Today's Mobile Device Data Protection Must Go Beyond Encryption

Wednesday, August 21, 2013

Cam Roberson


Not too long ago, ensuring data security was a fairly straightforward task for most companies: slap a password on every desktop computer in the office and call it a day. Sure, this may be a slight oversimplification – corporations have long had to protect against external security breaches, and they have never been immune to internal threats, either. But protecting data stored within the company's firewall wasn't nearly the tall task that it is today.

The generally accepted "encrypt it and forget it" strategy of recent years no longer cuts it, for a couple of very good reasons. First, corporate data now lives not just on stagnant desktops but on laptops, smartphones and tablets, and it is routinely stored and transferred on tiny flash drives. Adding to that, employees frequently access and manipulate data while working on their sometimes-sanctioned, sometimes-unsanctioned personal devices. All of this activity takes place outside of local area network (LAN) protection, rendering even the most impervious firewall irrelevant.

Employers can be diligent in installing encryption software on the devices their employees use, but what happens if the password is compromised? Whenever the password is known, the laptop, smartphone or tablet is at no less risk with encryption than it is without. Once the device is authenticated, its contents are decrypted and the data is available to whoever has the device. Even diligent employees write passwords down. Thieves steal computers while they are powered on (and decrypted). Employees are transient and can leave the firm but still have the device and its password credentials. Then what?

Encryption is certainly a good start, but it's really just the baseline in today's data-security landscape. In selecting a data security strategy and implementing a system, companies shouldn't fret over which option provides the most robust encryption – they're likely all about the same. Rather, they should focus on the elements layered on top of encryption. They need features that will make their system flexible enough to corral widely dispersed data on many different mobile platforms and be able to protect that data under conditions where we must assume that the password is vulnerable.

Here, then, are four essential features of any corporate data security system. While some - or perhaps all - of the items on this list might have been viewed as luxuries not too long ago, they are fast becoming requirements in our rapidly evolving computing environment.

1. Flexible Encryption

With many data security platforms, encryption is an all-or-nothing proposition: You either encrypt the entire hard drive (system and all), or you don't encrypt it at all. As hard drives have grown larger, this situation has induced frustration in employers and employees alike. A 500-GB hard drive often takes not hours but days to encrypt, no matter if only a small portion of it is actually being used. Delays caused by encryption software can fray tempers and hamper productivity.

This binary encryption option will often be overkill in these situations, so companies should consider encrypting just the data – data files and locations – and not the system itself, with executables and applications that really pose no threat. A recommendation not to encrypt something might seem out of place, but any data protection implementation has to balance security with productivity. Encrypting what doesn't need it will only lead to excessive boot times and slower performance on data-intensive applications. By leveraging a device's built-in encryption systems with additional software that only controls what needs controlling, companies can have the best of both worlds: greater data security without compromising productivity.

2. Remote Monitoring

With the proliferation of sensitive business data on many different devices, both company and employee-owned, business leaders need to understand where these vulnerable devices may be and feel comfortable that they're within the organization's control. They need evidence that encryption is in place, and assurance that employees are abiding by the company's data-protection policies – after all, employees often take shortcuts that may endanger company data in the name of efficiency.

Many of the data-security systems on the market give managers a way to follow up on these concerns, allowing them to modify controls in response to what they're seeing.

Such systems also allow administrators to establish different levels of authorization for different classes of employees, and to change those authorization settings on the fly. Authorization shouldn't be permanent, and these systems recognize this truth by allowing administrators to revoke it at any time – whether or not they have physical access to the devices the employee is using.

3. Remote Data Access Control

Passwords won't do much to protect information stored on a stolen mobile device from which an employee has failed to log out, or on a tablet that is still in the possession of a fired employee who should no longer have access to the data stored on it. So in addition to encryption, companies need the ability to remotely control access to the data on these devices in the event of a breach.

The approach to denying data access can be draconian and permanent, like a 7x overwrite to a DOD standard – appropriate when the organization knows a device is stolen (and highly unlikely to ever return). Data erasure is also a useful tool when it comes to retiring devices. Shorter product lifecycles and the quickening pace of technological advances have caused devices to fall into obsolescence at a faster clip than ever before. While many companies find the task of deleting data on each retired device to be a daunting (not to mention costly) one, remote erasure makes the job as simple as point-and-click. And the fact that administrators can use a single console to track which devices have been erased and which haven't diminishes the risk that some devices will be overlooked.

A recoverable approach to data access control is the notion of remote “quarantine,” where the organization can utilize tools that temporarily deny access to the contents of a device. If and when the organization feels as though there is no longer risk to that device or its contents, it can again remotely restore access and use of the device. This technique is remote and immediate without harm to the contents of the device.

4. Automatic Security Features

The fact that administrators can now exercise more control over data on devices their employees use doesn't mean that they should be responsible for monitoring those devices at every moment. Accordingly, data-security systems should include automatic in-device features as well. One common example of this type of feature is an automatic response to a string of invalid log-on attempts. A company might like to pre-determine what the device should automatically do in response to such a risk. Furthermore, it might like to choose responses that escalate in severity as the risk itself escalates. A device shutdown might even be appropriate after a few invalid log-on attempts. Or, quarantining the device might be the right response after 7 or 8 invalid log-on attempts. Well-designed automatic features can go a long way toward alerting administrators to issues and bottling up threats before they come to management's attention.
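The escalation described here, combined with the recoverable quarantine and permanent erasure from section 3, can be written as a small state machine. This is an added sketch, not code from the article or from any product; the `Device` class, its state names and the thresholds (3 for shutdown, 7 for quarantine) are assumptions chosen to match "a few" and "7 or 8".

```python
from dataclasses import dataclass, field

# Assumed thresholds, constructed for illustration only.
SHUTDOWN_AT = 3      # "a few" invalid log-ons
QUARANTINE_AT = 7    # "7 or 8" invalid log-ons

@dataclass
class Device:
    name: str
    failed: int = 0
    state: str = "active"          # active | shutdown | quarantined | wiped
    alerts: list = field(default_factory=list)

    def _set(self, state: str, reason: str) -> None:
        # Every state change is reported to the administrator's console.
        if state != self.state:
            self.alerts.append(f"{self.name}: {state} ({reason})")
        self.state = state

    def login(self, ok: bool) -> str:
        """Record one log-on attempt and return the resulting state."""
        if self.state in ("quarantined", "wiped"):
            return self.state      # a password alone can never lift these
        if ok:
            self.failed, self.state = 0, "active"
            return self.state
        self.failed += 1
        reason = f"{self.failed} invalid log-ons"
        if self.failed >= QUARANTINE_AT:
            self._set("quarantined", reason)
        elif self.failed >= SHUTDOWN_AT:
            self._set("shutdown", reason)   # user may retry after power-on
        return self.state

    def admin_restore(self) -> bool:
        """Remote restore lifts a quarantine; an erased device stays erased."""
        if self.state == "wiped":
            return False
        self.failed = 0
        self._set("active", "restored by administrator")
        return True

    def admin_wipe(self) -> None:
        self._set("wiped", "erased by administrator")

def replay(device: Device, attempts) -> str:
    """Feed a sequence of log-on results (True = valid) to the device."""
    for ok in attempts:
        device.login(ok)
    return device.state
```

The design point is in `login`: once quarantined, even the correct password is refused, which is what protects the data when the password itself is assumed to be compromised.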

About the Author: Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
