Risk
8/29/2013
11:10 AM
Dave Anderson
Dave Anderson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Secure Data, Not Devices

As government goes mobile and makes greater use of cloud services, IT leaders must adopt a more data-centric, not device-centric, security approach.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
In Gartner's latest quarterly PC sales analysis, it's hard to miss the enormous shift away from desktop and laptop PCs toward tablets and smartphones. Worldwide PC shipments in the second quarter were down 10.9% from the year before, marking the fifth consecutive quarter of falling sales.

U.S. government agencies are following this trend and, in some cases, even leading it. According to a Mobile Work Exchange report released in May 2013, many federal IT executives say they have launched new internal and customer-facing mobile applications, including apps for timecards, document sharing, inventory tracking, and weather watch and warning systems. A solid 59% of agencies has developed an enterprise-wide inventory for mobile devices and wireless contracts.

The good news is that these federal users say their agencies are realizing the benefits of access to mobile devices, including improved communication with colleagues in different locations, employee productivity and availability to constituents.

The shift toward tablets raises an important issue that promises to change the data governance dynamic for most agencies. Since iPads and other tablets have limited on-device data-storage facilities, we must ask: What about the data? Where is it stored and how is it protected?

According to the Mobile Work Exchange report, 73% of government respondents admit security and the ability to protect sensitive information across devices is the top barrier to going mobile.

[ After two major breaches this year, you have to wonder whether the DOE is serious about security. See Department Of Energy Cyberattack: 5 Takeaways . ]

So while many agencies are adopting tablets and other devices and moving to the cloud, which supports anytime/anywhere computing, doing so without the proper data protection strategy and controls puts that data at risk.

The challenge this creates for government IT is significant, as very few legacy endpoint security technologies can reliably extend their protection into the cloud. Not only this, but there are regulatory hurdles to be met when it comes to moving data into and across the cloud, as well as storing or replicating data on mobile devices.

A report published in March from the Department of Defense inspector general's office on the effects of BYOD on U.S. military data security found that the military command was unaware of more than 14,000 commercial mobile devices in active use across the Army. The report's findings are a classic example of what happens on the data security front in very large organizations.

Just like a large enterprise, not only do government agencies need security policies, they need the technology in place to enforce those policies and ensure the proper governance surrounding the data as it flows into, across and out of the organization. A lack of technology to both enforce the required security policies, as well as control what happens to the data, whether it is held in a local or cloud environment or even across a mobile device, creates a huge data exposure risk that exists across all unknown devices.

Effective data security is already a complex issue for most IT and security departments, but adding mobile access -- with all the challenges this entails -- changes the ballgame significantly. As more agencies embrace mobile access to corporate data, it is imperative that the information governance systems they use take a data-centric approach to business security.

That's one of many reasons why encrypting the data as it is used and moved across a network, through the cloud and over mobile devices assumes significant importance. Encryption takes data protection to a completely new level.

As we've seen, it only takes one email and attachment containing sensitive materials to fall into enemy hands to create a breach that's difficult to contain. Given current budget pressures and the challenge of getting users to willingly encrypt their data and overcome their worries that data encryption will hamper productivity, there is plenty of resistance to properly managing data over today's mobile networks. However, the stakes for not adopting a more data-centric security approach are high -- and growing higher -- as more workers turn to mobile devices to do their work.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/14/2013 | 7:55:06 PM
re: Secure Data, Not Devices
I think the answer lies both in securing data through encryption and authentication and point defenses on the devices themselves. A layered defense is always the best option as nothing is invincible. A couple of smart phones and tablets firms are now integrating software and hardware applications for BYOD. It is a trend to follow.
WKash
50%
50%
WKash,
User Rank: Apprentice
8/29/2013 | 9:56:42 PM
re: Secure Data, Not Devices
The fact that government bodies, such as NIST, but also DHS, are still wrestling with identity authentication suggests that the march to securing data over all these devices is going to be a long one.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio