
Focus on the data to have any chance of controlling it

by Administrator
Issue: Europe I 2016
Article no.: 8
Topic: Focus on the data to have any chance of controlling it
Author: James LaPalme
Title: VP of Business Development and Cloud Solutions
Organisation: WinMagic
PDF size: 194KB

About author

James LaPalme is the Vice President of Business Development at WinMagic with expertise in channels (VAR, VAD, OEM, Embedded, IPR, SI), alliances, eco-system and business development, mergers and acquisitions. His focus includes developing mutually and commercially successful global software alliances and channel partnerships. He is currently applying these skills to his role as the Vice President of Business Development at WinMagic. He held similar roles previously at Irdeto, CloudLink (acquired by EMC) and Counterpath (acquired by FirstHand).

Article abstract

Organisations are under enormous pressure to control sensitive corporate data. Most have to comply with overlapping laws concerning data breach notification, meaning in general terms that they must disclose the loss or theft of data that can identify people. Other organisations are governed by laws, data sovereignty stipulations, or industry-dictated rules regarding controls placed on data about individuals. The language, tone and jurisdiction of these schemes vary widely, but the overall message is the same: keep track of data on your corporate networks.

Full Article

DropBox takes the prize. IT departments block it more than any other mobile app, according to a customer survey by mobile device management vendor MobileIron. DropBox’s faux “honour” demonstrates how mobility is driving cloud computing and how cloud computing is crucial to the future of mobile work. The cloud where DropBox lives and stores data allows for easy mobile access to that data; and without Internet-facing mobile devices, workers would not have overly convenient reasons for wanting DropBox.

The rise of DropBox’s enterprise file sync and share service (EFSS), cloud computing and mobility scares many IT pros and security managers, hence the reason so many blacklist the app. Those security managers recognise that cloud computing and mobility are here to stay. First off, the productivity gains are too great to ignore. Thanks to mobile connectivity to cloud computing, employees can access corporate data anywhere and therefore can be productive anywhere. As a second related point, those productivity gains will drive employees to work around IT blockades. If DropBox is blacklisted on their corporate phones, they will install it on their personal phones. An example of “shadow IT,” the consequences of such DIY tendencies are as insidious as “shadow” would imply.

Cloud computing means far more than just DropBox, and the enormous popularity of EFSS (today there are more than 140 DropBox competitors) is mirrored in other cloud-enabled corporate applications, all of which can be accessed via mobile devices. Just about every significant enterprise IT solution can be delivered as a service (via models called software as a service, or SaaS, and infrastructure as a service, or IaaS). This means that mobile devices can access those applications and resources, and the sensitive data they contain, from the cloud.

This predominance of SaaS and IaaS, like EFSS, further shows the synergistic relationship between mobile computing and cloud computing. And their unchallenged effects on business mean IT pros and security managers need to face the facts. With cloud computing here to stay, they need to address the risks posed by cloud computing. Fortunately the security industry is poised to help.

Evaluating risk of the Mobile Cloud

With mobile devices, for the first time in the history of enterprise IT, workers are using machines that IT doesn’t necessarily control or own, or even know about. More employees use their work devices, be they phones or tablets, to manage personal data. Or they use their personal devices for work, logging into mobile applications to view sensitive data. This clash of the personal and enterprise workspace creates a new and unique series of security risks.

Organisations are under enormous pressure to control sensitive corporate data. Most have to comply with overlapping laws concerning data breach notification, meaning in general terms that they must disclose the loss or theft of data that can identify people. Other organisations are governed by laws, data sovereignty stipulations, or industry-dictated rules regarding controls placed on data about individuals. The language, tone and jurisdiction of these schemes vary widely, but the overall message is the same: keep track of data on your corporate networks.

A data breach is expensive, costing by one estimate an average of US $3.8M, according to IBM-commissioned research released in mid-2015 by Ponemon Institute. Breaches severely damage a company’s reputation, and they mean significant investments to identify and remove a source of compromise, and then to make sure it doesn’t happen again.

Unfortunately, the intense desire to control data stored in the cloud, and accessed via mobile devices, runs contrary to the needs of end users to access that data. As noted previously, IT is unable to block many of the ways its employees access data in the cloud.

Users oblivious to cloud risks, or they just don’t care

Perhaps because of the convenience of cloud-based data accessed on mobile devices, most end users do not notice the security concerns inherent to data mobility. According to an early-2015 Harris Interactive survey commissioned by WinMagic in the U.S., 76 percent of adult EFSS users believe the data stored in the service is protected. That means they won’t hesitate to use the service on their own devices to store company data.

A WinMagic-commissioned survey by CensusWide in September 2015 of 1000 office workers at companies with at least 50 employees amplifies risks related to cloud usage. A StorageReview.com story notes that “the survey found widespread employee use of cloud storage services that were at times either not sanctioned by employers or the employee had no knowledge of their companies [sic] policy of the use of cloud storage services.”

Given that cloud storage services are top of the list of blacklisted mobile applications, IT pros are aware of the profound truth: their employees use cloud services and think that data stored there is safe, in all likelihood with no regard for any sort of company policy regarding cloud usage.

What are companies to do?

Mobile device management solutions are widespread, and they manage personal and corporate phones, tablets and other gadgets that access corporate data. These solutions set access control policies; e.g. they manage which devices can access corporate data and apply rules based on the user’s role or access privileges. IT pros use them to block usage of certain applications—such as EFSS—that might pose a security risk. From its origin as a method for preventing physical data “leakage” via USB storage devices, mobile device management must remain a mainstay of any corporate IT security strategy.

The conventional wisdom within corporate security circles recommends (appropriately) deploying a “solution tapestry” to protect sensitive data and critical infrastructure. Network-based offerings sniff for suspicious traffic. Firewalls, message gateways, and other perimeter solutions block the obvious and ward off denial-of-service attacks. Authentication and network access offerings check nefarious user behavior that might indicate insider attacks or bot-based attacks via privilege escalation.

And while the variety of company-deployed software solutions do their work, eye-in-the-sky type services apply what’s happening in the big-bad world to the corporate footprint. Threat intelligence vendors watch the bad guys and apply the learnings to corporate defenses, given the rise in company-specific attacks.

A well-executed security strategy relies on all these approaches, in concert, to provide protection, while security teams sit watching them work, hopefully in harmony, lest the tapestry turn into a tangled mess of overlapping software deployments overwhelming response processes with false alarms.

But what of the data itself? Many security software solutions—while absolutely necessary to overall security—operate in their own silos with respect to the data that’s being protected. MDM solutions only affect data when it temporarily resides on a mobile device; companies must trust the security of the data as it traverses from PC, to mobile device, to Cloud service, to other areas where data needs protection (Internet of Things devices, etc.). While no one is blind to the fact data can reside everywhere today, the focus is heavily on securing the endpoint where data might reside rather than on securing the data itself.

Given the importance of the cloud and mobility to each other, companies must concentrate on a security strategy that considers both concepts, while focusing on the data. On the horizon are IT security solutions that encrypt the data and apply granular policy rules to manage how that data is decrypted. The policy rules can consider a variety of parameters potentially governed by other security or IT solutions, such as role, user, location, device, etc.
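
The policy-gated decryption described above can be sketched as follows. This is an added illustration, not WinMagic's product or code: a hypothetical key broker releases a file's data key only when the requester's role, location and device attributes satisfy a rule, and denies by default. The class names, data labels and sample requests are constructed assumptions, and the encryption step itself is left out.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:              # attributes supplied by other IT/security systems
    user: str
    role: str
    location: str
    device_managed: bool

@dataclass(frozen=True)
class Rule:
    roles: frozenset
    locations: frozenset
    require_managed_device: bool

POLICY = {  # constructed sample policy: data label -> rules that permit decryption
    "hr-confidential": [Rule(frozenset({"hr"}), frozenset({"GB", "DE"}), True)],
    "general": [Rule(frozenset({"hr", "sales"}), frozenset({"GB", "DE", "US"}), False)],
}

class KeyBroker:
    """Hypothetical broker: holds per-file data keys, releases them per policy."""
    def __init__(self, policy):
        self._policy, self._keys, self.audit = policy, {}, []
    def register(self, file_id, label):
        self._keys[file_id] = (label, secrets.token_bytes(32))
    def release_key(self, file_id, req):
        label, key = self._keys.get(file_id, (None, None))
        allowed = any(
            req.role in r.roles and req.location in r.locations
            and (req.device_managed or not r.require_managed_device)
            for r in self._policy.get(label, []))  # no matching rule means deny
        self.audit.append((req.user, file_id, "ALLOW" if allowed else "DENY"))
        return key if allowed else None

def demo():
    broker = KeyBroker(POLICY)
    broker.register("payroll.xlsx", "hr-confidential")
    broker.register("brochure.pdf", "general")
    cases = [  # constructed requests
        (Request("alice", "hr", "GB", True), "payroll.xlsx"),
        (Request("alice", "hr", "GB", False), "payroll.xlsx"),  # personal phone
        (Request("bob", "sales", "US", True), "payroll.xlsx"),  # wrong role, region
        (Request("bob", "sales", "US", False), "brochure.pdf"),
        (Request("bob", "sales", "US", True), "unknown.doc"),   # unregistered file
    ]
    keys = [broker.release_key(f, r) for r, f in cases]
    return keys, broker.audit
```

Because the ciphertext is useless without the key, the same file can sit on a PC, a phone or a cloud share while the decision to decrypt is made, and logged, in one place.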

Certainly companies must evaluate risk ahead of considering data-centric security approaches. At WinMagic, we’ve authored an ebook that simplifies the risk calculation for EFSS. Inevitably, however, as more and more companies investigate cloud, mobility, and other paradigms transforming IT, they will discover that these paradigms create complexity that weakens security. From within that evaluation, the fundamental element of IT is data, and focusing on data security cuts through the complexity.

While it’s a cliché to say that the cloud and mobile devices are changing the world, it is true to say that imagination is the only limitation on the possible applications of the two concepts. This reality necessitates a renewed focus on security solutions, below the security software tapestry, that protect data wherever it resides.
