There is little doubt mobile devices have profoundly transformed today’s business world, with organisations now commonly making line-of-business applications accessible to their increasingly mobile workforce.
Once mostly prohibited by IT, smartphones and tablets are being used by hundreds of millions of employees worldwide to access, transmit and store corporate information in today’s 24/7 business environment. This ‘extended enterprise’ introduces new challenges and complexities for IT. Not surprisingly, security has emerged as the number one challenge posed by the BYOD (bring your own device) trend. IT organisations are concerned with device loss, data leakage and unauthorised access to corporate resources, as well as the growing use of ‘guest access’ to corporate networks.
In response to these perceived risks, organisations have begun implementing a range of data security measures. Traditional approaches involve perimeter-based security controls such as firewalls and smart screen filters. But no amount of perimeter defence can protect data accessed by, and subsequently stored and transmitted by smartphones and tablets, especially outside of enterprise control.
There are three mission-critical areas in which mobile data must be protected without disrupting user productivity:
- Email applications which contain sensitive information and are subject to regulatory compliance
- Sensitive business files and documents
- Transaction data captured by new mobile payment methods
Even as security threats loom, informed organisations have an advantage. These five tips can make or break mobile data security efforts:
1. Go beyond device protection, home in on the data
In an ideal world, sensitive data travels in well-defined paths from data repositories to a well-understood set of applications. In the real world, however, data travels everywhere, anytime, with constantly shifting applications running on an evolving set of platforms. The data lifecycle is often complex, extending beyond the container and the application - even outside the enterprise into offsite backup services, cloud analytics systems and outsourced service providers. Not to mention the onslaught of user-owned devices making their way into the fold. So although armouring applications and devices is one dimension in establishing a defensive posture, it isn’t the entire answer — nor is the installation of security solutions from a wide range of vendors. There will be security gaps that eventually impede enterprise risk management and user productivity. Rather, data security is a multi-pronged risk challenge that requires a data-centric approach across all dimensions.
2. Assume you’ve been breached
That’s the unsettling opinion of Shawn Henry, the FBI’s top cyber-security officer. Henry, formerly Executive Assistant Director at the FBI, told The Wall Street Journal that current approaches to fending off hackers are “unsustainable.” FBI agents increasingly come across data stolen from companies whose executives had no idea their systems had been accessed. “We have found their data in the middle of other investigations,” he told the Journal. “They’ve been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially.” The challenge is only compounded by the proliferation of smartphones and tablets. Henry said companies need to make major changes to avoid further damage to national security and the economy.
3. You don’t need an entirely separate strategy to protect your mobile data
Mobile devices are endpoints that require the same attention that is given to PCs and laptops. Many of the same processes and policies that are leveraged for PCs and laptops are applicable to mobile platforms. Still, mobile devices are built for connectivity; the personal nature of these devices, combined with the inability to regulate or monitor user activity, means that the focus of protection must change. Simply adding another “point solution” isn’t the answer. Enterprises need to make mobile data security part of their risk management strategy - consistent with desktop and laptop security - without compromising the user experience.
4. You don’t have to forfeit usability for security
The primary purpose of smart device adoption is to improve productivity for a geographically spread and highly mobile workforce. Security mustn’t be a barrier to productivity. Still, current mobile security solutions focus on creating boundaries within the devices on which data can be stored and accessed. When encryption is used, it’s typically non-user-friendly, non-application-specific and lacks granular policy controls. Additionally, it usually relies on a traditional key management approach that requires massive investment to scale in today’s environment. Security for mobile data must be as transparent as possible without losing effectiveness, and it must not intrude on familiar user experiences - yet it has to provide IT with the control it needs in order to ensure security at the data level.
5. Compliance doesn’t equal security
Compliance relevant to IT systems is now being extended to mobile devices - and for very sound data risk reasons. Companies must understand how these same data privacy, regulatory compliance and risk management practices should be applied to the mobile and cloud platforms. But being certified compliant or using solutions that help achieve compliance doesn’t always translate into effective data security. For example, a desktop computer stolen from a California health care organisation in 2011 was password-protected but unencrypted. The theft potentially exposed the personal information of nearly four million patients.
Mobile Security in the Real World
Over the years, companies have taken numerous approaches to mobile security. These have ranged from banning such devices altogether from the corporate network to remotely “wiping” corporate data in the event of the loss or theft of a device, to adopting a “container” approach to protect mobile apps and data. None of these approaches are satisfactory. In a data-centric approach to mobile security, data (both structured and unstructured) is encrypted as soon as it’s acquired. It remains encrypted as it is used, stored or moved across data centres, public and private clouds and devices, to be decrypted only by the intended party. The goal is to devalue or ‘kill’ data, so that even in the event of a breach, the encrypted data will have no value to cyber-criminals. And data is protected without disruption of user productivity.
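The data-centric flow described above, as an added example in Go (not the author's or Voltage Security's code): a record is sealed at the point of capture, only the sealed blob is stored or moved, and only the holder of the intended party's key can open it. It assumes AES-256-GCM as the cipher and a hypothetical record id as the authenticated context; the key and record contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key held only by the intended party
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protect seals a record at capture as nonce||ciphertext||tag; context (e.g. a record id) is authenticated, not hidden.
func protect(key, context, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// unprotect is the only step yielding plaintext; it fails on a wrong key, a wrong context or any tampering.
func unprotect(key, context, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns+gcm.Overhead() {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], context)
	}
	return nil, errors.New("sealed blob too short")
}

func main() {
	key := make([]byte, 32) // intended party's key; constructed for this demo
	rand.Read(key)
	sealed, _ := protect(key, []byte("txn-0001"), []byte(`{"amount":"42.00"}`)) // constructed record
	out, err := unprotect(key, []byte("txn-0001"), sealed)
	fmt.Println(string(out), err)
}
```

A copy of the sealed blob held by a backup service, a cloud store or another device carries no plaintext, and any modification of it or re-filing under another record id is rejected on opening.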
Take Action Now
Mobile devices aren’t going away, and BYOD is not a passing fad. These trends are quantifiably improving corporate agility, but the security risk is real.
Traditional security approaches lock down the infrastructure, but that’s not the target for today’s cyber-criminals. They want sensitive data, which is valuable; easily monetised; and increasingly on the move, in and out of IT infrastructures. And they fully understand where and when to find ‘data in the clear,’ when it’s most vulnerable, and they’re willing to wait.
But waiting is one thing you can’t afford to do. Data is key and a data-centric approach to mobile security with encryption helps keep sensitive data safe wherever it goes, however it is used and throughout its lifecycle. Ultimately, it mitigates the risk of data breaches and other threats so mobility can be leveraged to its fullest potential. And isn’t that the goal of any security measure?
Dave Anderson is the Vice President of Strategy at Voltage Security