The advent of cloud computing and mobile devices has, of course, dramatically changed the way employees access, use, and share information, yet the related security risks continue to frustrate IT professionals.

In fact, a recent “Global Study on Mobility Risks” conducted by the Ponemon Institute reveals the degree to which mobile devices are circumventing enterprise security and policies. According to the survey of more than 4,000 IT practitioners in 12 countries, 77 percent said the use of mobile devices in the workplace is important to achieving business objectives, but 76 percent also believe these devices put their companies at risk.

“We are going through a massive transformation in our industry,” said Marc Benioff, CEO of Salesforce.com, at the RSA Conference in San Francisco last month. This new workforce is “more open, transparent, and collaborative.”

At the same time, there are no easy solutions to the security risks, even as pressure mounts to mitigate them. “We're being required to offer more services, mobility, and access while at the same time dealing with more requirements around governance and compliance,” said Symantec CEO Enrique Salem at the conference.

A “lockdown mentality” is not the answer, said Salem. “We need to stop saying ‘no’ and partner with our user community. This new world cannot be a choice between social versus secure; it has to be both,” said Salem. The new world of doing business means enabling interconnectivity, as well as allowing for “strong governance, compliance, and controls.”

That push for access to social media platforms and mobile apps is driven by a young generation that has never been tied to a desktop system. Salem described how the “digital native” generation, in particular, has forever changed the way companies conduct business. Typically born in the 1990s, digital natives have never known a time before the Internet or mobile devices.

Digital natives readily turn to their mobile devices, social networking sites, and the cloud to solve problems, rather than obtaining information from a single source, such as a search query. “This is the future of business,” said Salem.

While security problems still abound, great progress is being made toward getting them solved. Salem offered a list of three questions companies in every industry must think about to move forward:

How do we manage online identities when our employees maintain dozens?

How do you protect information when the workforce shares information freely?

How do we keep track of a substantially higher volume of online activity?

“If we can't answer these questions, it will be a barrier to the new world of business,” said Salem. He described the need for an “advanced persistent protection” plan made up of four essential pillars:

Reliable early warning systems that allow you to understand when a new threat is potentially going to attack;

State-of-the-art protection, one that recognizes threats without affecting the corporate infrastructure;

Fast remediation, solutions that can move faster than the threat can spread across the company; and

A response plan that includes enforcement officials that can help with an ultimate solution.

Companies still have a long way to go, however, when it comes to adopting necessary security controls and enforceable policies. According to the study, only 39 percent have the necessary security controls to address the risks, and only 45 percent have enforceable policies.

Part of the problem is that employees don't always follow the controls and procedures. In fact, 59 percent of respondents report that employees circumvent or disengage security features, such as passwords and key locks, on corporate and personal mobile devices. During the past 12 months, 51 percent of those companies experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets. “It's clear that employees are deliberately disabling security controls, which is a serious concern,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

And the continued migration to mobile devices will only make matters worse. “Tablets and iOS devices are replacing corporate laptops as employees bring their own devices to work and access corporate information,” said Tom Clare, senior director of Product Marketing Management of security provider Websense, which sponsored the study. “These devices open the door to unprecedented loss of sensitive data. IT needs to be concerned about the data that mobile devices access and not the device itself.”

The study indicates that companies often don't know how and what data is leaving their networks through non-secure mobile devices, which increase rates of malware infections. Fifty-nine percent of respondents reported that over the last year, their companies experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure if they have or not.

“As mobile devices become more pervasive and more employees bring their own smartphones and tablets to work, IT is being challenged like never before,” said John McCormack, president of Websense, a data security firm. “They need to immediately protect data, and they need to establish and enforce security practices and policies.”

Traditional static security solutions such as antivirus, firewalls, and passwords are not always effective at stopping advanced malware and data theft threats from malicious or negligent insiders.

New Security Tools

To prevent security threats, Christopher Young, senior vice president, Security and Government Group at Cisco, described the need for more effective firewalls that can track data as it enters and leaves a company's systems. Authentication also needs to be altered, so that it is as close to single sign-on as possible, but flexible enough to work across a variety of platforms, added Salem.

[Chart not reproduced: MOBILE DEVICE RISK. Respondents' perceptions about the use and risks of employees' mobile devices, from the Ponemon Institute study (strongly agree and agree responses combined). Source: Ponemon Institute.]

Companies already have available the tools they need to achieve greater visibility. “Today we can access standard language that is directly embedded in routers and switches that automatically enforces our policies,” said Young, who also spoke at the RSA event. By doing so, the network can determine several factors, he said:

How is that device connected—via Ethernet or wireless?

What's the device: a PC, iPad, iPhone?

What is the posture of that device: Is it infected, or is it clean?

Where is that device connected from, and when?

“What makes all this context powerful is that now legitimate users can safely get access to the resources that they need on your network,” said Young. “This replaces that one-size-fits-all policy that most organizations are using today.”
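The four context questions above can be turned into an access decision and set beside a credentials-only, one-size-fits-all policy. The sketch below is an added illustration, not code from Cisco or the study; the tier names, device classes, and business hours are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Tier names, device classes and hours are hypothetical, chosen for illustration.
MOBILE = {"ipad", "iphone"}

@dataclass(frozen=True)
class Context:
    medium: str     # how: "ethernet" or "wireless"
    device: str     # what: "pc", "ipad", "iphone"
    posture: str    # "clean", "infected" or "unknown"
    location: str   # where: "office", "vpn" or "public"
    at: time        # when: local time of the connection

def static_policy(credentials_ok: bool) -> str:
    """One-size-fits-all: a valid login gets the same access everywhere."""
    return "full" if credentials_ok else "deny"

def context_policy(credentials_ok: bool, ctx: Context) -> str:
    """Grade access by connection, device, posture, place and time."""
    if not credentials_ok:
        return "deny"
    if ctx.posture == "infected":
        return "quarantine"        # remediation network only
    if ctx.posture != "clean":
        return "internet-only"     # fail closed when posture is unknown
    off_hours = not (time(7, 0) <= ctx.at <= time(20, 0))
    remote_wireless = ctx.medium == "wireless" and ctx.location != "office"
    if ctx.device in MOBILE or ctx.location == "public" or off_hours or remote_wireless:
        return "limited"           # reduced set of resources
    return "full"

# Constructed sample connections, not data from the study.
SAMPLES = {
    "wired PC in office": Context("ethernet", "pc", "clean", "office", time(10, 0)),
    "iPad on office Wi-Fi": Context("wireless", "ipad", "clean", "office", time(10, 0)),
    "infected PC in office": Context("ethernet", "pc", "infected", "office", time(10, 0)),
    "unknown iPhone, public": Context("wireless", "iphone", "unknown", "public", time(23, 30)),
    "PC over VPN at night": Context("ethernet", "pc", "clean", "vpn", time(23, 30)),
}

def compare(credentials_ok: bool = True) -> dict:
    """Map each sample to (static decision, context-aware decision)."""
    return {name: (static_policy(credentials_ok), context_policy(credentials_ok, ctx))
            for name, ctx in SAMPLES.items()}

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:26} static={decisions[0]:5} context={decisions[1]}")
```

With valid credentials the static policy grants full access to every sample, including the infected PC, while the context-aware policy grades each connection differently.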

Administrative burdens on users also must be reduced. Data that leaves the cloud should automatically be tagged, and cloud audit trails need to be set up and monitored, said Salem. Employees' access to accounts also should be disabled after they leave the company.

“In a world where users are bringing their own devices to work and where user names and passwords, even the strong ones, are easily compromised,” Young added, “our only way forward as an industry is to deliver increasingly granular, context-aware, and forced control via the network.”