TrustSpace ; Digital Secure WorkSpace Based on ‘Zero Trust’

Contents
TrustSpace: Digital Secure WorkSpace Based on ‘Zero Trust’ ... 1
Research from Gartner: Market Guide for Mobile Threat Defense ... 7
How to Successfully Navigate the Hurdles of Global-Scale BYOD Implementations ... 16

I. Enterprise Mobility Trend Under Digital Transformation

In recent years, with the gradual maturing of the mobile communications infrastructure (mobile devices, 4G networks, Android, iOS and other mobile operating systems) and the acceleration of enterprises’ digital transformation, the BYOD mobile working mode is gradually becoming the main device mode for enterprise mobility. Many industry customers, such as those in the finance, enterprise, government and medical fields, have started to encourage staff to use enterprise applications on their personal devices, and to allow those devices to access the enterprise intranet at any time and place for mobile working.

The trend comes from two core driving forces. The first is the enterprise’s need to continuously reduce cost and improve efficiency. With the COPE/COBO working mode enterprises significantly increase their purchase and operating costs, so they are naturally inclined towards the lower-cost BYOD mode, in which staff use their existing personal mobile devices for work. The other driving force is the staff’s own wish to use their personal devices for work. The COPE/COBO mode brings a lot of inconvenience and trouble to staff during mobile working. A typical case is that staff have to carry two phones: the company phone for work and their own phone. This is a bad experience for users; staff prefer to use their personal devices for mobile working.

In its 2018 report Gartner stated that “…by 2022, more than 75% of smartphones used in the enterprise will be bring your own device (BYOD), forcing a migration from device-centric management to app- and data-centric management.”1

1 Gartner Inc., Define BYOD Ownership and Support Expectations in Contracts to Ensure Successful Implementation, 29 March 2018, G00351642

[Figure 2. Changes in Device Ownership Over a Period of Time2]

BYOD mobile working not only accelerates the process of enterprise mobility, but also brings new challenges to enterprises in IT information security, device management and other areas. The core challenge is how to securely provide the right users with the right applications and data, on the right devices, at the right time and place.

II. Demand Trend and Strategic Recommendations on Enterprise Mobile Security

• Demand trend of enterprise mobile security

º Enterprises no longer focus on device management; instead, they pay more and more attention to how to deliver mobile applications securely and efficiently and how to protect data.

º For BYOD and compliance-heavy industry scenarios (such as government, finance, etc.), the demand for mobile threat defense is increasingly strong.

º Multi-factor identity authentication, dynamic identity authorization, and unified identity management are becoming the key points to be considered.

º IT senior management pays more attention to the mobile working user experience and the protection of staff’s personal privacy.

[Figure 2 note. Base: n = 57 (desktop) and 43 (tablet and smartphone) Gartner Research Circle members. Q: How are each of the following items in the equipment portfolio of the deskbound worker (office only) provided today? Q: How do you expect each of those items to be provided in three years? Source: Gartner (March 2018)]

• Strategic recommendations on enterprise mobile security

º Enterprises should upgrade the original device-centered mobile management strategy to a user-centered workspace strategy.

º Enterprises should build a new mobile security model to cope with the security and compliance challenges of the workspace strategy.

º Enterprises should fully consider the differences between the BYOD and COPE modes in security management and user privacy, and make differentiated security strategies.

2 Gartner Inc., Define BYOD Ownership and Support Expectations in Contracts to Ensure Successful Implementation, 29 March 2018, G00351642

III. ‘Zero-Trust’ Security Architecture of TrustSpace

TrustSpace secure workspace (hereinafter referred to as “TrustSpace”) is a brand-new digital secure workspace solution launched by 360 Enterprise Security Group. Based on the ‘zero-trust’ and ‘zero-control’ concepts, TrustSpace helps enterprises fully activate the BYOD working mode from the perspective of both IT managers and end users. It builds a three-level trust system covering the system environment, the identity boundary, and application data, which makes mobile working secure and reliable for IT managers. Moreover, zero management of the device, zero collection of privacy, and zero cost of usage eliminate mobile users’ privacy concerns and stimulate end users’ mobile working vitality.

TrustSpace ‘zero-trust’ security technology builds a trustworthy workspace on an open mobile device, provides a general data protection scheme for enterprise-level applications and data, and reduces the whole series of security risks that come with enterprise mobility. TrustSpace ‘zero-trust’ security is a new security model built on the device, the user, and the application, as follows:

• Trusted device: system environment

Based on mobile security big data, TrustSpace MTD (mobile threat defense) technology provides device-level (such as jailbreak/root, system vulnerability, and system configuration compliance detection), network-level (such as Wi-Fi security detection), and application-level (such as malicious app behavior detection) risk perception and threat detection on the mobile device, to ensure that TrustSpace runs in a secure and trusted operating environment.


• Trusted user: identity boundary

By deeply integrating new-generation container technology and identity authentication technology, TrustSpace re-draws the boundary of enterprise applications. The boundary has two meanings. The first is that the boundary is TrustSpace itself, which builds a basic boundary between enterprise applications and personal applications through container technology and verifies the user’s identity by basic identity authentication at the entrance of the boundary. The second is the internal application boundary inside the TrustSpace container. It is defined according to the different values and sensitivities of applications and data. For some highly-sensitive applications, continuous dynamic enhanced identity authentication is required based on time, position, behavior, and other factors, to guarantee that these highly-sensitive or highly-valuable applications can be accessed securely by the right users at the right time and place.

• Trusted enterprise application and data

TrustSpace makes enterprise applications and data trusted by protecting the data through its full life cycle. The mobile device data life-cycle model includes different stages such as data storage, data usage, data sharing, and data transmission. At each stage, core technologies and security mechanisms are used to protect the data. At the data storage stage, application-layer transparent encryption and decryption technology is used to create an independent secure area on the mobile device and strongly encrypt documents that require local storage. The encryption methods include AES and local cryptographic algorithms. Meanwhile, key information, such as the key used for data encryption, is kept in secure storage using the secure key box technology. At the data transmission stage, a TLS-based application-level encrypted channel is used to realize secure channel access. At the data usage stage, in order to effectively prevent data leakage, policies such as screenshot protection, copy-and-paste prohibition, and application/document watermarking are set. At the data sharing stage, the main work is to restrict data sharing and exchange between applications in the workspace, or between internal applications and personal applications.

The core of data reliability is storage reliability, where the key issue is the secure management and storage of the encryption key. TrustSpace secure key box technology is the method used to realize secure storage and management of key data such as encryption keys and certificates. It provides the foundation for a reliability and protection scheme for enterprise application data through its full life cycle within TrustSpace.
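As an added example (not code from TrustSpace, 360 Enterprise Security Group or Gartner), the policy below combines the device-, network- and application-level MTD indicators described above with the two boundaries of this section: basic authentication at the container entrance, and continuous dynamic (step-up) authentication for highly-sensitive applications based on time, position and behaviour. Every field name, risk category and threshold is an assumption chosen for illustration.

```python
"""Zero-trust access decision for a secure workspace.

Added example, not TrustSpace/360 or Gartner code. Every field name and
threshold below is an assumption chosen to illustrate the policy shape.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up authentication required"
    BLOCK = "block"


@dataclass
class DevicePosture:
    """Indicators an MTD agent would report for one device (assumed fields)."""
    rooted_or_jailbroken: bool = False      # device level: privilege escalation
    developer_mode: bool = False            # device level: risky configuration
    os_patch_age_days: int = 0              # device level: age of security updates
    invalid_certificate_seen: bool = False  # network level: spoofed/invalid cert
    weak_cipher_negotiated: bool = False    # network level: bidding-down attack
    malicious_app_detected: bool = False    # application level: malware/grayware


@dataclass
class AccessContext:
    """Who is asking, from where and when (assumed fields)."""
    user_authenticated: bool                # basic check at the container entrance
    mfa_verified: bool = False              # step-up already completed this session
    local_hour: int = 9                     # 0-23, local time of the request
    in_trusted_location: bool = True        # position factor
    new_device_for_user: bool = False       # behaviour factor: unfamiliar device


@dataclass
class AppPolicy:
    """Per-application policy inside the workspace container (assumed fields)."""
    name: str
    highly_sensitive: bool = False          # falls under the internal boundary
    max_patch_age_days: int = 90            # compliance threshold for this app


def device_risk(p: DevicePosture) -> str:
    """Map raw indicators to the risk category a console would display."""
    if p.rooted_or_jailbroken or p.malicious_app_detected or p.invalid_certificate_seen:
        return "high"
    if p.developer_mode or p.weak_cipher_negotiated:
        return "medium"
    return "low"


def evaluate(p: DevicePosture, ctx: AccessContext, app: AppPolicy):
    """Return (Decision, reasons); the reasons are what an admin console would log."""
    # Basic boundary: nobody enters the workspace without authenticating.
    if not ctx.user_authenticated:
        return Decision.BLOCK, ["user not authenticated at workspace entrance"]

    # Trusted device: a compromised environment is blocked for every application.
    risk = device_risk(p)
    if risk == "high":
        return Decision.BLOCK, ["device risk high: compromised environment"]
    if p.os_patch_age_days > app.max_patch_age_days:
        return Decision.BLOCK, [f"security updates older than {app.max_patch_age_days} days"]

    reasons = []
    needs_step_up = False
    if risk == "medium":
        needs_step_up = True
        reasons.append("device risk medium: risky configuration or network")

    # Internal boundary: sensitive applications also weigh time, position and behaviour.
    if app.highly_sensitive:
        if not 7 <= ctx.local_hour < 20:
            needs_step_up = True
            reasons.append("access outside working hours")
        if not ctx.in_trusted_location:
            needs_step_up = True
            reasons.append("access from untrusted location")
        if ctx.new_device_for_user:
            needs_step_up = True
            reasons.append("first access from this device")

    if needs_step_up and not ctx.mfa_verified:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons or ["all checks passed"]


if __name__ == "__main__":
    # Constructed sample: a clean device opening a sensitive app late at night.
    late = AccessContext(user_authenticated=True, local_hour=23)
    hr = AppPolicy("HR records", highly_sensitive=True, max_patch_age_days=30)
    print(evaluate(DevicePosture(), late, hr))
```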


IV. Functional Modules of TrustSpace

In terms of functional architecture, TrustSpace mainly consists of four parts: the TrustSpace client, the TrustSpace console, the TrustSpace application portal, and the 360ID platform.

The TrustSpace client is installed on the mobile device and includes three core areas: the ‘zero-trust’ core competence area, the secure working suite area and the enterprise internal application area. The ‘zero-trust’ core competence area provides the core security technology based on ‘zero-trust’ for enterprise applications, such as MTD mobile threat protection, data protection, and multi-factor authentication. The secure working suite area provides the working suite used in all kinds of general application scenarios for enterprise mobility, such as the Secure Browser, secure cloud disk, secure e-mail, secure document reading, and secure instant messaging. The enterprise internal application area delivers the enterprise’s internal mobile working applications to mobile users in a safe and effective manner.

The TrustSpace console is the control and strategy center, which provides a series of security and compliance policies to users.

The TrustSpace application portal is the key control point for enterprise applications to access the enterprise intranet. It provides an application-level SSL VPN channel and authorization for the application, and applies strong data encryption to the data transmitted by the application. Furthermore, the TrustSpace application portal integrates seamlessly with the TrustSpace client. With TrustSpace, mobile users can connect to the enterprise intranet directly.

The 360ID identity platform is the authentication and authorization management center provided by TrustSpace. It can set several authentication methods for access to TrustSpace and implement continuous dynamic authentication and access authorization for application end users.

V. Application Scenarios of TrustSpace

TrustSpace provides three different combinations of product components and functions for different mobile scenarios. For the majority of small and medium-sized enterprises, and those whose mobility applications are on the public internet, TrustSpace provides the complete ‘zero-trust’ security technology. For large and medium-sized organizations, and those whose mobility applications are in the enterprise intranet, in addition to the ‘zero-trust’ security technology TrustSpace provides mobile application remote access to the intranet by adding the TrustSpace application portal modules. For very large organizations and those with highly-sensitive mobile application scenarios, in addition to the ‘zero-trust’ security technology and mobile application remote access to the intranet, the 360ID platform is added to provide enterprises with multi-factor authentication and continuous dynamic application access authorization.


Furthermore, for the BYOD and COPE mobile working modes, TrustSpace provides two security strategies, ‘zero-device management’ and ‘strong-device management’, to meet the differentiated security strategy and compliance management demands of different enterprises.

Category / Item                   | Basic Edition     | Advanced Edition                         | Enterprise Edition
Scenario description              | Internet scenario | Intranet scenario + basic authentication | Intranet scenario + advanced authentication

Module
  TrustSpace secure workspace     | √ | √ | √
  TrustSpace application portal   | – | √ | √
  360ID platform                  | – | – | √
  Unified application gateway     | √ | √ | √
  Zero-device management (BYOD)   | √ | √ | √
  Strong-device management (COPE) | √ | √ | √
  Data security                   | √ | √ | √
  Secure working suite            | √ | √ | √
  Mobile threat defense           | √ | √ | √

Function description
  Identity authentication         | √ | √ | √
  Container / secure key box      | √ | √ | √
  Application-level VPN channel   | – | √ | √
  Multi-factor authentication     | – | √ | √
  Unified single sign-on (SSO)    | – | – | √
  Unified user center             | – | – | √


Research from Gartner: Market Guide for Mobile Threat Defense

Mobile threat defense (MTD) solutions have matured and can provide value to organizations looking to strengthen their mobile security. Security and risk management leaders should leverage MTD to address evolving mobile security needs.

Key Findings

• The MTD market continues to have organic growth. Beyond a unified endpoint management (UEM) security add-on, MTD is also used to address use cases such as mobile phishing, bring your own device (BYOD), app vetting and compliance.

• MTD solutions prevent or detect threats against iOS and Android platforms by employing a variety of techniques, including machine learning and behavioral analysis based on mobile threat intelligence.

• Enterprises are still fine-tuning their risk perception and maturity around mobile. While they start to recognize the value of MTD solutions, they do not show particular urgency to adopt them.

Recommendations

To address mobile risks, security and risk management leaders should:

• Introduce MTD solutions gradually. Adopt MTD solutions sooner in high-security verticals, with large Android device fleets, or in regulated verticals, such as finance and healthcare.

• Leverage app vetting and device vulnerability management MTD functionality first to demonstrate immediate value to the organization.

• Integrate the MTD solution with the UEM tool. Prefer app-based deployment, leaving proxy-based deployment options for corporate-owned business-only (COBO) scenarios.

Strategic Planning Assumption

By 2020, 30% of organizations will have MTD in place, an increase from less than 10% in 2018.

Market Definition

The MTD solution market consists of solutions that protect organizations from threats on iOS and Android devices.

Market Description

MTD solutions protect at the device, network and application levels:

• On the device level, MTD tools monitor indicators such as OS versions, security update versions, system parameters, device configuration, firmware and system libraries to identify security misconfigurations, device vulnerabilities and suspicious or malicious activity. MTD tools check for modification of system libraries and configuration, as well as for privilege escalation (such as jailbreak or rooting).

• On the network level, MTD tools monitor cellular and wireless network traffic for unsanctioned, suspicious or malicious behavior. MTD tools can check for invalid or spoofed certificates, and for stripping of Transport Layer Security (TLS) or Secure Sockets Layer (SSL), and can perform a variety of other customized man-in-the-middle detection techniques. For example, an MTD solution could identify bidding-down attacks from a malicious network, where the encryption algorithm negotiated is intentionally weak to allow for eavesdropping.

• On the application level, MTD tools identify grayware (see Note 2) and malware through application sandboxing and code analysis. MTD application security techniques include signature-based anti-malware filtering, code emulation or simulation, application reverse engineering, and static and dynamic app security testing.

MTD solutions provide protection by preventing, detecting and remediating attacks (see Note 3). Different MTD solutions employ different techniques. (Even though focused on traditional endpoints, “Comparing Endpoint Techniques for Malware Protection” describes these techniques.) In general, MTD solutions collect and analyze indicators of compromise to identify anomalous behavior and counter threats. To do so, MTD solutions gather threat intelligence from the devices they support as well as from external sources. By observing the behavior of healthy devices and the behavior of devices under attack, MTD solutions learn to recognize malicious and suspicious behavior and intervene to remediate it.

Figure 1 illustrates how MTD solutions are typically composed of an on-device agent in the form of an app; a server component; and an administrative console that enables enterprises to monitor, report and audit. The server component conducts analysis that can either reside in the cloud or on-premises. Depending on the vendor, the detection engine can be split between the cloud-based server and the device, or it can reside exclusively on the device. Although we see endpoint protection platforms (EPP) converge toward cloud-based solutions to keep up with constant updates, the on-device agent provides a better likelihood of the protection persisting over a compromised network. The console provides identification and categorization of riskiness of devices, suggests mitigating measures, integrates with UEMs (see Note 4), and allows the administrators using the console to prioritize intervention on vulnerable devices. Depending on the vendor and the options provided, the MTD app can be either distributed as an enterprise app, or downloaded and installed directly from the commercial app store. An enterprise app typically makes up for the inconvenience with having a few more privileges on the device.

Market Direction

Apple and Google constantly add security improvements aimed at covering the needs of their iOS and Android consumer users. Several signs, however, continue to indicate that mobile security issues are growing in both volume and importance:

• Nearly one out of five business and industry apps leaks personally identifiable information (PII).1

[Figure 1. Example Architecture of an MTD Solution Integrated With a UEM Solution. Source: Gartner (October 2018)]

• Every year, 42 million mobile malware attacks take place.2

• 63% of grayware apps leak the device’s phone number.3

Furthermore, enterprises believe mobile malware attacks occur more often than is reported. In a recent Gartner survey, 60% of respondents stated they believe mobile malware incidences are underreported. To the same question for desktop malware incidences, respondents stated they believe only 16% are underreported.4 Mobile security incidents come, for example, from eavesdropping over untrusted wireless networks and spyware apps.5,6

Gartner estimates the MTD market amounts to approximately $200 million worldwide at the time of writing. This is a fairly low number compared to other enterprise security markets, such as the market for endpoint protection platforms. The main reasons for the slow adoption of MTD solutions are:

• Mobile platforms were built with the countermeasures necessary to address the typical endpoint security failures. Application sandboxing, app store curation and limiting of user privileges have delivered stronger security than that of traditional computer endpoints.7

• The lack of highly visible and successful mobile attacks against enterprises has not encouraged organizations to go beyond UEM to protect their mobile devices.8 Enterprises tend to focus on data leakage risks during everyday usage of mobile devices, rather than malicious threats against them.

There is great growth potential for the MTD market, if its adoption follows the footsteps of its endpoint management counterpart, UEM. In the same Gartner survey mentioned above, 64% of respondents estimated that their mobile security spending will grow by 22% in 2019. As the market grows, it attracts the attention of traditional endpoint protection vendors as well as some endpoint management ones. Some examples are:

• Check Point acquired Lacoon in 2015.9

• Symantec acquired Skycure in 2017.10

• Microsoft integrated Lookout Mobile Endpoint Security with Windows Defender Advanced Threat Protection (WDATP) in 2017.11

• MobileIron partnered with Zimperium in 2017 and offers the MTD solution inbuilt in its UEM agent.12

These signs indicate that MTD could become a part of EPP offerings (or security-focused UEMs) before it reaches its full growth potential. As PC platforms adopt a locked-down approach similar to mobile ones,13 this possibility becomes even more compelling. Currently though, most enterprises deploy and operate MTD solutions distinctly from their EPP solutions.

MTD vendors also use other channels to promote growth:

• Via partnerships with managed mobility services providers

• As consumer solutions, such as freemiums and as part of carrier bundles

• Within consumer-facing banking and other high-security apps (see the Market Analysis section)

All these avenues are not only meant to grow revenue, but also to increase the mobile threat intelligence that feeds the MTD analysis engines.

Market Analysis

Enterprises have mastered UEM systems and want to go beyond the controls these tools offer them. The effort is not only to address advanced malicious threats, but also to simply improve their basic security hygiene (see the Market Analysis section for further discussion of use cases). As MTD solutions mature, security departments become the main buying center, rather than mobility or IT operations.

Even though the mobile security space is still fast-paced, MTD solutions have reached a degree of maturity that makes them suitable for enterprise adoption. Enterprises are adopting MTD solutions to augment the security baseline that their UEM tools provide.

Deployment Options

MTD solutions can be deployed in four ways, as shown in Figure 2:

• The most common option is MTD integrated with UEM on managed devices. MTD leverages UEM to enroll on the device, obtain information about the device and perform remedial actions on the device. UEM has an MDM profile installed on the device, which allows it to take actions that a normal app cannot, such as performing a remote wipe. The MTD app on the device collects information that it sends to the cloud-based engine to identify attacks and update the defense engine. When an attack or an indicator of compromise is identified, the engine sends an alert to the MTD dashboard, which notifies the UEM dashboard. Action is then taken on the device depending on the organizational policies.

• Devices that are not managed by a UEM can host a stand-alone MTD. In this case, the MTD can act as a privileged entity on the device by running its own MDM profile. Stand-alone MTD is selected often when managing devices is not an option (for user experience or other reasons). If it does not manage the device, the information around the device and the range of remediation actions may be limited.

• Some MTD solutions also come in the form of an SDK to embed into an app. Today, this method is mostly used to protect consumer-facing apps, rather than employee-facing apps, and is, therefore, not a focus of this research. The remediation actions take place in the app itself, rather than on the device. For example, the app may decide to abort operation if it identifies the presence of malware on the device. Some MTD vendors are partnering with app shielding vendors to provide broader functionality or extending their functionality to encompass app shielding.

• The last deployment method observes and analyzes network traffic. In this case, the MTD solution redirects the traffic to and from the device to the analysis engine. There, it can analyze the traffic, filter malware and provide functionality that is often found in secure web gateways, such as domain blacklisting and content filtering. This option adds more visibility than all other deployment options, but the privacy implications of constant traffic monitoring make it difficult to suit anything apart from COBO scenarios. Enterprises that take this approach usually have iOS-supervised devices and higher-than-average security requirements. This approach differs from the secure transport enforcement feature that many MTD solutions provide (see Table 1), in that the traffic redirection is constant.

[Figure 2. MTD Deployment Options. Source: Gartner (October 2018)]

Use Cases

Various use cases are emerging around the MTD space. In this section, we discuss some of the recurrent ones in the past year. These use cases go beyond the most obvious one, which addresses the need for a general mobile security solution and which we have discussed throughout this report. This use case has had little variation from previous years. Among the efforts from vendors that we have recently seen is integration with Microsoft’s conditional access.14

One of the most discussed use cases in the past year has been mobile phishing.15 The screens of mobile devices are small, and the presentation of information tends to leave out details to enhance user experience. There are also numerous channels to reach a mobile device that, unlike email, are not under phishing protection. It is, therefore, easy for users to fall victim to phishing on mobile devices. MTD solutions can protect from malicious URLs sent via email, text, social or instant messaging and other apps. Depending on the solution and type of deployment, MTD solutions can remediate, for example, by blocking the URL or by alerting the user about the threat.

Unmanaged devices is another use case that is increasing. Scenarios such as BYOD sometimes make it impractical to manage employee devices via mobile device management (MDM). Users of unmanaged devices make choices that can put enterprise infrastructure at risk.16 Security leaders need a way to protect the enterprise infrastructure from these potentially compromised mobile devices. One solution is to deploy MTD on BYOD devices. As discussed in the Market Direction section, without an MDM profile, device information and remediation actions may be limited, especially on iOS devices. However, MTD vendors are coming up with innovative ways to remediate. For example, an MTD solution can set up a VPN that constantly redirects traffic back to the device to avoid allowing a compromised device from accessing corporate resources. This technique is sometimes referred to as blackholing. iOS, where it has always been more challenging to intervene with an unprivileged app, is starting to enable this sort of functionality via APIs and entitlements.17

Enterprises also leverage MTD to perform app vetting. Certain mobile app reputation solutions (or mobile app security testing) have expanded their capabilities and have become MTD solutions, while others have been integrated in larger MTD suites. MTD solutions today can analyze apps and indicate which ones are in conflict with the corporate policy. MTD, therefore, can be used to blacklist and whitelist apps. Some organizations use the MTD solutions not only to vet third-party apps, but also as a lightweight mobile app security testing solution for their own mobile apps.

Compliance is another frequent use case. Gartner clients sometimes suggest the reason they are looking for an MTD solution is regulation-related or related to the recommendations of an audit. In most of these instances, the requirement is for an anti-malware solution to be present on all endpoints, mobile or otherwise.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

In this section, we provide a list and description of representative vendors in the MTD space. A common baseline of MTD functionality that all vendors in this report offer includes:

• Device-level configuration vulnerabilities: The solution can identify device configurations and settings that can expose the device or make the device vulnerable to attacks; for example, the device being set in developer mode, the device being rooted or jailbroken, the OS version being outdated.

• Malicious apps: The solution allows malicious apps to be identified and blocked or blacklisted.

• Network attacks: The solution can identify, block, prevent or remediate network attacks. Examples of attack techniques to be detected are SSL stripping, malicious iOS profile, rogue Wi-Fi access point and badly reputed IP addresses.

Vendors offer this functionality with varying degrees of efficacy and granularity, and this research does not rank MTD products. All of the representative vendors support both iOS and Android. Beyond the fundamentals that make the basis for MTD and that the representative vendors in this research all support, Table 1 provides a summary of additional capabilities of the representative MTD vendors discussed.

Vendor Profiles

Appthority
www.appthority.com/solution/overview

Appthority protects against leaky and malicious apps, device misconfigurations, and active network threats. Compliance management can be enforced directly on the device, using an optional agent, or through integration with UEM. Malicious and risky app behaviors are detected through static analysis of the binary code, including third-party libraries, and dynamic behavioral analysis via code execution. Appthority looks for device misconfigurations as well as for malicious network addresses and vulnerable app back ends. Appthority integrates in Google’s Android Enterprise to automatically whitelist apps for Managed Google Play based on corporate policy. It also provides an SIEM integration and reporting following a publish-subscribe pattern. For organizations that do not wish to install an MTD app on their devices, Appthority provides the option to only access the application vetting component and integrate it with the UEM of choice to remediate noncompliant apps. Appthority provides on-premises integration/connectivity with UEM systems leveraging a UEM connector as a virtual appliance to be deployed inside the customer’s network.

BETTER
better.mobi/mobile-threat-defense

BETTER’s ActiveShield is an MTD solution that delivers continuous on-device monitoring. It provides detection, prevention and remediation for mobile threats on the application, network and device level. On the application level, ActiveShield performs static and behavioral analysis to identify malicious apps. For selected applications, it can block exfiltration of sensitive data from the apps residing on the device. ActiveShield can also blacklist specific Wi-Fi or cellular networks. Its dashboard can highlight vulnerabilities as well as their severity for each device. Remediation can take place via integration with UEM, and integration with SIEM is also possible. BETTER also provides a separate SDK for unmanaged devices. BETTER integrates with ServiceNow for IT service management. A recent offering from BETTER provides Microsoft Intune customers with 50 free licenses for 18 months.

Check Point
www.checkpoint.com/products/sandblast-mobile

Check Point’s SandBlast Mobile provides MTD leveraging on-device functionality as well as Check Point’s ThreatCloud. SandBlast Mobile offers application scanning and cross-platform attack protection, combined with network and device anomaly detection. SandBlast Mobile also provides On-device Network Protection (ONP) for anti-phishing, safe browsing and URL filtering. ONP also allows it to have anti-bot and conditional access in case the device is infected, all independently of a UEM deployment. Part of the analysis takes place on the device and part of it occurs in the cloud. In the cloud, the app goes through a series of engines including advanced static code flow analysis, dynamic sandboxing (emulation) and machine learning. If a device is suspected

Table 1. Representative Vendors in Mobile Threat Defense

Vendor | Device Vulnerability Management | App Vetting | Anti-Mobile Phishing | Device Attack Protection | Content Filtering | Cellular Network Attack Protection | Secure Transport Enforcement | UEM/MAM Integration | SIEM Integration | Deployment Method (app, SDK, proxy) | On-Premises Option
Appthority (Mobile Threat Protection) | Yes | Yes | No | No (only device-configuration vulnerabilities) | No | No | No | VMware, Microsoft, MobileIron, Citrix | Splunk, API | Agentless (app protection only), App | Yes
BETTER (Mobile Threat Defense) | Yes | Yes | Yes | Yes | Domain blacklisting (no roaming or 4G/Wi-Fi policy options) | False base station | Blackholing (for network attacks), VPN | VMware, MobileIron, Citrix, Microsoft | Splunk, Hewlett Packard Enterprise-ArcSight, IBM (QRadar), LogRhythm, syslog/API | App, SDK | Yes
Check Point (SandBlast Mobile) | Specific vulnerabilities, without severity indication | Yes | Yes | Yes | Domain blacklisting (no roaming or 4G/Wi-Fi policy options) | SS7, False base station (via Vaulto) | VPN | VMware, MobileIron, IBM, Microsoft, Citrix, BlackBerry | Splunk, QRadar, ArcSight, Check Point SmartEvent, syslog | App, SDK | Yes
Kaymera (CipherWatch) | No | Yes | Yes | Yes | No | False base station | VPN | VMware, MobileIron | syslog | App | Yes
Lookout (Mobile Endpoint Security) | Yes | Yes | Yes | Yes | Domain blacklisting (no roaming or 4G/Wi-Fi policy options) | False base station | Blackholing | VMware, BlackBerry, MobileIron, Microsoft, IBM | Splunk, ArcSight, QRadar, syslog/API | App, SDK | No. Option to only store PII on UEM server on-premises
Pradeo (360° Mobile Threat Defense) | Yes | Yes | Pradeo browser, SMS | No (only device-configuration vulnerabilities) | Domain blacklisting on Pradeo browser (no roaming or 4G/Wi-Fi policy options) | False base station | Via Pradeo browser | VMware, BlackBerry, Microsoft, MobileIron, IBM, SOTI | Splunk, QRadar, ArcSight, syslog | App, SDK | Yes
Symantec (SEP Mobile) | Yes | Yes | Yes | Yes | Via integration with other Symantec products | False base station | VPN, Blackholing | VMware, BlackBerry, Citrix, MobileIron, Jamf, IBM, Microsoft, Fortinet, API | ArcSight, QRadar, LogRhythm, RSA, Splunk, McAfee, API, syslog/CEF | App, SDK | No
Wandera | Yes | Yes | Yes | Yes | Yes | False base station | VPN | VMware, BlackBerry, Cisco, Citrix, IBM, Jamf, Microsoft, MobileIron, SAP Afaria, SimpleMDM | Splunk, RSA, AlienVault, McAfee, syslog/CEF | App, Proxy | Yes
Zimperium (zIPS) | Yes | Yes | Yes | Yes | Domain blacklisting (no roaming or 4G/Wi-Fi policy options) | False base station | VPN, Blackholing | VMware, BlackBerry, Matrix42, MobileIron, Microsoft, Citrix, SAP Fiori, IBM | Splunk, ArcSight, McAfee, syslog/API | App, SDK | Yes
Table legend:

Device vulnerability management: The solution can show the mobile OSs and the vulnerabilities for each version and security patch level.

App vetting: The solution has functionality that allows it to block, blacklist or identify apps that can perform actions or request permissions that are in conflict with enterprise policies and could lead to data leakage. These are not necessarily malicious applications. The enterprise administrator can customize these policies.

Anti-mobile phishing: The solution can block malicious URLs. If only specific channels are covered (such as SMS or browser), this is specified.

Device attack protection: The solution can identify, block, prevent or remediate OS or kernel-level attacks.

Content filtering: The solution can blacklist specific domains or disallow connection through specific access channels such as cellular or Wi-Fi.

Cellular network attack protection: The solution is able to detect threats deriving from cellular network vulnerabilities such as the ones in the SS7 protocol or the false base station (aka Stingray) attack (see Note 5).

Secure transport enforcement: The solution can provide transport security during an attack (for example, by activating its own or a third-party VPN when it identifies a network or other related threat). Blackholing suggests that the solution can instead block traffic from the device toward the enterprise to protect the enterprise from a compromised device.

UEM integration: Device management solutions with which the MTD solution functionally integrates. Additionally or alternatively, availability of an API for integration with further products.

SIEM integration: SIEM solutions with which the MTD functionally integrates. Additionally or alternatively, availability of an API for further integrations or support of syslog or CEF formats.

Deployment method (e.g., app, SDK, proxy): App suggests that the solution can be deployed either stand-alone or integrated with UEM (see UEM/MAM integration), as shown in Figure 2.

On-premises option: The solution can be deployed in the enterprise premises.

Source: Gartner (October 2018)


of being under attack, SandBlast Mobile can force communications into a closed/quarantined tunnel as well as guide the user to remove the threats from the device. SandBlast Mobile integrates with Vaulto to protect from cellular network attacks. SandBlast Mobile also provides a cloud-based management portal, an on-premises option and a managed security services provider (MSSP)-managed platform. SandBlast Mobile integrates with major UEM and SIEM tools. Check Point’s broader mobile security offering provides secure containment and device management through its product Capsule, and is featured in the “Critical Capabilities for High-Security Mobility Management.”

Kaymera
www.kaymera.com/mobile-threat-defense

Kaymera CipherWatch provides MTD by identifying attack patterns, indicators of compromise and behavioral anomalies on the network, app and device level. Kaymera’s solution takes into account the context in which devices are being used. Kaymera assigns a risk profile to the user (for example, based on seniority or the sensitivity of the data residing on the device). Kaymera Adaptive Mobile Threat Defense (AMTD) also integrates with UEM solutions to provide remediation. To promote users following best practices, the solution provides an individual score for each device that increases with best practices followed. Kaymera’s broader mobile security platform provides secure voice and texting and device management as well as its own hardened OS, and is featured in the “Critical Capabilities for High-Security Mobility Management.”

Lookout
lookout.com/products/mobile-endpoint-security

Lookout Mobile Endpoint Security detects malware and grayware on iOS and Android devices. Lookout’s detection uses app binaries, OS fingerprints and network connections to determine when anomalous app, device, network or website behavior occurs. It also leverages periodic code samples from monitored devices, including the ones using Lookout’s consumer offering. Lookout uses the information gathered to create heuristics that allow it to detect and prevent attacks. The dashboard allows for customizable policies and alerts, and alerts and advice are also sent to the user via the Lookout app. Lookout on-device remediation inhibits a compromised device from exfiltrating data or contacting and infecting the enterprise network. Lookout interfaces with UEM tools to facilitate remediation and can also be deployed inside Android Enterprise and Samsung Knox containers, as well as an integrated feed for Microsoft’s Windows Defender. Lookout also provides an SDK deployment option that can protect unmanaged device use cases as well as consumer-facing apps. While Lookout does not provide an on-premises option, its privacy mode option allows personal information to only reside on the premises-based MDM server of a UEM solution.

Pradeo
www.pradeo.com/en-US/mobile-threat-protection

Pradeo 360° Mobile Threat Defense conducts application scanning to detect and qualify behavior and vulnerabilities. The product also identifies device and network misconfigurations. Pradeo’s solution for application scanning is based on an engine that leverages machine learning, and combines static, dynamic and behavioral analysis. On the network and device side, the solution can identify misconfigurations that can lead to security issues and trigger remediation actions. In addition to iOS and Android apps, Pradeo’s solution can scan Windows 10 applications. Pradeo 360° Mobile Threat Protection can integrate with UEM suites to blacklist applications. Its integration with the Knox platform allows it to block noncompliant behavior, still allowing the usage of the application on Samsung Knox devices. The solution offers a secure browser and a secure email client. Pradeo also offers the solution in the form of an SDK that can be embedded in apps, under the name Pradeo Security App Self-Protection.

Symantec
https://www.symantec.com/products/endpoint-protection-mobile

Symantec Endpoint Protection (SEP) Mobile provides visibility and protection for managed and unmanaged mobile devices from malware, network threats and app/OS vulnerability exploits. SEP Mobile leverages threat intelligence from Symantec’s Global Intelligence Network (GIN), in addition to device- and server-based analysis, as well as predictive malware detection techniques. SEP Mobile provides an on-demand VPN to protect data in transit over unsecured connections and SMS phishing protection. Its mobile network access control (mNAC) technology can selectively protect sensitive corporate resources from risky devices, protect against fake corporate Wi-Fi networks, and block app and browsing toward known malicious command and control servers. SEP Mobile’s main functionalities are initiated on the device, providing protection in the absence of network connectivity. SEP Mobile can integrate with other Symantec offerings, such as Symantec Web Security Service (WSS) to provide content filtering, and also integrates with Android Enterprise.

Wandera
wandera.com/solutions/threat-defense

Wandera combines network-based traffic monitoring and filtering with on-device threat detection. Wandera’s MI:RIAM engine uses a combination of behavioral analysis, application and domain classification, and signature scanning to identify malicious or suspicious network connections, zero-day phishing attacks and risky apps. MI:RIAM leverages machine learning to process in the cloud threat intelligence data from Wandera’s supported devices as well as from other sources. While Wandera’s main setup is proxy-based, certain capabilities such as device anomaly checks require an optional on-device agent. Wandera can provide URL and domain policy enforcement to blacklist specific domains (such as a video on-demand service) when roaming over 4G, but still allow it over Wi-Fi. Its proxy allows Wandera to block data exfiltration as well as phishing attacks. Wandera can

also be deployed as a stand-alone app in enterprise scenarios where the proxy is not an appropriate fit or where network-based threats are not a concern. The solution provides data anonymization for organizations that wish to use the proxy while ensuring user privacy.

Zimperium
www.zimperium.com/zips-mobile-ips

Zimperium offers zIPS, an MTD solution that operates entirely on the device. zIPS analyzes data on-device for good and bad behavior, and then utilizes its machine-learning-based engine, called z9, on the device to detect attacks. z9 identifies malicious apps, tackles network threats and includes tracking of indicators of compromise for device-level attacks. zIPS provides an enterprise administrative dashboard that can be hosted in the cloud and can simultaneously integrate with multiple UEMs. Zimperium recently acquired Mi3 Security, with which it previously partnered to provide app scanning for grayware apps. Zimperium’s z9 integrates in the MobileIron MDM agent and is available as MobileIron Threat Defense. Zimperium is also part of McAfee’s Security Innovation Alliance, and zIPS integrates with ePO. Zimperium offers zIAP, an SDK, that is also part of SAP Fiori. Zimperium can integrate with SIEMs and also provides a Splunk App for viewing threat data. The vendor partners with a number of carriers to provide MTD as part of mobility services as well as consumer applications.

Other Vendors

A number of other solutions provide MTD functionality. Relevant products include Corrata (Internet Security) and Usage Control, Cisco Security Connector, Deep Instinct (D-Client), Kaspersky Security for Mobile (see Note 6), Palo Alto Networks (GlobalProtect) and Proofpoint Mobile Defense.

Market Recommendations

Security and risk management leaders should leverage MTD to address evolving and advanced mobile security needs. Before investing in any MTD solution, security leaders should have a security baseline in place for their mobile devices, possibly enforced via their UEM solution. This baseline includes:

• Maintaining minimum OS and device standards, and disallowing enterprise access to unpatched or older devices

• Forbidding app sideloading, and only allowing the official app stores and the enterprise store

• Prohibiting jailbreak and rooting of devices, as well as unlocked bootloaders

• Enforcing a complex-enough passcode (six character alphanumeric, at a minimum) and/or biometric-based authentication, imposing encryption, as well as a passcode retry limit

• Enforcing a remote wipe procedure as well as periodic encrypted backup

Organizations should gradually introduce MTD solutions based on their industry, applicable regulations, sensitivity of data on mobile devices, use cases (for example, frequent international travel in high-concern countries) and organizational risk appetite. Organizations in high-security verticals, those with large Android device fleets or those in regulated verticals such as finance and healthcare should plan to adopt MTD solutions sooner rather than later.

Security leaders should integrate the MTD solution with their incumbent UEM tool, and enterprises should leverage UEM wherever possible. However, in the cases where they cannot apply device management, security leaders should contemplate MTD as a protection. Typical scenarios for this will be BYOD. The proxy-based deployment is not the most indicated for BYOD scenarios, and should be selected mainly where strict device management is applied.

Security leaders should leverage the app vetting and device vulnerability management MTD features to provide immediate value to their organization. While app vetting MTD functionality can indicate which apps are undesired, device vulnerability management can indicate unpatched devices and devices that carry severe vulnerabilities. Some security-aware UEMs are starting to develop device vulnerability assessment capabilities, so potential overlap between the two tools should be evaluated before making a selection.

Security leaders should shortlist solutions focusing on the core MTD capabilities. The functionality analyzed in Table 1 will provide further understanding of the completeness of a solution. “Comparison of Mobile Threat Defense Solutions” provides an evaluation of MTD solutions against specific threats and illustrates a sample methodology to evaluate solutions. Completeness of product will be as important, if not more, than efficacy of the response.

MTD tools, especially on iOS, have limited visibility on the system and background processes. OS features such as app sandboxing that protect mobile devices from attacks also inhibit security solutions from fully monitoring what occurs on the device. Even though MTD tools can help, enterprises that require protection from targeted and state-sponsored attacks should not consider MTD as an antidote, and should recognize the complexity and high costs involved in countering those types of threats. The “Market Guide for Secure Instant Communications” illustrates some purpose-built mobile devices that could be used for those use cases.

Evidence

1 “Mobile Leak Report 2017,” Wandera.

2 “Mobile Malware Evolution 2017,” Kaspersky Lab.

3 “2018 Internet Security Threat Report,” Symantec.

4 2017 Gartner Mobile Security Research Survey. This research was conducted via an online survey in November 2017 among members of the Gartner Research Circle – a Gartner-managed panel composed of IT and IT-business professionals. In total, 85 members participated. Qualified participants included business end users with either an IT or IT-business focus as a primary role.


5 “How the Copycat Malware Infected Android Devices Around the World,” Check Point.

6 “HIDE AND SEEK: Tracking NSO Group’s Spyware to Operations in 45 Countries,” The Citizen Lab.

7 “Program Overview,” ZERODIUM. As one example, an exploit against iOS today is valued three times as much as one for Windows.

8 “Dozens of iOS Apps Secretly Collect Location History for Data Monetization, Analysis Says,” AppleInsider.

9 “Check Point to Acquire Lacoon Mobile Security for Industry’s Most Advanced Mobile Threat Prevention,” Check Point.

10 “Symantec to Acquire Skycure, Providing Customers With Comprehensive Mobile Threat Defense Across iOS, Android and Windows,” Symantec.

11 “Lookout to Offer Microsoft Windows Defender ATP Customers a Comprehensive Mobile Security Integration,” Lookout.

12 “MobileIron and Zimperium to Deliver First Real-Time Detection and Remediation for Mobile Threats,” MobileIron.

13 “Windows 10 S Is the Future (but Not the Present) of the Desktop PC,” ZDNet.

14 “What Is Mobile Threat Defense Integration With Intune?” and “What’s Conditional Access,” Microsoft.

15 “WhatsApp: Mobile Phishing’s Newest Attack Target,” Dark Reading.

16 “Fortnite Will Require Android Users to Allow Unknown Sources. Time to Rethink MTD and EMM Policies?” BrainMadden.com.

17 “NetworkExtension,” Apple Developer.

Note 1 Representative Vendor Selection

The vendors named in this guide provide the fundamental functionality of mobile threat defense solutions on device, network and application levels, as well as additional mobile threat defense features. Gartner estimates that there are more than 15 vendors in this market.

Note 2 Grayware

“Leaky” apps are apps that are not necessarily malicious. However, they can be in conflict with enterprise policies or even put enterprise data at risk.

Note 3 Definition of Mobile Threat Defense Terminology

The name mobile threat defense suggests these solutions provide not only prevention, but also detection and remediation. “Defense” alludes to the fact that MTD focuses on malicious threats, rather than managing a device or protection from simple user mistakes.

Note 4 Unified Endpoint Management (UEM)

The term “UEM” is replacing the notion of enterprise mobility management tools. Information on the component pieces of UEM can be found in “Prepare for Unified Endpoint Management to Displace MDM and CMT.”

Note 5 False Base Station Attack

The false base station attack (also known as Stingray) is a network attack that affects and leverages the cellular connection of a device. Similar to a rogue access point attack for Wi-Fi, a false base station pretends to be a legitimate cellular base station to lure connections from one or more cellular devices. Under certain circumstances, a false base station can act as a “man in the middle,” intercepting traffic, and can, at a minimum, obtain a permanent identifier of the cellular device, called IMSI. A false base station is also called an IMSI catcher for this reason.

Note 6 Kaspersky Lab

In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky Lab’s software from their systems. Furthermore, several media reports, citing unnamed intelligence sources, have claimed that Kaspersky’s software was being used by the Russian government to access sensitive information. Although the U.S. government has not given any official explanation for the ban, Kaspersky Lab vehemently refutes the unsubstantiated claims and stresses that there has yet to be any evidence produced of its alleged wrongdoing. Kaspersky maintains that the actions lack sufficient basis and are unconstitutional, and has initiated legal action against the U.S. government. Gartner clients, especially those who work closely with U.S. federal agencies, should continue to monitor this situation for updates.

Source: Gartner Research, G00341580, Dionisio Zumerle, John Girard, 30 October 2018

Research from Gartner

How to Successfully Navigate the Hurdles of Global-Scale BYOD Implementations

Bring-your-own-device initiatives offer the opportunity to cost-effectively extend mobility enterprisewide. However, no single BYOD approach works in all geographies. I&O leaders must learn to navigate the cultural, risk, cost and legal/regulatory hurdles of BYOD to expand mobility across the globe.

Key Challenges

• Regional economics drive significant variability in mobility costs, complicating subsidy programs.

• Robust labor and privacy laws in some countries inherently favor organizationally owned models or specialized approaches that blur the line between ownership models.

• Users’ participation in bring-your-own-device initiatives can erode an organization’s buying power with carriers for company-owned lines, increasing costs for non-BYOD users.

• Affordable devices preferred by users in some countries may not meet security and data protection requirements.

Recommendations

I&O leaders focused on mobile and endpoint strategies should:

• Segment the user roles that could benefit from BYOD in their organizations based on business need for mobile devices.

• Tailor ownership models and policy mix on a regional and countrywide basis, using a phased approach and working in collaboration with HR, legal, finance and line-of-business stakeholders.

• Cost-optimize subsidy investments by factoring in the impact of labor laws, regional consumer mobility costs and cultural attitudes.

• Use incentives to achieve business goal-based optimum participation in BYOD programs.

• Make local personal device preferences, and those devices’ ability to meet security and manageability requirements, primary factors in determining ownership models.

Strategic Planning Assumption

By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device.

Introduction

The improved efficiency, access and employee engagement that mobile computing enables makes it fundamental to digital transformation. Such transformation requires expanding mobile access to as many users as possible for maximum benefit; however, doing so by traditional means is prohibitively expensive for most organizations.

In most cases, a “hybrid” program, consisting of a mix of organizationally owned and user-owned devices, is the most cost-effective way to provide mobile access to the largest number of users in an organization (see Note 1).

Device Ownership and Management Models

Various mobile device ownership and management models are shown in Figure 1. (For additional information, see Note 2, Note 3 and Note 4, as well as Table 1.)

FIGURE 1 Device Ownership and Management Models

Source: Gartner (January 2018)


Table 1. Common Mobile Policies and the Management Systems That Can Apply Them

Policy | Available With Enterprise Mobility Management (EMM) | Available With Stand-Alone Mobile Application Management (MAM)1 | Comment
Screen Lock Timeout | √ | |
Passcode/Complexity Enforcement | √ | |
Device Data Encryption | √ | |
Full Device Wipe (Factory Reset) | √ | | Not recommended for bring your own device (BYOD) initiatives
Selective Wipe of Enterprise Applications and Data | √ | √ |
Per-App Virtual Private Network (VPN) | √ | √ | May require compatible VPN or gateway product
Single Sign-on (SSO) for Managed Applications | √ | √ | May require supported identity and access management (IAM) infrastructure
“Open-in” App Restrictions for the Containerization of Enterprise Data | √ | √ |
Enterprise App License Management | √ | √ | Capabilities variable between products

1 Stand-alone MAM requires software development kits (SDKs) or app wrappers to instrument apps for policy management. Stand-alone MAM has limitations for managing public app store applications. App store vendor end-user license agreements prohibit the wrapping of public apps. Independent software vendors (ISVs) don’t commonly accept requests for custom versions of their apps compiled with MAM SDK libraries. This may limit the scope of enterprise-enabled apps. It’s the primary reason EMM is the recommended approach, when possible, although vendors such as AppDome and DronaHQ are working to change this.

Source: Gartner (January 2018)

Expanding mobile access in the most cost-effective way will require most organizations to adopt elements of two or more of the above models. This mix will vary from region to region. In most cases, some mix of traditional/choose your own device (CYOD) and BYOD will provide the optimal results. However, although traditional models and CYOD (essentially, traditional models with a degree of limited user choice among standard devices) are well-understood, outside a small number of countries, BYOD is much less so. Despite popular perceptions to the contrary, BYOD is not common in every country or region of the world, nor is it practiced in the same way from one place to another. In some areas, BYOD is well-established and mature. In others, BYOD simply isn’t practical or cost-effective. Cultural, legal, economic and device availability issues collectively have a major impact and make simple answers and one-size-fits-all approaches impractical. This makes a mixed ownership model – especially one that spans multiple regions – highly challenging to implement.

The optimal mix of models will differ significantly across organizations, and across geographies within multinational organizations. There’s no “right” combination that can be prescribed.

Accordingly, this research provides guidance to infrastructure and operations (I&O) leaders planning to implement BYOD on a global scale to extend mobile computing to as many users as possible, without exposing the organization to undue financial, legal and security risk.

Analysis

Segment the User Roles That Could Benefit From BYOD

Implementing a hybrid ownership model of enterprise-owned and BYOD wherever practical allows for lowest-cost expansion of mobility to the greatest number of users. A quick look at the most common approach illustrates why:

• Users who have a qualified “business need” for a mobile device are offered an organizationally owned device by default. This group often includes executives, frontline sales, field service and IT personnel responsible for the high-impact support of business systems. They can opt in to the BYOD program and use their personal mobile devices to fulfill this need. The organization may or may not compensate them for the costs associated with the business use of these personal devices (which are highly variable, based on the country involved).

• Users who have a less-compelling business need for a mobile device may qualify for the above group based on manager approval, or they may only get mobile access by participating in the BYOD program (this varies). This group often includes salaried knowledge workers and supporting roles. If this group receives a subsidy, it’s often at a lower rate than those in the above group.

• Those for whom mobile access is considered a convenience may get mobile access only through participation in the BYOD program. This is typically “everyone else,” including task workers and hourly workers. Specific policies such as those related to overtime work may restrict when and how these users use their mobile access. These users typically receive no subsidy (in countries where subsidies are common). Because mobile access for these employees is for convenience, rather than for strict business need, no subsidies are typically provided (in countries where subsidies are commonly used).

In this widely adopted hybrid model, the organization still pays for devices owned and issued by the company for those who qualify. However, all other employees are given the option to opt in to the BYOD program, if they choose. The primary motivator for those employees to opt in initially is mobile email access; however, organizations frequently make all but sensitive/regulated, data-oriented business apps available to them as well.

In many organizations, this latter category of user (convenience-oriented/unsubsidized) is the largest of the three. (For detailed information on how to segment users by device ownership model.

Tailor Your Ownership Models and Policy Mixes on a Regional and Country Basis

As organizations have expanded access to mobile computing globally, approaches to mitigate some of the most problematic aspects of BYOD have evolved. However, best practices for many places where BYOD has not been common have yet to emerge. I&O leaders launching multinational BYOD initiatives or expanding mobility programs cost-effectively will need to work closely with the HR, legal, finance, and security and risk groups, region by region in a phased approach, to build successful programs, while mitigating risk.

Common challenges to establishing a BYOD program in different geographic areas include:

• Availability/Popularity of Enterprise-Friendly Devices – Android dominates many areas worldwide; however, older versions of that OS (prior to Version 6) can present management and security challenges. These older versions are still in widespread use in many countries.

• User Privacy Concerns – Users may be initially resistant to the requirement to enroll devices in EMM systems as a condition of access. Alternative management approaches to EMM, such as MAM, have limitations that may be problematic for many organizations, especially those deploying public (i.e., app store) applications.

• High Consumer Mobile Costs – Device and carrier costs for consumers vary widely from region to region. In areas where these costs make up a significant percentage of the employee’s annual earnings, BYOD may be unrealistic, unless subsidies for business use are provided. Historically, this has been a major barrier to adoption in many countries.

• Data Privacy Laws/Regulations – In areas with strong user privacy protections, such as the EU, BYOD as commonly practiced may make compliance difficult. The EU General Data Protection Regulation (GDPR), which takes effect in 2018, is not yet well-understood in terms of BYOD impact. It’s a major reason BYOD adoption has slowed in EU countries in recent months.

• Labor Laws/Labor Contracts and Works Councils/Labor Unions – In some countries, states or provinces, labor laws compel organizations to provide subsidies for work-related use of devices. In others, Works Councils and Unions may object to BYOD on privacy or financial grounds, making it challenging to implement where such organizations are strong. Stringent labor laws/regulations or labor contracts complicate BYOD. Places such as Scandinavia have spawned alternative forms of BYOD (e.g., “SIM swap”).

• BYOD Practices Counter to Mainstream Patterns – In China, BYOD for PCs (BYOPC) is common, but BYOD for mobile is not. This is the opposite of the rest of the world. In addition, as practiced in China, BYOPC may not meet the security, risk and support requirements of global organizations.

• BYOD Simply Not Commonly Practiced – In some countries, such as Japan, conditions would appear to be favorable to BYOD, yet BYOD is rare. This creates cultural barriers to adoption, as user demand for BYOD may be low. In addition, lack of experience with BYOD in such countries means a lack of understanding of country-specific issues that may arise.

This list should make it obvious that a single, uniform set of BYOD policies across even a handful of countries is unrealistic.

Figure 2 summarizes the key challenges to implementing BYOD globally. This map makes it apparent why multinational organizations have struggled with implementing global BYOD programs across all the geographies

18 19

they do business in. The varied issues In the U.S. and, to a lesser extent, Canada, It’s assumed that SRAs need to cover only a illustrated here amplify why a phased subsidies for monthly carrier fees associated portion of the carrier fees. There’s no need to approach to planning could be key when with BYOD are common and should be subsidize the cost of the device itself (unless BYOD is a fit for your organization. A cross- considered for deployments there. Such it’s viewed as a benefit, as in parts of Europe), functional team – with representation from IT, subsidies are less common in the U.K., and many users may fall into an unsubsidized HR, legal, finance and business stakeholders Ireland and Australia. Be prepared to category. Nonetheless, BYOD still provides a – is essential to evaluating the desirability of re-evaluate the need for subsidies in each mechanism to make mobility pervasive at a implementing BYOD in each region of interest. region on an annual basis, because the need reasonable cost in these areas. for subsidies may change in a given area, Start with geographic areas in which BYOD along with the amounts subsidized. Since Although BYOD has fairly strong uptake is widespread and well-understood. This 2014, subsidies in the U.S. and Canada, for (although much less than in the above includes the U.S., Canada, the U.K., Ireland, example, have declined by more than 30%. countries) in Western Europe, the imminent Hong Kong and Australia/New Zealand. implementation of GDPR has slowed adoption in recent months, as organizations struggle to understand its implications. In addition, strong privacy and employment FIGURE 2 laws make deployments in this area tricky. Primary BYOD Challenges Across Regions and Countries Consider traditional models or CYOD for these countries, if BYOD proves too problematic or complex to implement. If you go this route, then re-evaluate the feasibility of BYOD once GDPR’s impact is better understood.

In other areas, such as Russia, India, Turkey, Brazil and Chile, BYOD is widespread, but local device preferences and common BYOD management practices may create challenges. The versions of Android that are popular in these countries tend to lean heavily toward Version 5.x, with a substantial amount of Version 4.x as well, although Version 6 is on the rise. This, combined with lagging investment in EMM tools, can make it difficult to meet security and risk requirements, especially if enterprise apps are to be deployed. In countries such as these, infrastructure investments may be required, and acceptable device policies will have to be carefully tailored to balance consumer preferences with enterprise risk mandates.

Challenges such as these should make it clear that one-size-fits-all approaches to implementing a hybrid of ownership programs are impractical. Engage with stakeholders and take a phased, country- by-country approach. Position the right mix of CYOD and BYOD to provide the right model in each geography, based on local conditions. BYOD will not be a good fit for some areas. When this is the case, consider whether a corporate-owned, personally enabled (COPE) CYOD approach is a good fit Source: Gartner (January 2018) to achieve many of the end-user benefits of BYOD, thus sidestepping the challenges. At

19 times, depending on requirements, a purely South America, where the carrier fees are Economic factors should be evaluated as traditional approach will also be the right exceptionally high, users may not participate well. In large parts of Africa, Central America, decision. in a BYOD program without them. Oceania, Southeast Asia and Eastern Europe, the cost of using a personally owned Cost-Optimize Your Subsidy In other words, subsidies may be a clear mobile device can be from 5% to 50% of Investments requirement for success with BYOD in some a user’s monthly income. Compare that to geographies, but the opposite may be true in well below 1% in the U.K./Ireland, Western Cost-optimizing your subsidies – should others. A global program must consider the Europe, China, Japan, the U.S., Canada and your organization deem them necessary question on a country-by-country basis or, at Australia. In high-cost areas, BYOD without a or desirable – is a major key to success. minimum, by region. subsidy is usually a nonstarter. Ultimately, the question of whether or not to subsidize certain BYOD users for the business The primary driver of the expansion of Other economic and cultural factors include use of their personal devices – and how subsidy implementation in the U.S. was a the regional job market. When India much – is a question not for IT, but for your 2014 California court ruling. This came in was the hottest tech job market on the legal, HR and finance departments. Ongoing response to a suit by an employee who planet just a few years ago, the devices a engagement with these groups – along with successfully claimed her organization’s hiring organization offered the user were your business stakeholders – should be lack of a subsidy for BYOD users violated commonly factors in acceptance of job offers. central to your efforts to define policies across California Labor Code 2802.This caused Companies offering better (and more types all aspects of a BYOD program. many U.S. 
organizations’ legal departments of) devices often had an advantage when to rethink their position on subsidies. Because recruiting talent. Factors to consider include: wording similar to California Labor Code 2802 exists in several other U.S. states, and • Those related to risk – State/provincial, Use Incentives to Achieve Business- similar mandates may be buried in various local and country labor laws, union/works Goal-Based, Optimum Participation statutes and be hard to uncover, many U.S. council issues, and employment contract in BYOD companies have decided that a token stipend requirements. A desire to save money should not be the is worth the cost for offsetting this risk. primary justification for adopting BYOD. • Those related to organizational Despite declining subsidies for BYOD users Gartner estimates that about 65% of U.S. and local societal culture – How the (even as the use of subsidies have expanded companies with BYOD programs offer a organization wishes to be perceived greatly in North America), BYOD might not subsidy to that portion of their user base by employees and the impact of this cost you less than organizationally owned/ with a business need for a mobile device. perception on recruiting, retention and issued devices for users who qualify for Average amounts, user segmentation and employee satisfaction; larger cultural them. Savings will depend on the nature of payment management approaches can be attitudes about the rights of individuals/ your business and the types of users you found in “How to Manage BYOD Stipends, employees versus businesses. must serve, as well as the mix of ownership Reimbursements and Allowances, 2016 models that suit a given region. The Update.” The use of subsidies in Canada • Business-IT strategy goals – Cost opportunity to save money has increased as has grown since this ruling as well, but at a sensitivity/savings goals; transformation subsidy amounts have declined; however, slower pace. 
versus optimization through mobile given the geographic variables, realizing computing; desire to encourage or limit actual savings remains far from certain. In parts of the EU (in particular, Scandinavia), participation in BYOD programs. offering a subsidy for BYOD use amounts to a As Type 1 users (who qualify for benefit to the user, and becomes ensconced Subsidies for BYOD device use for business organizationally owned devices and in the employment contract between the user have become widespread in the U.S. and, to plans) opt in to the BYOD program, the and the organization. If the company decides a lesser degree, in Canada, where they are organization’s “attainment tier” (i.e., buying in the future to modify the program, change viewed by many organizations as required power with carriers) is eroded for the devices/ eligibility requirements or alter stipend due to legal risk (see below). In countries plans it still owns and issues. However, this amounts in line with industry averages, the such as Australia and the U.K., they are doesn’t necessarily mean higher costs overall user must agree to the changes, and the used, but by a much smaller percentage for mobile. You can mitigate this and strike contract must be amended accordingly. of organizations than in North America. In a balance between loss of buying power For this reason, “mainstream” BYOD is not parts of continental Europe, they can actually and, through incentives and disincentives, common in that region. Instead, the “SIM- be problematic, because subsidies could influence demand for BYOD. To drive the card swap” approach (refer to Note 2) is be viewed as employee benefits that can’t right level of demand, you must determine commonly used. be easily modified or taken away. In many your goals and know your per-user costs, of the countries in Africa or Central and something into which most organizations

20 21

with large numbers of company-issued Modern Android (since at least Version 6/ and Android 6.0 (or, even better, Version lines have good visibility. Offer appropriate Marshmallow) has evolved enterprise- 7.0) or higher, which has greatly improved incentives based on these goals/costs: To friendly controls, such as Android for manageability, compliance and TCO. Similar get more users to opt in to BYOD, offer older, Work APIs and Zero Touch deployment approaches enable a mix of iOS and Android less desirable devices as your organization- capabilities (available on Version 8/Oreo devices from a particular manufacturer with owned phones and tablets. and up, and on prior versions with Samsung enterprise-friendly features. Knox). Managing these versions is on par To limit BYOD participation, restrict access to with managing iOS devices, given a well- Although limiting device eligibility solves only a few business-related mobile apps or maintained EMM product. However, older the TCO and support problems identified offer lower support levels, where possible versions are a different story, and acceptable above, I&O leaders must account for the (this is cost-effective only for the largest device policies that don’t account for this can needs of different users and their varying cost organizations with the greatest buying power). invite problems. sensitivity, when developing an acceptable To understand the key cost levers for CYOD, device policy. Some users may be able to see “U.S. Enterprises Should Separate Wireless As an open-source OS, Google allows afford only the least-expensive devices, Device and Service Purchases to Optimize Android to be modified significantly by device and these are often based on out-of-date Costs,” “Toolkit: Best Terms and Conditions manufacturers. Prior to changes made since versions of Android. To extend mobile for Enterprise U.S. 
Cellular Service, 2017,” Marshmallow, the same nominal version computing across the enterprise, balance a and “Best Practices for Optimizing Mobile of Android on devices from two different sensitivity to device cost with manageability Contracting the European Way.” original device manufacturers could behave and data protection requirements. very differently when managed using EMM In some regions, particularly the U.S. and or other tools. Essential features, such as Evidence Canada, carriers have adapted to BYOD. encryption, might be missing altogether This research is based on Gartner client They often try to offset attrition of corporate on less-expensive phones, some devices inquiries and client engagements in which lines by offering some credit for user-owned could not be updated with critical security Gartner has assisted clients in their work- lines or adding value to contracts via deeply updates and some devices would be difficult around BYOD and CYOD plans and policies. discounted devices or other services. to impossible to enroll with EMM. Moreover, However, even these efforts often can’t organizations found that older versions Note 1 make up for lost buying power. Therefore, of Android had no capability for applying Glossary Terms it’s important to know the levers available for security and data-leakage policies to achieving the right balance, and to use them business apps, making secure enablement BYOD is a program (most commonly today, to good effect. of a mix of business and personal data on a formal, governed one) that allows an the same device all but impossible. All of employee to use an approved, personally Make Local Personal Device this resulted in higher total cost of ownership owned device for work purposes. This Preferences a Primary Factor in (TCO). 
A fragmented Android environment device may be a substitute for a similar organizationally owned device or a device Determining Ownership Models could cost as much as five times what iOS does, and result in an inability to meet basic type that normally would not be issued to BYOD implies that I&O leaders increase security and compliance requirements. that particular employee by the organization, the diversity of devices in the organization but that the employee wants to use for to adapt to support such an environment Starting with Android for Work (AfW) in business purposes. effectively. However, it should not mean that 2015, Google has taken steps to address users can choose any device they want. these issues. Google has since rolled AfW CYOD is the traditional model by which the Historically, it was common to implement a functionality into mainstream Android organization owns and issues devices to fairly liberal BYOD acceptable-device policy. versions, starting with Version 6.x. Gartner eligible users, but with the addition of choice The most common policies allowed for iOS advises I&O leaders to add support for from among a selection of similar devices devices (typically current minus one revision Android devices and to set a minimum offered to that user. Contrast this with the or higher) and any Android device running threshold for acceptable devices (i.e., Android more-rigid model, in which IT selects a single, Android 4.2 or higher. This usually was 6.x or later). They should also conform to standard model for a particular device type workable when the only business access Google’s certification (largely identifiable by or a particular job role. available was email via Exchange ActiveSync. the presence of Google Play out of the box). 
However, as organizations started deploying Corporate-owned, personally enabled (COPE) more mobile apps for business and deploying As organizations became aware of this, initiatives allow users a degree of personal EMM to support more-complex use cases, the they started adapting their policies. It’s now use of organizationally owned devices. flaws of this approach became apparent – the common for a BYOD acceptable-device most prevalent of which was the “Android policy to allow for iOS (current or current-1) fragmentation problem.”

Note 2
More on Device Ownership and Management Models

The traditional model is the historical, industry-standard approach to device ownership and management. The organization owns and issues devices to users, based on business need. Devices are procured, provisioned and managed throughout their life cycle by the organization. Devices may be strictly controlled or "locked down," such that users are not permitted to use or modify the device for personal, nonbusiness purposes (e.g., install apps, use personal email accounts or change certain configurations). Increasingly, organizations permit policy-governed personal use of the device, allowing users to select and install personal apps, check personal email or change certain configurations, as desired. This effectively enables users to carry a single, company-owned mobile device for both work and personal use. This usage model is commonly known as COPE.

A variation on the traditional model is CYOD. With CYOD, users choose an organizationally owned and issued device from among two or more standard device models, based on job requirements and/or personal preference. This model arose as an alternative to BYOD for some geographies or organizations in which BYOD is impractical to implement. At the same time, the organization wants to provide the users the specific benefits associated with BYOD by letting the users choose the devices with which they feel most comfortable or productive. In accordance with this motivation on the part of the organization, CYOD devices are also typically COPE devices as well.

BYOD devices are user-owned and allowed to access business resources (e.g., email, apps and data), as long as the user agrees to a set of organizationally defined policies. These may include a degree of IT management of the device via enrollment in EMM or MAM tools, compliance with business-use policies, accepting certain subsidies in lieu of receiving an organizationally owned device. (See "Toolkit: BYOD Mobile Device Policy Template, 2017 Update" for details on the scope and nature of best-practice policies.) BYOD devices may be subsidized, where the organization compensates the user for monthly carrier costs associated with business use of the device, or unsubsidized.

Regional laws and conditions have spawned a variant of BYOD, commonly seen in Scandinavia, which may eventually be used in other areas as well. Once an unapproved, "underground" practice on the part of end users, the SIM-swap approach has become an accepted and policy-governed model for some organizations. In this model, users are issued an organizationally owned device, because this is the easiest way for the organization to comply with local labor laws or regulations. However, users are subsequently allowed by the organization to take the SIM card from that device and install it in a compatible personal device of their choice, enabling them to carry a single device for both work and personal use. Business access from this device is then governed by the same rules as a "mainstream" BYOD device.

Hybrid models combine two or more of the above approaches.

Note 3
More on COPE

Historically, many organizations prohibited the personal use of devices issued for business. These restrictions were often implemented as part of an effort to minimize voice, data and text costs, or out of concerns about data risk. Of course, this was prior to today's common mobile device management (MDM) standards across major mobile platforms. However, carrier costs have declined significantly in much of the world, with a corresponding reduction in the cost impact of typical personal use. In addition, modern, sandboxed mobile devices were designed to facilitate a mix of business and personal use on the same device securely via containerization. These factors have opened the door for organizations to allow for the convenience of a mix of business and personal use mobile devices. Allowing personal use on corporate-owned devices offers organizations the added benefit that employees will not be carrying two smartphones and turning off the corporate-owned one at the end of the business day. This factor has, in practice, become the primary motivator for users to opt in to BYOD.

Contrast this with PCs, which historically have no built-in facilities for keeping business and personal data separated, and it's easy to see why BYOD for mobile has proved much simpler to implement than bring your own PC (BYOPC). This is reflected in the adoption numbers: Although nearly 70% of users across the U.S., U.K. and Australia bring their own smartphones to work, BYOPC numbers have hovered at or below 15% for years. The primary mechanism to enable secure access for user-owned PCs has been client virtualization; however, this may soon change. The latest generation of PC OSs enables a mix of business and personal data to coexist more securely. This evolution will continue to progress in future OS versions of Windows and Mac OS.

However, for the present, BYOD remains largely a mobile device phenomenon, and this research focuses on mobile accordingly.

Note 4
Why Enrolling Devices With EMM Is Preferred Whenever Practical

Because most organizations have a fiduciary responsibility to safeguard corporate information, regardless of who owns the device from which the information is accessed, security policy or implementation should not be based on device ownership.

When it comes to managing and securing mobile devices – regardless of ownership – IT should look for the simplest, most-TCO-friendly approach possible that meets security, data protection and user privacy risk requirements. The major mobile OSs are being built on the premise that organizations will use EMM to manage them. From zero-touch provisioning services (for example, Apple DEP and Google Zero Touch) to enterprise mobile app licensing via Apple VPP and similar programs, EMM is assumed and is required for maximum scalability and integration capabilities.

Ideally, all devices would be enrolled in EMM, and policies would be applied consistently across organizationally owned and BYOD devices, with the exception of device wipe policies. (Commonly, organizationally owned devices are fully wiped, whereas user-owned devices are "selectively" wiped of enterprise apps and data only.)

However, there are times when enrolling user-owned devices isn't practical or even possible. In these cases, a mix of EMM and stand-alone MAM, with or without a secure email application (depending on requirements), typically meets requirements. Consistent application-level policies across EMM-managed and stand-alone MAM devices should be enforced. Refer to Table 1, which summarizes the policies commonly used by most organizations to secure mobile devices, and the management approach to which they are applicable.

Enterprises should carefully explain the need to push policy to personally owned devices to safeguard corporate information. They also must be transparent about what information from the device will be available to the company as a byproduct of the device management paradigm, and how that information will be handled (if at all). Failure to be transparent about what information will be available to the organization and how it will be treated often results in employees suspecting that the organization may be "snooping" or "eavesdropping" on their personal devices. This lowers the attach rate for a BYOD plan.

Additionally, enterprises must explain to users what remedies exist for IT (for example, full device wipe) in the event the device is compromised. It is critical to consult legal and HR teams to ensure that controls pass legal and ethical rigor, and that the policies used to acquire user consent are defensible.

Gartner has created Toolkits for organizationally owned and BYOD policies. These templates contain best practices accumulated over the years and can speed the process of developing and/or checking your mobile policies for completeness. (See "Toolkit: BYOD Mobile Device Policy Template, 2017 Update" and "Toolkit: Enterprise Owned Mobile Device Policy Template, 2017 Update." For best practices on addressing user privacy concerns, see "How to Gain the Trust of Sophisticated BYOD Users.")

Source: Gartner Research, G00341580, Bryan Taylor, Leif-Olof Wallin, 29 January 2018

TrustSpace ; Digital Secure WorkSpace Based on ‘Zero Trust’ is published by Qihoo360. Editorial supplied by Qihoo360 is independent of Gartner analysis. All Gartner research is © 2018 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Qihoo360’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.
