This article offers a deep dive into device management, the mechanism by which an organization can see and manage the devices it owns and ensure those devices are effectively protected against cyber threats. It begins with an overview of the basics of device management, then breaks down the key features you should look for in a best-in-class device management solution, giving you a resource for selecting the right solution for your organization.
Finally, we’ll take a step back, and tie device management into the wider context of an effective security strategy. Security tools work in harmony together to most effectively build a security strategy, so the ability to take a step back and look at the bigger picture is just as important as digging into the details!
Foundational Elements of Device Management
Device management is the pillar of cybersecurity that involves overseeing and controlling the configuration, usage, and security of devices (think laptops, tablets, and phones) within an organization's network, ensuring they adhere to predefined policies. Tools such as Intune and JAMF are examples of MDMs (mobile device management) that enable organizations to effectively manage devices. Device management is an extremely important component of risk management and mitigation for an organization, and there are several mechanisms and stages that are important to understand:
- Understand your device inventory. The first essential step in device management is enrolling devices into your chosen MDM. This is the unlock that enables an organization to manage devices effectively: to ensure they are in a healthy state (the right controls enforced, the latest system versions installed), and to take action when needed, such as password resets or locking and wiping a device in case of theft or loss.
- Standardize your configurations & controls. Make sure you are setting up the controls that are relevant to your business and cover the range of threats. This includes controls such as encryption, firewalls, and screen lock features to establish a robust defense against unauthorized access and potential security breaches. It also covers the ability to facilitate the distribution of security applications, such as Endpoint Detection and Response (EDR). EDR tools are crucial for detecting and responding to advanced threats.
- Ensure automated patch management. Automated patch deployment is essential to keeping controls effective and continually up to date. Here we can use auto-enrollment (version updates on computers, etc.) to ensure the ongoing efficacy of your security strategy and to reduce the reliance on individual employees to apply those changes themselves.
Navigating the Selection Process
When evaluating tools, it’s important to define the functionality you need and to assess each candidate against it. So, what does a great device management solution look like, and what functionality should it offer?
- Seamless Onboarding and Offboarding of Employees: A robust device management solution is designed to streamline employee onboarding and offboarding processes, automating device enrollment (which as discussed above, is essential in the efficiency of device management), and ensuring secure device wiping when employees depart.
- Ability to Manage Lost Devices and Device Custody: Device management enables remote tracking, locking, and wiping, which allows organizations to mitigate the risks associated with lost or stolen devices, safeguarding sensitive data and maintaining control over corporate assets.
Did you know? According to Forrester Research’s 2023 State of Data Security report, lost or stolen devices account for 17% of breaches.
- Automated Application Distribution: The seamless distribution of applications across devices is a key feature, enabling organizations to deploy essential tools and updates uniformly from the moment a device is enrolled in an MDM. This not only enhances the user experience but also ensures that the entire device fleet operates with the latest security measures in place.
- Efficient Patching of Applications and Operating Systems: MDM serves as a central hub for managing patch deployments, ensuring that all devices within the network are up to date with the latest security updates. This capability not only bolsters the organization's defense against potential threats but also enhances overall system performance.
- Reporting and Positive Control: Device management solutions offer robust reporting capabilities, providing organizations with a clear understanding of the state of their device fleet. This reporting is crucial for maintaining positive control over devices, enabling informed decision-making and proactive security measures.
One additional framing that is important to consider relates to the realities of your organization, and what management of your security stack will look like. Take the time to think about:
- The technical expertise and security knowledge of whoever will be managing the tool. There is a tradeoff between a tool that offers an ‘all in one’ solution and a tool that offers certain functionality ‘best in class’. A UEM (unified endpoint management) solution is the all-in-one option and can be a more manageable offering for a non-security expert. Best-in-class specialized solutions offer unparalleled power and ability, but often require a heavier management effort and greater expertise to operate. A useful way to approach this balance is to consider the level of technical management your organization can provide. Will you manage via API with dedicated technical staff, or have less specialized staff do their best in the user interface?
- Integration with your wider IT + Security picture. MDM lives amongst other key security tools, such as the identity provider and your endpoint threat detection tooling. It’s worth prioritizing + assessing an integration strategy to ensure the workflows your MDM will enable can fit amongst your broader security program.
- The Timeline and long-term growth of your organization. Migration and changing tools is complex, time-consuming and expensive. It’s worth making the right long-term choice early in your company’s life to ensure that you are setting yourself up for success.
How to think about MDM in the context of your security program
On this blog, we continually emphasize the interconnectedness of different security tools when building an effective security stack (if you need a refresher, take a look at our article: What cybersecurity tools do you need to build an effective security strategy?). When thinking about an MDM tool as part of your security program, you should consider the integration and ongoing management of your MDM in the context of your wider security stack. Let’s take a deeper dive into a specific example of how device management solutions and identity solutions can work together to enhance security for an organization:
A Modern perspective: Device Trust
Device trust is the idea that a user’s device must be secure before it can access an organization’s sensitive resources (such as networks, cloud apps, and data). The most powerful and effective security strategy is carefully crafted to cover a wide range of threats and to create a multi-faceted defense structure. Device trust perfectly exemplifies the intersection of device management and identity solutions (for a refresher on identity solutions, check out this article). Linking the identity of the user to the device they are using is a huge opportunity for an additional factor of authentication — possession of the device — that, if done well, can really limit the surface area for attack.
Regardless of the specific tool, when thinking about device trust there are two security outcomes to pursue:
- Only allow corporate devices to get an IdP session. The move from an on-prem world (where organizations had a group of servers that were privately owned and controlled) to a cloud and SaaS world creates a problem: how do I control which devices can access my corporate resources? Traditionally the on-prem network was the perimeter. The shift to the cloud and SaaS apps forces us to let go of this security lever. Device trust presents an opportunity to gain it back by only allowing corporate devices to authenticate with the IdP.
- A device needs to be in a secure state. Once you’ve established that a device is known, the other half of the battle is ensuring that it meets the organization’s security requirements. These requirements make it unlikely that the device is compromised and include things like an up-to-date operating system and OS security controls (firewall, remote access, disk encryption). Device trust solutions need to detect whether a device is in a secure state and restrict access to resources based on the device’s security posture.
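The two outcomes above (and the inventory and baseline-controls steps from the foundational section) map directly onto a small policy check. The following Python is an added example, not code from the original article or from any MDM or identity product: it models the posture report an MDM or device-trust agent might return, fails closed for any device not in the enrollment inventory, and only then checks the enrolled device against a security baseline. The device IDs, minimum OS versions and posture fields are constructed, hypothetical values.

```python
from dataclasses import dataclass

# Constructed inventory of enrolled corporate device IDs (hypothetical values,
# standing in for the MDM's enrollment list).
ENROLLED_DEVICES = {"MDM-0001", "MDM-0002", "MDM-0003"}

# Minimum OS versions the organization accepts (hypothetical baseline).
MIN_OS_VERSION = {"macOS": (14, 4), "Windows": (10, 0, 19045)}


@dataclass(frozen=True)
class DevicePosture:
    """Posture report as an MDM or device-trust agent might return it."""
    device_id: str
    os_name: str
    os_version: str
    firewall_enabled: bool
    disk_encrypted: bool
    remote_login_enabled: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple  # empty when the device is allowed


def parse_version(version: str) -> tuple:
    """'14.4.1' -> (14, 4, 1); tuples compare component-wise in Python."""
    return tuple(int(part) for part in version.split("."))


def evaluate(posture: DevicePosture) -> Decision:
    # Outcome 1: only enrolled corporate devices may proceed.  Fail closed:
    # posture is not even evaluated for an unknown device.
    if posture.device_id not in ENROLLED_DEVICES:
        return Decision(False, ("device is not enrolled in the MDM",))

    # Outcome 2: the enrolled device must also satisfy the security baseline.
    failures = []
    minimum = MIN_OS_VERSION.get(posture.os_name)
    if minimum is None:
        failures.append(f"unsupported operating system: {posture.os_name}")
    else:
        try:
            current = parse_version(posture.os_version)
        except ValueError:
            current = ()  # unparseable version string counts as out of date
        if current < minimum:
            min_str = ".".join(str(p) for p in minimum)
            failures.append(
                f"{posture.os_name} {posture.os_version} is below minimum {min_str}"
            )
    if not posture.firewall_enabled:
        failures.append("host firewall is disabled")
    if not posture.disk_encrypted:
        failures.append("disk encryption is off")
    if posture.remote_login_enabled:
        failures.append("remote login is enabled")
    return Decision(not failures, tuple(failures))


# Constructed sample posture reports.
HEALTHY = DevicePosture("MDM-0001", "macOS", "14.4.1", True, True, False)
STALE = DevicePosture("MDM-0002", "macOS", "13.6", False, True, True)
UNKNOWN = DevicePosture("BYOD-9999", "macOS", "14.4.1", True, True, False)

if __name__ == "__main__":
    for posture in (HEALTHY, STALE, UNKNOWN):
        decision = evaluate(posture)
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(posture.device_id, verdict, *decision.reasons, sep=" | ")
```

The ordering is the point: an unenrolled device is denied without reading its posture at all, because a self-reported "healthy" posture from a device you do not manage is not evidence you can act on. For an enrolled device every failing control is collected rather than stopping at the first, which is what the reporting described earlier needs in order to tell a user (or an administrator) exactly what to remediate.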
In essence, device trust encapsulates a modern perspective on fortifying cybersecurity defenses. Device Trust integrates device management and identity solutions, in order to assess that both the device and user are authenticated and healthy before allowing them access to an organization’s network. This is incredibly valuable, and an exciting holistic way to further ensure
This article should provide a useful reference for how to navigate integrating an effective device management tool into your organization’s security stack. It’s important to evaluate the controls and features of individual tools, but also to consider them in the context of your organization. Remember that while device management is an essential component of your security, you should always be thinking holistically about your security toolkit. Malicious attackers try multiple avenues to find a vulnerability, and so the most robust security strategies leverage the symbiosis of multiple tools to defend against these threats most effectively.
Interested in learning more on this topic? Check out our article: What cybersecurity tools do you need to build an effective security strategy? and our other articles here. To stay up to date on Company news, follow us on LinkedIn.