Consumerization has made employees more productive, but it has also created more risks for data leaks.
Users' devices and the services they use, such as app stores, email, the cloud, open Wi-Fi connections and even desktop virtualization sessions, provide avenues for corporate data leaks. In some cases, the IT department has recourse:
Take a look at six ways corporate data leaks and what you can do to mitigate some of the risks.
The bring-your-own-device (BYOD) explosion has empowered millions of users to pick their own devices and use them for both work and play. The consumer device of today is inherently mobile, small and light: an easy thing to lose or have stolen. Device owners may not want or know how to enable the security safeguards on their devices, and without these precautions, there is little IT can do to protect them.
MDM software can help enforce some basic security settings -- such as device encryption, remote wipe and requiring a PIN lock -- but it's important not to put too much stock in MDM. It has limitations in how effectively it can secure data and applications, and if you use MDM with a heavy hand, employees may view restrictions as over the top, too intrusive and counter-productive.
Consumers are free to pick from a dizzying array of applications in their devices' app stores, such as Apple's App Store or Google Play. With little to no control from the IT department, a worker can easily create a parallel, personal data center on his device that is chock full of sensitive corporate data. For example, someone in the marketing department could store valuable sales contacts in an application. If the app is breached, that data is unwittingly exposed to hackers or would-be thieves.
Mobile application management (MAM) can help IT control applications and their data. MAM tools such as Citrix's XenMobile or Good Technology's Good for Enterprise allow you to set up private enterprise application stores that deliver approved or recommended applications.
Many workers shy away from limited corporate email systems such as Microsoft Exchange. Instead employees turn to free email services such as Google's Gmail or Yahoo Mail. But users may be unaware of the lack of security that comes with these free consumer email services; it's easy for data to leak from attachments and consumer email services have been breached in the past. Plus, work-related emails and attachments sent from personal accounts may contain confidential information, which is often regulated or controlled by laws such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. When corporate data leaks, organizations may face stiff fines and other penalties.
Offering users a secure email client for work-related email can lessen the chances of a data leak. MobileIron, Citrix, Good Technology and other companies provide sandboxed email clients that give enterprise IT an option for enabling email on users' personal devices.
Dropbox, Box, SkyDrive and other cloud storage and file-sharing services are a part of many workers' toolboxes. Offering gigabytes of storage for free or low personal cost, these storage options tempt users to keep files in the cloud and access them from anywhere.
Citrix ShareFile and Dropbox for Business are enterprise cloud services that offer increased security and encryption at the storage and file levels, but even non-enterprise cloud storage can be secured with vendor-agnostic products such as Boxcryptor. BoxCryptor encrypts the local synchronized folder with an Advanced Encryption Standard 256-bit cipher that even the storage vendor can't decrypt. Plus, you can tightly manage specific documents with tools such as WatchDox and Moka5 for iOS. These products encrypt the documents and put rules around their use. In addition, employing expiration dates and remote destruction of documents are useful ways to prevent data leaks.
Many organizations use desktop virtualization to get corporate applications and desktops to workers' mobile devices, which create a new vector for evil-doers looking to reach the data center. If the virtualization isn't treated as insecure, then a worker can have his session compromised from the outside via zero-day exploits and engineered malware.
You can secure the infrastructure better by moving virtual desktop sessions to closely controlled subnets that require two-factor authentication. Products similar to AFORE's CypherX place the desktop virtualization or other Windows desktop session in a zone that puts applications in secure virtual containers, encrypting and managing access to files, sockets and clipboard data. This allows granular access policies about which users, apps, devices and virtual machines can access corporate data.
Practically every public place on the planet has open Wi-Fi access, and data can get picked off using common tools. Eavesdropping on unencrypted conversations or even poorly encrypted ones -- such as those that use Wired Equivalent Privacy or Wi-Fi Protected Access encryption -- is easy for hackers.
While most consumer smartphones and tablets have device-level virtual private network (VPN) capabilities, they are often too clunky to use. Device-level VPN puts the user's personal apps on the same plane as the corporate applications, setting up a window for organizational data to be exposed.
Apple's iOS 7 promises to make controlling apps that access the VPN more granular by providing app developers with access to private application-level VPNs. BlackBerry's Hub and Secure Work Spaces, Samsung's KNOX and VMware's Horizon Mobile dual persona approaches are different. They isolate the enterprise persona or virtualize it separately from the user's personal apps and data. The enterprise persona has a private VPN connection back to the organization that isn't touched by the less secure personal side.
This was first published in September 2013