In the bring your own device (BYOD) era, companies are wrestling more and more with how to protect their most sensitive data from being compromised via mobile devices or consumer-driven apps. An expert discusses mobile data security and compliance challenges and how companies can handle cloud data protection.
What are the biggest security threats posed by employee-owned devices storing corporate data and accessing corporate networks?
One of the most significant risks is data loss, which is why mobile data security is so important. Private and confidential information may be stored on these devices -- sometimes in ways unknown to their owners, such as in temporary or cached files. When such a device is lost or stolen, private and confidential data can be lost. Employees who leave the company can take valuable corporate information with them unless businesses control which data is allowed on personal devices and have the means to enforce their policies. Employees installing apps on their device may not give much thought to end-user agreements, but these agreements can have consequences for corporate information on a device. For example, a social-networking application may copy a user's contact list from the device; if your customer contact information is on that device, it could be incorporated into a developer's database.
Other security risks include opening your infrastructure to mobile devices without adequate monitoring, the potential for malware to enter your network via mobile devices, and the security and compliance challenges that arise when you cannot enforce regulatory requirements because you lack mobile device management (MDM) or data loss prevention (DLP) systems.
What about the risks of consumer-focused cloud services, such as personal email and cloud storage services?
Again, data loss is the primary risk here. Like mobile devices, personal email can become a conduit for leaking corporate information. Allowing employees to use personal email creates security and compliance challenges. For example, policies enforced in a Microsoft Exchange Server may work well for your internal email system but not provide protection for email sent through personal accounts. Consider the difficulty of performing e-discovery operations if employees have emailed relevant material in their personal email.
If employees use personal devices and cloud services for work-related purposes, what are the compliance challenges?
Compliance protects information assets and ensures devices meet minimal standards. Some regulations, such as the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act, include requirements about device security. Regulations do not define different standards based on who owns a device. If a regulation requires mobile devices to use a personal firewall, employee- and business-owned mobile devices should comply. In many cases, a business must not only comply with a set of regulations but also demonstrate that it is in compliance. In the BYOD era, this means monitoring and reporting on business-owned and employee-owned devices that are used in operations subject to regulations.
Personal cloud services, such as file storage services and personal email, introduce similar compliance challenges. For example, a regulation may require that confidential data be stored in encrypted form. Your company may enforce this now with full disk encryption, but how will you enforce the requirement if employees can use a personal cloud storage service?
What kinds of policies can organizations implement to ensure mobile data security and compliance?
Define a data classification policy. Not all data is equally valuable to an organization. Private and confidential information should have greater protection than public and sensitive information. These classifications can help organizations determine which types of data, if any, can reside on employee-owned devices and personal cloud services.
Businesses should register and monitor personal devices that are used for business operations. Employees should agree to an acceptable use policy when registering. This policy should address legitimate business concerns, including the right of a business to remotely wipe a lost or stolen device and the right to prevent mobile devices with unacceptable applications from accessing the corporate network.
Businesses should have access control policies in place, but they may need to be updated to accommodate personal device use. In particular, the access control policy should address not only who can access particular applications and data but also which devices they can use to do so.
What technologies can IT implement to enforce and supplement these mobile data security and compliance policies?
Several technologies can help, including MDM systems with DLP applications.
MDM systems offer various functions to help with mobile data security, including mobile device inventory, remote configuration, data isolation on the mobile device, remote wiping, and rogue app detection and remediation. DLP systems focus on protecting data through encryption and content monitoring. With a DLP solution in place, a business can block an employee's attempts to send confidential information through a personal email account and enforce the use of encryption on personal devices.
MDM and DLP technologies can support policy enforcement and monitoring. As the market for these solutions matures, they will likely converge. The consumerization of IT requires businesses to extend the scope of policies and procedures to protect business data wherever it may go, whether to personally owned devices or to personal cloud services.
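To make the three policy pieces in the answers above concrete (the data classification policy, the device-based access control policy, and the DLP content check that blocks confidential data sent to a personal email account), here is an added illustration written for this page. It is not code from the interviewee or from any MDM or DLP vendor. The classification labels follow the article (public, sensitive, confidential, private); the corporate domain `example.com`, the registered device IDs, the detection patterns and the sample messages are all constructed assumptions. Card numbers are validated with the Luhn checksum so that a random 16-digit string does not trip the rule.

```python
"""Toy DLP policy check for outbound email (added example, not vendor code).

Combines three controls the article describes:
  1. data classification of message content,
  2. device registration (an MDM-style allow list),
  3. blocking confidential/private content sent to non-corporate addresses.
Everything below (domains, device IDs, patterns, sample mail) is assumed.
"""
import re
from dataclasses import dataclass

# Assumed corporate domain; any other recipient domain counts as personal/external.
CORPORATE_DOMAINS = {"example.com"}

# Devices enrolled in the (hypothetical) MDM; constructed for the example.
REGISTERED_DEVICES = {"dev-001", "dev-002"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # US SSN shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
CONFIDENTIAL_RE = re.compile(r"\bCONFIDENTIAL\b")
SENSITIVE_RE = re.compile(r"\bINTERNAL(?: USE)? ONLY\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest classification label found in the text."""
    if SSN_RE.search(text):
        return "private"
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "confidential"      # cardholder data (PCI DSS scope)
    if CONFIDENTIAL_RE.search(text):
        return "confidential"
    if SENSITIVE_RE.search(text):
        return "sensitive"
    return "public"


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    device_id: str


def evaluate(msg: Message, registered=REGISTERED_DEVICES) -> dict:
    """Decide allow / require-encryption / block for one outbound message."""
    label = classify(msg.body)
    reasons = []
    if msg.device_id not in registered:
        reasons.append(f"device {msg.device_id} is not registered with MDM")
    external = [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS]
    if external and label in ("private", "confidential"):
        reasons.append(f"{label} content addressed to external recipients: "
                       + ", ".join(external))
    if reasons:
        action = "block"
    elif external and label == "sensitive":
        action = "require-encryption"   # the encryption requirement from the article
    else:
        action = "allow"
    return {"action": action, "label": label, "reasons": reasons}


# Constructed sample traffic; none of these addresses or devices are real.
SAMPLE_MESSAGES = [
    Message("alice@example.com", ["bob@example.com"], "Q3 plan, INTERNAL USE ONLY.", "dev-001"),
    Message("alice@example.com", ["alice.home@gmail.com"], "CONFIDENTIAL: customer list attached", "dev-001"),
    Message("carol@example.com", ["vendor@partner.org"], "Refund card 4111 1111 1111 1111 please", "dev-002"),
    Message("dave@example.com", ["dave@example.com"], "lunch?", "dev-999"),
    Message("erin@example.com", ["erin.personal@outlook.com"], "Slides for tomorrow, INTERNAL ONLY", "dev-002"),
]


def run_samples() -> list:
    return [evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict['action']:19} {verdict['label']:12} {msg.sender} -> {msg.recipients}")
        for r in verdict["reasons"]:
            print("    reason:", r)
```

Running the block prints one verdict per sample: the internal-only deck stays internal and is allowed, the confidential customer list to a Gmail address and the card number to a partner domain are blocked, mail from the unregistered device is blocked regardless of content, and the sensitive deck to a personal Outlook address is allowed only if encrypted. In a real deployment the patterns would be tuned per data classification policy and the device list would come from the MDM inventory rather than a constant.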