Posted Date: 9/25/2007
Accidental Disclosure
By Peter Ferenczi
Everyone makes mistakes, but the
nature of the mobile enterprise means employees have more chances to make
simple mistakes that come with major consequences. Their mobile devices are
points of ingress and egress that introduce risks above and beyond "standard"
IT security concerns. Think sensitive corporate data, massive liability,
sitting on a table in a bar late on a Friday night. Laptops laden with customer
data connecting to oh-so-convenient, completely unsecured WiFi access points. "
Depending on who you talk to, the
percentages vary, but [I.T. security] problems are now more internal than
external," said Roy Balkus, senior VP and CIO of Naugatuck Savings Bank, who
noted that spam filters, antivirus software and firewalls do a decent job of
keeping external threats at bay. It's those inadvertent inside jobs you have to
watch out for.
Disappearing Gear
Statistics vary, but it's common
knowledge that thousands of mobile devices go missing every year in major
cities, whether left in taxis, stolen from cars or misplaced in airports. When
those devices contain sensitive data, it means real headaches for the
individuals whose information is compromised and for the companies that may
need to publicize the loss under disclosure laws, resulting in PR nightmares and
damaged customer trust.
People know they're not supposed to
lose their devices, but it's going to happen, and there are several strategies
for mitigating the damage when it does. According to Tim Sox, customer
enrollment technical manager for Colonial Life and Accident Insurance, data
encryption is critical. "Because of the nature of the personal information in
the insurance industry, we probably handle more sensitive data than [other
industries] as far as financial and health information," he said. Colonial's
3,500 independent contractor agents are constantly on the road. "The agents
have the laptop in and out of their car, they leave it in a conference room.
That was the risk we wanted to mitigate," Sox explained, when the company
adopted Sybase's iAnywhere Afaria solution. "We did full hard disk encryption,"
he said, a process that was accomplished remotely on 3,500 laptops over the
course of a month. "The encryption doesn't stop people from stealing the
laptop, but if it does get stolen they can't access any information," he said.
And if someone does manage to access
the encrypted drive with the right password (Sox noted that agents occasionally
tape their passwords to their laptops), Colonial can effectively kill the
laptop if it connects to the Internet, rendering the data unreadable. Known as
"remote kill" or a "poison pill," this critical feature makes doubly sure a
lost device can't be read or used to access corporate resources. The Sybase
solution, like those of many vendors, can also remotely lock handheld devices,
whose always-connected nature make them easier to terminate if required. It
also has a Data Fade feature that lets administrators specify that a device be
locked or wiped if it hasn't communicated with the corporate network for a
certain number of days.
Colonial has discovered that the
payoff for tight mobile security reaches beyond damage control. Sox related the
story of a "problem agent" who made a fuss about having another password to
remember. The day he finally allowed his laptop to be encrypted, a potential
customer pointedly asked him what steps the company took to protect data. "The
agent called us back that afternoon and basically apologized, saying, 'You guys
helped me get this account,'" recalled Sox.
Their Gear, Your Fear
"One of the biggest issues that
corporations have to deal with is users bringing devices from home, removable
memory drives, their own laptops even, and trying to connect them to the
corporate network," said IT security expert Benjamin Halpert. Besides carting
off sensitive data on unprotected storage, personal mobile devices may also
introduce malware that can infect devices across the corporate network.
As CIO of Naugatuck Savings Bank,
Balkus knows the smell of this fear. "Thumb drives are probably the scariest
thing because you can put gigabytes of data in your pocket-- and lose it," he
said. To address this danger, he deployed Centennial Software's DeviceWall, an
endpoint security product that provides control over how employees can use USB
ports, optical drives and other points of access on their PCs. Balkus said it
was the software's fine-grained control that impressed him most. "I could get
down to the device level, so I could say, 'You can connect a PDA but not a
digital camera.'" He also noted that he can schedule temporary access granting,
for example, a week of DVD-ROM read
privileges to an employee on the road with a presentation to deliver.
A remote worker can also request
special access if required (for example, an unexpected and legitimate need to
burn a CD-ROM), even if a laptop is offline. In such cases, device access can
be enabled with all activity being monitored for potential auditing.
If employees are allowed to use
removable mass storage, Balkus said that DeviceWall's mobile encryption minimizes
loss risks. "You're really being foolish if you're putting unencrypted
information on any kind of portable device," he said.
Sybase's iAnywhere suite also
supports removable storage encryption and enables read privileges to be limited
to just the user's device, a certain subset of an organization or the entire
company.
Wide-Open Worries
Connectivity is the lifeblood of the
mobile worker. But making connections without protection is as ill-advised in
networking as in other aspects of life. And yet people will do it. "If
employees are traveling and they need to connect and the only place is an
unsecured hotel network or a WiFi hotspot, they're going to use it because they
have a deadline," said Halpert.
"There is a real, valid risk from
using unsecured WiFi hotspots," he said. "There are people that set up wireless
networks that impersonate legitimate networks and try to trick individuals into
connecting to steal information. If a malicious individual can convince a user
to connect to their access point, they can extract information from the user. "
Halpert said the best practice is
just three letters long: VPN. A virtual private network provides an encrypted
tunnel between the user and corporate resources that's secure even if the
network connection is wide open. "If you're using an organizational asset,
launch a VPN as soon as you can connect," advises Halpert.
That's what Fiberlink's Extend360
mobility suite does, according to Jim Burris, IT network operations manager for
Kenco Group, a logistics service provider. This gives the company's 300 roving
laptops a safe way to call home.
WiFi hotspots get a lot of press,
but any Internet connection is insecure if unprotected by encryption.
Policy into Practice
Deploying solutions that protect
employees from themselves is important, but Halpert warned against blind faith
in product claims. "Organizations shouldn't place implicit trust in products
just because they're marketed as such. More often than not, they don't do what
they say they do," he said.
He also stressed the importance of
informing employees. "Organizations need a corporate policy in place that
delineates proper use of corporate assets so employees know their
responsibilities. To support that policy you need to properly educate
employees," said Halpert. "You can't just put it on paper. You have to put that
information in front of them and ensure they understand it."
Sox said Colonial implemented a
"security privacy certification" that agents had to pass in order to be issued
a laptop. "We forced all current laptop users to take the test, and we set an
aggressive deadline," he said.
Sox recognizes that teaching
employees isn't a one-off. "The training department is keeping a close eye on
the changing security environment to determine when people need to be certified
again," he said. "We realized once we got into this that security is a process.
The rules out there change daily, so we have to stay educated." //