Mobile working needs a security rethink
How to stay safe on the move
Published: 16 March 2009 15:15 GMT by Anthony Plewes
With employees working away from the office, at home, at client sites or simply on the road, Anthony Plewes wonders if they should rethink the problem of data on the move.
According to the most recent annual survey from the Computer Security Institute (CSI), the third most common security incident experienced by companies was the theft or loss of mobile devices, behind virus infection and insider attack.
With this in mind, it's a surprise to see that nearly 30 per cent of respondents to the survey didn't require corporate data to be encrypted in transit, meaning that data from devices lost or stolen could end up in the hands of a competitor or criminal.
Even fewer organisations bother to encrypt data in storage, with only 53 per cent of respondents saying they encrypt data at rest.
As Yankee Group senior VP Zeus Kerravala explained: "Mobility brings data security to the forefront. Users carrying multiple devices, each with its own set of local applications, expose critical corporate data without backup or proper security. The majority of mobile security solutions today focus on securing the access to and from the endpoint, but there is very little focus on securing the corporate data that is on the device."
Most companies have recognised they need to do more to keep their mobile data secure, and part of that is recognising that people may use non-corporate computers for work and corporate devices for social activities.
Jane Kimberlin, IT director at Domino's Pizza, said: "At Domino's we do 30 per cent of our business on a Friday and Saturday night - therefore we expect our people to be flexible about when they work. We are evaluating the use of encrypted memory sticks, access to personal email and if there should be restrictions on social networking."
Whatever happened to the firewall?
Firewalls were introduced when connectivity options were much more limited and consisted mainly of a single wide area network into the office.
They create a perimeter between untrusted and trusted parts of the network, so that everything on the local area network is trusted, while everything on the internet is not.
Traffic passing between the two zones is scanned to see if it is a threat - and blocked if it is. While this may have worked in simple environments, mobile working and the internet have blown the concept of a company perimeter completely out of the water.
To make firewalls work in this new environment, companies have had to create holes to give mobile employees access to corporate resources or for internet applications to actually work.
The traditional approach was to harden the perimeter while leaving the internal systems relatively vulnerable. Instead, companies should be looking at the fundamentals of how to design a secure infrastructure.
Paul Simmonds, board member of the security user group the Jericho Forum, points out that engineers building a bridge design for the worst-case scenario, such as a hurricane, so they can be sure it won't collapse in the next storm.
Similarly, good security design should demand that every product is built to operate in its worst-case scenario. For security, that worst case is the open internet: a product that keeps information safe on the internet will keep it safe anywhere.
Although security and usability are often seen as opposite ends of a spectrum, Simmonds says this assumption is based on flawed thinking. "The problem beforehand was that we bolted on security afterwards, which made security a 'disabler'. However, if you design security in as a fundamental strategy - then it will actually enable your functionality."
Securing the mobile enterprise
The bottom line is that companies should look to protect their data and assume it is always being used in the worst-case environment: travelling over the internet. Simmonds points out that a hardened corporate perimeter is actually harming businesses.
For example, why extend the hardened corporate perimeter out to homeworkers or small offices and force them to reach the internet through the corporate connection? It is much cheaper and more functional to give them a local internet connection and ensure the data itself is protected.
Putting the Jericho Forum's advice into practice doesn't require as radical an overhaul of current security thinking as you might imagine, says Simmonds. Primarily it is a shift of emphasis to what companies need to secure.
For example, instead of designing connections to the secure network, companies should focus on connections to secure resources; and instead of building secure tunnels from a device to a network point, use a secure protocol from the device directly into the secure resource.
Rights to access data should always be held at the data level because the closer you get to the data, the easier it is to protect.
Ditching the firewall?
Traditional firewalls do still have a place in security. Robert Richardson, director of the Computer Security Institute, points out that many security tools still function in the traditional manner of surrounding and scanning, and that conscientious use of these tools has actually reduced losses from security breaches to a record low this year.
Even the Jericho Forum says firewalls have a role to play in a layered security infrastructure, but they need to be deployed selectively, with simpler rule sets and without the holes that have to be punched through them when they are expected to guard the whole company perimeter.