
8/29/2013
11:10 AM
Dave Anderson
Commentary

Secure Data, Not Devices

As government goes mobile and makes greater use of cloud services, IT leaders must adopt a more data-centric, not device-centric, security approach.

In Gartner's latest quarterly PC sales analysis, it's hard to miss the enormous shift away from desktop and laptop PCs toward tablets and smartphones. Worldwide PC shipments in the second quarter were down 10.9% from the year before, marking the fifth consecutive quarter of falling sales.

U.S. government agencies are following this trend and, in some cases, even leading it. According to a Mobile Work Exchange report released in May 2013, many federal IT executives say they have launched new internal and customer-facing mobile applications, including apps for timecards, document sharing, inventory tracking, and weather watch and warning systems. A solid 59% of agencies have developed an enterprise-wide inventory for mobile devices and wireless contracts.

The good news is that these federal users say their agencies are realizing the benefits of access to mobile devices, including improved communication with colleagues in different locations, employee productivity and availability to constituents.

The shift toward tablets raises an important issue that promises to change the data governance dynamic for most agencies. Since iPads and other tablets have limited on-device data-storage facilities, we must ask: What about the data? Where is it stored and how is it protected?

According to the Mobile Work Exchange report, 73% of government respondents admit security and the ability to protect sensitive information across devices is the top barrier to going mobile.

So while many agencies are adopting tablets and other devices and moving to the cloud, which supports anytime/anywhere computing, doing so without the proper data protection strategy and controls puts that data at risk.

The challenge this creates for government IT is significant, as very few legacy endpoint security technologies can reliably extend their protection into the cloud. In addition, there are regulatory hurdles to be met when it comes to moving data into and across the cloud, as well as storing or replicating data on mobile devices.

A report published in March from the Department of Defense inspector general's office on the effects of BYOD on U.S. military data security found that the military command was unaware of more than 14,000 commercial mobile devices in active use across the Army. The report's findings are a classic example of what happens on the data security front in very large organizations.

Just like large enterprises, government agencies need not only security policies but also the technology to enforce those policies and ensure proper governance of the data as it flows into, across and out of the organization. Without technology that both enforces the required security policies and controls what happens to the data, whether it is held in a local or cloud environment or even on a mobile device, there is a huge data exposure risk that exists across all unknown devices.

Effective data security is already a complex issue for most IT and security departments, but adding mobile access -- with all the challenges this entails -- changes the ballgame significantly. As more agencies embrace mobile access to corporate data, it is imperative that the information governance systems they use take a data-centric approach to business security.

That's one of many reasons why encrypting the data as it is used and moved across a network, through the cloud and over mobile devices assumes significant importance. Encryption takes data protection to a completely new level.

As we've seen, it only takes one email and attachment containing sensitive materials to fall into enemy hands to create a breach that's difficult to contain. Given current budget pressures and the challenge of getting users to willingly encrypt their data and overcome their worries that data encryption will hamper productivity, there is plenty of resistance to properly managing data over today's mobile networks. However, the stakes for not adopting a more data-centric security approach are high -- and growing higher -- as more workers turn to mobile devices to do their work.

Comments
Chuck Brooks,
User Rank: Apprentice
10/14/2013 | 7:55:06 PM
re: Secure Data, Not Devices
I think the answer lies both in securing data through encryption and authentication and point defenses on the devices themselves. A layered defense is always the best option as nothing is invincible. A couple of smartphone and tablet firms are now integrating software and hardware applications for BYOD. It is a trend to follow.
WKash,
User Rank: Apprentice
8/29/2013 | 9:56:42 PM
re: Secure Data, Not Devices
The fact that government bodies, such as NIST, but also DHS, are still wrestling with identity authentication suggests that the march to securing data over all these devices is going to be a long one.