- Security TWENTY
- Women in Security Awards
Securing your enterprise data in a BYOD world; by Trevor Goldberg, Director of Strategic Alliances, Globo plc.
The press has been awash during the past few weeks, with speculation regarding Blackberry’s version 10 and their new devices. All was revealed during the worldwide unveiling yesterday and here at Globo, we didn’t see the news as too impressive or that dramatic.
It is well accepted that smartphones and tablets are changing the way in which an employee can interact with enterprise systems, services and data and the BYOD trend is certainly here and growing fast. It is also well accepted that employees are much more productive if they have access to their corporate data and given that the vast majority of employees are requesting this; it is of course a win-win situation.
However, BYOD strategies and the implementation of solutions to support this trend require careful thought and consideration, especially where the security and protection of corporate data is concerned. Aside from the obvious functional needs and expectations of a BYOD solution, security presents many challenges for the enterprise and I often see a number of the fundamental requirements overlooked, ignored or downplayed.
What happens if a device with access to corporate data is lost or stolen, or if an employee leaves? – there are, I believe a number of security features that should be considered as mandatory, when allowing an employee to have mobile access to systems, services and data that are ordinarily very secure, when access within a corporate environment. Mobile is very different and has a whole set of new challenges for security.
Communications should be proxy-based, the mobile device should not communicate directly with back-end systems; all communications should go through a host which resides in the DMZ. This eliminates the need for costly and complex VPN solutions. All data held at rest and/ or transmitted should be protected by end to end encryption, preferably using 3DES 192-bit encryption on the server and AES 256-bit on the device or when sent over the air. Authentication is an often overlooked topic and the support of an organisation’s existing login credentials is useful, for example via LDAP or Active Directory, thus removing the need for distinct user accounts for mobile access to be provisioned and managed.
I frequently hear our customer and partners talk about the security of data in terms of encryption; however it’s far less common for us to receive questions about the control and management of access rights and permissions to the data, which in my opinion are extremely important aspects of security too. For example access rights based on employee roles, procedures, policies, connection methods and device types. Furthermore, considerations such as allowing or denying access to enterprise data and services based on an individual’s actual requirements are paramount and this should include the ability to permit or deny functions such as copy / paste.
The ability to securely and effortlessly manage any data and applications specific to the enterprise on the device in a centralised manner (without the need for costly or complex MDM or MAM solutions) is a requirement we often receive at Globo, especially from our larger customers, as this allows an organisation to perform functions such as the removal of data and apps from lost or stolen devices, to lock-down access from specific devices, update security policies and user access rights and lock specific functionality or features to prevent data leakage. So, my personal recommendation to anyone looking to implement a solution to support BYOD, whilst ensuring full data security, is to strongly consider a secure containerised approach to their Enterprise Mobility plans. Such an approach seamlessly segregates personal and enterprise in a secure manner. This is also a view supported by Gartner, as noted in their recent Research Note on this topic.
My summary on the implications of security on Enterprise Mobility and BYOD is to choose any solution carefully; only after a thorough assessment and evaluation of your current and expected future requirements, whilst keeping a close eye on the emerging and ever changing technology advancements.
Globo plc. is exhibiting at Infosecurity Europe 2013, the information security industry event on April 23 to 25, 2013 at Earl’s Court, London. For further information – visit www.infosec.co.uk