Data Protection


Protect the data, not the device: 

Reducing the risk of user and device access to sensitive information

aka: Internal User, BYOD and Mobile Workforce Data Security

A controversial statement, at a time when MDM (Mobile Device Management) has been held up as the answer to the BYOD and data security risk facing the enterprise.

We took a step back to consider some of the limitations of MDM, the nature of data in transit and came to the conclusion that MDM is not the best answer for protecting data in a mobile / BYOD access environment (if your goal is to secure sensitive data, reduce network / technology complexity and reduce overall costs).


This is not a new idea. In fact, when we did a bit of research into possible names or titles for this solution / article, we found lots of CIO articles referencing data protection strategies brought on by BYOD. The idea is simply not to spend lots of time, energy and money trying to protect all the possible devices out there that are trying to connect to your network or share information originating from your organisation (the mother lode of compliance and intellectual property (IP) worries: Data Loss Prevention, DLP), but to look more inwardly and centrally, simplifying the strategy and practice of protecting the data (seeing as that is what every user and device wants to access and share).

In our search for true at-source data protection, we found a solution that not only removes the need for MDM in the enterprise for data security, but also removes the need for many other hardware and software additions to the corporate network that clutter it, cause complexity and administrative overhead, and eventually lead to data leaks / breaches.




THE PROBLEM(s)

"Security can no longer be defined by a single network boundary. MDM solutions can only provide limited protection".


Let's have a look at some of the risks around data protection and loss:


  • Access from everywhere (if you have a corporate device or profile with a VPN client - you can access your corporate network and data from anywhere in the world).
  • Employees are bringing their own devices into the workplace, for convenience and improved productivity, and expect to be able to use them to access corporate systems and information.
  • Increasingly customers, partners and suppliers also seek mobile / wireless access to all kinds of confidential information.
  • Proliferation of device types and platforms that BYOD now presents to the business and IT (iPhone, Android, Mac, Windows, Blackberry...).
  • According to CRN, John Girard was quoted as saying that MDM might be shelved by 2017 due to a number of problems or restrictions with the technology.
  • This is likely to be due to resistance to MDM; naturally employees don't want IT poking around on the devices they own and use for leisure. Similarly, not many people are likely to report lost smartphones to their boss if their employer's solution is to wipe it remotely, deleting personal data at the same time as business assets.
  • Third-party mobile apps downloaded onto people's personal devices are not secure, and often access and transmit personal data.
  • The security controls that MDM relies on in iOS and Android are limited.
  • Enterprise applications and data are being moved into the cloud for ease of accessibility and infrastructure cost reduction, resulting in 'distributed resources' that have to be accessed, secured and managed.
  • Free availability of portable storage (a single mobile device (usb, smartphone) could store all your corporate data).
  • A lot of other security vendor platforms have inherent data leaks built into their platforms, for example:
      • cached web pages
      • web cookies
      • cached views of files
      • native snapshots
  • Whenever there is a new way of working or a new feature that the business wants to adopt using technology (wireless, mobile phones, remote offices... next it will be smart watches, and then bio-engineered computing integrated into a person), the business ends up buying yet more technology with separate management and security controls. We should not forget the grass-roots reason for what is being attempted: users wanting access to applications, servers and data. So why not just control the policy of data access, based on context-aware profiles, with one platform / appliance that offers 'built from the ground up' security, including inherent end-to-end traffic encryption, rather than keep spending and adding more tech?


THE SOLUTION

So how else can you cope with BYOD / Mobile and even general data access? 
While blocking employee-owned devices completely seems like an attractive solution, this only invites 'shadow IT' setups (where the workforce uses technology in unsanctioned and un-vetted ways - how BYOD started in the first place).

The solution from SecureNet Consulting focuses on simplifying security infrastructure, management, reducing costs by focusing on securing the data, not the device. Instead of trying to manage employee-owned devices, we recommend delivering sensitive information to unsecured smartphones and tablets in a controlled way that minimises risk of loss or theft.



Business Benefits
Simplify and save costs on your security architecture  

> Simplify how you implement and manage policy
> Single point for policy and compliance = audit
> Fewer products on your network controlling access
> Simpler network topology
> Faster and safer deployment of projects 
> Ease and accelerate BYOD adoption
> Customise the branding of the data access portal
> Reduce cost of collaboration projects with clients, customers and partners
> Reduce capital and revenue spend
> Save over £100k over 3 years compared to alternative technologies
> No need for MDM, additional VPN or endpoint security client software / licenses



Key Technology Features

Enable workers to use their mobile devices to securely access documents and enterprise web based applications without the risk of data loss.

Access Control
Identity and context based access management

Policy based user access, allowing organisations to create access rules that suit any given level of risk control requirements.

Mobile and all other access is granted based on a number of variables (who is connecting, from what device, device state / patch levels, where / location, and time). You can then set rules to decide whether data / information may be stored on that device, and go as far as automatically encrypting it.
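As an added illustration (not code from the SecureNet solution; all groups, thresholds, countries and hours are constructed policy values), this is how a context-aware rule set of the kind described above can be evaluated: each request is scored on who, what device, device state, where and when, and the outcome decides whether the data is denied, rendered view-only in the portal, or allowed onto the device in encrypted form.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"                            # no access at all
    VIEW_ONLY = "view_only"                  # rendered through the portal, nothing stored on the device
    OFFLINE_ENCRYPTED = "offline_encrypted"  # offline copy permitted, encrypted at source


@dataclass(frozen=True)
class AccessContext:
    user_group: str       # who is connecting
    managed_device: bool  # corporate-managed device or personal (BYOD)
    patch_level: int      # OS patch level reported by the device
    country: str          # where the request originates
    hour: int             # local hour of day, 0-23


# Constructed policy values (assumptions for this example): groups cleared per data
# classification, minimum acceptable patch level, allowed geographies, business hours.
ALLOWED_GROUPS = {"internal": {"staff", "contractor"}, "restricted": {"finance"}}
MIN_PATCH_LEVEL = 42
ALLOWED_COUNTRIES = {"GB", "IE"}
BUSINESS_HOURS = range(8, 20)


def evaluate(ctx: AccessContext, classification: str) -> tuple[Decision, str]:
    """Return the access decision and the rule that produced it (for the audit log)."""
    # Who: the requesting group must be cleared for this data classification.
    if ctx.user_group not in ALLOWED_GROUPS.get(classification, set()):
        return Decision.DENY, "group not cleared for classification"
    # Where: geographies the policy does not cover are blocked outright.
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, "location not permitted"
    # When: restricted data is only served during business hours.
    if classification == "restricted" and ctx.hour not in BUSINESS_HOURS:
        return Decision.DENY, "restricted data outside business hours"
    # Device state: an unpatched device never receives restricted data and
    # never keeps an offline copy of anything.
    if ctx.patch_level < MIN_PATCH_LEVEL:
        if classification == "restricted":
            return Decision.DENY, "device below minimum patch level"
        return Decision.VIEW_ONLY, "device below minimum patch level"
    # What device: only a managed, patched device may hold data, and then only encrypted.
    if ctx.managed_device:
        return Decision.OFFLINE_ENCRYPTED, "managed, patched device"
    return Decision.VIEW_ONLY, "personal device: no data stored"
```

The reason string is what the "all data and application accesses are recorded" audit trail would log alongside the decision, so that a denied or downgraded request can be traced to the rule that triggered it.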


User Device Independence
Deliver content to users regardless of device.



Native Security
Inherent firewall, VPN and proxy functionality.

The native data-leak paths that exist in other security platforms (as listed above) have been removed from this solution, to ensure no copies of the data can exist anywhere else.



End to End Encryption
Secure the connection between device and server (encrypt sensitive data at source), so data in transit is encrypted and can't be intercepted before it even lands on the device. It should remain encrypted for as long as it's in memory.

No unencrypted data can leave or be stored on devices

Encrypted off-line file storage


Authentication
Support for 2 factor authentication where passwords are not enough

Convert files to read-only versions if it's too risky to give users access to the original. You could also watermark these documents so if they're leaked, the breach can be traced back to the party most likely to be responsible. Filter, convert, block, watermark any data moving from its source to mobile devices.


End User DLP
Prevents users from copying, pasting and taking screenshots (policy-based user access determines who is blocked from taking screenshots).

Does not the use of native apps or native access to corporate applications

Annotation and highlighting of PDF documents: read-only files that are allowed to be stored on mobile / remote devices can be annotated.


Microsoft SharePoint Security
Secure access to Microsoft SharePoint, covering data entering, leaving and being viewed.




Data Compression
Compression used for data transmitted to mobile device – to help performance and latency.




Audit Logging & Reporting
Satisfy compliance requirements. Enterprise audit logging and reporting (all data and application accesses are recorded), with warnings of suspicious behaviour.




Solution Architecture Diagram
Note: it does not matter where the policy enforcement server sits on the network.




HOW IS 'DATA PROTECT AND NOT THE DEVICE' DIFFERENT FROM MDM?

- MDM is about managing the devices; it is not designed from the ground up for security.

- The data protection solution offered by SecureNet does not require devices to be managed because no data is stored on the device – therefore no data is at risk.

- The proposed technology / solution is also different from sand-boxing technologies, which still require data to be held in the system.

- No need for any additional VPN clients, because secure access is inherent in the solution.



---
If your organisation wants to gain competitive advantage from BYOD opportunities and flexible mobile working, but still has concerns around security, speak to SecureNet Consulting for a cost-effective, simple, defence-grade, granular enterprise mobile / BYOD, data, network access and application security solution.



Mobility / BYOD Risk Assessment Service

Have you implemented a quick-fix solution to meet the demand for user mobility and Bring-your-Own-Device in the workplace, in order to keep up with productivity and collaboration needs?

> Understand the risk and test your environment for security and capacity planning.
 

> Identify vulnerability areas and make recommendations to secure them.









Contact us today to discuss your requirements in more detail.



+44(0)7714 209927

+44(0)1273 329753