
WHITE PAPER

WHEN MOBILE DEVICE MANAGEMENT ISN'T ENOUGH


OVERVIEW
The explosion of smartphones and tablets in the workplace means that confidential information is now not only spread throughout
your organization on servers and desktops, it is also being stored on mobile devices, which are prone to loss or theft, and being
transmitted from these mobile devices beyond the control of your organization. It is easy for employees to disseminate, whether
accidentally or intentionally, sensitive business data outside the organization with a simple action, e.g., uploading employee healthcare
records to the public cloud via a cloud storage app.
Traditional network security that protects private networks cannot prevent data loss from mobile devices, which are often on public
networks. Many organizations expected mobile device management (MDM) to be the panacea for enterprise mobile security but have
realized that it alone is not sufficient. MDM is about locking down devices, e.g., restricting access to Wi-Fi networks, preventing use
of the camera, enforcing complex device passwords, etc. From a security standpoint this might seem perfectly reasonable, but users
don't like it, and that matters these days. Restricting what users can do and threatening to wipe devices that are rich with personal
apps and content is a recipe for ill will.
What's needed is technology that provides an organization with constant control over what's most important to them (their data) as
it is used in business workflows, but without encroaching into the user's personal realm. That control over data should remain whether
the device is corporate-owned, personally enabled (COPE) or bring your own (BYO), or managed by MDM software or not. Technology
that will secure your organization's confidential information, boost productivity and get users on your side regardless of device
ownership or MDM-management status: what's not to love?

MDM: NOT SUFFICIENT BY ITSELF


MDM solutions leverage platform security services provided by the mobile operating system or device manufacturer. IT organizations
can then implement security controls such as device passwords, remote wipe and lock of the device, etc., in order to protect corporate
apps and data. However, an MDM-alone approach to ensuring security and preventing data loss has shortcomings, some of which are
detailed below.
MDM security controls are limited to device security services. As MDM solutions rely on the mobile operating system and each specific
device manufacturer's services, security controls can vary widely. Companies with an environment of mixed devices, such as iOS and
Android devices, will find this especially challenging. For example, not all Android devices support hardware data encryption. An
MDM solution, no matter how robust, would not be able to add encryption to a device that doesn't support it to begin with. Without a
cross-platform standard that ensures consistent policies and/or control, IT will find it difficult to effectively protect corporate data in a
consistent manner across a heterogeneous environment.
MDM policies are implemented at the device level, which interferes with personal use. As an example, in order to prevent
unauthorized users from accessing an employee's corporate email on the employee's personal phone, MDM solutions require a
password to the device itself rather than the email application. As a result, the employee must enter a password every time s/he
uses the device, whether s/he intends to use the device for work or personal communication and collaboration. When faced with the
inevitable storm of complaints from users who find it a nuisance to enter a complex password every time they use their device,
IT will allow weak passwords, significantly increasing the data loss probability of corporate information.
Remote wipe, another device-level MDM policy, allows IT to erase corporate apps and data from a mobile device in the event a device
is lost or stolen. However, for employees who use their personal phones for work, a remote device wipe would erase personal apps and
data in addition to the corporate data and apps. Employees may feel that their personal privacy has been violated and may be
inconvenienced if they have to re-create their personal information.

Consumer apps are especially challenging for most MDM solutions. Policy controls and data encryption cannot address potential
security risks that lie within the apps themselves, for example, an app that was designed to directly or indirectly access and share
corporate data with other third-party apps and cloud services. Most corporate data leakage is due to the unintentional actions of the
employee who uses these consumer apps. Given that most MDM solutions are limited to security controls at the device level, most
MDM functions are also unable to address potential security risks at the app level.

WHAT'S NEEDED: A SOLUTION APPROACH TO SECURE MOBILITY


Companies and government agencies need to adopt a secure mobility solution that allows IT departments to set and manage security
policies at both the application and the device level.
The Apple App Store and Google Play each have over a million apps. That makes it challenging for users to select the right suite
of apps that helps them get work done and that also complies with IT policies. IT needs to first understand the needs of the business,
and then provide users with approved apps so that they can complete business tasks in the right mobile app workflows. Failure to
provide the right apps can result in users selecting any number of unapproved consumer apps, and that's a risk to corporate data.
There are also potentially higher IT support costs if the apps do not deliver on their promise.
With the right suite of apps selected, IT can look beyond the basic provisioning capabilities of MDM and focus on containerizing
these mobile apps to ensure data protection: app-level, device-independent encryption with policy controls over the container (e.g.,
authentication, sharing, wiping, etc.). Containerized apps also ensure the same level of data protection whether the device is under
MDM management or not. By providing security and control at both the device and app level, IT can further reduce the risk of data
loss, more readily embrace BYOD, and ensure an uncompromised employee experience.

THE GOOD COLLABORATION SUITE


For organizations that are looking to increase mobile productivity, the Good Collaboration Suite delivers on high usability and security.
It offers MDM-level security, but takes it to the next level with containerized Good apps that also deliver a powerful, business-class
experience. The Good Collaboration Suite includes Good for Enterprise, Good Share and Good Connect, all containerized mobile
apps that provide secure access to email, calendar, contacts, tasks, instant messaging, browsing and document sharing.
Good for Enterprise: Good for Enterprise is a Good-secured app that provides secure email, calendar information, contact details,
browser access, task management and document data. It delivers a consistent and tailored experience across multiple devices on
Android, iOS and Windows Phone 8. Used by the majority of the Fortune 100, Good for Enterprise provides enterprise-grade
productivity enhancements that users expect (especially legacy PC users) when using Exchange and Domino, such as conference
call dialing from a calendar invite; attaching documents to meeting requests; forwarding of meeting requests; free/busy visibility in
calendar invites; and more. For certain regulated industries where encryption of the email content is mandatory for compliance, Good
for Enterprise supports S/MIME, securing access to the email through certificate-based authentication. Mobile email messages are
encrypted and signed to ensure privacy and integrity. With Good for Enterprise, IT can deploy an enterprise-level mobile email solution
that meets all their security and compliance needs while enabling a powerful business experience on mobile devices.
Good Share: File sharing capabilities are considered critical for mobile collaboration. In Good Technology's Mobility Index Report for
Q2/Q3 of 2013, document editing came out on top as the largest single commercial app category, securing 56 percent of activations.
Good Share is a Good-secured app that enables mobile business users to securely access, download and share documents by
integrating with SharePoint and other network file servers using their device of choice. It enables secure offline synchronization of files
between the device and the corporate repositories.
Good Connect: When users are mobile, it is challenging to reach the right person at the right time. Good Connect is a Good-secured
app that enables mobile users to check the presence status (online, offline, away, etc.) of their colleagues and securely instant
message with them using their preferred communication tool (email, IM, phone call), thus improving productivity.

Mobile Device Management: Integrated device and application management capabilities provide IT with full visibility of devices
under MDM management. IT can easily provision new devices, enforce security policies and remote wipe just the organization's data
or the entire device.

SECURE CONFIDENTIAL INFORMATION AND BOOST PRODUCTIVITY


Unique Mobile App Containerization
The Good Collaboration Suite limits business risk associated with having your organization's data on mobile devices by leveraging
Good's unique app containerization technology that securely isolates the organization's data on a mobile device. Good's app
containerization enables creation of Good-secured apps that allow IT to control only the organization's data, leaving employees'
private information untouched.
For example, attachments and other corporate documents accessed via the email client or secure browser in Good for Enterprise are
stored within the Good for Enterprise container and cannot be accessed by third-party apps. Because of the app-level controls enabled
by app containerization, IT can now require complex passwords only at the application level, where it matters most, rather than at
the device level. Users will not be inconvenienced when they want to use their smart device for personal reasons, e.g., a
phone call, a Facebook update or a tweet.
To protect the app data at rest and in use, Good's app containerization uses FIPS-validated cryptographic libraries that are
independent of the device. This allows IT to ensure the highest level of data security, as all of the apps in the Good Collaboration
Suite encrypt any data that is stored on the device (an email, a document, an IM). Additionally, since the encryption is
device-independent, IT no longer has to worry about devices that may not natively provide encryption. With this container-based approach, IT
can allow users to have open access to their personal apps and data, confident in the knowledge that the organization's data remains
secured within the app container.
Benefits of Mobile App Containerization

Consistent security across multiple platforms. IT can rest assured that security policies are consistently applied regardless of
what security capabilities are available in the underlying operating system or device. Users will not be limited to a
single platform.

Respect employee privacy. IT can manage corporate data on personally owned devices while respecting employee privacy. By
applying policies at the app level, IT can implement and enforce strong enterprise-grade policies for passwords, timeouts,
and other security controls without requiring MDM and impacting the employee's overall personal experience.

Freedom of choice. Since app containerization separates personal and work data and provides policy controls at an
application level, IT can more readily embrace BYOD programs. IT manages only the corporate data. For example, rather than
remote wiping the entire device, IT can wipe only the corporate data, leaving personal data and apps intact. Employees
can use their own mobile devices, confident in the knowledge that they will not have to compromise on their privacy or
personal use experience.

Secure Workflows
Instead of simply protecting apps in walled-off silos, Good's mobile app containerization supports secure app-to-app data sharing.
From each of the apps in the Good Collaboration Suite, it is possible to call app features in the other apps. For example, Good Share
integrates with Good for Enterprise and Good Connect, enabling easy and secure file sharing. Because of this integration, users can
easily attach a file accessible via Good Share when composing an email in Good for Enterprise or link to a file accessible via Good
Share from their Good Connect instant message. This app-to-app data sharing allows users to use the Good Collaboration Suite for the
workflows that they need in order to be most productive when using the organization's data on their mobile devices. At the same time,
because the data is shared securely between apps, IT retains constant control.

A Trusted Secure Architecture


In addition to unique mobile app containerization, Good also provides a trusted secure architecture that connects the containerized
Good-secured mobile apps to behind-the-firewall resources (e.g., the Good Share app in the Good Collaboration Suite connects to
the corporate SharePoint server). This is beyond the capabilities of an MDM-only solution as it provides end-to-end, wireless,
real-time collaboration and enterprise application access supported by comprehensive security. Good's approach to secure mobility helps
IT overcome the shortcomings of MDM-only solutions and embrace consumer-owned devices, and consequently increase employee
productivity. IT can also continue to deploy corporate-owned smart devices, while maintaining high levels of security and assurance in
both device populations.
The Good Collaboration Suite provides mobile professionals with the apps they need to be productive while giving IT the means to
secure and manage a diverse fleet of smart devices. The data path through Good's trusted architecture is encrypted end-to-end: from
the enterprise servers behind the firewall, all the way to wireless handhelds.
Good's trusted secure architecture has five key elements:

1. Authentication. Good provides IT with the administration tools necessary to define strong authentication policies, enforced
consistently across platforms. Also, IT can define policies to wipe any of the Good-secured containers and its data for failure
to provide the correct password after a set number of failed attempts. Strong policies let IT disable sequential numbers
in passwords, require special characters and more. When strong over the air (OTA) policies are deployed, only employees that
are authenticated can connect to the Good network operations center (NOC).

2. Data Protection. With any of the apps in the Good Collaboration Suite, IT can be confident that the organization's data is
protected even when that data is on a device with potentially insecure consumer apps, downloaded from a public app store
such as the Apple App Store℠ or Google Play™. It's possible because all Good-secured apps encrypt the organization's data
with strong encryption. In addition to a secure container, Good-secured apps also encrypt any data that's in transit between
the device and servers behind your firewall. So data protection extends all the way from the firewall to the device,
irrespective of whether the device is company-owned or employee-owned.

3. Enforcing Access Controls. With Good-secured apps, administrators can restrict access to Good servers, based on a particular
device OS and/or the version number of the client app. With Good for Enterprise, IT can distribute management tasks across
a hierarchy of administrators using role-based administration that offers a set of roles with varying permissions for
administering the Good for Enterprise server and any employee devices that are under MDM control. Routine tasks, such
as loading of software, can be delegated to a wider group of administrators across multiple locations. More restricted tasks,
such as setting global policies or remotely erasing a handheld when lost or stolen, can be limited to a smaller group.

4. Securing Network Access. A key component of Good's trusted secure architecture is that the behind-the-firewall Good server
establishes an outbound connection to the enterprise firewall, so there's no need to open inbound ports and expose the
enterprise network to attack. In addition, network traffic between the device and the server is always encrypted with AES
192-bit encryption. Good employs a network operations center (NOC) in its architecture, which brokers requests from
Good-secured apps to behind-the-firewall resources. The Good NOC only services encrypted packets, so it provides the
additional functionality of authenticating devices to the network, granting access only to devices that have been provisioned
to access their respective servers and services, thus preventing rogue devices from gaining access to the network.

5. Securing the Platform. Protections are available across platforms, with policy controls that include strong encryption of
data (OTA and data at rest), remote wipe of only the Good-secured container or full device wipe for those devices that are
under MDM management, and detecting jailbroken or rooted devices. Additionally, for devices under MDM management
there are policies available to impose app-level restrictions if that's what your business needs. For example, on an iOS
device, IT can disable use of FaceTime, YouTube, Safari, and more.

Good for Enterprise Security Assurance


With email perhaps being the most important tool for collaboration, the cryptography used to protect the Good for Enterprise client
app container and associated app data has been successfully validated to FIPS 140-2 Level 1 by NIST-approved labs. Data in transit
is protected with AES 192-bit encryption, all the way from the firewall to the device.
Additionally, Good Technology has received Common Criteria EAL-4+ certification for Good For Enterprise. Covered in the certification
are the Good For Enterprise client apps for iOS and Android, and the Good Mobile Messaging Servers (for both Domino and Exchange)
and the Good Mobile Control server infrastructure components.
Intelligence agencies and defense organizations such as the Defense Information Systems Agency (DISA), the U.S. Army, the U.S. Air
Force, and the Department of Homeland Security (DHS) have tested Good for Enterprise and approved it for their most
sensitive deployments.

EMBRACE MOBILITY WITH CONFIDENCE


While many MDM solutions have shortcomings that could potentially lead to corporate data loss, organizations can be confident that
the Good Collaboration Suite provides security beyond basic MDM capabilities, while respecting employee privacy and enabling more
productive users.

ABOUT GOOD TECHNOLOGY


Good Technology is the leader in secure mobility, providing the leading secure mobility solution for enterprises and governments
worldwide, across all stages of the mobility lifecycle. Good's comprehensive, end-to-end secure mobility solutions portfolio consists
of a suite of collaboration applications, a secure mobility platform, mobile device management, unified monitoring, management and
analytics and a third-party application and partner ecosystem. Good has more than 5,000 customers in 184 countries, including
more than 50 of the FORTUNE 100 companies. Learn more at www.good.com.

Global Headquarters
+1 408 212 7500 (main)
+1 866 7 BE GOOD (sales)

EMEA Headquarters
+44 (0) 20 7845 5300

Asia / Pacific Headquarters
+1 300 BE GOOD

© 2014 Good Technology Corporation and its related entities. All use is subject to license terms posted at www.good.com/legal. All rights reserved. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR
ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD VAULT and GOOD DYNAMICS
APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners.
Good's technology and products are protected by issued and pending U.S. and foreign patents. 07/14 Rev. 07022014
