Q&A: Securing Mobile Devices

How to handle the special security risks posed by portable devices

Mobile devices pose a new set of challenges to IT. Gil Sever, founder and CEO of Safend, explains these challenges, the security risks for the enterprise, and how to balance employee productivity and security policies.

Enterprise Strategies: Mobile computing is an emerging concern for IT, whether people are using laptops, PDAs, etc. With the growth of mobile devices, is IT aware of all the devices connected to its network? If not, why not?

Gil Sever: With the proliferation of portable storage devices, it is difficult for IT to be aware of every single device that has connected or is connecting to the corporate network and even more important, what data they might be downloading once connected. This is because a large majority of companies do not have endpoint security solutions in place that log removable device connections to the network.

Determining what kind -- and how many -- devices are accessing an organization’s network is the first step in developing an effective data leakage prevention (DLP) strategy. Effective DLP should achieve both detailed visibility and granular control over all endpoint activity -- from the devices attached to content awareness and data transfer to/from removable media as well as through wireless connections. This type of solution provides security administrators the power to monitor every potential endpoint data leakage channel, coupled with the ability to create and enforce security policies that are tailored to specific organizational IT requirements.

Do USB devices pose a particular problem for IT, and what can IT do to secure them?

The concern with USB devices from an enterprise standpoint is that confidential corporate data is easily downloaded to and stored on the device, leaving sensitive data at risk if the device is lost or stolen when taken outside of the office.

To mitigate these risks without infringing on employee productivity, IT administrators should incorporate endpoint security software into their DLP strategy. The more granular the access control that is provided, combined with stringent encryption policies and built-in compliance policies, the easier it is to combat security threats.

Granular access refers to the settings determined by the IT administrator. For example, IT administrators may get as specific as they like, specifying what devices may be connected to which computer, specific times a device may be connected to the computer, and so forth. It can even get as granular as deciding accessibility by device model or serial number. There is no such thing as becoming too granular when referring to DLP. Once the IT administrator sets the restrictions, they can be easily managed to ensure the utmost security of corporate data.

By implementing encryption in the enterprise, administrators are able to take steps to neutralize the threat. Every hard drive and portable storage device represents a risk if it contains data that could be used to harm, distress, or embarrass a corporation, government, or an individual. That is where encryption products come in. They ensure the data stored on machines and storage devices is safe, even if the data is lost or stolen, by providing the protection and security today’s organizations are seeking.

Users are always battling IT when it comes to security. We all hate having to remember multiple user IDs and passwords, and as users, we hate being restricted in any way. Are there special challenges with securing portable devices, and how can IT keep end users from circumventing mobile-device security measures or policies?

For many organizations, the biggest challenge regarding mobile devices is “how can administrators enable employees to maintain or increase productivity when traveling or working remotely while avoiding data security threats?”

To ensure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible enough that they don’t hinder productivity, but strong enough to prevent data leakage threats. This is accomplished through granular policies that allow administrators to block, allow, or restrict access to data for everything from file type and device type to specific device serial numbers.

When securing the enterprise, companies often choose a binary approach where they allow all or block all access to removable devices. When blocking all access is used to ensure data security, employees are clearly inhibited from being productive outside of the office environment. A granular solution allows administrators to grant access for specific data to specific users, enabling productivity to remain intact while adhering to data protection policies. A centrally managed solution also enables administrators to establish such policies based on existing role-based settings and efficiently deploy the policies via Active Directory or Novell eDirectory.
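As an added illustration, not taken from the interview or from any Safend product, here is a small Python model of the first-match granular policy described in the last three answers: rules keyed on device class, user role, time of day and device serial number yield block, allow, read-only or allow-with-encryption, and every decision is written to an audit line. The user-to-role map, rule set and sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class DeviceEvent:
    user: str
    host: str
    device_class: str  # e.g. "usb_storage", "keyboard", "wifi"
    serial: str
    timestamp: datetime

USER_GROUPS = {"alice": "finance", "bob": "engineering"}  # hypothetical; normally from the directory

# Ordered rules, first match wins; a key that is absent matches any value.
# Decisions: allow, encrypt (allow with forced encryption), read_only, block.
RULES = [
    {"serial": {"SN-CORP-0001", "SN-CORP-0002"}, "decision": "allow"},  # issued drives
    {"device_class": "usb_storage", "group": "finance", "hours": (8, 18),
     "decision": "encrypt"},                                            # finance, office hours
    {"device_class": "usb_storage", "decision": "read_only"},           # everyone else
    {"device_class": "keyboard", "decision": "allow"},                  # HIDs carry no data
]
DEFAULT_DECISION = "block"  # anything unmatched (e.g. wifi adapters) is denied

def matches(rule: dict, ev: DeviceEvent) -> bool:
    if "serial" in rule and ev.serial not in rule["serial"]:
        return False
    if "device_class" in rule and ev.device_class != rule["device_class"]:
        return False
    if "group" in rule and USER_GROUPS.get(ev.user) != rule["group"]:
        return False
    if "hours" in rule and not rule["hours"][0] <= ev.timestamp.hour < rule["hours"][1]:
        return False
    return True

def decide(ev: DeviceEvent) -> str:
    return next((r["decision"] for r in RULES if matches(r, ev)), DEFAULT_DECISION)

def audit_line(ev: DeviceEvent) -> str:
    # Every decision is logged, so allowed devices stay visible to the administrator too.
    return (f"{ev.timestamp.isoformat()} host={ev.host} user={ev.user} "
            f"class={ev.device_class} serial={ev.serial} decision={decide(ev)}")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    DeviceEvent("alice", "FIN-01", "usb_storage", "SN-RANDOM-77", datetime(2024, 5, 6, 10, 15)),
    DeviceEvent("alice", "FIN-01", "usb_storage", "SN-RANDOM-77", datetime(2024, 5, 6, 22, 5)),
    DeviceEvent("bob", "ENG-04", "usb_storage", "SN-CORP-0001", datetime(2024, 5, 6, 9, 0)),
    DeviceEvent("carol", "HR-02", "wifi", "SN-RANDOM-12", datetime(2024, 5, 6, 11, 30)),
    DeviceEvent("bob", "ENG-04", "keyboard", "SN-RANDOM-05", datetime(2024, 5, 6, 3, 0)),
]
```

Note that the same finance user gets "encrypt" during office hours and falls through to "read_only" at night, which is the kind of time-bound restriction the answers describe.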

What risks to an organization do portable devices pose and how are these different from traditional security risks from desktop systems?

The major concern with portable devices (BlackBerrys, iPods, CD/DVDs, USB sticks, and PDAs) is the fear that the device may be lost or stolen, putting the data it contains at serious risk. On traditional desktops data theft is still a concern, but it is more difficult for information to leave the corporate walls, as many companies have e-mail security policies in place to prevent and monitor in-house files from being e-mailed outside of the corporate network.

To truly ensure the security of confidential data stored on portable devices -- even when they are out of the office -- effective DLP strategies and policies need to be deployed. This includes written usage and access policies, policy enforcement for regulatory compliance, endpoint DLP technology, encryption technology and content management systems.

Business and security executives are looking for solutions that maintain a balance between employee productivity and freedom of action while still ensuring robust information security. What best practices can IT follow to achieve this balance? What factors must be considered?

A number of factors need to be considered when defining an enterprise-wide DLP strategy: who really needs access to sensitive data? Do they need access to all data or just a subset of information or files? What devices can be used to access data? Which cannot? For authorized users, should encryption be mandated for data transferred to portable devices?

Best practices are essential in maintaining the balance between productivity and security when it comes to portable devices. This includes implementing a robust and integrated technology solution and setting and enforcing strict and clearly-defined written policies.

How do vendors manage the common issue enterprise administrators face of managing multiple agents to create a comprehensive DLP solution for their organization?

One remedy is to ensure your endpoint DLP solution provides a centralized management tool that offers the unified management of policies, logs and clients through a single management console for its products. Additionally, the solution should be built on a flexible architecture that enables the vendor to quickly add functionality and integrate with partner DLP solutions, such as encryption and content inspection solutions. This enables the customer to stay ahead of threats and have a comprehensive solution in their heterogeneous environment.

What does Safend offer to prevent endpoint data leakage?

Safend is an endpoint data leakage prevention solution. Through the company’s innovative technology, customers are provided with a solution that assists in the prevention of endpoint data leakage problems. Safend helps companies enhance productivity without sacrificing security. The solution provides small to mid-sized enterprises with the visibility and control needed to securely utilize new communication and removable storage technologies while maintaining increasingly stringent regulatory requirements. Safend provides three solutions that work together and assist in the prevention of endpoint data leakage problems:

Safend Auditor provides rapid, non-intrusive, clientless port and device identification, providing detailed audit logs of all devices currently or historically connected to endpoints via USB, Firewire, PCMCIA or WiFi ports. Safend Protector provides highly granular, intuitive port and device control, providing administrators the ability to block, restrict, or allow access, and/or allow with automatic data encryption based on administrator-defined policies. It protects all local, physical and wireless communications ports from accidental data loss and malicious threats. Lastly, Safend Reporter is an add-on module that provides comprehensive reporting and analysis on security incidents and operations status. Safend Reporter heightens visibility into security incidents by incident type, providing drill reporting to facilitate granular policy creation and enforcement. The tool reports on data accessed by removable storage devices and wireless ports, providing extensive security and operational reporting that enables data security and regulatory compliance.

Coupled with Safend Protector’s built-in compliance policy settings for HIPAA, PCI and SOX, Safend Reporter provides regulatory compliance reporting that helps meet the data accountability tenets of these and other compliance standards.
