There are a number of cloud-based tools to ensure data security. But have you evaluated device risks and application risks?
Device risks are the risks associated with the Bring Your Own Device (BYOD) strategy that organizations are increasingly adopting. Consider this scenario: your employees use their own smartphones to access and work with enterprise data. They may have downloaded information to their devices for ease of access. They may have stored their passwords on the device so they can connect instantly. If the phone is lost or stolen, the information contained in that device will be compromised; your database will be vulnerable. If the device does not have anti-virus software installed, any upload from the device may expose your data stores to malicious attacks.
Application risks stem from the installation of custom mobile applications, whether purchased from third parties, employee-developed or enterprise-developed. Their security holes may be unknown, and any flaws in how the software is built may expose the organization's network and databases to unauthorized access. A number of mobile vulnerabilities have been identified. These include insufficient transport layer protection, weak server-side controls, insecure data storage, client-side injection, poor authentication and authorization protocols, and broken cryptography.
Intelligent device and application security management may resolve many of the issues mentioned above without curtailing the freedom of the employee or putting organizational data in peril.
Given the proliferation of BYOD and the number of entities connecting to the network, perimeter security (while still necessary) is no longer sufficient. Organizations must involve their employees in security management. Employees who are permitted to bring their own devices must be trained to take security risks seriously. Physical security of the device and application-level security of the data must be repeatedly emphasized, so that employees using their own devices never inadvertently compromise enterprise data or expose it to malware or virus attacks.
However, device lockdown will not be necessary if data-level security systems are implemented intelligently. Data can be partitioned, and enterprise-approved applications can be made to work around this data. Sensitive data can be firewalled, and content can be encrypted and mandatorily stored within an encrypted container on the employee device. The container can be malware-protected and isolated from other applications on the device. This will empower employees and allow them the freedom to use their smartphones and other handheld devices optimally for personal and official work. The resultant agility will be to the advantage of the organization!