A number of security issues demand attention the moment mobile workforces attempt to access enterprise information stored in cloud backups. Unfortunately, enterprises are making hurried cloud backup purchase decisions without measuring how Bring Your Own Device (BYOD) and mobility can increase the risk to enterprise information stores. The problems are compounded as IT administrators hurry to buy into the cloud without complete information about the risks involved in mobile computing. There is an urgent need to understand how mobility plays into enterprise risk postures and what level of risk is tolerable to the enterprise.
What gets measured gets appreciated. Identifying and evaluating risks helps enterprises decide whether cloud computing will support their business goals, objectives and policies. Specificity gives clarity, especially for something like password policies. For instance, risk evaluation can be as granular as deciding whether the organization will benefit from using a four-digit password or a six-digit one. This attaches some metrics to the risk definition.
Organizations concerned about risks associated with mobile workforces and mobile access to information stored in cloud backups should focus their attention on three specific areas: technology, policy and law.
The type and nature of the devices connecting to the cloud backup, together with the network settings and configurations, have an impact on the security posture of the organization. Technology-based risk mapping studies must ask questions about the device types, network settings, and network configurations. They must aim to reduce technology-related risks by measuring and reducing the risk of unauthorized access. They should be thinking in terms of instituting authentication systems, data access authorization and encryption.
At the policy level, enterprises must re-evaluate their policies with reference to the changing business environment. They must make the effort to understand how BYOD, mobility of workforces and mobile access to information will increase or decrease risk to the enterprise. Do they restrict access with role-based protocols or device-based protocols? What are the risks of insecure apps residing on mobile devices? Do they institute screen-lock and application use policies? How much risk management is too much?
Finally, the risk evaluation process must consider the risks around law and deal with questions of how mobility affects compliance with regulatory mandates. Privacy laws can be tricky, especially on BYOD devices. Should they use mobile device management technologies to have unrestricted access to the mobile device for backup and deletion of information on company-owned or employee-owned devices? How does it violate the privacy of employee-owned data?