Tips for mobile data security

Under the Data Protection Act, most commercial organisations have a legal obligation to protect data effectively. Peter Mitteregge of Credant Technologies sets out a basic outline for coping with the risks of mobile computing.


Today’s working lifestyle is highly mobile, with the result that data is carried across a multitude of devices including desktop PCs, laptops, notebooks, smartphones, PDAs, USB drives and CDs. And don't forget iPods, MP3 players and even digital cameras. So when you think of data security, it would be a mistake to continue thinking of it as a static problem.

A better way to view data security is as a lifecycle, which can be broken down into four phases of data protection: from detecting where the data is stored and protecting it through encryption, to managing the protection regime and supporting users - and occasionally stepping in to restore data or purge unwanted information.

This article offers some tips to guide readers on selecting a security system that will ensure they don’t fall victim to common data lapses.

1. Data security is an end to end process
Don’t fall into the trap of focusing on just one device or what appears to be the most obvious target, such as your laptop population. Take a data-centric view. Remember, it’s about the data saved on a device and not what it’s saved on - the cost to replace a lost or stolen device is cheap, but brand loyalty and customer confidence are much, much harder to value or restore. Don’t just buy laptop encryption and think you can sit back and relax. Think of everywhere that data resides.

2. "It’s not my device" is no defence
If data is lost it doesn’t matter what device it was on. Data is data. Don’t assume that the only devices you have to protect are the ones the organisation owns. Today people are using their own personal devices and hooking them up to the corporate network. These are often used for legitimate reasons, but would you be able to identify if they weren’t? And what happens if that personal device with corporate data on it is lost or stolen? Would you know? It’s not enough to simply tell people not to do something; you have to make sure that they can’t. An iPod, for example, has a 60GB hard drive. If corporate data is being transferred from the company's network to a device such as an iPod, then it has to be protected. However, some data protection systems encrypt files indiscriminately - which could turn an iPod into an iBrick. Look for a system that can recognise and accommodate different types of file according to where they came from.

3. What’s out there?
How can you protect something if you can’t tell that it’s there or in use? You can’t. The best solution will be able to detect devices trying to connect to your network and sync up with corporate data. Once identified, depending on the policy that is set, it can either be blocked or protected.

4. It has to fit in
Security systems can affect existing operations within a business. For instance, installing operating system patches is often done unattended. Many patching processes require systems to be restarted, but some security systems use a pre-boot password. Suspending this password means that the data is completely unprotected. Don't create a culture of security backdoors; look for security solutions that do not require any change to operational processes.

5. It’s not an option
The underlying theme of data security regulation is that it must be "reasonable and appropriate". Never leave it up to the end user to make data secure - they don’t have the time or the knowledge. Protection would not be considered "reasonable and appropriate" if a device, and the data it contained, were lost or stolen. As part of your information security regime, data should be controlled and managed centrally, wherever it resides, ideally by qualified IT security staff who in the event of a theft could provide reports and audits to prove that data was protected.

6. How secure is it really?
There are many who would argue that to be 100% secure, entire disks need to be encrypted. This assumption has a huge weakness: if you encrypt the whole disk the same way, someone who succeeds in breaking in - or is already an insider - will have access to everything. To illustrate the point, take the typical case of an internal threat: a CFO who needs more memory or an upgrade will typically hand their machine to someone who uses an Administrator password to unlock it. Hey presto… they have access to everything on the disk, including the CFO’s highly confidential data. Data security systems should include the ability to protect individual users’ data separately from the system administration and security administration roles. Beware of systems that offer this feature as a bolt-on extra - this typically means it’s either poorly integrated, or relies on another underlying mechanism for security.
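The separation the author is describing can be illustrated with a small model of two encryption designs. The following is an added example written for this article; it is not code from Credant or from the Mobile Guardian product, and the passphrases, file names and round count are constructed. In the whole-disk design one key (unlocked by the administrator's credential) covers every file; in the per-user design each user's files are protected by a random data key that is stored only wrapped under that user's own passphrase, so the administrator's credential opens the system area and nothing else. The cipher used here is a keystream built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone; a real product would use a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware budget


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a human passphrase into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key raises ValueError."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class EncryptionDomain:
    """One protected area: the system area, or one user's files.

    A random data key encrypts the files. The data key is stored only wrapped
    under the owner's passphrase, so no other credential can unlock the area.
    """

    def __init__(self, owner: str, passphrase: str):
        self.owner = owner
        self.salt = secrets.token_bytes(16)
        self.wrapped_key = seal(derive_key(passphrase, self.salt), secrets.token_bytes(32))
        self.files = {}

    def _data_key(self, passphrase: str) -> bytes:
        return open_sealed(derive_key(passphrase, self.salt), self.wrapped_key)

    def store(self, passphrase: str, name: str, content: bytes) -> None:
        self.files[name] = seal(self._data_key(passphrase), content)

    def read(self, passphrase: str, name: str) -> bytes:
        return open_sealed(self._data_key(passphrase), self.files[name])


def domains_unlocked_by(passphrase: str, domains: list) -> list:
    """Audit-style check: which domains does this one credential open?"""
    opened = []
    for domain in domains:
        try:
            domain._data_key(passphrase)
            opened.append(domain.owner)
        except ValueError:
            pass
    return opened


def build_laptop(per_user: bool) -> list:
    """Constructed laptop image: one whole-disk key, or separate system and CFO areas."""
    if per_user:
        system = EncryptionDomain("system", "admin-pass")
        cfo = EncryptionDomain("cfo", "cfo-pass")
        cfo.store("cfo-pass", "forecast.xls", b"Q3 forecast (confidential)")
        return [system, cfo]
    disk = EncryptionDomain("whole-disk", "admin-pass")
    disk.store("admin-pass", "forecast.xls", b"Q3 forecast (confidential)")
    return [disk]


if __name__ == "__main__":
    # The support engineer with the Administrator password in each design:
    print("whole disk:", domains_unlocked_by("admin-pass", build_laptop(per_user=False)))
    print("per user  :", domains_unlocked_by("admin-pass", build_laptop(per_user=True)))
```

Running the script shows the administrator credential opening `whole-disk` in the first design and only `system` in the second; an attempt to read the CFO's file with the administrator passphrase fails at the tag check rather than returning garbage, which is the behaviour a separately protected user domain should have. The same `domains_unlocked_by` report is the kind of evidence a central security team would want on file when a device goes missing.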

7. Prove it!
It is not good enough to say you’re protected. Corporate governance regulations require you to prove it. When a device is lost or stolen, then depending on local regulations the company has to decide if a “breach notification” needs to be issued, along with all the expense and embarrassment that goes with it. If the data was encrypted - and you can prove it - then you do not have to notify the affected individuals whose information has been lost, as it is not at risk.

8. Plan an escape route
Never put yourself in a position of no return. That is one drawback of full disk encryption: it is either on or off, with nothing in between. One organisation using full disk encryption software encountered a 30% failure rate on local machines, as the encryption software conflicted with a program that hadn’t initially been identified. The strategy is to roll out a new security solution in stages. If it comes across a conflict then it can easily be stopped and taken back a step. This way, you can gradually build it up bit by bit yet make sure you can recover gracefully from any problems.

About the author
Dr Peter Mitteregge is European vice president for Credant Technologies, developer of the Mobile Guardian data encryption system. Credant will be exhibiting at Infosecurity Europe 2008 at London Olympia on 22-24 April.

AccountingWEB.co.uk 1st April 2008