Risk
8/29/2013
11:10 AM
Dave Anderson
Dave Anderson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Secure Data, Not Devices

As government goes mobile and makes greater use of cloud services, IT leaders must adopt a more data-centric, not device-centric, security approach.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
In Gartner's latest quarterly PC sales analysis, it's hard to miss the enormous shift away from desktop and laptop PCs toward tablets and smartphones. Worldwide PC shipments in the second quarter were down 10.9% from the year before, marking the fifth consecutive quarter of falling sales.

U.S. government agencies are following this trend and, in some cases, even leading it. According to a Mobile Work Exchange report released in May 2013, many federal IT executives say they have launched new internal and customer-facing mobile applications, including apps for timecards, document sharing, inventory tracking, and weather watch and warning systems. A solid 59% of agencies has developed an enterprise-wide inventory for mobile devices and wireless contracts.

The good news is that these federal users say their agencies are realizing the benefits of access to mobile devices, including improved communication with colleagues in different locations, employee productivity and availability to constituents.

The shift toward tablets raises an important issue that promises to change the data governance dynamic for most agencies. Since iPads and other tablets have limited on-device data-storage facilities, we must ask: What about the data? Where is it stored and how is it protected?

According to the Mobile Work Exchange report, 73% of government respondents admit security and the ability to protect sensitive information across devices is the top barrier to going mobile.

[ After two major breaches this year, you have to wonder whether the DOE is serious about security. See Department Of Energy Cyberattack: 5 Takeaways . ]

So while many agencies are adopting tablets and other devices and moving to the cloud, which supports anytime/anywhere computing, doing so without the proper data protection strategy and controls puts that data at risk.

The challenge this creates for government IT is significant, as very few legacy endpoint security technologies can reliably extend their protection into the cloud. Not only this, but there are regulatory hurdles to be met when it comes to moving data into and across the cloud, as well as storing or replicating data on mobile devices.

A report published in March from the Department of Defense inspector general's office on the effects of BYOD on U.S. military data security found that the military command was unaware of more than 14,000 commercial mobile devices in active use across the Army. The report's findings are a classic example of what happens on the data security front in very large organizations.

Just like a large enterprise, not only do government agencies need security policies, they need the technology in place to enforce those policies and ensure the proper governance surrounding the data as it flows into, across and out of the organization. A lack of technology to both enforce the required security policies, as well as control what happens to the data, whether it is held in a local or cloud environment or even across a mobile device, creates a huge data exposure risk that exists across all unknown devices.

Effective data security is already a complex issue for most IT and security departments, but adding mobile access -- with all the challenges this entails -- changes the ballgame significantly. As more agencies embrace mobile access to corporate data, it is imperative that the information governance systems they use take a data-centric approach to business security.

That's one of many reasons why encrypting the data as it is used and moved across a network, through the cloud and over mobile devices assumes significant importance. Encryption takes data protection to a completely new level.

As we've seen, it only takes one email and attachment containing sensitive materials to fall into enemy hands to create a breach that's difficult to contain. Given current budget pressures and the challenge of getting users to willingly encrypt their data and overcome their worries that data encryption will hamper productivity, there is plenty of resistance to properly managing data over today's mobile networks. However, the stakes for not adopting a more data-centric security approach are high -- and growing higher -- as more workers turn to mobile devices to do their work.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WKash
50%
50%
WKash,
User Rank: Apprentice
8/29/2013 | 9:56:42 PM
re: Secure Data, Not Devices
The fact that government bodies, such as NIST, but also DHS, are still wrestling with identity authentication suggests that the march to securing data over all these devices is going to be a long one.
Chuck Brooks
50%
50%
Chuck Brooks,
User Rank: Apprentice
10/14/2013 | 7:55:06 PM
re: Secure Data, Not Devices
I think the answer lies both in securing data through encryption and authentication and point defenses on the devices themselves. A layered defense is always the best option as nothing is invincible. A couple of smart phones and tablets firms are now integrating software and hardware applications for BYOD. It is a trend to follow.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.