Data security on the road; by Dave Anderson, senior director, at Californian IT firm Voltage Security.
We all know the demands that executives have to always be available, to be able to access and share corporate data at any time with their staff and other stakeholders, and being on the road doesn’t alter this to any degree. Executives demand the ability to use mobile devices to continue to run the business. The challenge is not simply how to keep these devices and the data stored on the devices safe, but how to keep the data secure as it moves and is communicated across and through these devices. I was recently disembarking a flight, when the CFO I was sitting next to had to run back on the plane to retrieve her corporate iPad, which she had inadvertently left in the seat pocket. Most seasoned travelers have likely experienced a similar feeling of despair as they try to recapture their device that holds all the sensitive data.
The existence of security controls that help “lock down” the device have been available for some time, and are positioned to help protect against the loss or theft of the device. Access and authorisation controls are intended to limit access to the device to only the authorised user, and mobile data management (MDM) security solutions enhance the access controls by focusing on locking the device, making the device theoretically unusable by anyone other than the owner. These controls that secure only the “device” have a much stronger probability of actually working if the data on that device is static, and doesn’t move into, or out of, said device. The whole intent of a mobility platform is in direct conflict with this notion. Executives are using, and will continue to use, smartphones and tablets to access business systems and applications and send sensitive communications across and outside of their organisation, regardless of where they are in the world. Unfortunately, these “device-only” controls, those that simply try to place a protective wrapper around the device, are not effective in protecting the sensitive corporate and customer data as it is accessed and communicated across these devices.
Because data dynamically moves across mobile devices, the best way for anyone to protect sensitive data is through a data-centric security strategy, one which protects the actual data level itself through encryption, tokenisation or data masking capabilities. Data-centric security travels with the data, wherever it moves, both inside and outside of an organisation, which is something that traditional “endpoint” security technologies cannot provide. This ability allows any form of data, whether structured or unstructured, to be protected from the moment of creation through its entire lifecycle. Corporate or customer information that is accessed by a mobile device can be protected before it even reaches that device; any sensitive data that is created on the device and then communicated outward can be protected.
The efficiencies promised by adopting mobile initiatives are obviously real and valuable to most organisations and executives. This allows anyone to be “always on, anywhere and anytime”. It also allows your sensitive data to be always on and accessible anywhere and anytime. Effective data protection is not delivered through simply locking down the device, and especially not through the guidance of “use your VPN or avoid public wi-fi”. The only way to effectively protect any sensitive information is by protecting the data itself, not just the container or device where that data momentarily sits. This ensures the use of sensitive data can be secured and in compliance to security and privacy regulations, regardless of what country you are in and into which network you’re connected.
I’m sure that CFO understood that the simple access and authorisation controls that are generally implemented on these mobile devices weren’t going to be enough to protect her corporate and financial information from anyone who was intent on capturing it from her device. A simple data-centric protection strategy would likely have saved her from the panic and the potential risk caused by losing her tablet, and possibly exposing whatever sensitive data that was on it.
We will continue to travel, and continue to look for new ways to access and communicate information wherever we are, at any time. This is how most of us run our businesses. However, in doing so, we have to look at new ways that can effectively protect our corporate and customer data, and reduce our risk, and there are now effective ways to do so, which are seamless and fit into how we do business, which is a winning strategy that aligns the business, IT and security to jointly and securely move the business forward.
