Encryption, Data-Centric Approach Needed To Secure Cloud, Mobile Users
Posted by Chris Talbot
February 08, 2012
The ever-growing mobile workforce with its head in the cloud has created what seems like an endless list of IT challenges to overcome. With anywhere, anytime access to information a necessity for many enterprises, the new IT world is changing the kind of encryption enterprises need to protect their sensitive and proprietary data.
InformationWeek's "Data Encryption: Ushering In a New Era" report found that cloud and mobility are adding new challenges to security, but only 47% of the 506 IT professionals who responded to a survey on data encryption stated that mobile-device encryption has been made a priority. Another InformationWeek survey, "Research: 2012 State of Cloud Computing," of 511 IT professionals regarding cloud computing found that 64% of enterprises using cloud services are dealing with between two and five different providers. The more servers and applications move into the cloud, the more the use of encryption drops off.
"The problem of mobility and cloud is it forces policies, processes and encryption technologies to have to scale to an outside device, organization, and to many more use cases," says Michael Davis, CEO of Savid Technologies and author of the report. "This usually means the governance/audit team isn't ready, the security team gets bogged down in details related to deployment, but in the end we don't see users impacted too much by encryption in these spaces as the technology is usually transparent."
All of the encryption technologies require keys, but in the case of mobile devices, the keys are usually controlled by end users when they turn on their phones, Davis explains. In that case, the user must have a lock/password screen or encryption isn't able to do its job. IT can create policies around using lock/password screens, but end users frequently ignore policies. On mobile devices, that leaves potentially sensitive data open to anyone who comes into physical contact with the phone.
Of the 506 respondents to the data encryption survey, 38% said their organizations have comprehensive formal policies in place that expressly require encryption of personally identifiable information (PII) or confidential data on certain devices within their networks. They said the policies are strictly enforced. Another 38% noted that although they have policies, enforcement is limited or done on an application-by-application basis.
"If the organization doesn't start looking at their data in terms of who, what, why and where the access to that data needs to occur, they won't be able to properly encrypt the data and know what devices need to decrypt the data," states Davis. "Furthermore, when it comes to cloud, if you don't encrypt and have control of your keys, you are basing your security on the fact that the cloud provider promises to implement security at or above the level your organization does, and, sadly, most organizations don't check to see that the cloud provider actually meets the same level of security requirements."
From a mobility perspective, enterprises have been lucky because of the type of data typically being stored on mobile devices, Davis says. End users have not wanted to work with large documents, spreadsheets and other files not easily viewable on mobile devices, but as the form factors, available applications and performance of mobile devices have increased, users are becoming more likely to work with such data on their smartphones and tablets. "Mobility has enabled anywhere, anytime access. I call it the Starbucks problem. Every Starbucks is now the corner office for most workers, and mobility is going to continue to demand that employees access files anywhere from any device," he says. IT organizations need to ask themselves some tough questions about security and encryption, with a focus on securing data that is not under their control (because most of those mobile devices aren't). The solution to the problem is usually taking a data-centric approach to security instead of the traditional premise-based model, says Davis.