How to maintain data and document security with a mobile workforce
Wednesday, November 16, 2016
Data and document security with today’s mobile workforce can be a difficult challenge. This is not a “one-size-fits-all” problem; you need to weigh the risks to ensure that you are operating within a tolerable risk level, and avoid the opposite extreme, in which you put significant controls around devices and hamper productivity for no benefit. Take a pragmatic approach: you want to be able to answer, clearly and with justification, the organization’s question of, “Why is this security measure necessary?” As security leaders, we want to allow our teams to move as fast as possible, and not deploy a policy or technology just because someone touts it as the best way to do something. Travis Howe, CISO at Conga, a CRM application provider for Salesforce users, provides these tips for striking that healthy balance.
Strategies to maintain security need to be in place before the data and documents reach a mobile device. In a workforce that now constantly mixes mobile devices with more traditional PCs, understanding compliance requirements and applying controls such as the principle of least privilege are critical to maintaining a high level of data and document safety. These security measures help manage user profile privileges on computers based on what each job requires, and can restrict access to highly sensitive data, documents and/or systems.
Nearly all of today’s high-tech workforces use SaaS applications. A key step is to take into account how data and documents are accessed remotely over a secure connection vs. data that may persist on a mobile device. A main area of focus when procuring new technologies is weighing the pros and cons of the offerings and how they will affect your overall security posture.
Here you need to understand which threat vectors remain, weighing the nature of the data and the likelihood and impact of a breach. Are your critical data and documents stored in the cloud, on the device or both? For example, most organizational services use the cloud; email is the exception, and it is often the only data that persists on a mobile device. Being aware of both where content is stored and the risk that location poses can help prevent a damaging leak.
It’s important to determine your risk level when you choose to use something other than a company-owned, managed and locked-down device. A BYOD program based on company control of the device, or on a simple policy-based control, can be helpful, but every new employee-owned device introduced to the organization creates the potential to leak classified information, so preventive measures and an understanding of risk tolerance are imperative.
Whether devices are managed via mobile device management (MDM) or by policy, you can employ a variety of controls depending on your specific requirements. Key controls like passwords, facial recognition and fingerprints are all staples in device management, and more advanced features such as encryption and remote wipe are becoming more and more mainstream. Device security is not one size fits all, and frustration often leads to inaction, so understanding which measures are best for each device can help relieve some of the pain points that come with maintaining total security.
These technologies and needs evolved rapidly over a period in which a mobile device was held to the same class of protection needs as all other corporate systems. As the evolution continues to move data to the cloud, so that nothing is stored on a mobile device, IT technologies can eliminate the need for such solutions. The pace at which mobile devices evolve creates a dog-chasing-its-tail challenge: the intricacies of continuing to manage at the hardware level on the mobile device vs. at the user level within cloud applications.