Not too long ago, ensuring data security was a fairly straightforward task for most companies: slap a password on every desktop computer in the office and call it a day. Sure, this may be a slight oversimplification – corporations have long had to protect against external security breaches, and they have never been immune to internal threats, either. But protecting data stored within the company's firewall wasn't nearly the tall task that it is today.
The generally accepted "encrypt it and forget it" strategy of recent years no longer cuts it, for a couple of very good reasons. First, corporate data now lives not just on stationary desktops but on laptops, smartphones and tablets, and it is routinely stored on and carried around by tiny flash drives. Second, employees frequently access and manipulate data on their sometimes-sanctioned, sometimes-unsanctioned personal devices. All of this activity takes place outside the protection of the corporate local area network (LAN), so even the most impervious perimeter firewall does nothing for data that has already left the building.
Employers can be diligent about installing encryption software on the devices their employees use, but what happens if the password is compromised? Encryption protects data at rest, and only at rest: once the device has been authenticated, its contents are decrypted on demand and are available to whoever is holding it, so a device whose password is known is at no less risk with encryption than without it. Even diligent employees write passwords down. Thieves steal computers while they are powered on and unlocked, with the keys still in memory. Employees are transient, and a departing employee may keep both the device and the credentials that unlock it. Then what?
Encryption is certainly a good start, but it's really just the baseline in today's data-security landscape. In selecting a data security strategy and implementing a system, companies shouldn't fret over which option provides the most robust encryption: reputable products all use the same standardized, mature ciphers, and the cipher is rarely the weak point. Rather, they should focus on the elements layered on top of encryption, above all how keys are managed, how users are authenticated and how policy is enforced. They need features that make the system flexible enough to corral widely dispersed data on many different mobile platforms and able to protect that data under conditions where the password must be assumed to be compromised.
Here, then, are four essential features of any corporate data security system. While some - or perhaps all - of the items on this list might have been viewed as luxuries not too long ago, they are fast becoming requirements in our rapidly evolving computing environment.
1. Flexible Encryption
With many data security platforms, encryption is an all-or-nothing proposition: you either encrypt the entire hard drive (system and all), or you don't encrypt it at all. As hard drives have grown larger, this situation has frustrated employers and employees alike. Initially encrypting a 500-GB drive can take many hours, because a whole-disk product must process every sector whether or not it holds data, and longer still on older hardware. Delays caused by encryption software fray tempers and hamper productivity.
This binary encryption option will often be overkill, so companies should consider encrypting just the data (data files and the locations that hold them) rather than the system itself, whose executables and applications contain nothing confidential. A recommendation not to encrypt something might seem out of place, but the goal of any data protection implementation has to be a balance between security and productivity. Encrypting what doesn't need it only lengthens boot times and slows data-intensive applications. By leveraging a device's built-in encryption with additional software that controls only what needs controlling, companies can have the best of both worlds: greater data security without compromising productivity. Two caveats apply. If the system volume is left unencrypted, the places where the operating system and applications spill copies of user data, such as the swap and hibernation files, temporary directories and application caches, must be brought under the data-encryption policy too, or they become the leak. And on current processors with hardware AES acceleration the overhead of whole-disk encryption is small, so the productivity argument carries the most weight on older or low-powered devices.
2. Remote Monitoring
With the proliferation of sensitive business data on many different devices, both company- and employee-owned, business leaders need to know where these vulnerable devices are and to be confident that they remain within the organization's control: evidence that encryption is actually in place, and assurance that employees are abiding by the company's data-protection policies. After all, employees often take shortcuts that endanger company data in the name of efficiency.
Many of the data-security systems on the market give managers a way to follow up on these concerns, allowing them to modify controls in response to what they're seeing.
Such systems also allow administrators to establish different levels of authorization for different classes of employees and to change those settings on the fly. Authorization shouldn't be permanent, and these systems recognize this by allowing administrators to revoke it at any time, whether or not they have physical access to the devices the employee is using. One caveat: a remote revocation takes effect only when the device next contacts the management service, so the product should also enforce a local rule (for example, denying access after a set period without a successful check-in) for devices that stay offline.
3. Remote Data Access Control
Passwords won't do much to protect information stored on a stolen mobile device from which an employee has failed to log out, or on a tablet still in the possession of a fired employee who should no longer have access to the data on it. So in addition to encryption, companies need the ability to control access to the data on these devices remotely when a device is lost, stolen or in the wrong hands.
The method of denying access can be draconian and permanent, such as a seven-pass overwrite in the style of the old DoD standard, which is appropriate when the organization knows a device is stolen and highly unlikely ever to return. When the data is already encrypted, destroying the encryption key (a cryptographic erase) renders every ciphertext unreadable in an instant, and on flash storage it is more dependable than overwriting, since wear leveling can leave copies of blocks beyond the operating system's reach. Data erasure is also a useful tool when it comes to retiring devices. Shorter product lifecycles and the quickening pace of technological advances have caused devices to fall into obsolescence faster than ever before. While many companies find the task of deleting data on each retired device daunting (not to mention costly), remote erasure makes the job as simple as point-and-click, and the fact that administrators can use a single console to track which devices have been erased and which haven't diminishes the risk that some will be overlooked.
A recoverable alternative is remote "quarantine": the organization temporarily denies access to the device's contents, for example by withholding the key material needed to unlock them, while leaving the encrypted data in place. If and when the organization judges that the device and its contents are no longer at risk, it can remotely restore access and use of the device. The technique takes effect as soon as the device checks in, is reversible, and does no harm to the contents.
4. Automatic Security Features
The fact that administrators can now exercise more control over data on their employees' devices doesn't mean that they should have to watch those devices at every moment. Accordingly, data-security systems should include automatic in-device features as well, which have the added virtue of working when the device is offline and a remote command could not reach it. One common example of this type of feature is an automatic response to a string of invalid log-on attempts. A company might want to pre-determine what the device should do in response to such a risk, and to choose responses that escalate in severity as the risk escalates: a device shutdown might be appropriate after a few invalid log-on attempts, and quarantining the device might be the right response after 7 or 8. Well-designed automatic features go a long way toward alerting administrators to issues and bottling up threats before they come to management's attention.
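To make the distinction between quarantine, restore and erase in section 3 concrete, and to show how the local lockout escalation of section 4 fits alongside them, here is an added illustration in Python. It is not Beachhead's code and not a description of any product's internals; it models one plausible design, in which the data key is wrapped under both the user's password and a release key held by the management server, so that withholding the release key quarantines the device, re-issuing it restores access, and destroying the key is the erase. The device id, password, file contents and the thresholds SHUTDOWN_AFTER and QUARANTINE_AFTER are constructed for the example. To stay dependency-free, HMAC-SHA256 in counter mode stands in for a real AEAD such as AES-GCM; it is a teaching stand-in, not something to ship.

```python
"""Key-hierarchy model of remote quarantine, restore and crypto-erase, plus a
local lockout policy. Added illustration, not Beachhead's design. Stdlib only:
HMAC-SHA256 in counter mode stands in for AES-GCM; do not use in production."""
import hashlib
import hmac
import secrets

SHUTDOWN_AFTER = 3    # assumed thresholds for the example policy
QUARANTINE_AFTER = 8


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Returns None on a wrong key or tampered data rather than garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(key, nonce, ct)


def derive_kek(password, salt, release_key):
    """Key-encryption key needs BOTH the user's password and the server's release key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(release_key, pw_key, hashlib.sha256).digest()


class ManagementServer:
    def __init__(self):
        self.devices = {}  # device_id -> {"release_key": bytes | None, "state": str}

    def enroll(self, device_id):
        self.devices[device_id] = {"release_key": secrets.token_bytes(32), "state": "active"}
        return self.devices[device_id]["release_key"]

    def quarantine(self, device_id):
        self.devices[device_id]["state"] = "quarantined"      # reversible, data untouched

    def restore(self, device_id):
        if self.devices[device_id]["state"] == "quarantined":
            self.devices[device_id]["state"] = "active"

    def crypto_erase(self, device_id):
        # Destroying the key IS the wipe; no multi-pass overwrite of the media is needed.
        self.devices[device_id] = {"release_key": None, "state": "erased"}


class Device:
    def __init__(self, device_id, password, server):
        self.id, self.salt, self.files, self.failed = device_id, secrets.token_bytes(16), {}, 0
        self.dek = secrets.token_bytes(32)               # data key, in memory only while unlocked
        self.cached_release = server.enroll(device_id)   # cached so the user can unlock offline
        self.wrapped_dek = seal(derive_kek(password, self.salt, self.cached_release), self.dek)

    def store(self, name, data):
        self.files[name] = seal(self.dek, data)

    def read(self, name):
        return None if self.dek is None else unseal(self.dek, self.files[name])

    def lock(self):
        self.dek = None

    def check_in(self, server):
        """Remote decisions only take effect when the device next reaches the server."""
        rec = server.devices[self.id]
        if rec["state"] != "active":
            self.lock()
        if rec["state"] == "erased":
            self.wrapped_dek = None                      # key gone: ciphertexts unrecoverable
        self.cached_release = rec["release_key"] if rec["state"] == "active" else None

    def unlock(self, password):
        if self.wrapped_dek is None:
            return "erased"
        if self.cached_release is None:
            return "quarantined"                         # until the server releases the key again
        dek = unseal(derive_kek(password, self.salt, self.cached_release), self.wrapped_dek)
        if dek is None:
            self.failed += 1
            if self.failed >= QUARANTINE_AFTER:
                self.cached_release = None               # self-quarantine: needs a check-in to clear
                return "self-quarantined"
            return "shutdown" if self.failed >= SHUTDOWN_AFTER else "denied"
        self.failed, self.dek = 0, dek
        return "unlocked"


def demo():
    server = ManagementServer()
    dev = Device("laptop-042", "correct horse", server)   # constructed sample device
    dev.store("plan.txt", b"Q3 acquisition plan")
    dev.lock()
    out = {"wrong_pw": dev.unlock("password1"), "right_pw": dev.unlock("correct horse")}
    out["read"] = dev.read("plan.txt")
    server.quarantine(dev.id); dev.check_in(server)
    out["quarantined"] = dev.unlock("correct horse")      # right password, still denied
    server.restore(dev.id); dev.check_in(server)
    out["restored"] = dev.unlock("correct horse")
    dev.lock()
    out["escalation"] = [dev.unlock("guess") for _ in range(QUARANTINE_AFTER)]  # offline guessing
    server.crypto_erase(dev.id); dev.check_in(server)
    out["erased"] = dev.unlock("correct horse")           # permanent
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` walks through the lifecycle: a quarantined device refuses even the correct password because the release key is missing, a restore makes the same password work again, eight wrong guesses escalate from denial through shutdown to a self-imposed quarantine that only a server check-in can clear, and after a crypto-erase no password can help because the wrapped key no longer exists. In a real product the release key would be bound to device hardware (a TPM or secure enclave) and the cache would expire, so a device that never checks in eventually locks itself.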
About the Author: Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.