Focusing on endpoint security as a means to address consumerization is a lot like chasing rainbows. You'll feel good doing it, but ultimately, you'll come up empty.
As consumer smartphones and tablets increasingly access corporate data -- often without IT's knowledge -- security is a serious challenge. Some organizations overreact by trying to ban these devices or even specific functionality in the workplace. (IBM infamously prohibits the use of Siri on the iPhone.) These strategies are laughable, because organizations can't really stop anyone from using these devices -- unless pat downs, body scans and office Faraday cages are to become the norm. Many end users work out of their houses and/or on the road, with a phone and/or tablet they own, on any network that gets them to the Internet.
The endpoint is only part of the security equation. Securing data should be the priority.
Why focus on securing data?
As IT consultant Shawn Bass wrote last month, there are only two types of data: data at rest and data in use. When data is made more secure at rest and in use, having absolute control over the endpoint becomes a lot less important.
With iOS and Android, securing data is an afterthought at best. Even when technology such as encryption is available, it is often not enabled by default. Many mobile devices don't even ask users to turn on basic access controls, such as a four-digit PIN to lock the device when not in use. That means it's up to IT to fill in the gaps.
Securing data at rest
I am routinely amazed to find people -- including very smart, technical people who should know better -- carrying devices that contain their lives' work, with zero security whatsoever implemented. It's the equivalent of parking your car downtown with the keys in the ignition. Using mobile device management or Microsoft Exchange ActiveSync to enforce data encryption and passcode requirements should be a given.
Unfortunately for IT, mobile devices are not the only places where data rests. According to the Ponemon Institute, which conducts research on privacy, data protection and information security policy, 85% of businesses use thumb drives, plain-text email and cloud services such as Dropbox to store and share files. Keeping corporate data out of these potentially insecure places is important, but it is not always possible.
There are products that help protect data at rest outside the firewall, such as BoxCryptor, which can encrypt data in Dropbox on iOS and Android. And enterprise-grade products such as Watchdox are becoming available to enforce digital rights management of corporate data on consumer devices.
Products that focus on securing data instead of devices address truly solvable security issues. Sadly, however, most organizations have not caught up with these technologies.
Securing data in use
It takes more analysis and effort to secure in-use data, especially when that data traverses external networks, such as coffee-shop Wi-Fi. Without proper protection, anyone who can listen to that traffic can extract data from it.
But corporate networks aren't immune either. Organizations have built many networks around the increasingly false premise that the private network is a safe place with only safe devices connecting to it. These days, users connect their own unmanaged devices to corporate networks all the time. In response, IT must redesign these networks to be more like public networks, where insecure and unknown devices can and will connect.
The data must move to a more privileged network, where access is more tightly controlled and data traffic is largely encrypted with Secure Sockets Layer (SSL), IP security (IPsec) and so on. IT can also monitor the data network with data leak prevention (DLP) software.
Email is another easy target. Consumerization makes it drop-dead easy to connect to corporate email systems from anywhere, but less than 1% of business email is protected from interception, according to ZixCorp, an email encryption provider. Ideally, employees should have the option to encrypt email sent outside the organization, and all email should be scanned for content that is required to be encrypted by law or policy.
There's an emerging trend toward notifying end users that an email contains potential hazards before they send it. Microsoft Exchange and Outlook 2013, for example, have a feature called Policy Tips that proactively alerts users to possible policy violations.
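The pre-send scan and policy-tip behaviour described above, as an added Python example that is not part of the original article and not Microsoft's Policy Tips implementation; the organization domain example.com, the card and SSN patterns, the sample message and the encrypt/warn/allow outcomes are constructed assumptions. The Luhn check is what keeps order numbers and other digit runs from triggering false alerts.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumed organization domain (placeholder)
# Assumed policy patterns: 13-16 digit runs (spaces/dashes allowed) and the US SSN layout.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs (order ids, timestamps) that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_regulated_content(text: str) -> list:
    """Return (kind, match) pairs for content the policy requires to be encrypted."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("payment card number", m.group()))
    findings += [("US SSN", m.group()) for m in SSN_RE.finditer(text)]
    return findings


def external_recipients(msg) -> list:
    """Addresses in To/Cc/Bcc that are outside the organization's domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [a for _, a in getaddresses(headers) if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def policy_tip(raw_message: str) -> dict:
    """Pre-send check: 'encrypt' if regulated data leaves the organization, 'warn' if internal, else 'allow'."""
    msg = message_from_string(raw_message)
    findings = find_regulated_content(msg["Subject"] or "") + find_regulated_content(msg.get_payload())
    external = external_recipients(msg)
    action = "encrypt" if findings and external else "warn" if findings else "allow"
    return {"action": action, "findings": findings, "external": external}


SAMPLE = """From: alice@example.com
To: Bob Vendor <bob@partner.test>
Cc: carol@example.com
Subject: Deposit for order 1234-5678

Charge card 4111 1111 1111 1111; the old card 4111 1111 1111 1112 was cancelled.
"""

print(policy_tip(SAMPLE))  # constructed message: one Luhn-valid card going to an external recipient
```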
By focusing more on securing data instead of devices, organizations can embrace the consumerization of IT safely.