
Protecting Mobile Data: When Is Enough, Enough?

Brian Tokuyoshi, Senior Manager, Encryption Group, Symantec

Mobility has been a key business productivity and IT theme for some time now, but never before has it been as high a priority as it is today. The increasing bandwidth available on carrier networks (think 4G) and the constant stream of new and ever-advancing smartphones and tablets (think of any one of the dozen or so new devices that seem to be introduced weekly) are feeding tech-savvy users' demand for enterprise support of every shiny new smartphone or tablet under the sun.

The productivity benefits these devices offer are unquestionable, and they have business leaders salivating at the chance to be on the cutting edge of employee efficiency. However, this places a heavy burden on CIOs and IT departments, because they know the dirty little secret: the more bandwidth that becomes available and the more advanced the devices get, the more sensitive enterprise data is put at risk.

Thus, mobility is constantly on their minds, and it has left them asking, "When is enough, enough when it comes to securing enterprise mobility?" However, this is the wrong question to be asking. The better question is, "Is there ever enough?"

Picture this: An employee is traveling for business. Over the course of a single day, the employee might ride on an airport shuttle, sit in an airport terminal, fly on an airplane, catch a lift in a taxi, present in a boardroom, take a client out to dinner and work from a hotel room. Then the whole routine might play out again the next day. All the while, the employee is using mobile devices to make calls, send emails, fine-tune presentations and who knows what else.

At some point along the way, the employee leaves one of the mobile devices behind. Maybe a smartphone is forgotten on the floor of the airport terminal while rushing to board a flight, or maybe a tablet slides under the front seat of the taxi taken from the airport to the client meeting. However and wherever the device is misplaced, the fact of the matter is that it is no longer under his control.

It doesn't take long for a nefarious character to find the lost device and claim it as his or her own. Not one to let opportunity pass by, this character is giddy not only about the new device but also about whatever juicy bits of sensitive information the previous owner left on it, in the employee's email application, for example. All that has to be done is to crack the screen lock password, which is easier than some might think, and he or she is in.

It is possible that a mobile endpoint security solution is in use on the lost device. That would protect it well against malware, which is certainly a growing problem in its own right, but what protection does it offer when an attacker has physical access to the device? Is it enough?

It is also to be hoped that the IT department uses a mobile device management (MDM) solution to add another layer of defense, but is it enough? With the capability to enforce security policies, an MDM solution would indeed increase the security of the device and the sensitive data on it. However, this assumes IT has sufficiently strong security policies to enforce. Such a tool would also give IT the ability to remotely wipe or lock the lost device, which would essentially solve the problem. However, it could be hours before the employee notices the device is missing, and it might be even longer before he thinks to report the loss to IT, if that crosses his mind at all.

These two solution categories are the ones most enterprises think of when planning their mobile security strategies, and they certainly should be part of such a strategy. However, the scenario outlined here demonstrates why these alone might not be enough.

So, CIOs and IT administrators must constantly ask themselves what else they can do to protect sensitive corporate data in this age of mobility. One answer that should come to mind is protecting the data itself, rather than focusing solely on the devices. In this vein, an additional layer of defense they should consider is extending their encryption policies to include mobile-specific implementations. That way, sensitive enterprise information is protected no matter where it ends up.

Continuing the scenario from above: the attacker is past the screen lock password and immediately navigates to the email application, knowing this is likely where most of the sensitive information on the device resides. Once there, the attacker scans the emails' subject lines looking for those with potentially valuable information, but discovers that all emails containing potentially sensitive information are encrypted, preventing access to them. Thus a situation that could have had a disastrous outcome is made inert, because an information protection strategy provided an additional layer of defense.

There are at least two things enterprises must keep in mind when implementing encryption to secure data being transmitted to and resting on mobile devices:

  1. Network Availability: Enterprises should consider the benefits of ensuring mobile access to encrypted data regardless of network availability. After all, mobile devices are designed to be used on the go, which means they will not always have network connectivity. If the encryption and decryption are performed elsewhere on the network, employees are locked out of their encrypted data whenever they are offline. That is, unless an encryption application is in use that runs natively on the mobile device's operating system.

    This approach ensures that messages stay protected from the time they're sent until the time they're received. At the same time, because the native application performs the encryption and decryption itself, it can operate offline, ensuring that information is available whenever the user needs it, regardless of network status.

  2. Enabling Users: The goal of enterprise mobility is to let users use their devices the way they want within the mandates IT sets forth. Some approaches to encryption place severe limitations on how the information can be used. One such approach is to put potentially sensitive documents and messages into a sandboxed partition, a veritable jail cell, on the device. With this approach, users are prevented from using their data within their own applications, and such limitations tend to create animosity towards IT among users.

    This approach is obviously less than ideal. A better approach is to use encryption in a manner that is policy-driven and granular enough to work with existing applications under the proper conditions. The all-or-nothing approach to security is simply too rigid for increasingly flexible mobile environments. What is needed is to blend data protection, such as encryption, with the user interface and mobile applications so that they coexist peacefully.
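The lost-device scenario and the two considerations above (encryption that runs natively on the device and works offline, and policy-driven, granular protection that leaves unclassified mail usable by other applications) can be shown together in a small mail store. The following is an added example written for this page, not code from the author or from Symantec. It assumes a hypothetical classification label on each message, a constructed per-device salt and a constructed sample inbox; bodies are protected with AES-GCM under a key derived from the user's passphrase by PBKDF2, which is written out with the standard library's HMAC so the example has no external dependencies. The subject line stays readable, as it does in the scenario, but is bound to the ciphertext as associated data, so a swapped or edited subject fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Message is a constructed stand-in for one item in a mobile mail client's store.
type Message struct {
	Subject   string
	Label     string // hypothetical classification label, e.g. "internal" or "confidential"
	Body      string // plaintext body; cleared once the message is protected
	Encrypted []byte // nonce || AES-GCM ciphertext+tag for protected messages
	Protected bool
}

// policyRequiresEncryption is the granular, policy-driven rule (hypothetical):
// protect by label or by subject keyword, leave everything else in the clear.
func policyRequiresEncryption(m Message) bool {
	subj := strings.ToLower(m.Subject)
	return m.Label == "confidential" || strings.Contains(subj, "salary") || strings.Contains(subj, "merger")
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) for a single output block (keyLen <= 32),
// written out with the standard library's HMAC so nothing external is needed.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// deriveKey binds the data-protection key to the user's passphrase rather than the
// screen lock, with no network round trip, so protected mail stays readable offline.
func deriveKey(passphrase string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(passphrase), salt, 100000, 32)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store applies the policy on the way into the mail store.
func Store(key []byte, m Message) (Message, error) {
	if !policyRequiresEncryption(m) {
		return m, nil // unclassified: stays usable by the user's other applications
	}
	aead, err := newAEAD(key)
	if err != nil {
		return m, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return m, err
	}
	// Subject is associated data: readable, but any change to it breaks the tag.
	m.Encrypted = aead.Seal(nonce, nonce, []byte(m.Body), []byte(m.Subject))
	m.Body, m.Protected = "", true
	return m, nil
}

// Read returns the body; a wrong key or an altered subject fails authentication.
func Read(key []byte, m Message) (string, error) {
	if !m.Protected {
		return m.Body, nil
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(m.Encrypted) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, m.Encrypted[:ns], m.Encrypted[ns:], []byte(m.Subject))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	salt := []byte("constructed-per-device-salt") // constructed; use a random per-device salt in practice
	key := deriveKey("correct horse battery staple", salt)
	inbox := []Message{ // constructed sample mailbox
		{Subject: "Lunch on Thursday?", Label: "internal", Body: "Tacos?"},
		{Subject: "Q3 merger term sheet", Label: "confidential", Body: "Offer price: (constructed value)"},
	}
	for i := range inbox {
		var err error
		if inbox[i], err = Store(key, inbox[i]); err != nil {
			panic(err)
		}
	}
	// Lost device, screen lock bypassed, passphrase unknown: only unprotected mail is readable.
	wrongKey := deriveKey("wrong guess", salt)
	for _, m := range inbox {
		body, err := Read(wrongKey, m)
		fmt.Printf("%-22s protected=%-5v body=%q err=%v\n", m.Subject, m.Protected, body, err)
	}
}
```

Running it prints the lunch message in the clear and an authentication error for the merger message. The policy function is where the "granular" part lives: a real deployment would take its rules from the MDM or encryption policy rather than a hard-coded keyword list, and would keep the passphrase-derived key in the platform keystore rather than re-deriving it on every read.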

So, when it comes to securing sensitive data in our increasingly mobile world, is enough ever enough? That is a question each CIO and IT department must answer for itself. However, there are certainly a few aspects of securing mobility that should be table stakes, and information protection technology, such as encryption, is one of them.


© Copyright 2011 Auerbach Publications