MOBILE DEVICE/DATA MANAGEMENT
Before computers became mobile, securing office equipment was as simple as locking doors, and securing data was as simple as placing a firewall between the office LAN and the open internet. Today, business equipment and business secrets pass into and out of your offices at all hours. In such an open world, how can valuable corporate assets be kept under control?
First, Identify Your Greatest Vulnerability To Loss
Should a UPS driver lose the ruggedized "sign here" device they carry, the loss to UPS is limited mainly to the cost of buying a replacement. At the opposite extreme, should a Pentagon employee lose a laptop with who knows what data residing on its hard disk, the cost of a new laptop is the least of anyone's problems. Banks and hospitals fall nearer the Pentagon end of this line, while most commercial organizations fall nearer the middle.
Hardware owned by the organization
  - can be lost, stolen or broken
Hardware owned by an employee but used for business
  - can be lost or stolen (a broken device is the employee's problem)
Data stored on organization-owned mobile devices
  - can be accidentally erased
  - can be corrupted by other apps on the device
  - can be stolen and used against the organization
Data stored on employee-owned mobile devices
  - can be erased, corrupted or stolen
  - can remain with the employee after termination
Organizational secrets shared with any mobile device
  - can be intercepted by man-in-the-middle attacks on Wi-Fi (a rogue access point, for example)
  - can be read off a stolen device
Customers' vital records shared with any mobile device
  - can be targeted by identity theft rings
  - can be targeted by competing organizations
  - can be the overnight death of an organization
Device-focused Security
For businesses which do not allow vital data (customer credit cards, employee payroll, etc.) to be accessible outside the physical offices, the replacement cost of the hardware will likely be the largest exposure. Such companies benefit from a mobile device management (MDM) system which periodically pings each device to confirm its status and location. Hardware tracking (a.k.a. inventory control) systems typically put the computer equivalent of LoJack on every mobile device. There are few things more satisfying than following a GPS fix straight to a stolen laptop.
In addition, such MDM systems let the organization control mobile devices centrally, both by forbidding the installation of unwanted apps and by ensuring that approved apps are kept patched to their newest revision. This is of most value when managing an organization's own inventory of mobile devices. Or, for that matter, immobile devices. Schools and libraries which maintain computer labs constantly need to restore their equipment to a default condition after busy hands have been playing with preferences and settings.
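To make the check-in and app-control idea concrete, here is an added illustration of the policy logic an MDM server applies to each device report. It is example code written for this page, not ComputerTree's software or any MDM vendor's product; the record layout, the policy values and the sample check-ins are all assumptions constructed for the example. It flags devices that have gone silent, devices reported lost (which should be wiped), forbidden apps, and required apps that are missing or below the minimum version.

```python
"""Policy checks an MDM server applies to device check-in reports.

Added illustration for this page, not ComputerTree's or any MDM vendor's code.
The check-in record layout and the policy values are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Policy (assumed): apps the organization forbids, apps it requires at a
# minimum version, and how long a device may go without checking in.
FORBIDDEN_APPS = {"com.example.torrentclient", "com.example.sidecloud"}
REQUIRED_APPS = {"com.example.vpn": "3.2.0", "com.example.securemail": "5.0.1"}
MAX_SILENCE = timedelta(days=7)


def parse_version(v: str) -> tuple:
    """Turn '3.10.2' into (3, 10, 2) so comparison is numeric, not lexical
    ('3.10.0' must rank above '3.9.9')."""
    return tuple(int(part) for part in v.split("."))


def evaluate(device: dict, now: datetime) -> list:
    """Return the findings for one check-in record (empty list = compliant)."""
    findings = []
    last_seen = datetime.fromisoformat(device["last_seen"])
    if now - last_seen > MAX_SILENCE:
        findings.append(f"stale: last check-in {last_seen.date()}")
    if device.get("reported_lost"):
        findings.append("lost/stolen: issue remote wipe")
    installed = {a["id"]: a["version"] for a in device["apps"]}
    for app_id in sorted(FORBIDDEN_APPS & installed.keys()):
        findings.append(f"forbidden app installed: {app_id}")
    for app_id, min_version in sorted(REQUIRED_APPS.items()):
        if app_id not in installed:
            findings.append(f"required app missing: {app_id}")
        elif parse_version(installed[app_id]) < parse_version(min_version):
            findings.append(f"outdated: {app_id} {installed[app_id]} < {min_version}")
    return findings


# Constructed sample check-ins (not real device data).
SAMPLE_CHECKINS = [
    {"device_id": "LT-0042", "last_seen": "2024-05-01T09:15:00+00:00",
     "reported_lost": False,
     "apps": [{"id": "com.example.vpn", "version": "3.10.0"},
              {"id": "com.example.securemail", "version": "5.0.1"}]},
    {"device_id": "LT-0057", "last_seen": "2024-04-10T17:40:00+00:00",
     "reported_lost": True,
     "apps": [{"id": "com.example.vpn", "version": "3.1.9"},
              {"id": "com.example.torrentclient", "version": "1.0"}]},
]


def run_report(checkins=SAMPLE_CHECKINS,
               now=datetime(2024, 5, 3, tzinfo=timezone.utc)) -> dict:
    """Evaluate every check-in; map device_id -> list of findings."""
    return {d["device_id"]: evaluate(d, now) for d in checkins}


if __name__ == "__main__":
    for device_id, findings in run_report().items():
        print(device_id, "compliant" if not findings else findings)
```

Versions are compared as tuples of integers rather than as strings, because a string comparison would rank "3.9.9" above "3.10.0" and quietly pass an outdated VPN client.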
Even more interesting complications arise when employees' personal mobile devices are introduced into the mix. Not being the property of the organization, such devices are potential wildcards both for data vulnerability and for continued good employee relations. On the other hand, forbidding the use of personally owned devices is increasingly unhelpful since it tends to be the organization's most productive employees who seek to establish such connections. What's needed here is a refocus away from hardware and onto data.
Data-focused Security
For many organizations, a data loss is vastly more costly than an equipment loss. Nations in the midst of diplomacy, and corporations in the midst of a merger, both face total loss should critical information fall into the wrong hands. Banks, law firms, hospitals and other organizations which act as custodians of other people's secrets face a black swan event should client information ever be compromised. Not a month goes by without the nightly news reporting that a laptop has gone missing which contained, for no excusable reason, a third of a million unencrypted credit card numbers or medical records.
The solution is to focus on compartmentalizing data rather than securing whatever hardware that data might reside on or pass through. Data stored in a fixed facility can be protected behind a firewall. Particularly vital data can be stored in encrypted form on the equipment within that fixed facility, either as encrypted files or on encrypted volumes. Conduits for remotely accessing that centrally stored data can be encrypted (HTTPS, i.e. web pages secured with TLS, being the best known example). At the user's end, the server can mark sensitive pages with the Cache-Control: no-store header so that the browser never writes them to its disk cache, and the browser itself can be configured not to retain form data or history for those pages.
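The "never store it on the user's equipment" rule is only as good as the headers the server actually sends, so here is an added check, written for this page and not part of ComputerTree's offering, that parses Cache-Control and reports which sensitive responses a browser would still be allowed to cache. The sample responses are constructed. The rule applied is the one in RFC 9111: only `no-store` forbids storage; `private` merely keeps shared proxies out, `no-cache` only forces revalidation before reuse, and `Pragma: no-cache` is a request directive that browsers do not honour as a response-side storage ban.

```python
"""Audit HTTPS responses for data a browser would be allowed to cache on disk.

Added example for this page, not ComputerTree's code. Sample responses are
constructed; the "sensitive" flag stands in for whatever classification the
organization applies to its own URLs.
"""


def parse_cache_control(value: str) -> dict:
    """Split 'private, max-age=0, no-store' into
    {'private': None, 'max-age': '0', 'no-store': None}.
    Directive names are case-insensitive; arguments may be quoted."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def may_be_stored(headers: dict) -> bool:
    """True if a browser may write this response to its cache.
    Only a no-store directive forbids it; private/no-cache/Pragma do not."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def audit(responses: list) -> list:
    """Return the paths of sensitive responses a browser could retain."""
    return [r["path"] for r in responses
            if r["sensitive"] and may_be_stored(r["headers"])]


# Constructed sample responses (not captured from a real site).
SAMPLE_RESPONSES = [
    # 'private' keeps proxies out but lets the browser cache the statement.
    {"path": "/account/statement.pdf", "sensitive": True,
     "headers": {"Cache-Control": "private, max-age=0",
                 "Content-Type": "application/pdf"}},
    # Pragma alone is not a response-side storage ban.
    {"path": "/api/patient/1234", "sensitive": True,
     "headers": {"Pragma": "no-cache", "Content-Type": "application/json"}},
    # Correct: no-store, spelled in any case, among other directives.
    {"path": "/records/export.csv", "sensitive": True,
     "headers": {"cache-control": "No-Store, must-revalidate"}},
    # Public static content is fine to cache.
    {"path": "/static/logo.png", "sensitive": False,
     "headers": {"Cache-Control": "public, max-age=86400"}},
]


if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print("browser may cache sensitive response:", path)
```

Run against a real deployment, the same function would be fed the headers returned by each sensitive URL; the two findings above (a bank statement sent as `private` and a patient record relying on `Pragma`) are exactly the misconfigurations that leave copies of client data on a lost laptop.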
But what of email, contact lists, calendars, and so forth? These forms of data are frequently stored on the user's equipment (in the persistent memory of the phone, tablet or laptop). The theft of a key salesman's top 10 leads might not destroy a business, but it would certainly be a major setback. A key motivator for organizations adopting the BlackBerry product line was that both its hardware and software were designed from first principles with data isolation in mind. Macs, iPhones, iPads and Android devices, in contrast, were designed with an eye towards consumer interaction, but they too can be secured by installing a containerized app which keeps its data to itself. That app establishes an embassy compound within the memory of each device, isolating whatever data is handled inside it from the rest of the device. Such data remains the property of the organization and can be selectively wiped by remote command as needed without touching the rest of the device's applications or data.
Locally Hosted vs. Cloud-Hosted MDM Servers
Should the server component of an MDM system be installed within the organization's own network operations center? Or should it be run as a service from the network of the MDM provider? The decision comes down both to preference and to practicality. Many organizations prefer to keep their security in-house, where they feel they can keep a closer eye on it. Conversely, other organizations feel much safer letting the provider host the server, because the provider is in the closest possible position to catch and fix problems before they get out of hand. On the practicality side, a sufficiently large organization can afford to devote personnel full time to maintaining its own locally hosted MDM server. Smaller organizations which cannot devote full-time attention are generally safer letting the MDM provider take on that task within its own network operations center.
The Right Tool(s) For The Right Job(s)
Organizations used to be able to minimize complexity by choosing one operating system and standardizing all equipment on it. With the advent of mobile, however, it is nearly impossible to remain a Microsoft-only or even Macintosh-only shop. Between BlackBerry, iOS (iPhone/iPad) and Android, the universe of platforms which must be supported is growing. This is nothing new to us, though. We've been in the business of cross-platform IT infrastructure since the Apple ][ era. We know how to keep things simple and safe in a complex world.
ComputerTree can help you appraise your organization's security vulnerabilities, then tailor a solution to your precise needs. Please contact our Enterprise Sales department at (800) 467-9820 x4, (336) 768-9820 x4, or nospam_sales@computertree.com for more information.