Solving the Portable Data Security Headache
Protecting intellectual property and sensitive information is a major security concern for any business today—especially against the backdrop of workers needing to share documents and files with their colleagues, customers, and partners on a daily basis.
The problem facing IT professionals is that, all too frequently, these items contain confidential information, mandating the need for effective file encryption. But a good data leak prevention platform will go several steps further than adding simple file encryption to the smorgasbord modern IT security systems have become—there is now a pressing need to create a secure platform on which coworkers can collaborate.
If you are moving data around on a company network, protecting the information flow is a relatively easy task—with the right technology in place, of course. But the biggest headache that many company IT professionals face is the one posed by removable media.
In a small company, chances are that the IT department consists of one or two people—typically assisted by one or more local specialists. In this case, the managing director of the company likely makes the decisions on which security systems to deploy.
The headache for the company, however, is that relying on a single person to understand the nature of the multiple security threats the modern technology landscape presents is asking for trouble, no matter how knowledgeable that person is.
An experienced IT security manager would find it logistically impossible to make all the right decisions—and review those decisions on a regular basis—so expecting a managing director to make the right decisions all the time is a big, impractical ask.
The bottom line is that a lot more needs to be done on the best practice education front when it comes to security and governance in a small company. Even with the best planning and support available, the security framework a small business has in place may be effective most of the time, but we have found that the devil is usually in the details—meaning that the security framework needs to be comprehensive if it is going to work well all of the time.
Removable media, despite its convenience, is a potential security threat for most companies, as it is a relatively trivial task for a member of staff to transfer large volumes of data to a portable media player or smartphone. Even the most basic of smartphones these days has around 16 gigabytes of data storage, and you can now buy an affordable USB stick with this capacity in a retail outlet.
Small wonder, then, that more and more PC users are relying on USB sticks (aka flash drives) and portable media devices to assist them in moving their data around. Critics might argue that with the arrival of fiber-based broadband services, such as BT Infinity and similar services, it is possible to store and move data around in a cloud computing environment.
Unfortunately, the asymmetric nature of modern broadband services means that the upstream speeds are often a fraction of the data speeds seen on the downstream link. Put quite simply, it can take an hour or more to move a large volume of data into the cloud, while a similar transfer can be accomplished in a few minutes using a humble USB stick.
Until quite recently, many businesses did not allow unprotected USB sticks to be used in the workplace, preferring instead to use secure USB sticks sporting encryption and close integration with on-network security technologies.
The advent of the 16GB budget smartphone—and, of course, the iPhone and iPad—has changed the landscape significantly in this regard. We expect that the penetration levels of portable media devices in the workplace will continue to soar.
The good news here is that, rather than use a secure USB stick, if we approach the data governance issue from the other side and impose layers of security when a portable device is plugged into the company IT system, we can still control the flow of data.
For example, we can employ a set of block, read, or read/write options depending on the workstation being accessed, the privilege of the account holder, and the security policies that apply to a given business.
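The block, read, or read/write decision described above can be sketched as follows. This is an added example, not code from the article or from any product; the workstation classes, roles and device rules are hypothetical values constructed for illustration. Each input sets a ceiling, the most restrictive ceiling wins, and anything unrecognized is blocked.

```python
from enum import IntEnum


class Access(IntEnum):
    BLOCK = 0
    READ = 1
    READ_WRITE = 2


# Hypothetical policy tables, constructed for this example.
WORKSTATION_CEILING = {
    "kiosk": Access.BLOCK,
    "office": Access.READ,
    "engineering": Access.READ_WRITE,
}
ROLE_CEILING = {
    "contractor": Access.BLOCK,
    "staff": Access.READ,
    "data_owner": Access.READ_WRITE,
}


def device_ceiling(registered: bool, encrypted: bool) -> Access:
    """Assumed business policy: unregistered devices are blocked;
    registered but unencrypted devices may be read, never written."""
    if not registered:
        return Access.BLOCK
    return Access.READ_WRITE if encrypted else Access.READ


def decide(workstation: str, role: str, registered: bool, encrypted: bool) -> Access:
    """Return the access granted when a portable device is plugged in."""
    ceilings = (
        # Unknown workstation classes and roles fail closed.
        WORKSTATION_CEILING.get(workstation, Access.BLOCK),
        ROLE_CEILING.get(role, Access.BLOCK),
        device_ceiling(registered, encrypted),
    )
    # The most restrictive of the three inputs decides the outcome.
    return min(ceilings)
```
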
This is particularly important in the modern business environment, where people often take their work home with them. We need to develop a security environment that allows them to work from home, as well as when they travel.
Today, many users are choosing not to take a laptop computer with them when traveling, as they know there will be a computer of some type available at their destination. When they reach the distant office or hotel, they plug their USB stick into the computer and begin going about their business. The USB stick is a business enabler, so it's essential that you develop a set of best data security practices within your organization—and enforce them using on-network security.
Our observations suggest that, where best practice is introduced to the security environment in a given business, those best practices automatically set the scene for regulatory compliance.
Backing up best practices in the security space is the need to enforce encryption at the remote end of a given connection, with enablement being the key. Managers also need to recognize that there are many different types of users in even the smallest of companies. We need to enable and control their data, regardless of who they are.
Developing an effective security mechanism to defend the firm's data in such situations requires that the security be cost-effective, yet not interfere with the user experience. The best solution here is to build workflow design into the process.
By automating the technology, and keeping a grip on the governance of that technology, it becomes possible to save on operating costs for the organization, while at the same time maintaining the best levels of efficiency and security.
We have also found that the interface to the security system needs to be very similar to the current system if the company is to achieve stakeholder buy-in to the technology. The staff may not all understand how the security technology works, but they do understand why it is there.
Obtaining stakeholder buy-in in this way means that staff can handle situations more effectively when things go wrong, with automated systems reporting back to the people in charge what is happening in real time.
If at all possible, the portable media technology also needs to have a "phone home" capability, both in order to track what is happening to the data while it is on the device in question, and also to permit ongoing access to that data.
This means that if the portable device does not contact headquarters on a regular basis, access to the data on the device is automatically blocked and/or a remote wipe carried out.
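One way to express the "phone home" rule above is a check-in lease evaluated each time the data is opened. This is an added example, not code from the article or any product; the `Lease` fields and the decision strings are hypothetical, and the thresholds are left to the caller. It also fails closed when the device clock moves backwards, since winding the clock back would otherwise extend the offline window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Lease:
    last_checkin: datetime   # last successful contact with headquarters
    latest_seen: datetime    # high-water mark of the device clock
    block_after: timedelta   # silence tolerated before data is locked
    wipe_after: timedelta    # silence tolerated before a wipe is ordered


def evaluate(lease: Lease, now: datetime) -> str:
    """Decide what the device may do with its protected data right now."""
    # A clock earlier than one already observed suggests rollback: fail closed.
    if now < lease.latest_seen:
        return "block"
    lease.latest_seen = now
    silent_for = now - lease.last_checkin
    if silent_for >= lease.wipe_after:
        return "wipe"
    if silent_for >= lease.block_after:
        return "block"
    return "allow"


def check_in(lease: Lease, server_time: datetime) -> None:
    """Renew the lease after a successful contact, trusting the server's
    time rather than the device's own clock."""
    lease.last_checkin = server_time
    lease.latest_seen = max(lease.latest_seen, server_time)
```
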
While this may sound like overkill for a small company and its trusted staff, managers need to be aware that today's trusted employee could be tomorrow's competitor. In the event that a member of staff is poached, all bets are off on the security of your data.
It's also worth remembering that the penalties for failing to protect your company's data are now a lot more than the cost of compliance. Yes, a good security platform will cost money, but far less than the cost of remediating a data breach.
Jeff Sherwood is the vice president of Cryptzone.