Work From Home Security: UEM To The Rescue !

Disclaimer: This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated.

Introduction

The question I get nowadays on every single customer call is: why do I need a Unified Endpoint Management (UEM) solution to enable secure remote work from home (WFH) for my employees, and how would that address the urgency to enable WFH under the current pandemic situation?

Fair point, to be honest! Many consider UEM, which incorporates Mobile Device Management (MDM), Mobile Application Management (MAM), and Mobile Content Management (MCM) under a single platform, to be the cherry on top of the cake: it tastes really good but is essentially just an add-on to the cake, not a core requirement. This perception shows in the fact that many in the market still refer to UEM as MDM, which adds to the confusion around the topic and unfortunately delivers a subconscious message that is completely false.

What is MDM ?

MDM in the context of UEM is all about policy control and management for mobile devices, much like what Group Policy is to Windows. In itself, MDM is not a security component; it is just a means of pushing and unifying policies across mobile devices that run different operating systems. The policies we choose to apply dictate whether MDM is used for security or for other purposes such as management, compliance, support, or all of them. Pushing a VPN configuration to a mobile device is not security in itself; it is automation of configuration for users' mobile devices, yet when the VPN is used, it serves better security. Restricting a mobile device's connections to a specific WiFi network is not security in itself; that WiFi network might have enhanced security. Forcing a specific theme on a device is not security; it is simply corporate policy being enforced on mobile devices.

But MDM can encrypt devices and containerize applications and data, right? Nope. MDM can push policies that use the underlying device technology to encrypt or containerize, but MDM on its own is just a policy engine that uses a client to control a device's settings.

The fact is, MDM can be used to reduce security, if intended, for example by forcing the removal of any password requirements on a mobile device. The point here is that MDM is about policy, not about security per se. We choose to use it for security, and indeed it is a very powerful tool to control policies under a unified security baseline for different devices and different OSes! MDM has also evolved over the years to cover types of endpoints other than mobile devices, such as desktops, laptops, and tablets, and different operating systems such as Windows, macOS, and Chrome. We can't keep changing names, although we still are, but that is why referring to UEM as MDM is misleading.

What is MAM ?

MAM, on the other hand, does have underlying security features in place that tackle specific security requirements, for example encryption of data at-rest, in-transit, and in-use. MAM can also force specific settings at the application level rather than the device level, which MDM cannot. MAM is a policy engine for applications in terms of delivery, installation, and settings, but it also has a containerization mechanism that may or may not take advantage of the device OS's intrinsic features. For example, BlackBerry can containerize any standalone application on a device without enrolling in an MDM/MAM server or using the containerization features of the endpoint OS, such as iOS User Enrollment or Android Enterprise.

MAM adds a level of security to applications and data in terms of connectivity and containerization, plus a level of application automation in terms of delivery and settings. Before other components came into play as well, MDM and MAM were jointly called Enterprise Mobile Management (EMM).

What is MCM ?

Data on endpoints is now protected via MAM, and the policy security baseline on devices is maintained via MDM. What remains to be secured is data that neither resides on the endpoint nor is secured in the backend, and thus MCM was introduced. Mobile Content Management is about securing the sharing, sync, and collaboration of data not only among different endpoints but also among different recipients, who could even reside outside the realm of our corporate network. Aside from the sharing and sync part, MCM incorporates Digital Rights Management (DRM) and Data Loss Prevention (DLP) to provide security and control for the data itself. DRM applies inherited intrinsic permissions to every file, while DLP maintains control over the file after it leaves the network.

Unified Endpoint Management

The combination of MDM, MAM, and MCM is referred to as Unified Endpoint Management (UEM), and in my very humble opinion, referring to UEM as MDM has to stop because it is simply not true anymore and has not been for the last couple of years. Now that this has been established, how is UEM an enabler of WFH generally, and what is the role of UEM in WFH security specifically?

Unified Endpoint Security

Guess what! Names are still changing, and a new name is being introduced to the market because additional components have come into the picture. Mobile Threat Defense (MTD), Endpoint Threat Defense (ETD), Endpoint Threat Detection and Response (EDR), and Intelligent Security (IS) are now part of any security-oriented UEM offering, and thus the new name for this platform is Unified Endpoint Security (UES). MTD intrinsically protects mobile device users from phishing attacks and malicious URLs, so it basically protects from advanced persistent threats such as social engineering and from mobile malware in its different forms. ETD offers threat protection for thick endpoints such as macOS and Windows desktops/laptops from attacks such as viruses, malware, ransomware, rootkits, scripts, and more, on top of intrinsic protection from phishing and malicious URL attacks. IS is an AI/ML-driven Zero Trust Architecture enabler that continuously protects people, devices, apps, and networks.

Ideal Work From Home Technology

Under normal circumstances, ask me what the ideal work from home enabler is and I would, without hesitation, say Virtual Desktop Infrastructure (VDI) <period!>. I have built my career on VDI and love the technology to the bone. This pandemic (unfortunately) solidified what I have been doing with my customers for the last 10+ years, and many of those who trusted me on this are reaping the rewards, while those who came back to me with “we don’t or will never need it” are struggling to cope with WFH.

With all due respect to vendors and professionals out there, VDI is still way too complex to be adopted in harsh situations and under extreme circumstances. Cloud may have mitigated the CAPEX cost of VDI, and DaaS may have eased the complexity of deploying and delivering VDI, yet in itself VDI is still a very big undertaking for organizations. VDI cannot be architected, scoped, sized, designed, deployed, embraced, delivered, and supported under these circumstances, not a chance! I have seen so many failed VDI projects under normal circumstances because of so many missed variables, which leads me to believe that under this tough situation, a decision to adopt VDI is a recipe for disaster in whichever model that is or wherever it is to be hosted!

UEM is a Must !

VDI, VPN, Cloud, SaaS, Browser and/or Reverse Proxy: regardless of the technology being used to enable Work From Home, UEM is a core requirement and a security necessity. To elaborate, let me split WFH scenarios into two: one is users using their mobile devices, and the second is users using their desktops/laptops (ultimately, users use both). Regardless of whether these devices are corporate owned or personally owned, WFH dictates that users are connecting to corporate resources from outside the corporate network.

The fact is that most users still use desktops/laptops, be it Windows or macOS, to conduct their day-to-day work. As much as we use Android and iOS for emails, browsing, and/or collaborating, users are still not comfortable doing most of their work on mobile devices, simply because it is not practical. It could be for some, but the majority of users out there cannot conduct most of their work on a mobile device, which also applies to VPN and/or VDI. Have you tried opening a VDI session on a mobile device to do any kind of work? It is neither practical nor convenient! Yet most users out there use personal phones for email and collaboration purposes, that is a fact as well, and hence the first step of enabling WFH is actually secure remote access to email, which for most is either SaaS or published publicly.

WFH Mobile Devices

Let me start with the mobile device scenario because, regardless of the current pandemic, it has become an ultimate productivity requirement for users to have access to their email from anywhere, using any device, under any situation. What are your options here? Either publish your email service publicly, which opens your attack surface tremendously, or use a SaaS offering such as Microsoft 365, then use any email client on the mobile device to connect to the service. Either way, the device, data, application, and user cannot be secured, or at least verified to meet the very least of our security baseline as a corporation. Even if that does not matter to you as an organization, it does matter to the law, and certain security guidelines are enforced by regulations such as GDPR or ISO 27001 (for example, when your emails contain personally identifiable data). Beyond the law, organizational security due diligence dictates that a security baseline is maintained regardless of any changing factor, such as working from a personal mobile device or connecting from an insecure network; adopting the Zero Trust architecture is one example.

UEM, or even better UES, is the only way to deliver access to back-end corporate resources, be it email, browsing, or otherwise, in a secure and efficient manner. UEM will ensure that any connecting mobile device meets the corporate security baseline in terms of compliance, and will maintain the security standards dictated by security architecture or regulation, such as end-to-end security and data/device/user integrity. UEM does not require extensive resources, designing, sizing, components, prerequisites, or deployment, so it is easy enough to deliver under the current circumstances. Last but not least, UEM does not entail a steep learning curve for either administrators or users, so on-boarding can be automated from the administrator side and enrolling can be automated from the user side. Although this solves the part of mobile devices, which are mostly used for emails and collaboration, we still have the biggest part of WFH to cover, which is thick endpoints such as desktops and laptops, on which most of the day-to-day work will be conducted.

WFH Thick Endpoints

Thick endpoints differ from mobile devices in many aspects, especially when it comes to security. The threat vector and attack surface are different, so more security considerations have to be taken into account when dealing with, for example, Windows 10, which is the most used OS out there (not Windows 7, as many still seem to think). The fact is that many organizations, and I even dare say most, still have client-server applications and/or executables that are needed to conduct day-to-day work. WFH scenarios here also split into two categories, Corporate Owned and Personal Owned, but the two still share a similarity in terms of establishing connectivity to back-end resources.

Corporate Owned

Corporate Owned thick endpoints have all the OS security and business applications installed on the endpoint itself. These are macOS or Windows 10 laptops that employees are allowed to take home, and thus the concern for organizations enabling a WFH plan is to figure out how to secure the connectivity to back-end resources, since the security of the device is already established, it being a corporate device, and all the required business applications are already installed. In this scenario, UEM helps deliver up-to-date corporate policies over-the-air to these devices without requiring them to connect to any domain controller or rely on Group Policy, which will only apply when the user is connected to the back-end network. UEM will also maintain the corporate security compliance baseline over-the-air, so that compliance is ensured before any connection to back-end infrastructure is established (Firewall Status, AV Status, UAC Status, Services Status, Network Status, and so on). I do not want to make this a vendor-oriented post, but for the sake of the discussion, BlackBerry UEM specifically has created a containerized secure browser for thick endpoints that will also maintain containerization of data and security of back-end connectivity without the need for VPN or VDI for intranet web resources (Check this post). Even with corporate-owned devices, how are we to maintain file-level security for corporate resources being accessed from remote networks? Think about this in terms of users uploading corporate files to their own cloud-hosted shares, such as Google Drive, or attempting to bypass local security using a bootable USB. UEM can help protect and track the security of files regardless of the connecting device or network being used.

Personal Owned

Personally Owned thick endpoints are the biggest challenge for organizations when it comes to WFH, and this is where UEM thrives and has the most value. The problem with Bring Your Own Device (BYOD) or Bring Your Own Laptop (BYOL) initiatives is that we do not and cannot know or control the security posture of the device. We cannot verify whether this device is secure or not, or have any control over applying a specific security baseline to it, since we do not own or manage the device; it is not on our domain controllers nor under our SCCM or SCOM, for example. Because of this, not only do we need to secure the connectivity to back-end resources, as in the Corporate Owned endpoint scenario, but in this case we need to secure the applications, data, and device as well before access is granted.

UEM in general for this scenario would first help force the required baseline compliance policies that would grant this device access to back-end resources, such as an up-to-date Windows OS, a specific Windows OS build, a specific AV installed, specific software installed, and/or UAC running. UEM will also allow forcing security rules while back-end resources are being accessed, such as no camera, no recording, or disabled screenshots, and so on. Specific UEM products, BlackBerry UEM being one example, can create for thick devices (Windows 10 and macOS) a secure container that will not only secure back-end connectivity in terms of access to intranet resources (No VPN, No VDI, No Publishing) with end-to-end encryption, but also secure the corporate data at-rest, in-transit, and in-use. This means that regardless of the security posture of the device, connectivity and data are secured from the local OS in a secure container that is controlled by the administrator. Let's not forget man-in-the-middle (MITM) attacks that operate on rogue APs or public networks: because WFH does not restrict the user to a corporate network that has all the security solutions in place, we need to think of a way to secure this from the user side rather than the corporate network side, and this is exactly what UEM can do, protecting users from MITM and other attacks as well.
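The compliance gate described in the two scenarios above (OS build, AV, firewall, UAC and service status checked before access is granted), as an added Python example that is not from the original post or from any UEM product. The report attribute names, the baseline values and the AV and service names are assumptions made for illustration.

```python
from dataclasses import dataclass


# Hypothetical baseline: field names and values are assumptions for illustration,
# not taken from the post or from any UEM product.
@dataclass(frozen=True)
class Baseline:
    min_os_build: tuple = (10, 0, 19041)                # constructed minimum build
    approved_av: frozenset = frozenset({"ExampleAV"})   # placeholder product name
    max_av_signature_age_days: int = 3
    required_services: frozenset = frozenset({"ExampleAgent"})  # placeholder


def parse_build(text):
    """Turn '10.0.19045' into (10, 0, 19045) so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))


def evaluate(posture, baseline=Baseline()):
    """Return (allowed, reasons). Missing or malformed attributes fail closed."""
    reasons = []
    try:
        if parse_build(posture["os_build"]) < baseline.min_os_build:
            reasons.append("os_build below minimum")
    except (KeyError, ValueError, AttributeError):
        reasons.append("os_build missing or unparseable")

    for flag in ("firewall_enabled", "uac_enabled"):
        # 'is not True' rejects None, missing keys and truthy strings like "yes".
        if posture.get(flag) is not True:
            reasons.append(f"{flag} not confirmed")

    av = posture.get("av")
    av = av if isinstance(av, dict) else {}
    age = av.get("signature_age_days")
    if av.get("product") not in baseline.approved_av:
        reasons.append("approved AV not installed")
    elif av.get("running") is not True:
        reasons.append("AV not running")
    elif not isinstance(age, int) or age > baseline.max_av_signature_age_days:
        reasons.append("AV signatures stale or unknown")

    running = set(posture.get("running_services") or [])
    for name in sorted(baseline.required_services - running):
        reasons.append(f"required service not running: {name}")
    return (not reasons, reasons)


# Constructed sample reports, shaped as an endpoint agent might send them.
COMPLIANT = {"os_build": "10.0.19045", "firewall_enabled": True, "uac_enabled": True,
             "av": {"product": "ExampleAV", "running": True, "signature_age_days": 1},
             "running_services": ["ExampleAgent", "Spooler"]}
BYOD_OLD = {"os_build": "10.0.9200", "firewall_enabled": True, "uac_enabled": "yes",
            "av": {"product": "OtherAV", "running": True, "signature_age_days": 0}}

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT), ("byod_old", BYOD_OLD)):
        print(name, evaluate(report))
```

Build numbers are compared as integer tuples because a plain string comparison would rank "10.0.9200" above "10.0.19041" and let the older build through.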

All of this is provided with minimal resources, no enrollment, and top-notch security, so the question is not whether to use VDI or VPN or UEM. No: UEM is a core component regardless of the connectivity technology. The question is rather whether a UEM solution can solve my VPN or VDI requirements inherently, or at least add to the security of both technologies. The answer is that it can do both, depending on the use case and scenario; go over this post to understand more.

Conclusion

UES and/or UEM should not be referred to as only MDM and should be perceived as an end-to-end solution for securing work from home scenarios and initiatives. UEM is a core enabler to securely working from home and a core requirement for any organization when it comes to maintaining the security of users, devices, data, and applications regardless of the device, network, posture and/or situation.

May the Peace, Mercy, and Blessing of God Be Upon You

3 thoughts

  1. It is great to have you explaining how BlackBerry UEM and Digital Workplace help in securing a Work Remote solution.

    Also, companies should start thinking about, if not already, the next evolution step to the next higher layer, UES. (This Zero Trust Security layer can be put on top of any competitor UEM, so customers can keep their original UEM investment and are able to switch over to the BlackBerry UEM over time if desired.)

    I have a question at the other end of the spectrum – BBMe (the simple messaging app for Android and iOS).

    There are two types of BBMe offered by BlackBerry – Personal BBMe (individual users) and Enterprise BBMe (enterprise users).

    Enterprise BBMe has up to a 15-person video chat.
    Personal BBMe has only a one-on-one video chat.

    Is it simply a matter of turning on the 15-person videoconferencing feature on the Personal BBMe? If not, why not? Cost, bandwidth, quality…?

    The second question:
    is it possible to increase the number from 15 to 100, matching ZOOM, trading off something?

    Thanks.

    1. Yes, agreed, UES is the future and is a very big topic, so I am working on a separate dedicated blog for that. On your first question: yes, technically it's just a matter of turning on the feature, but like any other product out there, it's about the cost and even the use case, so for corporate users the Enterprise BBMe is the way to go, which will entail the feature, and you are paying for that additional feature. Why the additional cost? It's definitely more bandwidth on the BB infra/NOC side, on top of more development, maintenance, and support. On your next question, I am honestly not sure. Let me ask around and get back to you on this; as of now my answer would be no, but let me check it.

      1. I have a follow-up question to your answer for the first question.
        Is it a big makeover if the Personal BBMe traffic is a complete public cloud implementation, instead of using the precious BBM NOC (cloud)?
        There will be some cost of course; maybe or maybe not it can be totally covered by the BBMe subscription fees. Besides the money consideration, others are to keep BBMe relevant to the general public, and to promote the BlackBerry brand.
        In terms of use case, consumer ends are thirsting for it. This could be an alternative to Zoom!!!

        Using a public cloud implementation, imagine it would make the second question (going from 15 to 100) a bit easier to do.

        Thanks.
