Risk
8/29/2013
11:10 AM
Dave Anderson
Commentary

Secure Data, Not Devices

As government goes mobile and makes greater use of cloud services, IT leaders must adopt a more data-centric, not device-centric, security approach.

In Gartner's latest quarterly PC sales analysis, it's hard to miss the enormous shift away from desktop and laptop PCs toward tablets and smartphones. Worldwide PC shipments in the second quarter were down 10.9% from the year before, marking the fifth consecutive quarter of falling sales.

U.S. government agencies are following this trend and, in some cases, even leading it. According to a Mobile Work Exchange report released in May 2013, many federal IT executives say they have launched new internal and customer-facing mobile applications, including apps for timecards, document sharing, inventory tracking, and weather watch and warning systems. A solid 59% of agencies have developed an enterprise-wide inventory for mobile devices and wireless contracts.

The good news is that these federal users say their agencies are realizing the benefits of access to mobile devices, including improved communication with colleagues in different locations, employee productivity and availability to constituents.

The shift toward tablets raises an important issue that promises to change the data governance dynamic for most agencies. Since iPads and other tablets have limited on-device data-storage facilities, we must ask: What about the data? Where is it stored and how is it protected?

According to the Mobile Work Exchange report, 73% of government respondents admit security and the ability to protect sensitive information across devices is the top barrier to going mobile.

So while many agencies are adopting tablets and other devices and moving to the cloud, which supports anytime/anywhere computing, doing so without the proper data protection strategy and controls puts that data at risk.

The challenge this creates for government IT is significant, as very few legacy endpoint security technologies can reliably extend their protection into the cloud. There are also regulatory hurdles to be met when it comes to moving data into and across the cloud, as well as storing or replicating data on mobile devices.

A report published in March from the Department of Defense inspector general's office on the effects of BYOD on U.S. military data security found that the military command was unaware of more than 14,000 commercial mobile devices in active use across the Army. The report's findings are a classic example of what happens on the data security front in very large organizations.

Just like large enterprises, government agencies need not only security policies but also the technology to enforce those policies and ensure proper governance of the data as it flows into, across and out of the organization. A lack of technology to both enforce the required security policies and control what happens to the data, whether it is held in a local or cloud environment or on a mobile device, creates a huge data exposure risk that exists across all unknown devices.

Effective data security is already a complex issue for most IT and security departments, but adding mobile access -- with all the challenges this entails -- changes the ballgame significantly. As more agencies embrace mobile access to corporate data, it is imperative that the information governance systems they use take a data-centric approach to business security.

That's one of many reasons why encrypting the data as it is used and moved across a network, through the cloud and over mobile devices assumes significant importance. Encryption takes data protection to a completely new level.

As we've seen, it only takes one email and attachment containing sensitive materials to fall into enemy hands to create a breach that's difficult to contain. Given current budget pressures and the challenge of getting users to willingly encrypt their data and overcome their worries that data encryption will hamper productivity, there is plenty of resistance to properly managing data over today's mobile networks. However, the stakes for not adopting a more data-centric security approach are high -- and growing higher -- as more workers turn to mobile devices to do their work.

Comments
WKash,
User Rank: Apprentice
8/29/2013 | 9:56:42 PM
re: Secure Data, Not Devices
The fact that government bodies, such as NIST, but also DHS, are still wrestling with identity authentication suggests that the march to securing data over all these devices is going to be a long one.
Chuck Brooks,
User Rank: Apprentice
10/14/2013 | 7:55:06 PM
re: Secure Data, Not Devices
I think the answer lies both in securing data through encryption and authentication and point defenses on the devices themselves. A layered defense is always the best option as nothing is invincible. A couple of smartphone and tablet firms are now integrating software and hardware applications for BYOD. It is a trend to follow.