If there are any lingering doubts that mobile devices have profoundly transformed today’s business, one study finds that using smart devices for productivity is “now the standard.” Most organisations are now commonly making line-of-business applications accessible from mobile devices.
Once mostly prohibited by IT, smartphones and tablets—such as Android-based phones and Apple iPads—are now being used by hundreds of millions of employees worldwide to access, transmit and store corporate information in today’s 24×7 business environment. This “extended enterprise” introduces new challenges and complexities for IT. Not surprisingly, security has emerged as the No. 1 challenge posed by the BYOD (“bring your own device”) trend. IT organisations are concerned with device loss, data leakage and unauthorised access to corporate resources, as well as the growing use of “guest access” to corporate networks.
In response to these perceived risks, organisations have begun implementing a range of data security measures. Traditional approaches involve perimeter-based security controls such as firewalls and smart screen filters. But no amount of perimeter defence can protect data accessed by and subsequently stored on and transmitted by smartphones and tablets, especially outside of enterprise control.
Five Things to Know About Mobile Data Security:
There are three mission-critical areas in which mobile data must be protected without disrupting user productivity:
• To protect e-mail communication that contains sensitive information and is subject to regulatory compliance.
• To protect sensitive business data and files.
• To protect transaction data captured by new mobile payment methods.
Even as security threats loom, informed organisations have an advantage. These five tips can make or break mobile data security efforts:
1. It’s all about securing data.
In an ideal world, sensitive data travels in well defined paths from data repositories to a well understood set of applications. In the real world, however, data travels everywhere, anytime, with constantly shifting applications running on an evolving set of platforms. The data lifecycle is often complex, extending beyond the container and the application—even outside the enterprise into offsite backup services, cloud analytic systems and outsourced service providers. Not to mention the onslaught of user-owned devices making their way into the fold. So although armouring applications and devices is one dimension in establishing a defensive posture, it isn’t the entire answer—nor is the installation of security solutions from a wide range of vendors. There will be security gaps that eventually impede enterprise risk management and user productivity. Rather, data security is a multi-pronged risk challenge that requires a data centric approach across all dimensions.
2. Assume you’ve been breached.
That’s the unsettling opinion of Shawn Henry, the U.S. Federal Bureau of Investigation’s top cyber security officer. Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal that current approaches to fending off hackers are “unsustainable.” FBI agents increasingly come across data stolen from companies whose executives had no idea their systems had been accessed. “We have found their data in the middle of other investigations,” he told the Journal. “They’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.” The challenge is only compounded by the proliferation of smartphones and tablets. Henry said companies need to make major changes to avoid further damage to national security and the economy.
3. You don’t need an entirely separate strategy to protect your mobile data.
Mobile devices are endpoints that require the same attention that is given to PCs and laptops. Many of the same processes and policies that are leveraged for PCs and laptops are applicable to mobile platforms. Still, mobile devices are built for connectivity; the personal nature of these devices, combined with the inability to regulate or monitor user activity, means that the focus of protection must change. Simply adding another “point solution” isn’t the answer. Enterprises need to make mobile data security part of their risk management strategy—consistent with desktop and laptop security—without compromising the user experience.
4. You don’t have to forfeit usability for security.
The primary purpose of smart device adoption is to improve productivity for a geographically distributed and highly mobile workforce. Security mustn’t be a barrier to productivity. Still, current mobile security solutions focus on creating boundaries within the devices on which data can be stored and accessed. When encryption is used, it’s typically non-user-friendly, non-application-specific and lacks granular policy controls. Additionally, it usually relies on a traditional key management approach that requires massive investment to scale in today’s environment. Security for mobile data must be as transparent as possible without losing effectiveness, and it must not intrude on familiar user experiences—yet it has to provide IT with the control it needs in order to ensure security at the data level.
5. Compliance doesn’t equal security.
Compliance relevant to IT systems is now being extended to mobile devices—and for very sound data risk reasons. Companies must understand how these same data privacy, regulatory compliance and risk management practices should be applied to the mobile and cloud platforms. But being certified compliant or using solutions that help achieve compliance doesn’t always translate into effective data security. For example, a desktop computer stolen from a California health care organisation was password-protected but unencrypted. The theft potentially exposed the personal information of nearly four million patients.
Mobile Security in the Real World
Over the years, companies have taken numerous approaches to mobile security. These have ranged from banning such devices altogether from the corporate network to remotely “wiping” corporate data in the event of the loss or theft of a device, to adopting a “container” approach to protect mobile apps and data. None of these approaches is satisfactory. In a data-centric approach to mobile security, data (both structured and unstructured) is encrypted as soon as it’s acquired. It remains encrypted as it is used, stored or moved across data centres, public and private clouds and devices, to be decrypted only by the intended party. The goal is to devalue or “kill” data, so that even in the event of a breach, the encrypted data will have no value to cybercriminals. And data is protected without disruption of user productivity.
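As an added illustration of the data-centric approach described above (this is example code written for this page, not Voltage's product or any code from the original post), the Go program below encrypts a sensitive field at the moment a record is captured, using AES-256-GCM from the standard library, and binds the ciphertext to the record's identifier as associated data. The record type, the sample values and the key-handling helpers are constructed for the example; in a deployment the key would come from a key-management service rather than be generated next to the data. The point it shows is that the stored form carries no plaintext, and that a copy taken from a lost device, a backup or a cloud store cannot be opened without the key or re-attached to a different record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is a constructed example of a line-of-business record captured on a
// mobile device: an identifier and one sensitive field.
type Record struct {
	ID      string
	Payload string
}

// NewKey returns a fresh 256-bit AES key. This stands in for a key-management
// service; the key must never be stored beside the sealed records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the sensitive field at capture time with AES-256-GCM. The
// record ID is passed as associated data, so the ciphertext only authenticates
// for the record it was created for. Output is base64(nonce || ciphertext+tag).
func Seal(key []byte, rec Record) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(rec.Payload), []byte(rec.ID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open decrypts a sealed field for the record with the given ID. A wrong key,
// a wrong ID, or any modification of the stored value fails authentication.
func Open(key []byte, id, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPlaintext reports whether the stored form still contains the sensitive
// value; the data-centric goal is that it never does, wherever the copy ends up.
func LeaksPlaintext(sealed, plaintext string) bool {
	return strings.Contains(sealed, plaintext)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; the payload is an invented value.
	rec := Record{ID: "txn-0001", Payload: "ACCT-9988 balance 1200.00"}
	sealed, _ := Seal(key, rec)
	fmt.Println("stored form:", sealed)
	fmt.Println("plaintext visible in stored form:", LeaksPlaintext(sealed, rec.Payload))
	back, err := Open(key, rec.ID, sealed)
	fmt.Println("opened by intended party:", back, err)
	_, err = Open(key, "txn-0002", sealed)
	fmt.Println("re-attached to another record:", err)
}
```

The associated-data binding is what makes this more than "encrypt the disk": a ciphertext lifted from one record and dropped into another fails to open, and the key, not the device or the container, is the only thing that turns the stored bytes back into data.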
Take Action Now
Mobile devices aren’t going away, and BYOD and “the consumerisation of IT” aren’t fads. These trends are quantifiably improving corporate agility, but the security risk is real.
Traditional security approaches lock down the infrastructure, but that’s not the target for today’s cybercriminals. They want sensitive data, which is valuable; easily monetised; and increasingly on the move, into and out of IT infrastructures. And they fully understand where and when to find “data in the clear,” when it’s most vulnerable, and they’re willing to wait.
But waiting is one thing you can’t afford to do. Data is key, and a data-centric approach to mobile security with encryption helps keep sensitive data safe wherever it goes, however it is used and throughout its lifecycle. Ultimately, it mitigates the risk of data breaches and other threats so mobility can be leveraged to its fullest potential. And isn’t that the goal of any security measure?
About the Author:
Dave Anderson currently serves as the Senior Director for Voltage Security, where he is responsible for developing market strategy, delivering new technology solutions to market, and managing global campaigns and programs for Voltage’s data protection and encryption solutions. Prior to Voltage, Dave led marketing and program strategy for McAfee, SAP, and VeriSign.
Dave has 20 years of experience within business strategy, marketing, and product development at leading technology and services firms, including SAP, ArcSight/HP, KPMG, and VeriSign, and has worked extensively across Asia and Europe in delivering market and industry security solutions. His expertise focuses on strategy and planning, marketing, and operational governance.
Dave received his MBA from Duke University, the Fuqua School of Business in 2010. He has been published in multiple industry and technical journals, and is a frequent speaker on risk management, corporate governance, security, and strategy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.