Mobility is quickly becoming essential to business and must be integrated into risk-management and security programs. This is because critical and sensitive information can be accessed by mobile solutions, making mobile a prime target for hackers.
There are a number of information risk management and security issues that business leaders, risk managers and information-security officers should weigh as they embrace mobility. Three key components are a data-focused approach, data inventories and classification models, and user-owned mobile devices.
Changing Your Mindset: Protect the Data First
Traditional approaches to information security have concentrated on protecting technology with the belief that data interacting with technology will be protected, as well. However, technology is usually only a vessel that stores, processes, transmits or uses information. That is not worth much until data, the asset with real and sustained value, is introduced. Until then, the associated value is the capital expense associated with the purchase of the technology and the labor costs associated with its configuration. By changing the mindset to focusing on data first and technology second, organizations are more likely to successfully protect their information. This is especially true with mobility where there is often limited control and visibility of how data and business processes are accessed or used.
Emphasizing data first will ensure that no matter where the data goes, it will be secured within the organization’s risk tolerances. This may mean restricting access to some information from mobile devices. For example, an organization may allow their financial data or customer nonpublic personal information to be accessed or stored on desktops or laptops, but not via mobile devices. The degree of restriction will depend on the probability and business impact of identified threats and the ability of available and implemented security controls to effectively mitigate them.
For instance, if the identified threat is an unauthorized individual accessing sensitive data, there may be a requirement for multifactor authentication to access that data, a control that may be available on desktops and laptops but not on mobile devices. These control objectives and requirements will be driven by data inventory and classification policies and standards. Individuals and technology can then better understand the characteristics of the targeted data and the controls and handling requirements that should be implemented to meet the risk-management goals of the organization.
Data Inventory and Classification
Before you can protect data, you must know where it is and why you are protecting it. It is more difficult to maintain an accurate inventory of data assets and enforce classification models with mobile because of its transient nature. For example, one of the most widely used mobile applications is email. Many organizations transmit sensitive information through email without appreciating that those messages may come to reside on one or more devices that do not meet the risk-management and security controls required by their data-classification policies. The devices may also be brought into high-risk environments, such as airports or public arenas, where they can be easily stolen and messages retrieved without the device owner or the organization knowing until it is too late to take protective action, such as remotely wiping the sensitive data from the device.
With viable data-inventory and classification capabilities, the location of these emails and their associated data elements will be more apparent to the organization. This allows it to take proactive measures, such as raising users' awareness of the presence of this data on their mobile devices through alerts or messages so that they are more careful to protect it. A data-inventory and classification capability also allows an organization to take appropriate actions, including enforcing mobile-security controls through authentication and encryption for data in motion and at rest. Sensitive material can then be accessed, stored or used by devices while still maintaining its confidentiality and integrity.
Securing the Bring Your Own Device (BYOD) Strategy
BYOD strategies for mobile devices have numerous financial and technological advantages, but they also introduce risk and security concerns. It is important to remember that in this model the user has the authority and ability to modify the device's configuration, applications and controls, since they own the device. This is true even if an organization requires an individual to sign legal agreements that allow the company to enforce its defined security controls and to gain access to the device.
An organization's best defense when using the BYOD model is to define which security controls must be present and operating on personally owned mobile devices that connect to and interact with its network, and to institute ways to verify on an ongoing basis that such controls are working as intended. An example of this is a policy enforced through Microsoft ActiveSync, which can be configured to verify that an organization's security requirements are being enforced on a mobile device each time a user attempts to establish a connection to the company's network.
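The following is an added illustration, not part of the original article, of what such an ActiveSync policy looks like in an Exchange Management Shell or Exchange Online session (Exchange 2013 and later cmdlet names). A permissive policy is shown beside a corrected baseline, followed by the ongoing verification step the text calls for; the policy names and the mailbox address are constructed placeholders.

```powershell
# Added example (not from the article). Assumes an Exchange Management Shell or
# Exchange Online session with Exchange 2013+ cmdlets. Policy names and the
# mailbox identity are constructed placeholders.

# A permissive policy: devices that cannot enforce the policy are still admitted,
# and neither a device password nor encryption is required, so a lost BYOD
# phone exposes whatever mail it has synced.
New-MobileDeviceMailboxPolicy -Name "BYOD-Weak-Example" `
    -AllowNonProvisionableDevices $true `
    -PasswordEnabled $false `
    -RequireDeviceEncryption $false

# The corrected baseline: devices that do not acknowledge and apply the policy
# are refused, the device must lock after inactivity, wipe itself after repeated
# bad passwords, and encrypt data at rest; the policy is re-checked daily.
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline-Example" `
    -AllowNonProvisionableDevices $false `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -DevicePolicyRefreshInterval 24:00:00

# Bind the baseline to a mailbox. ActiveSync pushes the policy on the next sync
# and will not let a device synchronise until it reports the policy as applied.
Set-CASMailbox -Identity "alice@example.com" `
    -ActiveSyncMailboxPolicy "BYOD-Baseline-Example"

# Devices never seen before are quarantined for review instead of admitted.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine

# Ongoing verification: list every synced device that has not applied its
# assigned policy in full, so the gap can be followed up with the owner.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceId, DeviceType, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync
```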
An organization has more authority and control over mobile devices it owns and manages than over those owned by employees. It should consider limiting personally owned mobile devices to low-risk capabilities, such as email, employee directories and internal web browsing. Individuals who need to access sensitive data stores or applications for business reasons should be issued corporate-owned mobile devices. This allows more control and flexibility in managing and securing devices for high-risk users while still realizing the benefits of the BYOD strategy for all others.
The balance of power has shifted, and the current technology-focused approach to information protection has proven ineffective against the capabilities and resourcefulness of an organization’s adversaries. Information risk management and security will always be evolving as long as attackers find value in exploiting an organization and its capabilities. The introduction and operation of mobility offers a great opportunity for organizations to change and mature their approach to information risk management and security to tip the balance in their favor.