Domain 4 · 4.1 Securing Computing Resources

4.1.4 Mobile Solutions

MDM, BYOD, COPE, CYOD.

10 min

Mobile solutions involve the strategic management and securing of portable hardware to protect organizational data while maintaining user productivity.

Mobile Deployment Models - BYOD (Bring Your Own Device): Employees use personal smartphones for work. This reduces hardware costs but increases risk due to inconsistent security patches and a loss of organizational control. - COPE (Corporate-Owned, Personally Enabled): The organization provides the device but allows personal use. This offers the highest level of control over security configurations and updates. - CYOD (Choose Your Own Device): Employees select a device from an approved list of corporate-supported hardware. This standardizes troubleshooting and security deployments. - VDI (Virtual Desktop Infrastructure): Data remains on a central server while the mobile device acts as a remote display. This prevents sensitive data from ever physically residing on the mobile hardware.

Mobile Device Management (MDM) MDM software is the primary tool for enforcing security policies on mobile fleets. - Remote Wipe: The ability to factory reset a lost or stolen device via a central console. - Geofencing: Restricting device features (like the camera) or access to data based on the device's physical GPS location. - Application Management: Whitelisting approved apps and preventing the installation of unauthorized or "sideloaded" software. - Containerization: Creating a secure, encrypted "work" partition on a device to separate corporate data from personal data, which is essential for BYOD privacy. - Device Locking: Enforcing complex passwords, biometrics, or PINs to prevent unauthorized physical access.

Mobile Security Technologies - ECC (Elliptic-Curve Cryptography): An asymmetric encryption method favored for mobile because it provides high security with smaller key sizes, requiring less computational power and battery life. - MicroSD HSM: A hardware security module in a small form factor used to provide onboard cryptographic key generation and storage. - MAM (Mobile Application Management): Focuses on controlling specific applications and their data rather than managing the entire hardware device. - SEAndroid: Security Enhancements for Android, which uses mandatory access control (MAC) to isolate folders and prevent malicious apps from accessing system resources.

Quick recall - Storage Segmentation: Separates personal photos from corporate emails (logic for BYOD). - Onboarding/Offboarding: The process of adding or removing a device from the MDM system. - Jailbreaking/Rooting: Removing manufacturer restrictions; MDM should detect this and block access (OTA updates often fix these vulnerabilities). - USB OTG: A risk factor that allows mobile devices to act as a host for external storage; often disabled via policy. - Screen Lock: The most basic technical control to prevent local data theft.