As more staff use their own devices to access corporate data, firms should be devising a security architecture that is as much about creating business value as about cutting risk, says Bob Tarzey.
There’s little doubt that employees want to use a growing range of devices to access data. Recent Quocirca research shows that while Windows-based desktop and notebook PCs still dominate, they are fast being supplemented by a diverse range of alternative form factors and operating systems.
In the new survey, which was sponsored by Trend Micro, 88 per cent of small and mid-sized businesses say at least some of their employees are using smartphones for business purposes, and 43 per cent report that at least one of their employees uses a tablet PC.
These devices are not always owned by the business. Some 74 per cent of the firms questioned say some of the devices used belong to staff.
Respondents to the survey cite more efficient business processes as the biggest benefit of enabling access to data from mobile devices. However, whatever the benefits, such sharing creates security headaches for IT managers, especially as most of the sharing is over public networks.
Only if data can be shared safely will businesses have the confidence to embed mobile users and their chosen devices into business processes. That is the message of a recent Check Point-sponsored report by Quocirca called A value proposition for IT security, which is available for free download.
Creating a compliance-oriented architecture
The report advocates putting in place a compliance-oriented architecture, or COA. The justification for any investment required to achieve a compliance-oriented architecture is as much about creating business value as it is about reducing business risk.
Discussions about IT security usually focus on reducing the risk posed by outsiders or malicious insiders. Mitigating these risks remains paramount, but it is also important to make sure that a compliance-oriented architecture protects well-intentioned employees from themselves.
The most common way data leaks occur is through the accidental actions of employees. They need to share data but may accidentally share the wrong data with the wrong person by email or some other communication channel.
And of course, if it is not controlled in some way, they may store data on mobile devices that are subsequently lost or stolen. Theft, accidental loss and erroneous disclosure are by far the most common reasons for self-reported data breaches, as data in the report shows.
High-profile data loss incidents
The irony is that while data loss is a common problem, despite the many high-profile incidents – not least the recent problems at Sony – lost data is actually rarely compromised. The thief who steals an iPad is more likely to be interested in the resale value of the device than the data stored on it.
Yet that fact does not cut any ice with regulators. Good management of personally identifiable information is obligatory. Organisations must comply and be seen to comply.
A compliance-oriented architecture involves putting in place the ability to control the use of data: monitoring and controlling what is being sent by email and what is being copied where. It should also be used to control the printing of data, an often overlooked source of data leakage.
Data loss prevention, or DLP, tools are designed to track the movement of data and allow the enforcement of policies regarding its use, including the copying of data to mobile devices.
Two approaches to data on mobile end points
However, data loss prevention is not enough on its own for ensuring the safe use of data on mobile devices. One of two approaches to the use of data on mobile end points must be adopted. The first is to stop data ever being copied to them in the first place.
This approach involves only allowing access to sensitive data that is stored centrally, either through the use of virtual desktops – such as Citrix XenDesktop and Microsoft Remote Desktop Services – or via a secure file-sharing service, for example, Trend Micro’s recently announced Safe Sync for Business or portal services such as Microsoft SharePoint.
If it is accepted that sensitive data will end up on mobile devices, then a second approach to end-point security must be taken: securing the device itself. This approach involves encrypted storage. Deploying and managing encryption has a cost, especially with a growing diversity of operating systems, and while encryption might sound like the only foolproof way of protecting data, it is not the be-all and end-all.
Remember that the devices are increasingly personally owned and therefore there are limits to what IT departments can do with them. Furthermore, encryption only protects stored data and data in transit.
Decryption and password policy failings
Employees must be able to decrypt data to use it, and then it becomes vulnerable again. Other points of vulnerability are if users select weak passwords or if strong policies result in passwords being written on a piece of paper that is held with the device.
There is no silver bullet for securing the use of data. It involves implementing a number of measures that add up to a compliance-oriented architecture. The range of measures required will depend on how a business approaches IT and its attitude to risk.
However, when broaching the subject of investing in technology to increase the security of data, it is essential to point out the value that any given investment will bring to a business as well as the risk it will mitigate.
Bob Tarzey is a director at Quocirca, a user-facing analyst house known for its focus on the big picture. Made up of experts in technology and its business implications, the Quocirca team includes Clive Longbottom, Bob Tarzey, Rob Bamforth and Louella Fernandes. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking.