
Understanding Mobile Application Management (MAM) for 365 - Zero Trust


For those who do not consider themselves tech-savvy, the terms “mobile application management” and “zero trust” may mean nothing. Even business owners with a grasp of the foundations of cybersecurity may not fully understand them, because both are relatively new. Understanding mobile application management (MAM) for Microsoft 365, and knowing how to fit it into a zero trust model, matters: together they protect your data and block unauthorized access. Let’s break down the individual concepts and then look at how they come together to strengthen your security.


What is Mobile Application Management?

Mobile application management is a technique for protecting data at the identity and application level rather than the device level. MAM consists of a set of policies that protect specific data through encryption and authenticated user access. These policies cover everything from where the data may be stored to who may access it and what they may do with it.

When you implement MAM for 365, the relevant policies are delivered to (or updated on) the user’s device and enforced inside the Microsoft 365 apps the user has access to. If the user opens Microsoft Word and attempts to access a document stored in the cloud, the request is checked against the applicable policies, and if the user is not authorized the access is denied. This is a simplified picture of how MAM for 365 works, but it conveys the basic process.

Managed IT services also use MAM as a safeguard for lost or stolen equipment. It lets you remotely erase data from a device that has been stolen or compromised, and you can erase selectively rather than wiping everything. This means you can remove company data from an employee’s personal device without touching their personal data.


Mobile Application Management vs. Mobile Device Management

The use of personal devices for work was one of the driving forces behind the development of MAM for 365 and similar products. Before data was managed at the application level, it was managed at the device level. Mobile device management (MDM) is used to manage computers, laptops, and, most importantly, mobile devices. It can be applied to devices the company owns, and also to devices employees bring into the office.

Rather than securing applications and data, MDM focuses on securing the device. It enforces controls such as strong passwords, two-factor authentication, and automatic device locking to keep unauthorized users from getting into a device. MDM can lock devices remotely or wipe data from them, though this is more of an all-or-nothing option than a way to remove specific data.


How They Differ

MAM and MDM both provide security, but in different ways. MDM is primarily used to secure devices your business owns. You can lock down or remotely wipe these devices as needed. You control the device, and anyone who has access to the device has access to the apps and data stored on it. Users authenticate at the device level.

With MAM, however, users authenticate at the app level. Credentials are presented when accessing specific apps or features within those apps. This allows employees to use their own devices, and it lets you remove your company data without affecting the rest of the device.

Because they work differently, many companies implement both MDM and MAM. This applies several layers of protection to your systems. Together they let you control who has access to what data, who can use which apps, and how devices are secured if they are lost.

You can use MAM to add security to Microsoft 365. When a user signs in to a 365 app, the app retrieves the MAM policies assigned to that user from the service and applies them. The policies then determine what actions the user can take with company data. This works on any device: the user may be using 365 on a computer, a tablet, or their own phone. The policies are managed centrally, not on the device, and any company data the app keeps on the device is encrypted under the policy and can be selectively wiped.

The security, then, is tied to the user’s identity and the active policies, not to the device itself. Someone who gains access to the device still has to pass the sign-in and policy checks, and even if they do, they are limited in what they can do with the data.


Setting MAM Policies

The basis of MAM is its policies, so it is vital that you and any managed IT services partner you work with understand how to set them. With Microsoft 365, the policies are created as app protection policies in Microsoft Intune and assigned to groups of users; the Microsoft 365 apps enforce them once the user signs in. Once that is in place, you can begin creating and tuning your policies.

These policies can be fairly broad or very specific. Specific policies are stronger because they limit exactly what the user can do with company data. For example, you can prevent data from being copied or pasted into unprotected apps, block app data from being included in device or cloud backups, and disable screen capture or printing. You can configure options separately for Windows, iOS/iPadOS, and Android devices.
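The following is an added example, not code from the original post or from Microsoft: it creates one of the specific policies described above for Android, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the DeviceManagementApps.ReadWrite.All permission, and that the policy name is arbitrary; the two package IDs are the published identifiers for Outlook and Word on Android. Every restriction is set explicitly rather than left to the portal defaults, which is what makes the policy “specific”.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module and
# an admin who can consent to DeviceManagementApps.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$base = "https://graph.microsoft.com/v1.0/deviceAppManagement"

# An Android app protection policy. Each setting closes one of the gaps the
# text mentions: data leaving the app, backups, printing, screenshots, and
# unauthenticated use of cached data.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.androidManagedAppProtection"
    displayName                             = "MAM - Android - Corporate data"  # arbitrary name
    # Org data may only be sent to, and received from, other managed apps
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    # Clipboard: copy only into managed apps, but allow pasting in from anywhere
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    dataBackupBlocked                       = $true    # keep app data out of device backups
    saveAsBlocked                           = $true    # no "Save As" to unmanaged storage
    printBlocked                            = $true
    screenCaptureBlocked                    = $true    # Android-specific setting
    # App-level authentication, independent of the device lock screen
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    # Re-check the policy with the service regularly (ISO 8601 durations);
    # wipe app data if the device has been offline too long to be re-checked.
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P30D"
}

$created  = Invoke-MgGraphRequest -Method POST -Uri "$base/androidManagedAppProtections" -Body $policy -OutputType PSObject
$policyId = $created.id

# A policy does nothing until it is scoped to apps. Target the Office apps users actually use.
$targets = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.office.outlook" } }
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = "com.microsoft.office.word" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/androidManagedAppProtections/$policyId/targetApps" -Body $targets

# Read the saved policy back and check the settings that matter, rather than trusting the request.
Invoke-MgGraphRequest -Method GET -Uri "$base/androidManagedAppProtections/$policyId" -OutputType PSObject |
    Select-Object displayName, allowedOutboundDataTransferDestinations, dataBackupBlocked,
                  printBlocked, screenCaptureBlocked, pinRequired, periodOfflineBeforeWipeIsEnforced
```

The policy still has to be assigned to a user group before it takes effect, which can be done in the Intune admin center or through the policy’s assign action. Reading the policy back at the end is the check worth keeping: a typo in a property name is silently ignored by the service, so the only proof that a restriction exists is that it appears in the saved object.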


What is Zero Trust Security?

Now let’s look at what zero trust architecture is and how it works hand-in-hand with MAM to protect your data. As the name suggests, zero trust security means trusting no user, device, or connection until it has been verified. That may sound paranoid, but with sensitive information there is no such thing as being too careful. The foundation of the zero trust model is identity verification: everything revolves around ensuring that only the right individuals reach specific data or applications. It also limits the damage a compromised account or device can do, because every further access still has to be verified.

Older security methods focused on perimeter security. Picture a wall built around a vault: only authorized people could go through the door into the vault, and the wall kept out everyone else. Once inside, however, there was little or no additional security. Anyone who got through the door or breached the wall was free to do whatever they wanted.

Zero trust architecture shores up the weaknesses in the wall by adding security throughout the vault. In our illustration, the walls and vault remain. However, now every item in the vault is guarded by a security officer. If you want to take the item out, you have to show the officer your ID. If the officer doesn’t have you on their list, you cannot take the item.

This additional level of security is necessary for today’s workforce because more and more people work remotely and use their own devices. With users connecting from many locations, it is harder to know whom to trust. In the zero trust model, you trust none of them until they have verified their identity.


Deny Access by Default

Another part of zero trust architecture is denying everyone by default. No one gains access to any information until you explicitly approve them. The opposite approach, allow by default, requires you to proactively deny people access to what they shouldn’t see, and the chance of accidentally exposing sensitive data is greater because you can simply forget to lock someone out. With deny by default, a forgotten rule produces a blocked user who asks for access, not a data exposure.
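In Microsoft 365 the deny-by-default gate that ties MAM to zero trust is a Conditional Access policy: mobile sign-ins to Microsoft 365 are granted only when the client app is covered by an Intune app protection policy, and refused otherwise. The following is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph module, an administrator who can consent to Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and a placeholder group ID for your emergency-access (break-glass) accounts; the policy name is arbitrary.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module and
# an admin who can consent to the Conditional Access permissions below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: the object ID of your emergency-access group. Never create a
# deny-by-default policy without an excluded break-glass group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$caPolicy = @{
    displayName   = "CA - Require app protection policy for Office 365 on mobile"  # arbitrary name
    # Report-only first: sign-in logs show who WOULD be blocked before anyone is.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{
        operator        = "OR"
        # "compliantApplication" is the Graph name for "Require app protection policy".
        builtInControls = @("compliantApplication")
    }
}

$uri     = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $caPolicy -OutputType PSObject

# Confirm the policy was stored in report-only mode with the expected grant control.
$created | Select-Object id, displayName, state
$created.grantControls.builtInControls
```

The policy is created in report-only mode deliberately. Review the sign-in logs for a week or two to see which users and apps would have been refused, fix those (usually by getting the app protection policy deployed to them), and only then switch `state` to `enabled`. Switching a deny-by-default rule on without that step locks out every user whose app is not yet managed, which is the same outage a forgotten rule would cause under allow by default, just in the safer direction.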


Log All Activity

Finally, zero trust involves logging all access activity. This gives you a record to consult if a data breach does occur: you can determine which accounts were active, when the breach happened, and what was accessed, and react much more quickly than you otherwise could. Monitoring this traffic may also give you other insight into your network, allowing you to make better decisions about system architecture in the future.


Work with the Right Partner

MAM for 365 and zero trust architecture are newer concepts that some managed IT services have not yet fully embraced. However, implementing them is vital if you want to keep cyberattacks, malware, and other threats at bay. That’s why you need the right partner to handle your IT services.

Wooden Spoon IT Support is constantly learning about and adopting new policies and ways of securing data and networks. We have fully embraced zero trust architecture and are ready to implement this policy through mobile application management. If you would like to learn more about how we can assist you in securing your data, reach out to us today.








Zach Mesel


Technology is in Zach’s blood. Zach spent much of his youth in his father’s cardiac research labs, either as a test subject for his father’s research, or playing games with his older brother on mainframe computers. Zach earned his BS in Management Information Systems in 1988 from the University of Arizona, and then worked for IBM in Boulder, Colorado, and Palo Alto, California until 1995. He started Wooden Spoon in 2002.