Protecting data: An IT guide

Consumerization has changed the way people work, which means you have to look at protecting data differently now, too.

It's not enough to lock down devices and expect that corporate data won't leak. Just think about all the channels that information passes through now: email, the cloud, USB drives and more. Managing devices and locking them down can help with protecting data, but it's only one piece of the puzzle. Consider other ways to keep data safe, including encryption, remote wipe, secure data containers and access controls.

What to protect

Crack down on endpoint security
There isn't a one-size-fits-all approach to endpoint protection because every environment is different. To do the best job of protecting data, you first need to know where sensitive information is and how it's at risk. You also need to determine whether that data is actually sensitive. Otherwise, you could be wasting time securing data that doesn't need protecting. Finally, put the right policies and controls in place, such as User Account Control, whitelisting and/or full-disk encryption.

Why you should focus on protecting data, not endpoints
If you're trying to protect mobile data, then don't waste all your time trying to secure endpoints. There are two kinds of data: data at rest and data in motion. If you can make data secure when it's stored on a device and when it's traversing a network, then you don't need to worry so much about its exact location. Make sure employees enable the encryption capabilities that are native to their devices and use products that encrypt data in the cloud, such as BoxCryptor.

Use policies and agreements to improve mobile data security
When you allow employees to use their personal devices for work, data loss is a big concern. But there are policies that can help IT regain control of the corporate data that users store on their devices. Define data classes and then develop a policy that outlines which kinds of data users are allowed to store on their smartphones and tablets. Have users agree to an acceptable-use policy that states when and why IT can remotely wipe devices. Finally, use a mobile device management system that has data loss prevention applications to protect data through encryption and content monitoring.

Consider best practices for mobile device and data security
If a user loses his device before he enables its security features, there's nothing he can do to protect his data once the device is gone. It's important to work with users and encourage good mobile device security habits. Users should protect their devices with passcodes, screen locks and data encryption. Educate employees about how they can remotely wipe their own devices. And tell users to make it easy for a Good Samaritan to return lost devices by configuring smartphones and tablets to display contact information from the lock screen. Finally, use over-the-air activity monitoring and auditing to keep track of what employees are doing on their devices without interrupting or intruding on personal usage.

Technology options for protecting data

What remote wipe can do for you
Remote wipe capabilities are a necessary part of maintaining mobile data security, and there are a few options available. You can use factory reset, full device wipe, secure container removal or secure app removal to wipe data from a device. But keep in mind that these methods only wipe data that's stored on a device, so they won't wipe data that's been transferred to email, the cloud or other devices, such as USB drives or SD cards. It's also important to encourage employees to sign up for services and enable settings that allow you to wipe their devices when they get lost or stolen.

How secure data containers separate work and play
Secure containers are third-party apps that create a storage area on a device that you can control. One of the perks of secure containers is that they keep users' personal information separate from work data on an employee-owned device, meeting a concern of employees and employers alike. And secure containers let you administer, back up and remotely wipe business data on a device without affecting users' personal information. But bear in mind that there are some costs to consider, including the up-front costs of implementing secure containers and the cost of ongoing maintenance.

Tackle BYOD security issues with data access controls
You can use virtual desktop infrastructure to help with protecting data from incoming attacks in a bring your own device (BYOD) environment. When users access apps from their personal devices, they're accessing apps that actually live on the corporate server. But to protect data once it leaves the data center, you need good access control methods. Port knocking, whitelists and intrusion prevention systems all offer some control over employees' access to corporate data.

Protecting data with encryption on devices and on the go
You have to tackle mobile data encryption from two sides: data on devices and data in transit. But there are so many different kinds of devices, each with different encryption features, that management can be tough. The best way to cope with this is to use the native encryption features that are available on some devices, then use third-party products to supplement them. For example, Apple iOS devices can encrypt some on-device data, but not all. For the portion of on-device data that iOS can't encrypt and for data in transit, use third-party encryption applications.

Use USB drive encryption to protect mobile data
Many employees still use USB drives, and encrypting those drives is just as important as encrypting devices. Some devices and operating systems have USB drive encryption capabilities built in, but there are also third-party options to get the job done. You can choose either file-by-file or full-disk encryption, but full-disk encryption is more secure and easier to use. Companies can choose to buy USB drives that come with encryption features or pick one of the many software options, including TrueCrypt, BitLocker and FileVault.