From MDM to MDM: From Managing Devices to Apps to Data
Mobile operations management (MOM) is one of the top priorities of today's modern enterprise. From a functional standpoint, MOM solutions attempt to provide different levels of management and operational readiness for the mobile solutions adopted in the enterprise. While the first generation of MOM solutions evolved around the management of mobile devices and applications, organizations have quickly realized that an effective enterprise mobile infrastructure requires addressing a more difficult challenge: managing mobile business data.
While the management of devices and applications addresses an important group of the operational requirements of enterprise mobile solutions, the security and management of business data opens brand new horizons for the mobile enterprise. If an organization is able to effectively manage and secure the business data used by its mobile applications, it can enforce levels of access control and security that are not available with existing device and application management solutions.
Let’s try to explain this concept in the context of a fictitious enterprise called Contoso.
Phase I: Contoso Implements a MDM Strategy
Like many other modern enterprises, Contoso's employees started using their mobile devices for work activities. To capture the productivity gains of mobile devices, particularly for email and calendar, while still preserving the required security and compliance levels, Contoso decided to implement a bring your own device (BYOD) strategy. At the center of that strategy, Contoso rolled out a mobile device management (MDM) platform as the main mechanism to secure and manage all of the users' smartphones and tablets in the organization.
Contoso's decision is a clear example of the initial steps organizations take when implementing an enterprise mobile strategy. In order to control the proliferation of consumer devices used by employees for work activities, organizations turned to the most obvious alternative: manage the devices. This choice was a great catalyst for the mobile device management (MDM) space, moving it from a "nice to have" to a "must have" technology in any enterprise infrastructure. With MDM technologies, enterprises are able to apply security and access control policies to both personal and corporate-owned mobile devices used within an organization.
The lightning-fast evolution of the MDM space resulted in an explosion in the number of technology vendors offering some sort of MDM capability. These days we can find over 100 companies offering MDM technology solutions, including incumbents such as IBM, Microsoft, SAP, Citrix or VMware, which entered the space via high-profile acquisitions or by launching their own products. As a consequence, the MDM space has become highly commoditized during the last few years, and it is fair to say that, on Gartner's hype cycle, it has passed its peak.
In addition to the commoditization of the MDM space, enterprises quickly saw the need to expand their MOM capabilities beyond the device. The consolidation that followed the peak of the hype cycle allowed incumbents such as Citrix, SAP, IBM, BlackBerry and VMware to enter the market with highly commoditized solutions, but device-level management alone did not cover every requirement. In the case of Contoso, as soon as the company started building multiple mobile applications, it realized that different applications often require different levels of management. To address that requirement, Contoso started to focus on another level of enterprise mobile management capabilities: mobile application management (MAM).
Phase II: Contoso Starts Managing Mobile Apps
As explained in the previous section, after Contoso started developing various mobile applications, the IT team was faced with the challenge of managing those individual applications, which required capabilities beyond what its MDM platform provided. Suddenly, IT departments were not satisfied with managing mobile devices; they needed to provide security and access control capabilities across the mobile applications developed in different parts of the organization. For instance, imagine a scenario in which Contoso's IT department wants to enable micro-VPN login for one specific mobile application but keep that capability disabled for the rest of its enterprise mobile solutions. This is a classic example of an app-specific policy that cannot be enforced at the device level by MDM technologies.
To address the growing mobile app management requirements, organizations turned to a familiar analogy: an enterprise app store. An enterprise app store offers a centralized catalog of mobile applications and enables IT departments to apply access control and security policies at the application level that can be enforced uniformly across any device hosting those applications. Vendors like Apperian led the charge in the MAM space, proclaiming the death of MDM solutions. While technologically the argument makes sense, reality turned out to be slightly different. MDM solutions had become an intrinsic part of any modern IT department and, with the commoditization of the space, MDM platforms started expanding their capabilities into the MAM space. As a consequence, MAM has shifted from a standalone category to a feature of MDM platforms.
The proliferation of MDM and MAM technologies in the enterprise now has IT organizations like Contoso's trying to extend the capabilities of those platforms with new security, privacy and access control models to protect the enterprise data accessed by mobile applications. While MDM and MAM platforms allow security and access control policies at the device and application level respectively, there is no easy way for organizations to protect the business data assets used by mobile applications. In our opinion, this requirement will be the origin of the next evolution of mobile operations solutions: mobile data management.
Phase III: Contoso Switches from Managing Apps to Managing Data
After implementing a few mobile applications and deploying an operationally ready enterprise app store, Contoso started facing compliance and security challenges about the way those mobile applications were using enterprise data sources. From data stored on mobile devices to restrictions on the carriers and locations from which an enterprise data source could be accessed, Contoso's IT department started looking for a way to expand its MOM strategy from applications to data.
Even though mobile business data management (MBDM) is not yet a well-established buzzword in the technology industry, it is becoming an increasing need of the mobile enterprise. While MDM and MAM platforms provide very well defined capabilities to manage mobile devices and applications, they fall short of protecting and managing the most precious asset of enterprise mobile solutions: enterprise business data. For instance, take a scenario in which Contoso's IT department wants to guarantee that customer information is always signed and encrypted when used by mobile applications. That simple scenario is really difficult to enable with today's MDM and MAM technologies, which see the device or the app but not the data flowing through them.
As with any other enterprise software trend, enterprise mobility solutions will require more and more granular levels of management and access control in order to satisfy the needs of enterprise deployments. MDM and MAM platforms provide management capabilities at the mobile device and application level respectively, and mobile business data naturally represents the next level of granularity in the evolution of enterprise mobile infrastructure management. The following figure illustrates that concept.
Figure: Mobile Operations Management Maturity Scale
The Contextual Nature of Mobile Business Data
Despite the rapidly growing and somewhat obvious need for managing and securing the business data accessed by enterprise mobile applications, the technical models required to enable that capability can be extremely complex. Part of that complexity stems from the nature of mobility, which introduces new challenges for consuming traditional enterprise data sources. Of the many differences we could list between traditional and mobile access to enterprise data sources, we can summarize them under a single principle: mobile business data must be context-aware.
By context-aware we mean that mobile business data should behave differently depending on contextual aspects that are not related to the data itself. Consider, for example, a mobile application that accesses financial data from an enterprise resource planning (ERP) system.
When enabling access to enterprise data sources from mobile apps, organizations should take into account contextual elements such as the following:
- Location
- Devices
- People
- Carrier
- Networks
- Offline Storage
Each one of the previous elements adds a different dimension to business data from the mobile access standpoint. For instance, a financial data source should behave fundamentally differently when accessed from an insecure cellular network in a country overseas than when accessed from within the corporate firewall. Similarly, we can think of an example in which a customer data source cannot be accessed from Windows Phone devices and can never be persisted to phone storage. Examples like these illustrate why the notion of contextual computing is a fundamental principle for securing and managing the business data accessed by your mobile apps.
Managing Mobile Business Data Using Mobile-First Data Security Policies
The core mechanism for managing business data is executing mobile-first, context-aware security policies against a data services API. In that model, the data services API is responsible for exposing the underlying enterprise data source to mobile applications, while the security policies represent access control conditions that must be met before the mobile consumer can reach the target source. The following figure illustrates that concept:
Figure: Access Control Model for Mobile Business Data
Mobile data access security policies are a series of condition-action rules that restrict access to a specific data source. Those rules factor in contextual mobile elements such as carrier, location, network, device and user. The following list illustrates some potential examples of mobile data access policies.
Figure: Mobile Data Access Policies
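The two contextual scenarios above (financial data requested over an insecure cellular network from abroad; customer data barred from Windows Phone and never persisted) and the condition-action rules just described, as an added Python example. This is not code from the original article or from KidoZen's platform; the data source names, roles, context fields, the policy set, the back-end stand-ins and the HMAC signing key are all assumptions constructed for the example. It also covers the earlier "always signed" requirement for customer data by signing the response body; encryption is surfaced as a constraint the transport or app layer must honor.

```python
"""Context-aware mobile data access policies in front of a data services API.
Constructed example, not KidoZen's or any vendor's code. Condition-action rules
run in order: a matching deny wins, "constrain" rules attach handling
constraints, and a request that no rule allows is denied by default."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class AccessContext:
    """Contextual elements of one request (field names are assumptions)."""
    user: str
    role: str
    platform: str          # "ios", "android", "windowsphone", ...
    mdm_compliant: bool    # MDM posture: enrolled, not jailbroken, passcode set
    carrier: str
    network: str           # "corporate", "wifi" or "cellular"
    country: str           # ISO 3166-1 alpha-2 of the request origin
    wants_offline: bool    # app asks to persist the result to device storage

@dataclass
class Decision:
    allowed: bool
    reason: str
    persist: bool = True   # may the app cache the data on the device?
    sign: bool = False     # must the response carry an integrity signature?
    encrypt: bool = False  # must the response be encrypted end to end?

@dataclass
class Policy:
    source: str                                # data source name, "*" for any
    condition: Callable[[AccessContext], bool]
    action: str                                # "deny", "constrain" or "allow"
    reason: str
    constraints: dict = field(default_factory=dict)

    def matches(self, source, ctx):
        return self.source in ("*", source) and self.condition(ctx)

HOME_COUNTRIES = {"US"}  # assumption: Contoso's home market
# No financial data over cellular from abroad; customer data blocked on Windows
# Phone and, where served, never persisted and always signed and encrypted.
POLICIES = [
    Policy("*", lambda c: not c.mdm_compliant, "deny", "device fails MDM posture check"),
    Policy("erp.financials", lambda c: c.network == "cellular" and c.country not in HOME_COUNTRIES,
           "deny", "financial data over a cellular network from abroad"),
    Policy("crm.customers", lambda c: c.platform == "windowsphone",
           "deny", "customer data is not available on Windows Phone"),
    Policy("crm.customers", lambda c: True, "constrain",
           "customer data is never persisted and always signed and encrypted",
           {"persist": False, "sign": True, "encrypt": True}),
    Policy("erp.financials", lambda c: c.role in ("finance", "executive"), "allow", "role may read financials"),
    Policy("crm.customers", lambda c: c.role in ("sales", "support", "executive"), "allow", "role may read customers"),
]

def evaluate(source, ctx, policies=POLICIES):
    """Run the condition-action rules for one request; default deny."""
    constraints, granted_by = {}, None
    for p in policies:
        if not p.matches(source, ctx):
            continue
        if p.action == "deny":
            return Decision(False, p.reason)
        if p.action == "constrain":
            constraints.update(p.constraints)
        elif p.action == "allow" and granted_by is None:
            granted_by = p.reason
    if granted_by is None:
        return Decision(False, "no policy grants access (default deny)")
    decision = Decision(True, granted_by, **constraints)
    if ctx.wants_offline and not decision.persist:
        decision.reason += "; offline storage refused"
    return decision

# Constructed stand-ins for the ERP/CRM back ends and for a signing key that a
# real deployment would keep in a KMS or HSM.
BACKENDS = {"erp.financials": lambda: {"q1_revenue": 1250000},
            "crm.customers": lambda: [{"id": 7, "name": "Ada"}]}
SIGNING_KEY = b"constructed-demo-key"

def fetch(source, ctx):
    """Data services API entry point: enforce policy, then shape the response."""
    decision = evaluate(source, ctx)
    if not decision.allowed:
        return {"status": 403, "reason": decision.reason}
    body = json.dumps(BACKENDS[source](), sort_keys=True)
    envelope = {"status": 200, "data": body,
                "cache": decision.persist and ctx.wants_offline,  # cache only if both hold
                "encrypt": decision.encrypt}  # app/transport must encrypt before storing or showing
    if decision.sign:  # HMAC-SHA256 over the canonical JSON body
        envelope["sig"] = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return envelope

def verify(envelope):
    """Client-side integrity check of a signed envelope (constant-time compare)."""
    expected = hmac.new(SIGNING_KEY, envelope["data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("sig", ""))
```

Calling `fetch("erp.financials", AccessContext("alice", "finance", "ios", True, "att", "cellular", "FR", False))` returns a 403 from the cellular-abroad rule, while the same user on the corporate network gets a cacheable, unsigned response; `fetch("crm.customers", ...)` for a sales user on Android returns the data with `cache` forced to `False`, `encrypt` set and an HMAC that `verify` checks. Two design points matter for production use: the rule list is ordered and default-deny, so a new data source is unreachable until someone writes an allow rule for it, and the MDM posture check sits first, which is how a data-level policy composes with the device-level MDM and app-level MAM controls rather than replacing them.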
As illustrated in the previous list, condition-action rules based on mobile contextual elements provide a very simple model for securing the business data accessed by your mobile applications. This type of model complements the access control mechanisms provided by MDM and MAM platforms, yielding an end-to-end mobile operations management pipeline:
Figure: Mobile Access Control Pipeline
Leveraging this type of pipeline allows organizations to secure and manage the three main pillars of the enterprise mobile ecosystem: devices, applications and data. More importantly, mobile data management models extend MDM and MAM security and access control capabilities to a level that is currently out of their reach: business data.
Mobile data management represents the natural evolution of the mobile operations management space. In principle, mobile data management is a series of access control and management mechanisms that control access to enterprise data sources from mobile applications, complementing existing MDM and MAM policies.
The key to mobile data management models lies in enabling access control rules based on contextual aspects of enterprise mobile solutions such as location, devices, people, carrier and networks. The implementation of mobile data management models is a natural complement to the capabilities provided by MDM and MAM platforms and will allow organizations to build end-to-end mobile operations management infrastructures that enforce security from the device all the way to the business data level.
About the Author
Jesus Rodriguez is a co-founder and CEO of KidoZen, an enterprise mobile-first platform as a service redefining enterprise mobile solutions. He is also the co-founder of Tellago, an award-winning professional services firm focused on enterprise software trends. Under his leadership, KidoZen and Tellago have been recognized as innovators in the areas of enterprise software and solutions, achieving awards such as the Inc 500 and the Stevie Awards' American/International Business Awards. A software scientist by background, Jesus is an internationally recognized speaker and author with contributions that include hundreds of articles and sessions at conferences. He serves as an advisor to companies such as Microsoft and Oracle and sits on the board of many technology companies. You can gain insight on business and software technology through Jesus's blogs at http://jrodthoughts.com and http://weblogs.asp.net/gsusx .
Dimitar Bakardzhiev Mar 29, 2015