content filtering: No
  Cellular network attack protection: No
  Secure transport enforcement: No
  UEM/MAM integration: VMware, Microsoft, MobileIron, Citrix
  SIEM integration: Splunk, API
  Deployment method (app, SDK, proxy): Agentless (app protection only), App
  On-premises option: Yes

BETTER (Mobile Threat Defense)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Domain blacklisting (no roaming or 4G/Wi-Fi policy options)
  Cellular network attack protection: False base station
  Secure transport enforcement: Blackholing (for network attacks), VPN
  UEM/MAM integration: VMware, MobileIron, Citrix, Microsoft
  SIEM integration: Splunk, Hewlett Packard Enterprise ArcSight, IBM (QRadar), LogRhythm, syslog/API
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: Yes

Check Point (SandBlast Mobile)
  Device vulnerability management: Specific vulnerabilities, without severity indication
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Domain blacklisting (no roaming or 4G/Wi-Fi policy options)
  Cellular network attack protection: SS7, false base station (via Vaulto)
  Secure transport enforcement: VPN
  UEM/MAM integration: VMware, MobileIron, IBM, Microsoft, Citrix, BlackBerry
  SIEM integration: Splunk, QRadar, ArcSight, Check Point SmartEvent, syslog
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: Yes

Kaymera (CipherWatch)
  Device vulnerability management: No
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: No
  Cellular network attack protection: False base station
  Secure transport enforcement: VPN
  UEM/MAM integration: VMware, MobileIron
  SIEM integration: syslog
  Deployment method (app, SDK, proxy): App
  On-premises option: Yes

Lookout (Mobile Endpoint Security)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Domain blacklisting (no roaming or 4G/Wi-Fi policy options)
  Cellular network attack protection: False base station
  Secure transport enforcement: Blackholing
  UEM/MAM integration: VMware, BlackBerry, MobileIron, Microsoft, IBM
  SIEM integration: Splunk, ArcSight, QRadar, syslog/API
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: No (option to store PII only on an on-premises UEM server)

Pradeo (360° Mobile Threat Defense)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Pradeo browser, SMS
  Device attack protection: No (only device-configuration vulnerabilities)
  Content filtering: Domain blacklisting on Pradeo browser (no roaming or 4G/Wi-Fi policy options)
  Cellular network attack protection: False base station
  Secure transport enforcement: Via Pradeo browser
  UEM/MAM integration: VMware, BlackBerry, Microsoft, MobileIron, IBM, SOTI
  SIEM integration: Splunk, QRadar, ArcSight, syslog
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: Yes

Table 1. Representative Vendors in Mobile Threat Defense

Continued on page 12


12

Table legend:

Device vulnerability management: The solution can show the mobile OSs and the vulnerabilities for each version and security patch level.

App vetting: The solution has functionality that allows it to block, blacklist or identify apps that can perform actions or request permissions that are in conflict with enterprise policies and could lead to data leakage. These are not necessarily malicious applications. The enterprise administrator can customize these policies.

Anti-mobile phishing: The solution can block malicious URLs. If only specific channels are covered (such as SMS or browser), this is specified.

Device attack protection: The solution can identify, block, prevent or remediate OS- or kernel-level attacks.

Content filtering: The solution can blacklist specific domains or disallow connection through specific access channels such as cellular or Wi-Fi.

Cellular network attack protection: The solution is able to detect threats deriving from cellular network vulnerabilities such as the ones in the SS7 protocol or the false base station (aka Stingray) attack (see Note 5).

Secure transport enforcement: The solution can provide transport security during an attack (for example, by activating its own or a third-party VPN when it identifies a network or other related threat). Blackholing means that the solution instead blocks traffic from the device toward the enterprise, to protect the enterprise from a compromised device.

UEM integration: Device management solutions with which the MTD solution functionally integrates. Additionally or alternatively, availability of an API for integration with further products.

SIEM integration: SIEM solutions with which the MTD functionally integrates. Additionally or alternatively, availability of an API for further integrations, or support of the syslog or CEF formats.

Deployment method (e.g., app, SDK, proxy): App means that the solution can be deployed either stand-alone or integrated with UEM (see UEM/MAM integration), as shown in Figure 2.

On-premises option: The solution can be deployed on the enterprise premises.

Source: Gartner (October 2018)

Symantec (SEP Mobile)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Via integration with other Symantec products
  Cellular network attack protection: False base station
  Secure transport enforcement: VPN, blackholing
  UEM/MAM integration: VMware, BlackBerry, Citrix, MobileIron, Jamf, IBM, Microsoft, API
  SIEM integration: ArcSight, QRadar, LogRhythm, RSA, Splunk, McAfee, Fortinet, API, syslog/CEF
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: No

Wandera
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Yes
  Cellular network attack protection: False base station
  Secure transport enforcement: VPN
  UEM/MAM integration: VMware, BlackBerry, Cisco, Citrix, IBM, Jamf, Microsoft, MobileIron, SAP Afaria, SimpleMDM
  SIEM integration: Splunk, RSA, AlienVault, McAfee, syslog/CEF
  Deployment method (app, SDK, proxy): App, Proxy
  On-premises option: Yes

Zimperium (zIPS)
  Device vulnerability management: Yes
  App vetting: Yes
  Anti-mobile phishing: Yes
  Device attack protection: Yes
  Content filtering: Domain blacklisting (no roaming or 4G/Wi-Fi policy options)
  Cellular network attack protection: False base station
  Secure transport enforcement: VPN, blackholing
  UEM/MAM integration: VMware, BlackBerry, Matrix42, MobileIron, Microsoft, Citrix, SAP Fiori, IBM
  SIEM integration: Splunk, ArcSight, McAfee, syslog/API
  Deployment method (app, SDK, proxy): App, SDK
  On-premises option: Yes

Table 1. Representative Vendors in Mobile Threat Defense

Continued from page 11


13


of being under attack, SandBlast Mobile can force communications into a closed/quarantined tunnel as well as guide the user to remove the threats from the device. SandBlast Mobile integrates with Vaulto to protect from cellular network attacks. SandBlast Mobile also provides a cloud-based management portal, an on-premises option and a managed security services providers (MSSP)-managed platform. SandBlast Mobile integrates with major UEM and SIEM tools. Check Point’s broader mobile security offering provides secure containment and device management through its product Capsule, and is featured in the “Critical Capabilities for High-Security Mobility Management.”

Kaymera

www.kaymera.com/mobile-threat-defense

Kaymera CipherWatch provides MTD by identifying attack patterns, indicators of compromise and behavioral anomalies on the network, app and device level. Kaymera’s solution takes into account the context in which devices are being used. Kaymera assigns a risk profile to the user (for example, based on seniority or the sensitivity of the data residing on the device). Kaymera Adaptive Mobile Threat Defense (AMTD) also integrates with UEM solutions to provide remediation. To promote users following best practices, the solution provides an individual score for each device that increases with best practices followed. Kaymera’s broader mobile security platform provides secure voice and texting and device management as well as its own hardened OS, and is featured in the “Critical Capabilities for High-Security Mobility Management.”

Lookout

lookout.com/products/mobile-endpoint-security

Lookout Mobile Endpoint Security detects malware and grayware on iOS and Android devices. Lookout’s detection uses app binaries, OS fingerprints and network connections to determine when anomalous app, device, network or website behavior occurs. It also leverages periodic code samples from monitored devices, including the ones using Lookout’s consumer offering.

Lookout uses the information gathered to create heuristics that allow it to detect and prevent attacks. The dashboard allows for customizable policies and alerts, and alerts and advice are also sent to the user via the Lookout app. Lookout’s on-device remediation prevents a compromised device from exfiltrating data or from contacting and infecting the enterprise network. Lookout interfaces with UEM tools to facilitate remediation, can be deployed inside Android Enterprise and Samsung Knox containers, and provides an integrated feed for Microsoft’s Windows Defender. Lookout also provides an SDK deployment option that can protect unmanaged-device use cases as well as consumer-facing apps. While Lookout does not provide an on-premises option, its privacy mode option allows personal information to reside only on the premises-based MDM server of a UEM solution.

Pradeo

www.pradeo.com/en-US/mobile-threat-protection

Pradeo 360° Mobile Threat Defense conducts application scanning to detect and qualify behavior and vulnerabilities. The product also identifies device and network misconfigurations. Pradeo’s solution for application scanning is based on an engine that leverages machine learning, and combines static, dynamic and behavioral analysis. On the network and device side, the solution can identify misconfigurations that can lead to security issues and trigger remediation actions. In addition to iOS and Android apps, Pradeo’s solution can scan Windows 10 applications. Pradeo 360° Mobile Threat Protection can integrate with UEM suites to blacklist applications. Its integration with the Knox platform allows it to block noncompliant behavior, still allowing the usage of the application on Samsung Knox devices. The solution offers a secure browser and a secure email client. Pradeo also offers the solution in the form of an SDK that can be embedded in apps, under the name Pradeo Security App Self-Protection.

Symantec

https://www.symantec.com/products/endpoint-protection-mobile

Symantec Endpoint Protection (SEP) Mobile provides visibility and protection for managed and unmanaged mobile devices from malware, network threats and app/OS vulnerability exploits. SEP Mobile leverages threat intelligence from Symantec’s Global Intelligence Network (GIN), in addition to device- and server-based analysis, as well as predictive malware detection techniques. SEP Mobile provides an on-demand VPN to protect data in transit over unsecured connections and SMS phishing protection. Its mobile network access control (mNAC) technology can selectively protect sensitive corporate resources from risky devices, protect against fake corporate Wi-Fi networks, and block app and browsing toward known malicious command and control servers. SEP Mobile’s main functionalities are initiated on the device, providing protection in the absence of network connectivity. SEP Mobile can integrate with other Symantec offerings, such as Symantec Web Security Service (WSS) to provide content filtering, and also integrates with Android Enterprise.

Wandera

wandera.com/solutions/threat-defense

Wandera combines network-based traffic monitoring and filtering with on-device threat detection. Wandera’s MI:RIAM engine uses a combination of behavioral analysis, application and domain classification, and signature scanning to identify malicious or suspicious network connections, zero-day phishing attacks and risky apps. MI:RIAM leverages machine learning to process, in the cloud, threat intelligence data from Wandera’s supported devices as well as from other sources. While Wandera’s main setup is proxy-based, certain capabilities such as device anomaly checks require an optional on-device agent. Wandera can provide URL and domain policy enforcement to blacklist specific domains (such as a video on-demand service) when roaming over 4G, but still allow them over Wi-Fi. Its proxy allows Wandera to block data exfiltration as well as phishing attacks. Wandera can


14

also be deployed as a stand-alone app in enterprise scenarios where the proxy is not an appropriate fit or where network-based threats are not a concern. The solution provides data anonymization for organizations that wish to use the proxy while ensuring user privacy.

Zimperium

www.zimperium.com/zips-mobile-ips

Zimperium offers zIPS, an MTD solution that operates entirely on the device. zIPS analyzes data on-device for good and bad behavior, and then utilizes its machine-learning-based engine, called z9, on the device to detect attacks. z9 identifies malicious apps, tackles network threats and includes tracking of indicators of compromise for device-level attacks. zIPS provides an enterprise administrative dashboard that can be hosted in the cloud and can simultaneously integrate with multiple UEMs. Zimperium recently acquired Mi3 Security, with which it previously partnered to provide app scanning for grayware apps. Zimperium’s z9 integrates in the MobileIron MDM agent and is available as MobileIron Threat Defense. Zimperium is also part of McAfee’s Security Innovation Alliance, and zIPS integrates with ePO. Zimperium offers zIAP, an SDK, that is also part of SAP Fiori. Zimperium can integrate with SIEMs and also provides a Splunk App for viewing threat data. The vendor partners with a number of carriers to provide MTD as part of mobility services as well as consumer applications.

Other Vendors

A number of other solutions provide MTD functionality. Relevant products include Corrata (Internet Security) and Usage Control, Cisco Security Connector, Deep Instinct (D-Client), Kaspersky Security for Mobile (see Note 6), Palo Alto Networks (GlobalProtect) and Proofpoint Mobile Defense.

Market Recommendations

Security and risk management leaders should leverage MTD to address evolving and advanced mobile security needs. Before investing in any MTD solution, security leaders should have a security baseline in place for their mobile devices, possibly enforced via their UEM solution. This baseline includes:

• Maintaining minimum OS and device standards, and disallowing enterprise access to unpatched or older devices

• Forbidding app sideloading, and only allowing the official app stores and the enterprise store

• Prohibiting jailbreak and rooting of devices, as well as unlocked bootloaders

• Enforcing a complex-enough passcode (six character alphanumeric, at a minimum) and/or biometric-based authentication, imposing encryption, as well as a passcode retry limit

• Enforcing a remote wipe procedure as well as periodic encrypted backup
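The baseline above is something a security team can evaluate mechanically from a posture report before any MTD tooling is in place. The following Python example (added here; not from the Gartner report or from any UEM product) checks one posture report per device against each bullet: the minimum OS version with a proper numeric version comparison, the age of the Android security patch level, sideloading, jailbreak/root and unlocked bootloader, the six-character alphanumeric or biometric bar, the passcode retry limit, storage encryption, remote-wipe enrollment and a recent encrypted backup. The version thresholds, patch-age limit, backup cadence, retry limit and the two sample reports are assumptions chosen for the demo; the baseline itself does not prescribe them.

```python
"""Evaluate a device posture report against the mobile security baseline.
Added illustration; thresholds and report fields are assumptions for the demo."""
from datetime import date

BASELINE = {
    "min_os": {"ios": (12, 0), "android": (8, 0)},  # assumed minimum OS versions
    "max_patch_age_days": 90,                       # assumed limit for the Android security patch level
    "passcode_min_length": 6,                       # from the baseline: six-character alphanumeric
    "passcode_max_retries": 10,                     # assumed retry limit before wipe
    "max_backup_age_days": 30,                      # assumed backup cadence
}


def parse_version(text):
    """'12.4.1' -> (12, 4, 1); ignores a trailing build suffix such as '8.1.0-r3'."""
    parts = []
    for piece in text.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, minimum):
    """Numeric, not lexical, comparison; right-pads so (12,) counts as (12, 0)."""
    width = max(len(actual), len(minimum))
    return actual + (0,) * (width - len(actual)) >= minimum + (0,) * (width - len(minimum))


def is_strong_passcode(pc):
    """At least six characters containing both letters and digits."""
    return pc["length"] >= BASELINE["passcode_min_length"] and pc["has_letters"] and pc["has_digits"]


def days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def evaluate(device, today):
    """Return the list of baseline violations for one posture report (empty means compliant)."""
    violations = []
    platform = device["platform"]
    if not version_at_least(parse_version(device["os_version"]), BASELINE["min_os"][platform]):
        violations.append(f"OS {device['os_version']} below minimum")
    if platform == "android":
        age = days_since(device["security_patch_level"], today)
        if age > BASELINE["max_patch_age_days"]:
            violations.append(f"security patch level {age} days old")
        if device.get("unknown_sources_enabled"):
            violations.append("app sideloading (unknown sources) enabled")
        if device.get("bootloader_unlocked"):
            violations.append("bootloader unlocked")
    if device.get("jailbroken_or_rooted"):
        violations.append("device is jailbroken or rooted")
    pc = device["passcode"]
    if not pc["set"]:
        violations.append("no passcode")
    else:
        if not (is_strong_passcode(pc) or device.get("biometric_enabled")):
            violations.append("passcode weaker than six-character alphanumeric and no biometric")
        if not 0 < pc.get("max_retries", 0) <= BASELINE["passcode_max_retries"]:
            violations.append("passcode retry limit not enforced")
    if not device.get("storage_encrypted"):
        violations.append("storage not encrypted")
    if not device.get("remote_wipe_enrolled"):
        violations.append("remote wipe not available")
    backup = device.get("last_backup")
    if (backup is None or not backup["encrypted"]
            or days_since(backup["date"], today) > BASELINE["max_backup_age_days"]):
        violations.append("no recent encrypted backup")
    return violations


def access_decision(device, today):
    """What a UEM or MTD integration does with the result: allow or block enterprise access."""
    return "allow" if not evaluate(device, today) else "block"


TODAY = date(2018, 10, 30)  # constructed reference date

SAMPLE_DEVICES = [  # constructed posture reports
    {"platform": "ios", "os_version": "12.0.1", "jailbroken_or_rooted": False,
     "passcode": {"set": True, "length": 6, "has_letters": False, "has_digits": True, "max_retries": 10},
     "biometric_enabled": True, "storage_encrypted": True, "remote_wipe_enrolled": True,
     "last_backup": {"date": "2018-10-20", "encrypted": True}},
    {"platform": "android", "os_version": "7.1.2", "security_patch_level": "2018-03-05",
     "unknown_sources_enabled": True, "bootloader_unlocked": True, "jailbroken_or_rooted": True,
     "passcode": {"set": True, "length": 4, "has_letters": False, "has_digits": True, "max_retries": 0},
     "biometric_enabled": False, "storage_encrypted": True, "remote_wipe_enrolled": False,
     "last_backup": None},
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["platform"], access_decision(dev, TODAY), evaluate(dev, TODAY))
```

The first report passes because a six-digit PIN combined with biometrics meets the "and/or" wording of the passcode bullet; the second fails on nine separate points, which is the kind of per-device detail a UEM needs in order to drive a targeted remediation rather than a blanket block.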

Organizations should gradually introduce MTD solutions based on their industry, applicable regulations, sensitivity of data on mobile devices, use cases (for example, frequent international travel in high-concern countries) and organizational risk appetite. Organizations in high-security verticals, those with large Android device fleets or those in regulated verticals such as finance and healthcare should plan to adopt MTD solutions sooner rather than later.

Security leaders should integrate the MTD solution with their incumbent UEM tool, and enterprises should leverage UEM wherever possible. However, where device management cannot be applied, security leaders should consider MTD as the protection layer. The typical scenario for this is BYOD. The proxy-based deployment is not the best fit for BYOD scenarios and should be selected mainly where strict device management is applied.

Security leaders should leverage the app vetting and device vulnerability management MTD features to provide immediate value to their organization. While app vetting MTD functionality can indicate which apps are undesired, device vulnerability management can indicate unpatched devices and devices that carry severe vulnerabilities. Some security-aware UEMs are starting to develop device vulnerability assessment capabilities, so potential overlap between the two tools should be evaluated before making a selection.

Security leaders should shortlist solutions focusing on the core MTD capabilities. The functionality analyzed in Table 1 will provide further understanding of the completeness of a solution. “Comparison of Mobile Threat Defense Solutions” provides an evaluation of MTD solutions against specific threats and illustrates a sample methodology to evaluate solutions. Completeness of product will be as important, if not more, than efficacy of the response.

MTD tools, especially on iOS, have limited visibility on the system and background processes. OS features such as app sandboxing that protect mobile devices from attacks also inhibit security solutions from fully monitoring what occurs on the device. Even though MTD tools can help, enterprises that require protection from targeted and state-sponsored attacks should not consider MTD as an antidote, and should recognize the complexity and high costs involved in countering those type of threats. The “Market Guide for Secure Instant Communications” illustrates some purpose-built mobile devices that could be used for those use cases.

Evidence

1 “Mobile Leak Report 2017,” Wandera.

2 “Mobile Malware Evolution 2017,” Kaspersky Lab.

3 “2018 Internet Security Threat Report,” Symantec.

4 2017 Gartner Mobile Security Research Survey. This research was conducted via an online survey in November 2017 among members of the Gartner Research Circle – a Gartner-managed panel composed of IT and IT-business professionals. In total, 85 members participated. Qualified participants included business end users with either an IT or IT-business focus as a primary role.


15


5 “How the Copycat Malware Infected Android Devices Around the World,” Check Point.

6 “HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries,” The Citizen Lab.

7 “Program Overview,” ZERODIUM. As one example, an exploit against iOS today is valued three times as much as one for Windows.

8 “Dozens of iOS Apps Secretly Collect Location History for Data Monetization, Analysis Says,” AppleInsider.

9 “Check Point to Acquire Lacoon Mobile Security for Industry’s Most Advanced Mobile Threat Prevention,” Check Point.

10 “Symantec to Acquire Skycure, Providing Customers With Comprehensive Mobile Threat Defense Across iOS, Android and Windows,” Symantec.

11 “Lookout to Offer Microsoft Windows Defender ATP Customers a Comprehensive Mobile Security Integration,” Lookout.

12 “MobileIron and Zimperium to Deliver First Real-Time Detection and Remediation for Mobile Threats,” MobileIron.

13 “Windows 10 S Is the Future (but Not the Present) of the Desktop PC,” ZDNet.

14 “What Is Mobile Threat Defense Integration With Intune?” and “What’s Conditional Access,” Microsoft.

15 “WhatsApp: Mobile Phishing’s Newest Attack Target,” Dark Reading.

16 “Fortnite Will Require Android Users to Allow Unknown Sources. Time to Rethink MTD and EMM Policies?” BrainMadden.com.

17 “NetworkExtension,” Apple Developer.

Note 1. Representative Vendor Selection

The vendors named in this guide provide the fundamental functionality of mobile threat defense solutions on device, network and application levels, as well as additional mobile threat defense features. Gartner estimates that there are more than 15 vendors in this market.

Note 2. Grayware

“Leaky” apps are apps that are not necessarily malicious. However, they can be in conflict with enterprise policies or even put enterprise data at risk.

Note 3. Definition of Mobile Threat Defense Terminology

The name mobile threat defense suggests these solutions provide not only prevention, but also detection and remediation. “Defense” alludes to the fact that MTD focuses on malicious threats, rather than managing a device or protection from simple user mistakes.

Note 4. Unified Endpoint Management (UEM)

The term “UEM” is replacing the notion of enterprise mobility management tools. Information on the component pieces of UEM can be found in “Prepare for Unified Endpoint Management to Displace MDM and CMT.”

Note 5. False Base Station Attack

The false base station attack (also known as Stingray) is a network attack that affects and leverages the cellular connection of a device. Similar to a rogue access point attack for Wi-Fi, a false base station pretends to be a legitimate cellular base station to allure connections from one or more cellular devices. Under certain circumstances, a false base station can act as a “man in the middle,” intercepting traffic, and can, at a minimum, obtain a permanent identifier of the cellular device, called IMSI. A false base station is also called an IMSI catcher for this reason.
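How an MTD agent might spot such a cell in practice, as an added Python example that is not part of the Gartner note: it keeps a small table of cells the device has legitimately camped on and compares each new serving-cell observation with the previous one, flagging an unknown cell identity, a GSM connection with ciphering switched off (A5/0, a common catcher behaviour because it lets the operator read traffic), a downgrade from LTE to GSM while the LTE signal was still strong, and a location-area change accompanied by an abrupt jump in signal strength. The PLMN (the 001/01 test network), cell identifiers, thresholds and the trace are constructed assumptions; these are heuristics, and real detectors combine many more signals.

```python
"""Heuristics an on-device agent can apply to serving-cell observations to flag a
possible false base station (IMSI catcher). Added illustration; the known-cells
table, identifiers and thresholds are constructed assumptions."""

# Assumed table of cells the device has legitimately camped on, keyed by
# (MCC, MNC, location/tracking area code, cell ID). MCC 001 is the test PLMN.
KNOWN_CELLS = {
    ("001", "01", 4711, 10001),
    ("001", "01", 4711, 10002),
    ("001", "01", 4712, 10101),
}
RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}  # radio access technologies, best first
STRONG_SIGNAL_DBM = -85   # assumed: a downgrade while LTE was this good is suspicious
SIGNAL_JUMP_DB = 20       # assumed: LAC change plus this much gain looks like a nearby catcher


def check_observation(prev, cur):
    """Compare the current serving-cell observation with the previous one; return findings."""
    findings = []
    key = (cur["mcc"], cur["mnc"], cur["lac"], cur["cid"])
    if key not in KNOWN_CELLS:
        findings.append("unknown cell identity for this PLMN/LAC")
    if cur["rat"] == "GSM" and cur.get("cipher") in (None, "A5/0"):
        findings.append("GSM connection without encryption (A5/0)")
    if prev is not None:
        if RAT_RANK[cur["rat"]] < RAT_RANK[prev["rat"]] and prev["signal_dbm"] >= STRONG_SIGNAL_DBM:
            findings.append(f"downgrade {prev['rat']}->{cur['rat']} despite strong {prev['rat']} signal")
        if cur["lac"] != prev["lac"] and cur["signal_dbm"] - prev["signal_dbm"] >= SIGNAL_JUMP_DB:
            findings.append("location area change with abrupt signal jump")
    return findings


def score_trace(observations):
    """Walk a trace; return (most findings raised by one observation, all findings)."""
    prev, peak, all_findings = None, 0, []
    for cur in observations:
        found = check_observation(prev, cur)
        peak = max(peak, len(found))
        all_findings.extend(found)
        prev = cur
    return peak, all_findings


SAMPLE_TRACE = [  # constructed: normal LTE service, then an IMSI catcher grabs the device
    {"mcc": "001", "mnc": "01", "lac": 4711, "cid": 10001, "rat": "LTE", "signal_dbm": -75},
    {"mcc": "001", "mnc": "01", "lac": 4711, "cid": 10002, "rat": "LTE", "signal_dbm": -80},
    {"mcc": "001", "mnc": "01", "lac": 9999, "cid": 1, "rat": "GSM", "cipher": "A5/0", "signal_dbm": -55},
]

if __name__ == "__main__":
    peak, findings = score_trace(SAMPLE_TRACE)
    print(f"peak indicators in one step: {peak}")
    for f in findings:
        print(" -", f)
```

Scoring on the number of indicators raised by a single observation, rather than on any one of them, keeps ordinary handovers (a new but encrypted cell, or a brief 3G fallback in a basement) from firing on their own.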

Note 6. Kaspersky Lab

In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Furthermore, several media reports, citing unnamed intelligence sources, have claimed that Kaspersky’s software was being used by the Russian government to access sensitive information. Although the U.S. government has not given any official explanation for the ban, Kaspersky Lab vehemently refutes the unsubstantiated claims and stresses that there has yet to be any evidence produced of its alleged wrongdoing. Kaspersky maintains that the actions lack sufficient basis and are unconstitutional, and has initiated legal action against the U.S. government. Gartner clients, especially those who work closely with U.S. federal agencies, should continue to monitor this situation for updates.

Source: Gartner Research, G00341580, Dionisio Zumerle, John Girard, 30 October 2018


16

How to Successfully Navigate the Hurdles of Global-Scale BYOD Implementations

Research from Gartner

Bring-your-own-device initiatives offer the opportunity to cost-effectively extend mobility enterprisewide. However, no single BYOD approach works in all geographies. I&O leaders must learn to navigate the cultural, risk, cost and legal/regulatory hurdles of BYOD to expand mobility across the globe.

Key Challenges

• Regional economics drive significant variability in mobility costs, complicating subsidy programs.

• Robust labor and privacy laws in some countries inherently favor organizationally owned models or specialized approaches that blur the line between ownership models.

• Users’ participation in bring-your-own-device initiatives can erode an organization’s buying power with carriers for company-owned lines, increasing costs for non-BYOD users.

• Affordable devices preferred by users in some countries may not meet security and data protection requirements.

Recommendations

I&O leaders focused on mobile and endpoint strategies should:

• Segment the user roles that could benefit from BYOD in their organizations based on business need for mobile devices.

• Tailor ownership models and policies mix on a regional and countrywide basis, using a phased approach and working in collaboration with HR, legal, finance and line-of-business stakeholders.

• Cost-optimize subsidy investments by factoring in the impact of labor laws, regional consumer mobility costs and cultural attitudes.

• Use incentives to achieve business goal-based optimum participation in BYOD programs.

• Make local personal device preferences, and those devices’ ability to meet security and manageability requirements, primary factors in determining ownership models.

Strategic Planning Assumption

By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device.

Introduction

The improved efficiency, access and employee engagement that mobile computing enables makes it fundamental to digital transformation. Such transformation requires expanding mobile access to as many users as possible for maximum benefit; however, doing so by traditional means is prohibitively expensive for most organizations.

FIGURE 1. Device Ownership and Management Models

Source: Gartner (January 2018)

In most cases, a “hybrid” program, consisting of a mix of organizationally owned and user-owned devices, is the most cost-effective way to provide mobile access to the largest number of users in an organization (see Note 1).

Device Ownership and Management Models

Various mobile device ownership and management models are shown in Figure 1. (For additional information, see Note 2, Note 3 and Note 4, as well as Table 1.)


17


Table 1. Common Mobile Policies and the Management Systems That Can Apply Them

Policy                                                        EMM   Stand-alone MAM (1)   Comment
Screen Lock Timeout                                           √     -
Passcode/Complexity Enforcement                               √     -
Device Data Encryption                                        √     -
Full Device Wipe (Factory Reset)                              √     -                     Not recommended for bring your own device (BYOD) initiatives
Selective Wipe of Enterprise Applications and Data            √     √
Per-App Virtual Private Network (VPN)                         √     √                     May require compatible VPN or gateway product
Single Sign-on (SSO) for Managed Applications                 √     √                     May require supported identity and access management (IAM) infrastructure
“Open-in” App Restrictions for the Containerization of
  Enterprise Data                                             √     √
Enterprise App License Management                             √     √                     Capabilities variable between products

EMM = available with enterprise mobility management; Stand-alone MAM = available with stand-alone mobile application management (see footnote 1).

1 Stand-alone MAM requires software development kits (SDKs) or app wrappers to instrument apps for policy management. Stand-alone MAM has limitations for managing public app store applications. App store vendor end-user license agreements prohibit the wrapping of public apps. Independent software vendors (ISVs) don’t commonly accept requests for custom versions of their apps compiled with MAM SDK libraries. This may limit the scope of enterprise-enabled apps. It’s the primary reason EMM is the recommended approach, when possible, although vendors such as AppDome and DronaHQ are working to change this.

Source: Gartner (January 2018)

Expanding mobile access in the most cost-effective way will require most organizations to adopt elements of two or more of the above models. This mix will vary from region to region. In most cases, some mix of traditional/choose your own device (CYOD) and BYOD will provide the optimal results.

However, although traditional models and CYOD (essentially, traditional models with a degree of limited user choice among standard devices) are well-understood, outside a small number of countries, BYOD is much less so. Despite popular perceptions to the contrary, BYOD is not common in every country or region of the world, nor is it practiced in the same way from one

place to another. In some areas, BYOD is well-established and mature. In others, BYOD simply isn’t practical or cost-effective. Cultural, legal, economic and device availability issues collectively have a major impact and make simple answers and one-size-fits-all approaches impractical. This makes implementing a mixed ownership model – especially one that spans multiple regions – highly challenging to implement.

The optimal mix of models will differ significantly across organizations, and across geographies within multinational organizations. There’s no “right” combination that can be prescribed.

Accordingly, this research provides guidance to infrastructure and operations (I&O) leaders planning to implement BYOD on a global scale to extend mobile computing to as many users as possible, without exposing the organization to undue financial, legal and security risk.

Analysis

Segment the User Roles That Could Benefit From BYOD

Implementing a hybrid ownership model of enterprise-owned and BYOD wherever practical allows for lowest-cost expansion of mobility to the greatest number of users. A quick look at the most common approach illustrates why:


• Users who have a qualified “business need” for a mobile device are offered an organizationally owned device by default. This group often includes executives, frontline sales, field service and IT personnel responsible for the high-impact support of business systems. They can opt in to the BYOD program and use their personal mobile devices to fulfill this need. The organization may or may not compensate them for the costs associated with the business use of these personal devices (which are highly variable, based on the country involved).

• Users who have a less-compelling business need for a mobile device may qualify for the above group based on manager approval, or they may only get mobile access by participating in the BYOD program (this varies). This group often includes salaried knowledge workers and supporting roles. If this group receives a subsidy, it’s often at a lower rate than those in the above group.

• Those for whom mobile access is considered a convenience may get mobile access only through participation in the BYOD program. This is typically “everyone else,” including task workers and hourly workers. Specific policies such as those related to overtime work may restrict when and how these users use their mobile access. Because mobile access for these employees is for convenience, rather than for strict business need, they typically receive no subsidy (in countries where subsidies are commonly used).

In this widely adopted hybrid model, the organization still pays for devices owned and issued by the company for those who qualify. However, all other employees are given the option to opt in to the BYOD program, if they choose. The primary motivator for those employees to opt in initially is mobile email access; however, organizations frequently make all but sensitive/regulated, data-oriented business apps available to them as well.

In many organizations, this latter category of user (convenience-oriented/unsubsidized) is the largest of the three. (For detailed information on how to segment users by device ownership model.

Tailor Your Ownership Models and Policy Mixes on a Regional and Country Basis

As organizations have expanded access to mobile computing globally, approaches to mitigate some of the most problematic aspects of BYOD have evolved. However, best practices for many places where BYOD has not been common have yet to emerge. I&O leaders launching multinational BYOD initiatives or expanding mobility programs cost-effectively will need to work closely with the HR, legal, finance, and security and risk groups, region by region in a phased approach, to build successful programs, while mitigating risk.

Common challenges to establishing a BYOD program in different geographic areas include:

• Availability/Popularity of Enterprise-Friendly Devices – Android dominates many areas worldwide; however, older versions of that OS (prior to Version 6) can present management and security challenges. These older versions are still in widespread use in many countries.

• User Privacy Concerns – Users may be initially resistant to the requirement to enroll devices in EMM systems as a condition of access. Alternative management approaches to EMM, such as MAM, have limitations that may be problematic for many organizations, especially those deploying public (i.e., app store) applications.

• High Consumer Mobile Costs – Device and carrier costs for consumers vary widely from region to region. In areas where these costs make up a significant percentage of the employee’s annual earnings, BYOD may be unrealistic, unless subsidies for business use are provided. Historically, this has been a major barrier to adoption in many countries.

• Data Privacy Laws/Regulations – In areas with strong user privacy protections, such as the EU, BYOD as commonly practiced may make compliance difficult. The EU General Data Protection Regulation (GDPR), which takes effect in 2018, is not yet well-understood in terms of BYOD impact. It’s a major reason BYOD adoption has slowed in EU countries in recent months.

• Labor Laws/Labor Contracts and Works Councils/Labor Unions – In some countries, states or provinces, labor laws compel organizations to provide subsidies for work-related use of devices. In others, Works Councils and Unions may object to BYOD on privacy or financial grounds, making it challenging to implement where such organizations are strong. Stringent labor laws/regulations or labor contracts complicate BYOD. Places such as Scandinavia have spawned alternative forms of BYOD (e.g., “SIM swap”).

• BYOD Practices Counter to Mainstream Patterns – In China, BYOD for PCs (BYOPC) is common, but BYOD for mobile is not. This is the opposite of the rest of the world. In addition, as practiced in China, BYOPC may not meet the security, risk and support requirements of global organizations.

• BYOD Simply Not Commonly Practiced – In some countries, such as Japan, conditions would appear to be favorable to BYOD, yet BYOD is rare. This creates cultural barriers to adoption, as user demand for BYOD may be low. In addition, lack of experience with BYOD in such countries means a lack of understanding of country-specific issues that may arise.

This list should make it obvious that a single, uniform set of BYOD policies across even a handful of countries is unrealistic.

Figure 2 summarizes the key challenges to implementing BYOD globally. This map makes it apparent why multinational organizations have struggled with implementing global BYOD programs across all the geographies they do business in. The varied issues illustrated here amplify why a phased approach to planning could be key when BYOD is a fit for your organization. A cross-functional team – with representation from IT, HR, legal, finance and business stakeholders – is essential to evaluating the desirability of implementing BYOD in each region of interest.

Start with geographic areas in which BYOD is widespread and well-understood. This includes the U.S., Canada, the U.K., Ireland, Hong Kong and Australia/New Zealand.

Figure 2. Primary BYOD Challenges Across Regions and Countries

Source: Gartner (January 2018)

In the U.S. and, to a lesser extent, Canada, subsidies for monthly carrier fees associated with BYOD are common and should be considered for deployments there. Such subsidies are less common in the U.K., Ireland and Australia. Be prepared to re-evaluate the need for subsidies in each region on an annual basis, because the need for subsidies may change in a given area, along with the amounts subsidized. Since 2014, subsidies in the U.S. and Canada, for example, have declined by more than 30%.

It’s assumed that SRAs need to cover only a portion of the carrier fees. There’s no need to subsidize the cost of the device itself (unless it’s viewed as a benefit, as in parts of Europe), and many users may fall into an unsubsidized category. Nonetheless, BYOD still provides a mechanism to make mobility pervasive at a reasonable cost in these areas.

Although BYOD has fairly strong uptake (although much less than in the above countries) in Western Europe, the imminent implementation of GDPR has slowed adoption in recent months, as organizations struggle to understand its implications. In addition, strong privacy and employment laws make deployments in this area tricky. Consider traditional models or CYOD for these countries, if BYOD proves too problematic or complex to implement. If you go this route, then re-evaluate the feasibility of BYOD once GDPR’s impact is better understood.

In other areas, such as Russia, India, Turkey, Brazil and Chile, BYOD is widespread, but local device preferences and common BYOD management practices may create challenges. The versions of Android that are popular in these countries tend to lean heavily toward Version 5.x, with a substantial amount of Version 4.x as well, although Version 6 is on the rise. This, combined with lagging investment in EMM tools, can make it difficult to meet security and risk requirements, especially if enterprise apps are to be deployed. In countries such as these, infrastructure investments may be required, and acceptable device policies will have to be carefully tailored to balance consumer preferences with enterprise risk mandates.

Challenges such as these should make it clear that one-size-fits-all approaches to implementing a hybrid of ownership programs are impractical. Engage with stakeholders and take a phased, country-by-country approach. Position the right mix of CYOD and BYOD to provide the right model in each geography, based on local conditions. BYOD will not be a good fit for some areas. When this is the case, consider whether a corporate-owned, personally enabled (COPE) CYOD approach is a good fit to achieve many of the end-user benefits of BYOD, thus sidestepping the challenges. At times, depending on requirements, a purely traditional approach will also be the right decision.

Cost-Optimize Your Subsidy Investments

Cost-optimizing your subsidies – should your organization deem them necessary or desirable – is a major key to success. Ultimately, the question of whether or not to subsidize certain BYOD users for the business use of their personal devices – and how much – is a question not for IT, but for your legal, HR and finance departments. Ongoing engagement with these groups – along with your business stakeholders – should be central to your efforts to define policies across all aspects of a BYOD program.

Factors to consider include:

• Those related to risk – State/provincial, local and country labor laws, union/works council issues, and employment contract requirements.

• Those related to organizational and local societal culture – How the organization wishes to be perceived by employees and the impact of this perception on recruiting, retention and employee satisfaction; larger cultural attitudes about the rights of individuals/employees versus businesses.

• Business-IT strategy goals – Cost sensitivity/savings goals; transformation versus optimization through mobile computing; desire to encourage or limit participation in BYOD programs.

Subsidies for BYOD device use for business have become widespread in the U.S. and, to a lesser degree, in Canada, where they are viewed by many organizations as required due to legal risk (see below). In countries such as Australia and the U.K., they are used, but by a much smaller percentage of organizations than in North America. In parts of continental Europe, they can actually be problematic, because subsidies could be viewed as employee benefits that can’t be easily modified or taken away. In many of the countries in Africa or Central and South America, where the carrier fees are exceptionally high, users may not participate in a BYOD program without them.

In other words, subsidies may be a clear requirement for success with BYOD in some geographies, but the opposite may be true in others. A global program must consider the question on a country-by-country basis or, at minimum, by region.

The primary driver of the expansion of subsidy implementation in the U.S. was a 2014 California court ruling. This came in response to a suit by an employee who successfully claimed her organization’s lack of a subsidy for BYOD users violated California Labor Code 2802. This caused many U.S. organizations’ legal departments to rethink their position on subsidies. Because wording similar to California Labor Code 2802 exists in several other U.S. states, and similar mandates may be buried in various statutes and be hard to uncover, many U.S. companies have decided that a token stipend is worth the cost for offsetting this risk.

Gartner estimates that about 65% of U.S. companies with BYOD programs offer a subsidy to that portion of their user base with a business need for a mobile device. Average amounts, user segmentation and payment management approaches can be found in “How to Manage BYOD Stipends, Reimbursements and Allowances, 2016 Update.” The use of subsidies in Canada has grown since this ruling as well, but at a slower pace.

In parts of the EU (in particular, Scandinavia), offering a subsidy for BYOD use amounts to a benefit to the user, and becomes ensconced in the employment contract between the user and the organization. If the company decides in the future to modify the program, change eligibility requirements or alter stipend amounts in line with industry averages, the user must agree to the changes, and the contract must be amended accordingly. For this reason, “mainstream” BYOD is not common in that region. Instead, the “SIM-card swap” approach (refer to Note 2) is commonly used.

Economic factors should be evaluated as well. In large parts of Africa, Central America, Oceania, Southeast Asia and Eastern Europe, the cost of using a personally owned mobile device can be from 5% to 50% of a user’s monthly income. Compare that to well below 1% in the U.K./Ireland, Western Europe, China, Japan, the U.S., Canada and Australia. In high-cost areas, BYOD without a subsidy is usually a nonstarter.

Other economic and cultural factors include the regional job market. When India was the hottest tech job market on the planet just a few years ago, the devices a hiring organization offered the user were commonly factors in acceptance of job offers. Companies offering better (and more types of) devices often had an advantage when recruiting talent.

Use Incentives to Achieve Business-Goal-Based, Optimum Participation in BYOD

A desire to save money should not be the primary justification for adopting BYOD. Despite declining subsidies for BYOD users (even as the use of subsidies has expanded greatly in North America), BYOD might not cost you less than organizationally owned/issued devices for users who qualify for them. Savings will depend on the nature of your business and the types of users you must serve, as well as the mix of ownership models that suit a given region. The opportunity to save money has increased as subsidy amounts have declined; however, given the geographic variables, realizing actual savings remains far from certain.

As Type 1 users (who qualify for organizationally owned devices and plans) opt in to the BYOD program, the organization’s “attainment tier” (i.e., buying power with carriers) is eroded for the devices/plans it still owns and issues. However, this doesn’t necessarily mean higher costs overall for mobile. You can mitigate this and strike a balance between loss of buying power and, through incentives and disincentives, influence demand for BYOD. To drive the right level of demand, you must determine your goals and know your per-user costs, something into which most organizations with large numbers of company-issued lines have good visibility. Offer appropriate incentives based on these goals/costs: To get more users to opt in to BYOD, offer older, less desirable devices as your organization-owned phones and tablets.

To limit BYOD participation, restrict access to only a few business-related mobile apps or offer lower support levels, where possible (this is cost-effective only for the largest organizations with the greatest buying power). To understand the key cost levers for CYOD, see “U.S. Enterprises Should Separate Wireless Device and Service Purchases to Optimize Costs,” “Toolkit: Best Terms and Conditions for Enterprise U.S. Cellular Service, 2017,” and “Best Practices for Optimizing Mobile Contracting the European Way.”

In some regions, particularly the U.S. and Canada, carriers have adapted to BYOD. They often try to offset attrition of corporate lines by offering some credit for user-owned lines or adding value to contracts via deeply discounted devices or other services. However, even these efforts often can’t make up for lost buying power. Therefore, it’s important to know the levers available for achieving the right balance, and to use them to good effect.

Make Local Personal Device Preferences a Primary Factor in Determining Ownership Models

BYOD implies that I&O leaders increase the diversity of devices in the organization to adapt to support such an environment effectively. However, it should not mean that users can choose any device they want. Historically, it was common to implement a fairly liberal BYOD acceptable-device policy. The most common policies allowed for iOS devices (typically current minus one revision or higher) and any Android device running Android 4.2 or higher. This usually was workable when the only business access available was email via Exchange ActiveSync. However, as organizations started deploying more mobile apps for business and deploying EMM to support more-complex use cases, the flaws of this approach became apparent – the most prevalent of which was the “Android fragmentation problem.”

Modern Android (since at least Version 6/Marshmallow) has evolved enterprise-friendly controls, such as Android for Work APIs and Zero Touch deployment capabilities (available on Version 8/Oreo and up, and on prior versions with Samsung Knox). Managing these versions is on par with managing iOS devices, given a well-maintained EMM product. However, older versions are a different story, and acceptable device policies that don’t account for this can invite problems.

As an open-source OS, Google allows Android to be modified significantly by device manufacturers. Prior to changes made since Marshmallow, the same nominal version of Android on devices from two different original device manufacturers could behave very differently when managed using EMM or other tools. Essential features, such as encryption, might be missing altogether on less-expensive phones, some devices could not be updated with critical security updates and some devices would be difficult to impossible to enroll with EMM. Moreover, organizations found that older versions of Android had no capability for applying security and data-leakage policies to business apps, making secure enablement of a mix of business and personal data on the same device all but impossible. All of this resulted in higher total cost of ownership (TCO). A fragmented Android environment could cost as much as five times what iOS does, and result in an inability to meet basic security and compliance requirements.

Starting with Android for Work (AfW) in 2015, Google has taken steps to address these issues. Google has since rolled AfW functionality into mainstream Android versions, starting with Version 6.x. Gartner advises I&O leaders to add support for Android devices and to set a minimum threshold for acceptable devices (i.e., Android 6.x or later). They should also conform to Google’s certification (largely identifiable by the presence of Google Play out of the box).

As organizations became aware of this, they started adapting their policies. It’s now common for a BYOD acceptable-device policy to allow for iOS (current or current-1) and Android 6.0 (or, even better, Version 7.0) or higher, which has greatly improved manageability, compliance and TCO. Similar approaches enable a mix of iOS and Android devices from a particular manufacturer with enterprise-friendly features.

Although limiting device eligibility solves the TCO and support problems identified above, I&O leaders must account for the needs of different users and their varying cost sensitivity, when developing an acceptable device policy. Some users may be able to afford only the least-expensive devices, and these are often based on out-of-date versions of Android. To extend mobile computing across the enterprise, balance a sensitivity to device cost with manageability and data protection requirements.

Evidence

This research is based on Gartner client inquiries and client engagements in which Gartner has assisted clients in their work around BYOD and CYOD plans and policies.

Note 1. Glossary Terms

BYOD is a program (most commonly today, a formal, governed one) that allows an employee to use an approved, personally owned device for work purposes. This device may be a substitute for a similar organizationally owned device or a device type that normally would not be issued to that particular employee by the organization, but that the employee wants to use for business purposes.

CYOD is the traditional model by which the organization owns and issues devices to eligible users, but with the addition of choice from among a selection of similar devices offered to that user. Contrast this with the more-rigid model, in which IT selects a single, standard model for a particular device type or a particular job role.

Corporate-owned, personally enabled (COPE) initiatives allow users a degree of personal use of organizationally owned devices.


Note 2. More on Device Ownership and Management Models

The traditional model is the historical, industry-standard approach to device ownership and management. The organization owns and issues devices to users, based on business need. Devices are procured, provisioned and managed throughout their life cycle by the organization. Devices may be strictly controlled or “locked down,” such that users are not permitted to use or modify the device for personal, nonbusiness purposes (e.g., install apps, use personal email accounts or change certain configurations). Increasingly, organizations permit policy-governed personal use of the device, allowing users to select and install personal apps, check personal email or change certain configurations, as desired. This effectively enables users to carry a single, company-owned mobile device for both work and personal use. This usage model is commonly known as COPE.

A variation on the traditional model is CYOD. With CYOD, users choose an organizationally owned and issued device from among two or more standard device models, based on job requirements and/or personal preference. This model arose as an alternative to BYOD for some geographies or organizations in which BYOD is impractical to implement. At the same time, the organization wants to provide the users the specific benefits associated with BYOD by letting the users choose the devices with which they feel most comfortable or productive. In accordance with this motivation on the part of the organization, CYOD devices are also typically COPE devices as well.

BYOD devices are user-owned and allowed to access business resources (e.g., email, apps and data), as long as the user agrees to a set of organizationally defined policies. These may include a degree of IT management of the device via enrollment in EMM or MAM tools, compliance with business-use policies, and accepting certain subsidies in lieu of receiving an organizationally owned device. (See “Toolkit: BYOD Mobile Device Policy Template, 2017 Update” for details on the scope and nature of best-practice policies.) BYOD devices may be subsidized, where the organization compensates the user for monthly carrier costs associated with business use of the device, or unsubsidized.

Regional laws and conditions have spawned a variant of BYOD, commonly seen in Scandinavia, which may eventually be used in other areas as well. Once an unapproved, “underground” practice on the part of end users, the SIM-swap approach has become an accepted and policy-governed model for some organizations. In this model, users are issued an organizationally owned device, because this is the easiest way for the organization to comply with local labor laws or regulations. However, users are subsequently allowed by the organization to take the SIM card from that device and install it in a compatible personal device of their choice, enabling them to carry a single device for both work and personal use. Business access from this device is then governed by the same rules as a “mainstream” BYOD device.

Hybrid models combine two or more of the above approaches.

Note 3. More on COPE

Historically, many organizations prohibited the personal use of devices issued for business. These restrictions were often implemented as part of an effort to minimize voice, data and text costs, or out of concerns about data risk. Of course, this was prior to today’s common mobile device management (MDM) standards across major mobile platforms. However, carrier costs have declined significantly in much of the world, with a corresponding reduction in the cost impact of typical personal use. In addition, modern, sandboxed mobile devices were designed to facilitate a mix of business and personal use on the same device securely via containerization. These factors have opened the door for organizations to allow for the convenience of a mix of business and personal use on mobile devices. Allowing personal use on corporate-owned devices offers organizations the added benefit that employees will not be carrying two smartphones and turning off the corporate-owned one at the end of the business day. This factor has, in practice, become the primary motivator for users to opt in to BYOD.

Contrast this with PCs, which historically have no built-in facilities for keeping business and personal data separated, and it’s easy to see why BYOD for mobile has proved much simpler to implement than bring your own PC (BYOPC). This is reflected in the adoption numbers: Although nearly 70% of users across the U.S., U.K. and Australia bring their own smartphones to work, BYOPC numbers have hovered at or below 15% for years. The primary mechanism to enable secure access for user-owned PCs has been client virtualization; however, this may soon change. The latest generation of PC OSs enables a mix of business and personal data to coexist more securely. This evolution will continue to progress in future OS versions of Windows and Mac OS.

However, for the present, BYOD remains largely a mobile device phenomenon, and this research focuses on mobile accordingly.

Note 4. Why Enrolling Devices With EMM Is Preferred Whenever Practical

Because most organizations have a fiduciary responsibility to safeguard corporate information, regardless of who owns the device from which the information is accessed, security policy or implementation should not be based on device ownership.

When it comes to managing and securing mobile devices – regardless of ownership – IT should look for the simplest, most-TCO-friendly approach possible that meets security, data protection and user privacy risk requirements. The major mobile OSs are being built on the premise that organizations will use EMM to manage them. From zero-touch provisioning services (for example, Apple DEP and Google Zero Touch) to enterprise mobile app licensing via Apple VPP and similar programs, EMM is assumed and is required for maximum scalability and integration capabilities.


Ideally, all devices would be enrolled in EMM, and policies would be applied consistently across organizationally owned and BYOD devices, with the exception of device wipe policies. (Commonly, organizationally owned devices are fully wiped, whereas user-owned devices are “selectively” wiped of enterprise apps and data only.)

However, there are times when enrolling user-owned devices isn’t practical or even possible. In these cases, a mix of EMM and stand-alone MAM, with or without a secure email application (depending on requirements), typically meets requirements. Consistent application-level policies across EMM-managed and stand-alone MAM devices should be enforced. Refer to Table 1, which summarizes the policies commonly used by most organizations to secure mobile devices, and the management approach to which they are applicable.

Enterprises should carefully explain the need to push policy to personally owned devices to safeguard corporate information. They also must be transparent about what information from the device will be available to the company as a byproduct of the device management paradigm, and how that information will be handled (if at all). Failure to be transparent about what information will be available to the organization and how it will be treated often results in employees suspecting that the organization may be “snooping” or “eavesdropping” on their personal devices. This lowers the attach rate for a BYOD plan.

Additionally, enterprises must explain to users what remedies exist for IT (for example, full device wipe) in the event the device is compromised. It is critical to consult legal and HR teams to ensure that controls pass legal and ethical rigor, and that the policies used to acquire user consent are defensible.

Gartner has created Toolkits for organizationally owned and BYOD policies. These templates contain best practices accumulated over the years and can speed the process of developing and/or checking your mobile policies for completeness. (See “Toolkit: BYOD Mobile Device Policy Template, 2017 Update” and “Toolkit: Enterprise Owned Mobile Device Policy Template, 2017 Update.” For best practices on addressing user privacy concerns, see “How to Gain the Trust of Sophisticated BYOD Users.”)

Source: Gartner Research, G00341580, Bryan Taylor, Leif-Olof Wallin, 29 January 2018

TrustSpace ; Digital Secure WorkSpace Based on ‘Zero Trust’ is published by Qihoo360. Editorial supplied by Qihoo360 is independent of Gartner analysis. All Gartner research is © 2018 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Qihoo360’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.