Data watch

By Piers Ford. Published August 12, 2010.

As recent high-profile cases have shown, traditional enterprise security measures can fall apart at the seams when it comes to the weak link in the chain – the worker. So just what can the CIO do to mitigate – or even remove entirely – the risk of data loss in an age where mobile working is becoming ever more pervasive? Piers Ford reports.

Technology has certainly done its job as far as enabling the mobile workforce is concerned. Most road warriors and remote workers probably can’t even remember what life was like before mobile devices revolutionised their world. Today they have 24-hour access to corporate networks and applications, allowing them to do their jobs in real-time, rather than relying on nightly, time-consuming, batch uploads across dodgy analogue connections or even manual, paper-based processes.

CIOs, on the other hand, might remember the old days with just a hint of nostalgia. For all the countless business and IT benefits delivered by mobile technology, it has also given them one of their biggest headaches: how to keep corporate data secure when so many staff are accessing and using it well beyond the office walls.

Despite a constant flow of technological advances – Juniper’s new single-client access control platform, Junos Pulse, which promises the ability to enforce endpoint security policies across a variety of corporate and personal devices, for example – human beings consistently remain the weak link in IT managers’ efforts to control an increasingly frustrating beast.

“CIOs need to put solutions in place that allow for role-appropriate access to corporate applications on both managed and unmanaged devices, while ensuring that these devices meet corporate guidelines during the entire network session,” says Tarek Abbas, systems engineering director at Juniper Networks, MEA.

“Ideally, this needs to happen with no client software deployment, no maintenance and no changes to existing services.”

The main challenge for CIOs, says Abbas, is that users today are mobile and demand simple, secure, connectivity to networked or cloud-based applications, 24/7/365, from anywhere in the world via smartphones and other mobile devices, as well as Wi-Fi or 3G- and 4G-enabled laptops, in order that they can be effective and productive for their employers.

“Some of those devices can be lost or stolen, and the enforced policies need to allow for strong authentication methods to mitigate against such risks. These policies should therefore be consistent,” he comments.

Another challenge is a blurring between corporate and personal device use, which makes it difficult for the CIO or IT manager to know who is accessing what, and how. Juniper’s new platform is designed to address this vexed issue, but it remains a thorn in the side of many IT departments who can’t rely on technological solutions alone.

“Ensuring that the user keeps their personal devices separate from corporate use, and vice-versa, is key,” says Judhi Prasetyo, who heads the regional partner business at another networking vendor, Fortinet.

“The user must ensure that the mobile device used is purely for corporate use and not linked with personal use. This would mean the CIO has complete control on extending an enterprise’s security policy to these devices, ensuring proper firewall and encryption is installed to prevent data loss in case of damage, or if the device is lost. This often means carrying two separate mobile devices, not sharing with family or friends, because this can often increase the chances of data leakage,” he says.

That sounds simple enough, but it also exposes one of the main obstacles to securing the mobile workforce: educating employees who, by definition, are rarely in one place for long and are seldom gathered together in circumstances that allow the CIO to implement awareness training in bulk.

The solution lies in a multi-pronged approach to mobile security, in which technology is balanced by user-education, a comprehensive working policy and constant enforcement, ideally keeping the messages plain and simple.

“Educating employees is the first step in protecting information from malicious attacks,” says Johnny Karam, regional director MENA at Symantec Middle East.

“Enterprises must help their employees understand what types of threats are out there, and how to prevent them. In order to increase productivity with a mobile workforce, while minimising the associated risk of information loss, organisations in the Middle East need to develop and enforce strong security policies for using mobile devices, encrypt the data on the devices and make sure security software is up to date.”

Policy decisions

“Most security implementations are as much about the tools as they are about the process and methodologies used to secure data,” argues Guru Prasad, general manager for strategic alliances and channel development at networking and security supplier FVC.

“The first step is to develop a remote worker access and security policy. The second is to identify the list of applications that need to be accessed. The third is to assess data leakage risks and ensure mitigation methods. And the last is to put an audit mechanism in place that keeps it current and effective.

“Keep policy and enforcement methodology simple,” he advises. “The simpler the enforcement or policy, the easier it is to implement.”

As far as the technology itself goes, vendors are constantly enhancing their mobile security offerings and CIOs have a plethora of platforms, endpoint solutions, and managed remote access technologies to suit every kind of environment.

A good starting point is probably network management software that, installed across enterprise mobile platforms, helps the CIO to control access from a central point. Another is standardised backup technology – essential to any policy enforcement.

“When you travel, there is a chance that backup will not have happened simply because you’re not connected to the corporate network,” explains Maihesh Vaidya, CEO at Middle Eastern storage specialist ISIT.

“However, using technology called block-level incremental backup, you’re not necessarily backing up the entire file, but only blocks that are changed since the last backup. This is an extremely efficient and powerful way to protect your data while you are on the move, and it allows the process to happen over networks with low bandwidth.”
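The block-level incremental backup described above, sketched as an added example that is not part of the original article or any vendor's product: the client keeps a manifest of per-block SHA-256 digests, uploads only the blocks whose digest changed, and the receiver verifies every block when rebuilding the file. The 4 KiB block size, the function names and the sample file are assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size; real products choose their own


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """SHA-256 digest of each fixed-size block (the last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def incremental_backup(data: bytes, manifest: list[str],
                       block_size: int = BLOCK_SIZE):
    """Return (delta, new_manifest); delta maps block index -> bytes to upload."""
    new_manifest = block_hashes(data, block_size)
    delta = {}
    for idx, digest in enumerate(new_manifest):
        # Upload a block only if it is new or its digest differs from last time.
        if idx >= len(manifest) or manifest[idx] != digest:
            delta[idx] = data[idx * block_size:(idx + 1) * block_size]
    return delta, new_manifest


def restore(previous: bytes, delta: dict, new_manifest: list[str],
            block_size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the new version from the prior copy plus the delta, verifying each block."""
    out = []
    for idx, digest in enumerate(new_manifest):
        block = delta.get(idx, previous[idx * block_size:(idx + 1) * block_size])
        if hashlib.sha256(block).hexdigest() != digest:
            raise ValueError(f"block {idx} failed integrity check")
        out.append(block)
    return b"".join(out)


def demo():
    """Constructed sample: a 10-block file, edited in block 3 and extended by 100 bytes."""
    v1 = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))
    v2 = bytearray(v1)
    v2[3 * BLOCK_SIZE + 10:3 * BLOCK_SIZE + 15] = b"EDITS"  # same-length in-place edit
    v2 += b"x" * 100                                        # data appended on the road
    delta, manifest = incremental_backup(bytes(v2), block_hashes(v1))
    sent = sum(len(b) for b in delta.values())
    return sorted(delta), sent, len(v2), restore(v1, delta, manifest) == bytes(v2)


if __name__ == "__main__":
    changed, sent, total, ok = demo()
    print(f"changed blocks {changed}: sent {sent} of {total} bytes, restore ok={ok}")
```

Fixed-size blocks only stay aligned for in-place edits and appends; inserting bytes in the middle of a file shifts every later block and forces them all to be sent again.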

Virtual private networks (VPNs) that use the SSL security standard, in conjunction with digital authentication, to provide secure access to company servers also continue to be attractive solutions for enterprise-scale security.

But as CIOs look for ways to incorporate new devices into their mobile strategies – the iPad is the latest must-have gadget to catch the eye of mobile workers – they are also increasingly concerned about security assurance. Symantec, for example, says it is working with carriers to give them more control over mobile devices to ensure security, without affecting the user experience.

“The upcoming Symantec Mobile Reputation Security (SMRS) is a prototype for what we call a next-generation solution to mobile security,” says Karam. “It takes the existing reputation-based approach currently used on PCs and applies it to the expanding market of mobile technology and smartphones to create a lightweight security system for carriers,” he adds.

But Prasetyo warns that all roads must eventually lead back to the policy that should be driving any IT implementation. “Technologies that enforce data encryption combined with firewalling, virus scanning and access control are often cited as the best practice in remote data access,” he says. “However, the real key to secure mobile computing is to define guidelines in an enterprise security policy – and ensure that every employee understands the risks of not following them.”
