Increasingly, organizations are enabling their workforce to be productive from anywhere at any time. Desktops gave way to laptops that could be taken out of the office, cell phones gave way to smartphones and email, and now remote access to the company network is giving way to the cloud and mobile apps. This evolution comes with many benefits, but if it’s not approached with careful thought and planning, it can also come with unacceptable risk.
Are you certain your private and confidential information isn’t ending up on unsecured personal devices or in personal cloud services where it’s completely out of your control? Is that smartphone encrypted and locked with a PIN? Carefully thought-out policies and technical controls can help you mitigate the risks in an increasingly mobile world, but where do you start?
Determine the Current State
Unless you’ve just founded a startup, you likely already have some information that needs to be protected. Find out where the data is, how it’s accessed, and where it might go.
- Locate your sensitive information: Is it stored on laptops, on network drives on your file server, in SharePoint, in Office 365, or transferred via email?
- Determine the accessibility of the information: Do employees access email on their smartphones? Do they access other services like OneDrive or Dropbox? Are those cloud services configured properly so that the content isn’t being shared with the wrong people?
- Look at how you know, with certainty, who is connecting to your cloud and network data. Are you sure it’s an authorized user? Do you trust the device they are connecting with and where they are connecting from?
Determine the Desired State and Write a Policy
Determine what you want for acceptable behavior and ensure it’s in a policy that new hires and current employees receive, read thoroughly, and sign. It’s important that there’s clear direction for employees including, but not limited to:
- Approved services where sensitive data can be sent and saved (e.g. Email, OneDrive vs. OneDrive for Business, Dropbox, SharePoint Online, etc.)
- Approved devices that can be used to access or store sensitive data (e.g. the company-owned smartphone, BYOD phones and tablets, home computers, etc.)
- Approved methods for securing user identities (e.g. strong, unique passwords and multifactor authentication; note that current guidance such as NIST SP 800-63B discourages forced periodic password changes unless there is evidence of compromise)
- The rights the company retains with regard to personal devices (e.g. the right to completely wipe a device and delete all its contents, or the right to selectively wipe only company data from the device, etc.)
- Security requirements for devices (e.g. device encryption, passwords and PINs, screen lock limits, etc.)
Implement Technical Controls to Enforce Policies Where Possible
Your policy will guide behavior; technology can help ensure mistakes or malicious activities are limited. The implementation of technical controls is not a “one-size-fits-all” endeavor. Increased security usually means increased inconvenience, so it’s important to find balance between security and usability.
Here are a few high-level considerations to get things started:
- Choose how you want to control information:
- Multifactor Authentication (MFA) is a great option to ensure the front door to your data remains locked against unauthorized access, and its usability has improved greatly in recent years. Many find the push notification option the easiest to use: you enter your username and password, receive a popup notification on your phone, tap 'Allow,' and you’re in. That convenience has a cost, however: an attacker who already holds a user’s password can send prompt after prompt until the user taps 'Allow' just to make them stop, so train users never to approve a prompt they did not initiate, and prefer push options that require matching a number shown on the login screen. There are many other options as well.
- Mobile Device Management (MDM) takes control of the entire device. It’s the most intrusive option for end users, but it offers significant protections. It’s important to note that with full-device enrollment there is no separation of personal and business data: if you wipe a device, everything is deleted, including personal photos and music. Some platforms now offer work-profile style enrollment that keeps business data in a separate container, but your policy should still prepare users for the full-wipe case.
- Mobile Application Management (MAM) controls just the apps. This solution is less intrusive for users, but it’s also more limited. “Containerization” allows you to wipe business apps and their data while leaving personal data untouched; not all apps are supported, and additional effort may be required to get things set up.
- Information Rights Management (IRM) sets security on individual files. This solution offers significant protection and flexibility because the protection travels with the file no matter where it ends up. However, it requires ongoing effort from users to set and maintain appropriate permissions, and in the Microsoft implementation everyone who opens a protected file, including external recipients, needs a Microsoft identity (user account).
- Choose your settings: There are many options to consider but at a minimum you should enforce encryption, require a PIN, enforce a screen lock timeout, and prohibit jailbroken/rooted devices. Additional options include, but certainly aren’t limited to:
- Block copy/paste,
- Block screenshots,
- Prevent 'Save As' operations to unmanaged locations,
- A maximum number of failed unlock attempts before the device (or the managed container) wipes itself,
- And, much more.
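To make the minimum baseline above concrete, here is an added example (not from the original post or from any vendor’s tooling) that evaluates a device inventory export against it: storage encryption, a PIN of sufficient length, a screen lock timeout, and no jailbroken or rooted devices. The field names on each device record, the thresholds in the baseline, and the sample inventory are all assumptions chosen for illustration; a real MDM or MAM export will use its own schema.

```python
"""Check a mobile device inventory against a minimum security baseline.

Added example, not part of the original post. The record fields, thresholds
and sample data below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Minimum baseline from the post: encryption, PIN, lock timeout, no jailbreak.
# The numeric thresholds are assumptions; set them to match your policy.
BASELINE = {
    "require_encryption": True,
    "min_passcode_length": 6,
    "max_lock_timeout_minutes": 5,
    "block_jailbroken": True,
}


@dataclass
class Device:
    """One row of an (assumed) inventory export from the management tool."""
    device_id: str
    owner: str
    encrypted: bool
    passcode_length: int       # 0 means no passcode/PIN is set
    lock_timeout_minutes: int  # 0 means the screen never locks automatically
    jailbroken: bool


def evaluate(device: Device, baseline: dict = BASELINE) -> list[str]:
    """Return every baseline violation for one device; empty list if compliant."""
    violations = []
    if baseline["require_encryption"] and not device.encrypted:
        violations.append("storage not encrypted")
    if device.passcode_length == 0:
        violations.append("no passcode/PIN set")
    elif device.passcode_length < baseline["min_passcode_length"]:
        violations.append(
            f"passcode shorter than {baseline['min_passcode_length']} digits")
    # A timeout of 0 ("never") is treated as the worst case, not as compliant.
    if (device.lock_timeout_minutes == 0
            or device.lock_timeout_minutes > baseline["max_lock_timeout_minutes"]):
        violations.append(
            f"screen lock timeout exceeds {baseline['max_lock_timeout_minutes']} minutes")
    if baseline["block_jailbroken"] and device.jailbroken:
        violations.append("device is jailbroken/rooted")
    return violations


def non_compliant(devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id -> violations for every device failing at least one check."""
    report = {}
    for device in devices:
        problems = evaluate(device)
        if problems:
            report[device.device_id] = problems
    return report


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Device("ios-001", "alice", encrypted=True, passcode_length=6,
           lock_timeout_minutes=2, jailbroken=False),
    Device("android-002", "bob", encrypted=False, passcode_length=4,
           lock_timeout_minutes=30, jailbroken=False),
    Device("ios-003", "carol", encrypted=True, passcode_length=0,
           lock_timeout_minutes=0, jailbroken=True),
]

if __name__ == "__main__":
    for device_id, problems in non_compliant(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {'; '.join(problems)}")
```

In practice the same checks are enforced by the management tool’s compliance policy, which can block a non-compliant device from reaching email and cloud data rather than just reporting on it; a script like this is useful for auditing that the policy is actually applied to every enrolled device.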
There is a lot to consider when determining how best to utilize mobile technology in order to maximize the benefits while minimizing the risk. It’s a complex topic that can, and must, be customized to each individual business’ needs. The three steps above will help you get started.
Systems Engineering's Jeff Trudel is an Analyst in the Professional Services department. Jeff is currently working with SE clients to create and deliver thorough policies and procedures, including Information Security Policies, Business Continuity Plans, and Acceptable Use Agreements, to assist organizations in securing their most precious information assets.