Managing and securing the world of mobile computing is an evolving art, as a quartet of vendors showed at Mobile World Congress, each taking different approaches to the challenge.
Fixmo, Kindsight, ManageEngine and Symantec are creating new, or improving current, products to manage enterprise mobility, ranging from the device and its operating system, the data and apps it runs, to the networks it connects through.
Fixmo, founded in 2009, acquired technology originally developed by the National Security Agency (through the NSA's Technology Transfer Program). The NSA code was intended to actively monitor mobile devices and their operating system, and detect any changes in their state that would indicate they'd been compromised.
"How do you know, on an ongoing basis, that the device continues to be in compliance with your enterprise policies?" says Tyler Lessard, chief marketing officer for Fixmo, of Toronto. "We do this, by comparing real-time data about the device state to enterprise policies."
The first product in the company's offerings, commercialising the NSA technology, was Fixmo Sentinel, an application for managing mobile risk. More recently, the company added a second product, Fixmo SafeZone, which Lessard describes as a "sandbox for iOS and Android, keeping all corporate apps and data in a separate, encrypted workspace on the device."
At Mobile World Congress last week, the company announced it has merged the two formerly stand-alone products, with a common console that lets IT managers work across both.
Now, when Sentinel detects a change of state or some other indication of compromised security, it can alert SafeZone, which then locks down the container. Users can't access apps or data in the corporate safe zone on their smartphone or tablet, until the problem is fixed.
In addition, Sentinel's policy engine can now factor in location. If a device roams outside of a country, or connects to an unsecure Wi-Fi net, Sentinel can take actions such as turning off the camera or locking down data in the corporate safe zone on the device. When the device reconnects later at the corporate office or on a recognised secure network, it frees up access by the user.
The vendor is also introducing Fixmo App Zone, an app store for the enterprise to manage, distribute and monitor the growing list of mobile apps, regardless of how employees obtain them.
The new suite, including Fixmo Sentinel 4.2, Fixmo Safezone 1.0 and App Zone 1.0, will be released in March. Pricing starts at under $10 per device for the basic mobile device management features, and rises to about $95 per device the full suite of MDM, integrity services and the SafeZone secure container, with volume discounts for large deployments.
Kindsight is targeting its security platform to network operators, which can use the appliance-based software to monitor traffic on carrier networks for malware. The vendor says this is the first product that combines network-based malware detection with a client-side app that removes the problem.
Kindsight is a spinout from Alcatel-Lucent, which owns a majority stake in the startup. The company works with network operators to embed the Kindsight software into their core networks. The company also offers a range of tools and services that operators can rebrand to business and residential subscribers.
Kindsight's appliance, installed in the carrier network, monitors the subscriber's outbound traffic. "The malware is always communicating with a remote hacker or a command and control server. That's what we look for," says Kevin McNamee, Kindsight's security architect and director. Several carriers are piloting the product.
This week, Kindsight announced it was embracing mobile data traffic also. Executives say the combination of a client-side app, and the network-based monitoring and detection, is an optimal arrangement for mobile security, for almost any platform. Other MDM vendors will plant an agent or small app, but don't have a "network-side view" of the potential problems, according to Kindsight executives.
In a second announcement at MWC, Kindsight launched a mobile security service. Users download the relevant app (from iTunes or Android Marketplace), which then communicates with the Kindsight server in the carrier's network. The device-side app scans downloads for malware, sends a push-alert to your phone when one is found, confirms the malware and uninstalls it. Initially the new service is for Android mobile devices.
Carriers are likely to use the Kindsight service as their own, charging users a fee for the added security.
ManageEngine announced its first mobile device management capabilities in a new release of its Desktop Central product.
"Our customers say they don't need another screen just for mobile devices," says Raj Sabhlok, president of ManageEngine. "They want MDM integrated with what they already have for servers, desktops and other assets."
Desktop Central is a an application for managing Windows PCs, and their associated security, configuration, patch management and other requirements, now including a set of familiar mobile security features such as device lock and wipe, remote setup and configuration, and others. The new code works with Apple's device management APIs, and leverages Microsoft's Exchange ActiveSync protocol.
These capabilities are now part of Desktop Central, which in turn can be linked with ManageEngine's service desk/helpdesk product, to give tech support staff information on problems and on-device assets, and assign and manage trouble tickets for reported problems.
The initial release of the MDM features is for Apple iOS, and will be released in mid-2012, with Android support to follow later. Pricing hasn't been announced.
Symantec at MWC broadened its enterprise for mobile management with a series of announcements.
First, it announced that its MDM application, Symantec Mobile Manager, will in Version 7.1 due in March, integrate with Microsoft Systems Center Configuration Manager (SCCM). All enterprises with SCCM set up, can now see and interact with the Symantec application as if it were part of SCCM, and its administrative UI, itself.
Also new in March: software agents that can be downloaded to Android and Windows Phone 7 devices, as Symantec already provides for iOS devices. With its own agent in place talking to Symantec Mobile Manager, the vendor can expand MDM controls beyond what is possible by only relying on Microsoft ActiveSync and Exchange. Among other things, the agent can work with Symantec's policy manager to enforce centrally configured security and management policies on these devices.
Third, in a related announcement for Android, Symantec says it's bringing the technology of its consumer-focused anti-malware product, Norton Security for Android, to an enterprise version of this application. Working with a server engine and signature database, the software can detect malware, remove malicious apps, and reference a database of suspect websites and block the Android browser from surfing to them. This application will be released in late summer.
The company also announced that its Data Loss Prevention (DLP) for Tablets application is now generally available for Android tablets. The product was first introduced for the iPad to monitor the movement of corporate data to and from the tablet (for example, to a USB storage stick), through a variety of advanced algorithms and other technology. Symantec Mobile Manager first configures the tablet with settings that funnel all traffic through a corporate VPN to the Symantec gateway where it can be watched.
One change in the new DLP version for Android: The software verifies the settings on the device are correct and alerts the IT group if they're changed (for example, if the VPN is turned off). Also new is support of the key management service from Symantec's VeriSign group, which focuses on Public Key Infrastructure (PKI) for creating and managing encryption keys. DLP for Tablets is now available.
Finally, the vendor announced the release of a new feature in its Symantec O3 cloud service for information protection. The new O3 Cloud Identity and Access Control feature creates a single, secured point of access to cloud services. Users go through the combination of behind-the-firewall gateway and the O3 cloud in order to access a DropBox storage, for example.
Once the user is authenticated, O3 acts as a proxy to log in to various cloud services on their behalf. The enterprise can use this access control to prevent corporate data, for example on a new patent, from being stored in a user's online DropBox account. Symantec O3 is available as a hosted, on-premise or hybrid deployment.
Symantec also now offers, via a collaboration with Salesforce.com, O3 for Salesforce, which creates single sign-on, access management and strong authentication. It's built on Salesforce's Force.com social enterprise service.