As BYOD becomes the new normal and employees increasingly move about with sensitive company data, security becomes a key issue for CIOs
By KTP Radhika
According to a recent survey conducted by Gartner among global CIOs, by 2017, bring your own devices (BYOD) programs will become so commonplace that half the employers would require staff to supply their own device for work purposes.
The trend is catching on even faster in India. Recently, a Dell-sponsored enterprise tablet survey conducted among Indian CIOs found that about 50% of them were considering a BYOD implementation within six months and 80% of organizations were considering a BYOD implementation in the next one year.
Despite the various advantages that mobility devices offer, BYOD brings in huge challenges in terms of security and corporate asset protection. One of the most significant risks is data loss. There is a great chance of confidential and private information getting stored on mobile devices in the form of temporary or cached files, sometimes even unknown to the owners. Additionally, employee-owned devices used for work introduces IT complexity since it is not always clear who owns what data on the device. Security risks soar up when such a device is lost or stolen. Employees who leave the company can take valuable corporate information with them unless businesses control which data is allowed on personal devices and have the means to enforce its policies.
Another threat is caused when users install apps on their device without giving much thought to user agreements. “The new, unsecured and possibly non-compliant mobile devices easily coming inside the walls and leaving with business sensitive information is creating a security and compliance hole which is forcing IT managers to re-think of how to best secure the organization and its business data,” says Srinivasa Boggaram, SE Team Lead – India, McAfee. “In a consumerized IT environment, the pre-existing security policies and processes would need to undergo an overhaul.” Further, there are various implementation level challenges that need to be addressed to ensure successful deployment of BYOD in an enterprise.
The business need to mobilize enterprise applications means it should allow the mobile workforce to access corporate information on an anywhere, anytime basis. This creates a data security challenge if the mobile end-points are uncontrolled and if there is no visibility on mobile devices. Therefore, BYOD is a balancing act for most CIOs and IT managers. “In many tightly regulated sectors, compliance to information security norms is a must and hence corporate data security on mobiles is emerging as an area of critical responsibility for CIOs. They should ensure security while giving flexibility to end users in the organization,” says Naveen Chopra, Director, Vodafone Business Services. “The non-standardization of mobile end points (i.e. the different make and operating system of the mobile handset/tablet) creates a heterogeneous environment, leading to numerous information security risks which need to be addressed.”
Unfortunately, some organizations make the mistake of ignoring the mobile data security loss. Even though the nature of data lost may very well differ from organizations to organizations and industry to industry, these threats apply universally. There are a number of things that a CIO can put into practice to mitigate security risks that can provide comprehensive, layered mobile security when combined. This starts with an effective policy-making that ensures the processes are in place and are monitored regularly.
The right policy
“Data protection is not only a technology concern, it is a policy concern as well,” says Surendra Singh, Regional Director, India & SAARC, Websense. To enable a successful mobile environment, the IT team at an organization needs to focus on scaling up to support an array of gadgets, operating systems, bandwidth and, most importantly, the security to ensure safe access of data. CIOs have to first ensure that there is a robust but not intrusive security policy in place. “The organization that allows BYOD to access company data has to have a proper agreement in the first place. The CIO has to understand the business objective in order to frame a good mobile data protection policy,” suggests Singh.
Good policy needs to consider different factors such as user’s role in the organization and his or her specific requirements, devices and applications. And for better data protection, there should be a flexible and scalable policy framework with a dedicated team to monitor. The IT team has to create a system for classifying data that helps to allocate the highest level of security to the most sensitive data. “Companies should establish and communicate effective guidelines to employees for working on personal mobile devices. They also have to define channels for reporting of data breach or unsafe practices,” stresses Philippe Inserra, Vice President of Identity and Access, APAC, Security Business Unit, Gemalto. Periodic risk audits should be the part of the data protection policy. The policy itself should be reviewed periodically to keep it up to date and amended to accommodate changes.
According to Diwakar Dayal, Head – Security Business, Cisco India and SAARC, CIOs need to look to evaluate solutions that offer a ‘holistic security policy’, where the controls can be applied securely to a device and location agnostic network. “This can be addressed with the adoption of an integrated, adaptive and collaborative security approach. Such adaptive policies, which are built into the concept of a self-defending network, should remain active at all times,” he suggests. IT managers should perform inconspicuously, minimize propagation of attacks and quickly respond to as-yet unknown attacks. These capabilities can reduce the vulnerability of networks, minimize the impact of attacks and improve overall infrastructure availability and reliability.
Tools to the rescue
To balance flexibility and security, a CIO has to decide on which data is the sensitive one and which are not. Chella Namasivayam,CIO, iGate says, “A CIO has to decide which is the most sensitive data and prevent access to that through mobile devices. It differs from industry to industry, though.” For example, in certain verticals such as banking, financial services and insurance (BFSI), only about 10% of their data can be exposed to mobile devices. iGate, which promotes mobility, is exposing almost 60% of their data to the mobile devices.
A policy not equipped with necessary tools to monitor and manage data traffic is no good. So vendors are coming up with many tools and technologies for mobile data protection. “Besides the policy framework, CIOs should focus on designing a next generation security architecture built on top of a multi-function platform, with deep network integration. Due to the evolving threat landscape, organizations require a new approach and strategy to deal with the ‘any to any’ challenges that arise,” feels Dayal. Enterprises need to better defend and more rapidly detect and remediate against increasingly sophisticated attacks.
One of the most important technologies in use is containerization of data. It is the most popular method used by most organizations. It will insulate corporate data on personal mobile devices in a safe data container. It will create an encrypted space or folder on the device to house more sensitive data and applications. Boggaram opines, “Using secure containers to access information from insecure and non-corporate deployed devices will secure the mobile data. Accessing email as an example within a secure container means the emails reside inside an encrypted container and if the device is ever lost, the information is encrypted and secure.” Today, OEMs have started building containerization capability within handsets allowing workforce to keep dual persona — i.e. separate profiles for personal and corporate — and allowing IT administrators to control the BYOD environment.
DLP and more
Deploying mobile data leakage prevention (DLP) software can help protecting corporate data effectively. “Mobile DLP gives users secure access to their business data, but with governance and control firmly in the hands of the enterprise,” says Nilesh Goradia, Head – Presales, Citrix Systems. Symantec’s data prevention software, Zenprise’s DLP solution is among some of the popular mobile DLP solutions available in the market. Anti-malware technologies such as mobile security solutions are technologies to watch out for as mobile device becomes a multi-purpose computing end point. Companies have to ensure that updated anti-virus software is deployed on every mobile device and should make it a standard practice. Security software giants such as McAfee, Symantec and F-secure are providing high end anti-virus and anti-malware solutions for mobile devices.
Identity and access management systems also help in securing mobile corporate data. According to Inserra of Gemalto, identity and access management system and software ensure that only the authorized employees are able to access confidential information. “These systems also reduce hacker threats and implement clear protocols providing cleaner access to cloud based services as well as enterprise resources on the go.” This solution includes one-time password (OTP) tokens and smart card ID credentials with digital certificates, providing secure remote access from a mobile endpoint and ability to work from an internet browser. Since this authentication is isolated from the mobile device, users are protected from unauthorized access.
Organizations also need a good mobile device management (MDM) solution, which can help ensure devices are kept up-to-date with the latest patches, and the ability to remotely wipe data from lost phones and manage apps using over-the-air technology. Many large and small vendors are working in the space of MDM and organizations can choose the most apt one for their business purpose. Companies also have started to use patch management tools and synchronization technologies to protect mobile data. Deploying an agent-less vulnerability management solution to provide round the clock visibility on every device that is trying to connect to the network and validating the compliance and risk that the device may bring to the network, can help secure corporate data.
An increasing number of data breaches exposing user credentials have raised the need for stronger authentication solutions. Enforcing remote locate, lock and wipe technology on mobile devices to protect data in case the device is lost or stolen will be helpful. “Secure elements such as SIM, UICC cards, MicroSD cards or embedded secure elements in next generation mobile devices are among the key elements strengthening security. These generate and store information using public-key cryptography and perform the associated algorithms needed for strong authentication,” explains Inserra. It can sign documents and emails digitally and encrypt data on mobile devices, providing protection against data loss and a high level of security. Additionally, there is also potential to use near field communications (NFC) to enable secure logical and physical access in future.
Apart from deploying latest security tools, CIOs have to back up the enterprise data residing solely on the mobile devices. There are numerous cloud based solutions available to back up mobile data. Once all security tightening measures are in place, the organization is very much ready to embrace mobility and the CIO can enable a much flexible work experience which will take the productivity of the organization to greater heights.
