Secret to BYOD: Make security an enabler
Connecting state and local government leaders
Blocking access to sensitive data by mobile workers in the end is counterproductive. Instead, it’s better to protect data by incorporating better access controls in the technology itself.
When it comes to IT security, data is the crown jewel. This is not to say that networks and other systems are not important. A compromise anywhere could expose resources in your enterprise to manipulation or theft. But it is the data your systems store and use that are the most valuable targets.
This is why mobile computing and BYOD are problematic. How do you protect your data when it is being accessed by and used on devices outside your control? The immediate reaction to this challenge is to forbid access, but that can be counterproductive, warns Alexander Watson, director of security research at Websense.
“People will find a way around things that stop them from getting their jobs done,” says Watson.
And employees today expect to use mobile devices to get their jobs done, no matter where they are. If balked, they will work around restrictions and create an inside threat — unintentional, perhaps, but a threat just the same. The solution is to make data security an enabler for mobile working rather than a roadblock.
The underlying problem in mobile computing is not new. Security generally has been an afterthought in computing, and security operations were set up separately from the IT shop. As a result, security is the bad guy who tells you that you can’t do something and stops you from doing it. It didn’t take long for this to be recognized as a problem. Consequently, the trend has been to move security from its silo and integrate it more tightly with IT and business operations. That way it can help with missions rather than interfere.
But patterns tend to be repeated in IT, and as new technologies are introduced this mistake often is repeated. Belated attempts at security inhibit the use of new tools until they are forced on the enterprise. However, security in mobile devices, particularly in increasingly powerful and useful smartphones and tablets, is evolving to help enable meaningful authentication, access control and data security.
Biometric authentication is emerging for phones with Apple’s introduction of a fingerprint scanner in its iPhone 5s. It’s imperfect, but a step forward in security and convenience. Card readers for devices can enable use of government CAC and PIV cards, and software credentials derived from these cards can be used for authentication and access.
Software agents can also apply data-loss-prevention policies on mobile devices. And there are software-hardware solutions such as the Trusted Execution Environment, which is a secure area on a phone’s main processor to provide security against software attacks. Independent processor chips can also be included in handsets to enable a secure work environment and secure communications channels.
None of these solutions are fully mature and no security is perfect. But if users and organizations demand these features in products out of the box, personal devices —which already are finding their way into government and private sector work environments — can become not only safe to use, but productive. “Security becomes an enabler,” Watson said.
NEXT STORY: NIST seeks comments on crypto management system