MDM systems can help IT security managers secure the sensitive corporate data that is frequently stored on those devices, but MDM systems by themselves fall short of a full security approach. That's because they're blind to unmanaged devices on the network, often only register settings on the mobile endpoint itself, and are often operated as a separate IT management silo usually concerned with smartphones and tablets, not the broader set of network devices. So, SAP set out to do something about that for its own internal operations, with a security integration with the ForeScout CounterACT network security platform. It worked so well that the IT giant went on to test NAC and MDM interoperability to expand visibility and control. For more effective endpoint and mobile security, it's clear that IT security managers need a unified approach for consistent policy management, access control, compliance monitoring and reporting across all network tiers and endpoint devices.
In the combined solution, ForeScout network access control (NAC) provides network visibility and control for IT managers, and SAP provides a way to implement and enforce mobile device policies. Together they provide unified visibility and reporting for all mobile endpoint devices, including PCs, smartphones, tablets and laptops, for better management of appropriate access to corporate resources, data and applications.
The genesis of the solution was SAP's own unwieldy device landscape, which was crying out for this kind of solution, particularly since the company has fully embraced mobility from the beginning of the connected device era: its initial purchase of tens of thousands of iPads was one of Apple's first big enterprise purchase orders.
"The goal was that we sell mobile solutions, so every employee should be mobile themselves," said SAP Afaria product manager Don Coop, in an interview with Infosecurity. "But then we got into the BYOD era, and the realization that there's a lot more to it than just determining whether to let a device on the network."
SAP's IT group had a clear use case for putting these things together and had done that integration for themselves first, he added. "We're a big global IT company with about 50,000 to 60,000 employees and all of them have mobile devices. So our own IT wanted a centralized place where they could make sure that every device is accounted for on the network. That means mobile phones, but also Linux and Windows machines, Macs, IP phones, printers, the projectors in the conference rooms and our switches. All of that needs to be accounted for, which is challenging at the best of times. Also, we're a multivendor company that has grown through acquisitions so there's added complexity there, plus, there are different rules for governance and risk per geography. CounterACT brought all of these pieces together."
Another key benefit for SAP given such a large user base was that the solution is clientless, reducing overhead for IT. "Putting software on all of these devices was a non-starter," Coop said.
SAP also has very strict compliance requirements because it does business with regulated industries, so anything it uses must be shown to be secure and within regulatory parameters. "To prevent unknown access and make sure we're security-compliant in handling our customers' information, we have to make sure that for every device that connects to the network, we have a process for quarantine and a remediation process; this does that," Coop explained.
While it has its own unique mobile challenges, SAP realized that the core of the product integration (NAC and MDM) would be widely applicable to others, and it decided to make it an official part of its MDM ecosystem strategy, working alongside ForeScout and others, noted Chris Hazelton, research director for mobile and wireless at 451 Research, in an interview. Hazelton said that there is certainly pent-up demand: 451 Research shows that only 59% of IT decision-makers have any kind of mobile policy strategy, while another 25% are in the process of establishing one. That leaves 14% that don't have a policy at all.
And of those with a policy or developing one, when asked if there's anyone specifically responsible for mobile strategy, only 53% said yes. The rest have no one that guides and grows the mobile arena. "We've been seeing an era of austerity in IT going back to 2007, and more often than not when they actually are investing, they're not investing in mobile," he added. "This combination lowers some of the barriers."
So far, response has been positive for the solution. "What I'm hearing from customers is that managing network access works with a mobile device management system to add a lot of value, and it's very straightforward and simple," Coop said. "Our industries are converging to make CIOs sleep a little better, basically. Security is top of mind for Fortune 2000 companies and it keeps coming up and gets extended to more and more methods of access and more and more devices. This is a straightforward solution that solves worries about how employees are, say, accessing email, which is the app for every company."
The integration can be used to solve several common mobile security challenges. For instance, IT departments can use CounterACT to see and detect all unmanaged, corporate and personal mobile devices, such as iPads, iPhones, Androids and other devices attempting to connect to the corporate network via Wi-Fi or over the air, thus providing better control over BYOD environments and security policies. It can also trigger SAP Afaria to profile-check managed devices in order to detect jailbroken, rooted and non-compliant handhelds and to restrict access until the device adheres to policy.
Corporate IT can also use the combined product approach to readily apply security policy based on user, role and device in order to automatically limit access, manage the device as a guest or enroll it in SAP Afaria MDM, and can fortify a range of user, device, application and data policies through network-enforced controls, such as password strength, configuration, application use, encryption and data protection. Compliance rules engines at the device and network level support on-demand and automated responses such as reconfigure, remote wipe and network reassignment.
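To make the NAC-plus-MDM policy flow described above concrete, here is an added illustration (not ForeScout or SAP code, and not from the article) of the per-endpoint decision such an integration makes: the NAC sees every device, the MDM profile check supplies the compliance flags for managed handhelds, and the outcome is allow, guest, enroll or quarantine. The device types, role names, compliance flags and inventory records are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "allow"               # full corporate access
    GUEST = "guest"               # internet-only segment, no corporate data
    ENROLL = "enroll"             # steer the device to the MDM enrollment portal
    QUARANTINE = "quarantine"     # remediation VLAN until the device meets policy

@dataclass
class Endpoint:
    mac: str
    device_type: str              # constructed: "iPad", "Android", "printer", ...
    user: Optional[str] = None    # None for headless devices (printers, projectors)
    role: Optional[str] = None    # constructed: "employee", "contractor", ...
    managed: bool = False         # enrolled in and reporting to the MDM
    jailbroken: bool = False      # MDM profile check: rooted or jailbroken
    encrypted: bool = True        # MDM profile check: storage encryption on
    passcode_ok: bool = True      # MDM profile check: passcode meets policy

MOBILE_TYPES = {"iPad", "iPhone", "Android"}
# Constructed inventory of headless devices the NAC already accounts for
KNOWN_HEADLESS = {"00:11:22:33:44:01"}

def decide(e: Endpoint) -> tuple[Action, str]:
    """Apply the combined NAC+MDM policy to one endpoint seen on the network."""
    if e.device_type not in MOBILE_TYPES:
        # NAC-only path: the MDM never sees printers, projectors or switches
        if e.mac in KNOWN_HEADLESS:
            return Action.ALLOW, "inventoried headless device"
        return Action.QUARANTINE, "unknown non-mobile device"
    if not e.managed:
        # Unmanaged handheld: employees are steered into enrollment,
        # everyone else is handled as a guest
        if e.role == "employee":
            return Action.ENROLL, "employee device not enrolled in MDM"
        return Action.GUEST, "personal device, non-employee"
    if e.jailbroken:
        return Action.QUARANTINE, "jailbroken or rooted"
    if not (e.encrypted and e.passcode_ok):
        return Action.QUARANTINE, "non-compliant profile"
    return Action.ALLOW, "managed and compliant"

def evaluate(endpoints: list[Endpoint]) -> dict[str, Action]:
    """Decision per MAC, the view an IT manager would get from the NAC console."""
    return {e.mac: decide(e)[0] for e in endpoints}
```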
"Organizations are looking for an integrated approach to manage and secure the invasion of employee-liable devices connecting to corporate networks, particularly at a time when BYOD is so prevalent," said Hazelton. "We see strong synergy between network access control (NAC) and MDM in their capabilities to provide visibility into devices regardless of ownership, corporate or personal. The pairing of NAC with MDM technologies offers organizations the means to easily identify who and what type of device is connecting to the enterprise, to automatically enroll and monitor roles-based controls for any device and user, and to secure the growing movement of corporate data across smartphones and tablets."