Today we are at the cusp of change in the technology world. Several megatrends – cloud, virtualization, consumerization of IT and information explosion – are coming together to dramatically alter the way we work and play. Today’s employees expect and demand to work on the move just as effectively as they would on a stationary PC. And they want to do this on devices that they choose – across form factors (smartphone/tablet) and platforms.
However, while improved productivity demands that these options are given to the employee, IT departments are faced with a dilemma of choice. Earlier, IT would standardize on one platform and all employees were expected to use only compatible devices, which were often assigned by the office. Millennial workers are used to sophisticated technology at home and are asking for the same at work too.
Should IT remain committed to an outdated model that restricts the technology workers use, or give employees the tools they need to be productive, while still keeping confidential data secure?
New Approach to Security
Whether Indian enterprises are ready for the cloud or not, consumerization of IT is already making the decision for them. For users to do their jobs, they must be able to create, access, manipulate and store large amounts of data. Cloud frees device manufacturers from accounting for local storage – thereby letting them create highly portable, stylish and powerful devices that can create office documents, multimedia and more.
The loss of traditional security controls with the mobile devices combined with cloud-driven services results in the need for a new approach to security. In India, 59 per cent of enterprises feel employee-owned endpoints are a security threat, according to a recent Symantec survey. Organizations now must cope with workers introducing personal devices on the enterprise cloud and accessing workplace technology for personal purposes. For IT, the ultimate goal is protecting data by defining who should access what data and defining rights management for viewing and manipulating that data.
Protecting Data
IT is also tasked with enforcing governance over devices to ensure corporate data is protected, and enforce centrally defined and distributed security policies to all devices to secure data at rest and in motion.
For this, enterprises can consider five important guidelines to shape an IT policy that enables mobile devices and workers to function seamlessly and securely in the cloud.
Account for all devices: It is difficult to protect or manage what you can’t see. This begins with device inventory to gain visibility across multiple networks and into the cloud. After taking stock, implement continuous security practices, such as scanning for current security software, operating system patches, and hardware information (e.g., model and serial number).
Securing devices is securing the cloud: Since they are essentially access points to the cloud, mobile devices need the same multi-layer protection we apply to other business endpoints, including:
- Firewalls protecting the device and its contents by port and by protocol.
- Anti-virus protection spanning multiple attack vectors, which might include MMS (multimedia messaging service), infrared, Bluetooth, and e-mail.
- Real-time protection, including intrusion prevention with heuristics to block “zero-day” attacks for unpublished signatures, and user and administrator alerts for attacks in progress.
- Anti-spam for the growing problem of short messaging service spam
Integrated protection: Security and management for mobile devices should be integrated into the overall enterprise security and management framework and administered in the same way – ideally using compatible solutions and unified policies. This creates operational efficiencies, but more importantly, it ensures consistent protection across your infrastructure, whether it be on premises or in the cloud. Security policy should be unified across popular mobile operating systems such as Symbian, Windows Mobile, BlackBerry, Android or Apple iOS, and their successors. And non-compliant mobile devices should be denied network access until they have been scanned, and if necessary patched, upgraded, or remediated.
Cloud-based encryption: Millions of mobile devices used in the US alone “go missing” every year. To protect against unauthorized users gaining access to valuable corporate data, encryption delivered in the cloud is necessary to protect the data that resides there. As an additional layer of security, companies should ensure they have a remote-wipe capability for unrecovered devices.
Scalability and flexibility: Threats that target mobile devices are the same for small businesses and enterprises. As businesses grow, they require security management technology that is automated, policy-based, and scalable so that the infrastructure can accommodate new mobile platforms and services as they are introduced.
Together these guidelines provide a strong baseline policy, which should give IT and business leaders confidence in the cloud and the mobile devices it enables.
With this information-centric framework in place, companies can take full advantage of the benefits offered by the cloud. At the same time, having the right policies and technologies in place provides confidence that data – the new enterprise currency – is secure from unauthorized access.