Security strategy: Staff smartphones ring the changes

Employees' own devices at work must cause a security rethink...

...the ability to control the use of data, monitoring and controlling what is being sent by email and what is being copied where. It should also be used to control the printing of data, an often overlooked source of data leakage.

Data loss prevention, or DLP, tools are designed to track the movement of data and allow the enforcement of policies regarding its use, including the copying of data to mobile devices.

Two approaches to data on mobile end points

However, data loss prevention is not enough on its own to ensure the safe use of data on mobile devices. One of two approaches to the use of data on mobile end points must be adopted. The first is to stop data being copied to them in the first place.

This approach involves only allowing access to sensitive data that is stored centrally, either through the use of virtual desktops - such as Citrix XenDesktop and Microsoft Remote Desktop Services - or via a secure file-sharing service, for example, Trend Micro's recently announced Safe Sync for Business or portal services such as Microsoft SharePoint.

If it is accepted that sensitive data will end up on mobile devices then a second approach to end-point security must be taken, through the securing of the device itself. This approach involves encrypted storage. Deploying and managing encryption has a cost, especially with a growing diversity of operating systems, and while encryption might sound like the only foolproof way of protecting data, it is not the be-all and end-all.

Remember that the devices are increasingly personally owned and therefore there are limits to what IT departments can do with them. Furthermore, encryption only protects stored data and data in transit.

Decryption and password policy failings

Employees must be able to decrypt data to use it, and then it becomes vulnerable again. Other points of vulnerability arise when users select weak passwords, or when strong policies result in passwords being written on a piece of paper that is kept with the device.

There is no silver bullet for securing the use of data. It involves implementing a number of measures that add up to a compliance-oriented architecture. The range of measures required will depend on how a business approaches IT and its attitude to risk.

However, when broaching the subject of investing in technology to increase the security of data, it is essential to point out the value that any given investment will bring to a business as well as the risk it will mitigate.

Bob Tarzey is a director at Quocirca, a user-facing analyst house known for its focus on the big picture. Made up of experts in technology and its business implications, the Quocirca team includes Clive Longbottom, Bob Tarzey, Rob Bamforth and Louella Fernandes. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking.

By Bob Tarzey

Bob Tarzey is a director at user-facing analyst house Quocirca. As part of the Quocirca team, which focuses on technology and its business implications, Tarzey specialises in route to market for vendors, IT security, network computing, systems manage...