Wednesday, June 01, 2011

Data in the Mobile World

I have been part of multiple discussions with customers lately that center around mobile computing.  The dramatic enhancement to features and functionality we are seeing in the tablet devices, relatively low cost of smart-phones, increases in mobile network speeds and other factors are all contributing to this renewed interest many are expressing in mobility.  The dominant communications method among mobile users is still email, but we are also seeing social capability and functions in every major vendor’s smart phone and tablet.

Freeing the workforce from the physical constraints of an office environment has many benefits.  I am sure we can find case studies on employee satisfaction, productivity, etc that all speak favorably about mobile computing and enabling multiple means of access to corporate data and services.  This freedom, however, cannot sacrifice the security you have developed around your sensitive data.

Increasing demands and restrictions on data security is an ever present concern among security officers in the industry.  They always need to know who is seeing what information, and should they be seeing it.  Mobile devices make it easier for data to be stolen by simply lifting the device or eavesdropping on someone’s screen.  I can’t tell you how many times I have noticed someone in an airport concerning them selves with the goings on of someone else’s laptop close by.

So how do we address this concern?

The answer is not to ignore mobility.  If you try that approach, your users will find ways to work around your security measures and gain whatever level of mobility they can.  This could be far greater of a risk as you will have no governance over the devices or data, nor will your users be educated about handling the responsibility you are now entrusting them with.

The balance of accessibility and security is an age old issue facing IT professionals.  The approach needs to be a strategic and logical one.  I would suggest generating a data security matrix, outlining the disposition of each type of data your organization deals with.  You may already have such a document, but unless it includes a few data points specifically related to mobile access, I would consider it incomplete.

I would setup the matrix to include the following, at least, as an example:

  • Data Owner (Who is responsible for the content and access to it?)
  • Data Maintainers (Contributors to the content that may not be the owner.)
  • Proprietary Yes / No?
  • Confidentiality
    • Scope of Confidentiality (Individual, Role-Based, Groups, Organization Wide?)
  • Regulated Data (What regulations and requirements are put on the data?)
    • Penalty of Infraction
  • Storage Requirements
    • Encryption / Encoding
  • Data Expiration / Maintenance Cycle
  • Elimination Procedures
  • Recovery Procedures
  • Scope of Access (On site, Remote, etc.)

As this data matrix is developed, I aim to address as many use cases as possible.  I think about the users and their roles, where they work, the devices they use, and the type of interaction they have with the data.  Paying particular attention to the sensitive and regulated data.  As the use cases become more defined and the sensitivity of the data is established, appropriate procedures for handling the data becomes evident.

I find this logical approach to allowing alternate means of access to enterprise data a very intelligent use of time and resources.  Remaining ahead of user demands in this area often discourages users from finding means of working around the restrictions in place and posing a greater threat than necessary to your organization.

As with almost any security initiative, as most will agree, there is no real substitute for end user training and education.  Empowering your mobile users with the knowledge and tools necessary to keep them selves and your data safe as they roam about the world is another critical component to a comprehensive approach to this demand on your IT organization.

I hope this has given my readers a few useful pointers, or at least opened up the discussion a bit more to help keep everyone safe.  As a leading airline says, “You are free to roam about the country!”

- Happy and Safe Travels!

No comments:

Post a Comment