Nemi George, Director of IS, Pacific Dental Services
Organizations are increasingly adopting a ‘mobile-cloud first’ technology approach. The only difference is whether or not its adoption is proactively driven by the organization or reactively, in response to employees using their personal devices and unapproved applications including personal cloud storage and collaboration services to access sensitive and confidential corporate information with little or no security controls. This is often referred to as Shadow IT.
Most organizations attempt to address the security concerns by implementing Mobile Device Management (MDM). MDM is effective when implemented with complementary tools rather than a standalone solution. MDM has its place, but isn’t the panacea for all ills.
This paper does not dismiss the impact of a well implemented MDM program, but simply offers a different or perhaps complementary approach.
‘‘Protecting data by using just MDM is like trying to trap smoke in a cage.’’
Understanding the Risks:
Several organizations implement MDM without understanding their core assets, business/operational risks from adopting an unmanaged mobile-cloud first technology approach.
A disproportionate amount of effort is spent protecting the device instead of the data.
The key risk areas for most organizations can be summarized as follows:
a. Data: Protecting the ‘crown jewels’ (data) has to be the primary focus. Ensuring that all data types are identified, appropriately risk assessed and classified is the most important aspect of any security program and is often overlooked.
Most organizations are relatively successful at managing data at rest and in motion by using suitable encryption and cryptographic controls but struggle to maintain visibility and control once the user accesses or stores data locally. Security control reduces the further out the data travels.
b. Users: Users present a significant risk to securing IT systems and data assets. This increases exponentially when the user is outside the control and traditional boundaries of an organization’s network. This is further exacerbated by personal mobile devices, personal cloud storage and collaboration services. The ability to monitor, audit and report unusual user activity, build behavior patterns is a key control.
c. Access: Ensuring information is made available to the right individuals or groups, while restricting access to those who are not authorized to access data is critical. Compromise of data confidentiality and integrity is a key risk in the adoption of cloud and mobile.
Going beyond MDM:
Enterprise risk management (ERM) offers a good starting point to the Mobility and Cloud conundrum. The outputs of the ERM process may vary across organizations, but most agree on one thing—you should protect your most important assets.
The model below illustrates the various risk areas and suggested controls to mitigate known risks. The security ‘noose’ tightens the closer you get to the data.
MDM is effective when implemented with complementary tools rather than a standalone solution
a. Information Classification: Information classification, whether it is automatic, user driven or hybrid is a key aspect of data protection. It ensures users are more informed and understand the impact of classifications on the document’s use and handling. Classification uses simple visual tags/labels to translate policies into enforceable controls. Classification can also be integrated directly into other applications to enforce complementary controls e.g. digital rights management, data loss prevention solutions. Data centric security ensures data protection is always on. It should work across multiple file types and applications.
b. Information Rights Management (IRM): A form of Digital Rights Management (DRM), IRM allows for the ‘remote control and management’ of data files. IRM centrally controls access rights and permissions to data irrespective of how the data is accessed or where it resides even if it is stored locally. IT can control how files are created, viewed, edited, distributed or even printed. IRM should be used in line with Classification i.e. applied to the most confidential data. Organizations with a lot of proprietary/ confidential information e.g. defense, manufacturing may find IRM the most effective way to secure sensitive information but in other organizations, IRM should be balanced against user experience and corporate culture.
c. Mobile Content Management (MCM): Like Information Rights Management (IRM), MCM enables workforce mobility by applying security controls to the content rather than the device. MCM provides a secure container that encrypts data locally, allows secure connection to the organization’s data repository, facilitates collaboration, allowing sharing, annotation, editing of documents locally on any devices while allowing the organization’s IT department to retain visibility and control. MCM enforces corporate security policies such as Data Classification/Loss Prevention policies.
a. Encryption: Data at rest (servers, storage arrays, cloud infrastructure) should be encrypted appropriately.
b. Auditing: Data storage should be monitored and logging sufficiently configured to enable auditability and traceability.
c. Authentication and Access Control: Strong authentication and access control is critical. Generic/ shared credentials should be avoided. User accounts/entitlements should be reviewed regularly.
a. Cryptography: Cryptographic controls such as Transport Layer Security protocol (TLS) are effective ways of providing security over a transport layer. TLS ensures data privacy, security and integrity across applications, servers and web browsers. TLS 1.2 is the current supported version of TLS.
a. Endpoint Protection Platform (EPP): This refers to a diverse set of security tools, applications such as anti-virus, anti-malware, personal firewalls and other forms of host intrusion prevention bundled into a single platform or configured as standalone applications. EPP solutions may include Disk/File Level Encryption, basic Device and Patch Management.
b. Others: Other controls including Mobile Application (MAM) and Device Management (MDM), but these are not covered as part of this paper.
a. Identity and Access Management (IAM): IAM is key in mitigating the risk posed by users. Ensuring users have a single identity, securely authenticated and appropriately mapped to permissions/privileges is essential as the endpoints become more ubiquitous. Integrating IAM with other technologies e.g. Single Sign-On (SSO) and Multi— Factor Authentication (MFA) offers a robust solution.
b. Training and Awareness: Training and awareness programs are essential, ensuring users are aware of their responsibilities. Using bespoke training as an add-on to generic mandatory training is recommended. Simulated training (phishing/ransomware) and social engineering are very effective in proactively educating staff on how to spot and respond to real world attacks.