The simultaneous explosion of enterprise mobility and cloud adoption has resulted in a “perfect storm” for IT. It’s the “everywhere data” side effect created by bring your own device (BYOD) programs — data is now coming from anywhere and everywhere, making it hard for IT departments to keep up.
Data traveling from corporate servers to unsecured personal devices to apps and into the cloud leaves a digital paper trail of copies everywhere along its route. Gartner vice president David Willis recently highlighted this phenomenon saying, “Some mobile devices are designed to share data in the cloud and have no general purpose file system for applications to share, increasing the potential for data to be easily duplicated between applications and moved between applications and the cloud.”
Mobile data presents a unique challenge to IT security teams. These teams previously built data security models to prevent data leakage, which is unfortunately like shutting the barn door after the horse has bolted. Even before enterprises are able to launch a formal BYOD program, their data has already leaked everywhere. In reality, BYOD programs present the first opportunity for IT to formally implement approaches that tackle data security properly.
When looking at a mobile security solution, you need to consider not just the lessons you’ve learned from previous leaks, but also the fact that your employees will not tolerate heavy IT endpoint software on their agile personal devices.
Let’s look at five approaches for securing mobile data:
Device-level containers or personas
This class of solution invokes the notion that with a “bring your own” device, business and personal use should be separated like “church and state.” To that end, IT can apply a separate zone on the user’s device within which some corporate apps and data can reside. In this way, policy controls apply only to what’s in the container, rather than to the entire device. This model works well for organizations that have previously implemented separation approaches for corporate-owned endpoints.
Another approach to data security is to secure company information indirectly through application management (mobile application management or MAM). Unlike mobile device management (MDM), which focuses on device activation, enrollment, and provisioning, MAM focuses on software delivery. This approach allows IT to present a catalog of corporate developed apps and vetted third-party business productivity apps that employees can use for work. A benefit to MAM is that it gives administrators the ability to update and potentially remove apps without having to physically touch the device.
The challenge for someone investigating these solutions is teasing out the features tied to data security from those tied to pure app management. Data security within these models generally comes through the whitelisting or blacklisting of apps.
Data lockers, also referred to as content lockers, invoke the classic “walled garden” approach to data security. Data lockers are often sold as add-on solutions to MAMs or containers with the purpose of channeling data into a central secure storage repository. Data lockers give end-users access to the corporate data within an IT-owned framework, keeping administrators in control of a broad array of data.
Virtual Desktop Infrastructure (VDI)
VDI gained traction as a solution shaking up how desktop PCs are delivered, but it’s also viewed as an option for BYOD. “Hosting” a desktop virtual machine on a shared server that is then accessed by a “client” device like a tablet can be a very useful approach for mobile users to securely access corporate apps. Data security comes into the picture because all corporate data sits safely within the confines of the corporate data center no matter where the client device is. You can use existing data security solutions with this model as well. It is worth noting that this approach will only cover the apps that reside on the desktop not apps natively designed for mobile.
Once data makes its way outside the bounds of the enterprise, IT needs to begin viewing data security as the first line of defense, not the last line. A newer philosophy is the so-called “data-centric security” approach, that provides IT with visibility into which data has crossed the bounds of the enterprise and where it has gone.
As Gartner’s Willis explained, “We’re finally reaching the point where IT officially recognizes [that] people use their business device for non-work purposes.”
Now with visibility into its everywhere data, IT can make informed decisions about control policies. Moreover, because controls are directly tied to the data, the mechanisms of enforcement have no impact on a user’s native device and app experience.
All five of the data-security approaches outlined here are backed by products on the market and should be aligned with the BYOD goals of your organization. The right approach will ultimately be the one (or a combination of solutions) that fosters the secure flow of corporate data while supporting IT and enabling employees to use the devices and applications they need to optimize productivity.
Caleb Sima is CEO of Bluebox Security. Engaged in the Internet security arena since 1996, Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC). He is also a Microsoft Most Valuable Professional (MVP) in Visual Developer Security. Prior to co-founding Bluebox, Caleb held leadership positions at Armorize Technologies, SPI Dynamics, and the HP Application Security Center.