James Maguire, editor-in-chief of eWeek, recently interviewed Jason Meller, chief executive officer of Kolide, a zero-trust access company for organizations that use Okta. In this interview for TechRepublic, they discussed the challenges businesses face with mobile device management as well as possible solutions. The following is an edited transcript of their conversation.
Challenges in the MDM market
James Maguire: The mobile device management market is pretty hot — it saw about $5 billion worth of revenue last year, and it’s growing about 20–25% a year. One pundit predicted that it would hit $21 billion by the end of this decade.
There’s a lot of growth, but not everything is perfect for those companies. What are some of the challenges involved with this fast-growing market?
Jason Meller: The mass amount of growth is primarily being driven by the new compliance standards that are really coming to bear. A lot of companies that are selling business to business, particularly SaaS companies, have to pass new style audits like SOC 2, which really require that devices are under some kind of management.
That’s where mobile device management really comes into play. For the first time — before they’re really needing to and from an IT perspective — they fundamentally need to pass these audits. They’re finding these devices, they’re putting them under management and they’re buying MDM style solutions for them.
When they go to look for those solutions, they’re looking to solve every single IT management and security challenge with this one thing. Unfortunately, MDM isn’t really good at solving everything. It’s particularly good at getting the device initially in the state that you want it in — from a security perspective, making sure that right out of the box it has disc encryption and the firewall is on. But once the end user gets to use it on a daily basis, that’s where the story starts to fall apart, and it happens relatively rapidly.
For instance, one of the most important things that you have to reason about in the security space is making sure that the computer has its latest patches, and not just the computer, but also the web browser and other critical software.
MDM doesn’t have a great answer to that. In fact, most of the companies that we talk to, despite rolling out MDM, still have significant lag time between when the device is fully patched from when the device is offered the patch. That lag time can often be in the order of weeks; sometimes, it’s even longer than that. These patches contain critical things that you need to install — otherwise, you could be the victim of a drive-by malware attack.
Reducing that lag time isn’t something that MDMs have been particularly good at. So far, IT admins have been faced with building their own solutions that rely on forcing reboots to make sure those things are happening, but that’s just one of many things.
Anything that requires nuanced, end-user consideration, where the user really needs to think “when do I want to do this? Is this a sensitive data device?” MDM just doesn’t have an answer for it. And those are things that are really important — just as important if the device itself is encrypted.
MDM security wake-up call
James Maguire: Those are some of the challenges in the market. Why is now such an important time for MDM? What issues are most urgent for companies to address?
Jason Meller: There’s a number of things that are driving the adoption of increasing the security and compliance of devices. I already mentioned these compliance audits like SOC 2 and GDPR. Those are things that are driving it.
There’s also this recent wake-up call. IT and security administrators have realized there are a number of companies right now that are getting hacked, and the way that they’re getting hacked is that these devices are being compromised because they’re not being up-to-date in a timely manner. Users are authenticating, usually via some sort of SSO provider, by signing in with their username and password and following that up with two-factor authentication.
It turns out that two-factor authentication isn’t good enough to resist the more recent attempts at phishing. We saw recently with one of the major hacks — Uber’s a good example of this — where the attacker was able to convince and trick that user into either sharing their passcode or, in Uber’s case specifically, to actually tap a button on their phone to confirm the two-factor access.
SEE: Mobile Device Security Policy (TechRepublic Premium)
If you had asked IT administrators just a year ago if two-factor authentication is sufficient, they would’ve all said yes and that it’s an industry standard. Since these hacks, suddenly people are thinking two-factor isn’t enough anymore. We really need to ensure that devices are the things used to tie-in with the authentication.
That’s what’s driving this idea of zero-trust methodology. These are major initiatives that many companies are taking on, and part of that is making sure the device is known to the company, trusted and in the right posture. That’s really driving the focus on this area right now.
Kolide’s MDM-related solutions
James Maguire: Let’s take a minute to drill down your company’s offerings. How is Kolide addressing the MDM needs of its clients? What’s the Kolide advantage in terms of the overall market?
Jason Meller: Kolide was founded on the premise of not trying to extract the end users out of the problem. The end users have the most context in what they’re doing, so how do we leverage their time and attention to get the device in its most secure state possible?
Now, this would’ve been a fool’s errand if you asked IT and security administrators. End users are typically perceived as the enemy, or at least the source of many of these compromises. We read about it all the time, but Kolide sees much potential in end users being able to assist IT and security teams.
Fundamentally, MDM software is constrained by one reality: In order for you to be able to fix the problem, it must be something that can be automated. It must be something where the end user isn’t involved at all, and you have to force it. that requires really careful coordination with the OS vendors, and it’s a limited way to ensure security and compliance on a device.
There are much more nuanced instances. We mentioned updates as one of them earlier, but let’s think about another one like sensitive data on the device. I can’t tell you the amount of engineers or customer service reps that have this treasure trove of sensitive information that’s just sitting in their downloads folder.
What’s the MDM solution for that? There really isn’t one. You can’t go in there and just try to find it automatically and delete it. What if the user was in the process of using it? What if they really needed it? You need the end user to collaborate with you to solve a lot of these challenges.
That’s what we’ve set out to do inside of Kolide. We endeavor to create a product that enables that type of conversation between the IT administrators and the end users. What are the components that make that possible? With Kolide, what we’ve stumbled upon is that if you use the authentication flow, when you’re signing in to anything, we say:
“Your device is not in the state that we would like it in before we let you access all of this sensitive data. Please do X, Y and Z, and if you do those things, only then can you sign in.”
That’s never been tried before in a meaningful way in our industry, and that’s exactly what Kolide does. We present you that message, we give the end user step-by-step instructions on how to fix it and then they do fix it. That’s the key, because if they don’t fix it, they can’t sign in and do the things that they need to do for their job.
What we found is that end users understand that. It’s a very transactional cause-and-effect type of thing. They understand if their device isn’t properly secured, then they shouldn’t have access to the company’s most sensitive intellectual property or data. If they’re not doing their updates on time, then yes, that makes sense, they shouldn’t be able to get access to the keys to the kingdom.
That simple nuance in how that interaction works can drive so many more compliance initiatives inside of your organization. If you can enumerate to an end user how to fix an issue, then Kolide can be the solution to get that metric to 100%. That’s never been possible before. That’s what’s so fundamentally different about our offering compared to a traditional automated MDM provider.
You can keep your MDM provider too. This isn’t an either/or. Use the current MDM for what it’s good for: Make sure that file vault encryption is on. Beyond that, get the end users to solve a lot of these issues. You’ll find that to be a much better long-term solution, and Kolide’s created a product to allow you to do that at scale. That’s really what we’re offering.
James Maguire: Kolide is requiring the users to be more involved and more invested in their own security process?
Jason Meller: Yes. In order for you to be able to communicate to an end user, you have to explain not just the what, but the why. Why is this important? Why does it matter that I don’t have my two-factor backup codes sitting on my desktop? The end user may not know why, but by getting them to fix it and then teaching them the why, the recidivism rate — whether they’re likely to do it again — is going to be extremely low.
We’ve also seen that on the update side as well. When customers have deployed this, users learn very quickly what the system is really looking for intuitively. Then, the next time they’re in their web browser and they see that little badge, they think: “Oh, it’s time to update.”
They don’t wait for it to turn crimson red anymore. They click it right away, because they know if they don’t, the company is going to eventually block their access to a number of different apps that they need to do their job. They start to learn to preemptively anticipate and do that.
That’s been the goal of IT security training since its invention. Now, with the right type of system and process in place to encourage that behavior, we can actually achieve it. That is novel, as far as I know. I don’t think that’s ever actually been achieved, not just attempted, but that’s what we’ve done.
Predictions about the future of MDM
James Maguire: Let’s look ahead to the future of MDM. What are a few key milestones we can expect, and how can companies get ready for them now?
Jason Meller: The future’s going to be really interesting when it comes to mobile device management. We’re already seeing a lot of these shifts. We’re in the midst of many of them.
The biggest shift that we’re starting to see is that the diversity and types of devices that end users are using to do their work is increasing. I can’t tell you the amount of companies that have come to us because they have an increasing number of Linux devices that are coming in, and they don’t have any answer for that. There is no MDM for Linux at all, so they’re asking how to solve the issue. The diversity of devices is going to continue to increase.
Since the pandemic, the amount of folks that are working remotely is like toothpaste that’s out of the tube — you’re not putting it back in. We need to be in a position as security and IT practitioners to enable these remote workers to be secure from any location with any possible device. As that becomes the challenge, trying to centralize all the management under one OS vendor or one type of MDM product becomes really problematic.
SEE: BYOD Approval Form (TechRepublic Premium)
What’s the common thread that runs among them? It’s the end user. The end users are the key to leveraging their own ability to change the settings on their computer to actually get their computers in the right state. We think that’s the future.
The thing that we see as a fundamental change in the future is how two-factor authentication is now being subverted by attackers. I mentioned this earlier. We think that’s going to increase over time, and what comes into consideration with that is how people are structuring their network security architecture and how they’re protecting these systems.
We may think of things like the VPN, which is the classic way of creating this strong, outer barrier, and then once you’re into the private network, you’re in. We think that that’s going away. We think that zero trust — or BeyondCorp, as Google has called it — will be the thing that actually drives more modern network-style architectures for accessing apps.
SaaS apps have taken over our world. We don’t see that going away. We think more and more apps you use on a regular basis for business are going to be SaaS based, and they’re going to be accessible potentially by any device. The future really relies on organizations understanding that they need to control which devices truly can access those apps. Zero trust is going to be the major initiative that organizations embark on to actually solve that problem.
Read more: Zero trust: Data-centric culture to accelerate innovation and secure digital business (TechRepublic)