Balancing data security requirements with end-user mobility and the cloud in the BYOD era is a new challenge that many IT pros are only beginning to tackle.
Rich Mogull, CEO and founder of security research and advisory firm Securosis, has
What’s been the biggest change for IT when it comes to BYOD?
The combination of cloud and mobility has become the biggest driver of security. So much of the corporate information is beyond the secured perimeter now. Mobility really made this too obvious to ignore.
How do IT departments deal with the reality of cloud and mobility security?
The first thing is to understand these new technologies: Don’t assume you know. That’s hard to do if you are a big enterprise, but learning what your employees are using and what devices they are using is the first step.
Second, come up with a plan for secure alternatives if you want to enable everything from cloud to consumer services. Dropbox on its own can be problematic, but there are secure ways to use it with encryption. Or there might be a similar service to Dropbox IT feels more comfortable deploying.
Then, be realistic. If you are only supporting one version of Android that meets the [National Security Agency] standard, it’s not going to work. If IT deviates too much from what people are doing and what they want to do, [employees] will just go around [IT blocks]. IT departments really need to understand workflows and then pick a mix of technology to enable employees that also works to protect that data.
Is there a one-size-fits-all approach to BYOD and security?
Unfortunately, there isn’t. For example, we’re a small business and we heavily leverage mobile and cloud and similar sorts of things. But we can remote into our desktops using a cloud-based VPN [virtual private network]. Some of our systems can only be accessed through that VPN. Then, some of our other servers are locked down behind a firewall in our data center. We use Dropbox, but for sensitive stuff we don’t, and the files are encrypted. It’s all about how you do your business.
When it comes to BYOD and security, what are the biggest mistakes enterprises make?
IT can’t keep mobile devices out. Not any longer.
Enterprises have failed to offer a fundamental way to get work done. It’s crazy what people are doing just to get their jobs done.
Five years ago, smartphones were just BlackBerries and you couldn’t do anything with that data: [Apple’s] iOS blew it all out of the water. If you manage a device and provide a secure email client, it doesn’t prevent anyone from sticking data into Gmail or Dropbox. Unless you remove all the apps on a device, there’s ways for information to escape.
Users want to be productive, and IT has to assume that information will get out -- not in a malicious way, but just in a way that people want to use that information to be productive. The big mistake is thinking you are in control.
If your strategy is to just educate your employees, you are going to lose. However, most devices and consumer apps can be supported a lot more than people realize. If you don’t understand how the data is being used, you’ll pick the wrong security solutions.
A lot of security strategies have been tossed around -- from mobile device management to network access management. Yet, there seems to be a shift recently that ultimately, it comes down to securing data.
MDM [mobile device management] vendors are talking about data security because that’s the most important thing. Think of it this way: The issue today is the absence of some sort of disruption.
What I mean by that is if someone breaks into my apartment and steals something of mine, I would know it. However, if someone simply makes a copy of my data that exists on a mobile device beyond a secured perimeter, people might not even know that data was compromised.
If you adopt an MDM initiative, you are solving a device management problem, not a data one.
What’s the best method for data security if employees use multiple devices?
It depends on the data, what services and what devices are being used, and how much you want to manage those devices.
One approach with user-owned devices is to fully manage the device, but most organizations won’t get away with that these days. Another approach is little to no changes or partially managing a device. You use controlled, sandboxed applications when sensitive data is in play. There are lots of tools out there to comprehensively deal with this risk.
What do you hope the future of data security holds?
More on data security
Enterprise mobile device security best practices
Mobile device security overview
Mobile application security best practices: Leveraging MDM, MAM tools
Information security has been infrastructure security for the past 30 years. But we can’t just protect a piece of data by protecting the servers and blindly encrypting the data. It’s never going to be perfect, but a long-term vision of what data security could look like is that data is self-defining and self-defending.
The ultimate vision is data can say, “Alright, I’m this type of data file and I serve this type of purpose,” and as a result it sets its own security policies and protocols based on how it’s defined and what the enterprise needs. That’s a long-term vision of what that should look like. It’s never going to be perfect or easy. The reality is, IT can’t keep mobile devices out. Not any longer.