Mobile Data: Are You Carrying a Suitcase or a Safe?
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
If you were packing for a trip and needed to take reams of documents with personal data, such as bank statements and medical bills, would you rather put them in a suitcase or a safe?
This example may seem exaggerated, but the reality can be even more daunting. Every time end users step out the door, they may be carrying thousands of dollars worth of corporate information in their pocket. Mobile devices such as smartphones and tablets are great for productivity, but one wrong move and all that sensitive information could end up in the wrong hands.
The key is for emphasis to be placed on securing the data, not just the device. While losing a mobile device might be a setback of several hundred dollars, the loss of sensitive customer data can cause tens of thousands of dollars of damage or more. That's where encryption comes in.
While it's not always possible to control where users take their mobile devices and the sensitive data on them, organizations can protect the data using encryption technology. By implementing comprehensive data encryption on all devices used to access corporate information, the potential damages will be greatly reduced.
There are several key points to remember, however, as an organization considers encryption solutions. The following suggestions will help you take full advantage of mobile devices while keeping them as secure as possible.
* Choose devices carefully -- Phones and tablets offer different security options, so you have to confirm each device or platform includes the needed security controls. An important aspect to understand is how strong encryption is incorporated. Is it built into the mobile operating system or into the device? In the case of device encryption, ensure that the encryption can be enabled across all risk areas, as some products encrypt data stored on the device, but not data stored on removable memory. Also, confirm strong algorithms and key sizes (a minimum of 128-bit AES) is used for encryption. Finally, as encryption is useless without good key management, ensure the key management policies comply with corporate standards.
* Limit sensitive data stored on devices -- Though it is unrealistic to eliminate storage of sensitive data on mobile devices, limiting the amount stored is an option. Doing so limits the risk surface. In such a scenario, access to encrypted information not stored on devices is achieved via recommending or requiring files be stored in a cloud-based service or corporate network.
* Implement a user-friendly solution -- Changing end user behavior is hard, so wherever possible tailor security to existing user behavior. This means encryption methods such as sandboxing that keep data isolated on the device and make it difficult to access and modify encrypted information less than ideal. To more effectively use encryption, organizations should look for business applications with embedded encryption capabilities to allow the user to securely access sensitive corporate data. [Also see: "Enterprise smartphone and tablet incursion to grow in 2012"]
* Balance security with availability -- Even the best encryption software can be left useless in the case of a network outage. And, since one of the hallmarks of the mobile workforce is travel, having no network availability is a real concern. It's important, then, to utilize a solution that will maintain constant security, whether the mobile device is currently connected or not. By implementing encryption technology that runs on the device itself, independent of connectivity, data will always be protected. If an email is being prepared while outside the service area, for example, the information will still be encrypted throughout the entire process, until it is sent. This keeps productivity as high as possible without sacrificing security.
* Educate users about keeping control of their device -- Though strong encryption goes a long way in protecting sensitive data, it is prudent to prevent potential attackers from having physical access to the data. Some recommendations to consider are:
• Require devices to have an idle time lockout -- a setting that locks devices after a set period of inactivity; locks on keypads/screens and voicemail should be considered, too.
• Recommend that employees store mobile devices in pockets, briefcases and purses, not on a table -- especially in restaurants, hotels and airports -- which makes it easy for a thief to distract people and walk off with a device.
• Create a lost device reporting process for employees so IT can react quickly.
• Consider employing remote wipe technology to safeguard data on lost or stolen devices. [Also see: "3 tips for avoiding tablet management headaches"]
Employing data encryption on mobile devices brings a new level of security to your sensitive business information, allowing IT to provide support while imposing as few restrictions on mobile workers as possible. You can rest easy knowing that wherever users are, they are carrying a safe, rather than just a suitcase.
Symantec provides security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. More information is available at www.symantec.com.
Read more about anti-malware in Network World's Anti-malware section.