The Mobile Device Dilemma
Within the US particularly and most “first world” countries, we live in societies of “always on” and “always connected” for both personal and our professional lives. While this 24×7 connection allows for greater productivity and hyper-connectivity, it is not without its own pitfalls.
From both a personal and professional standpoint we must take a step back and really think about the “data” that is contained on our various smart phones, tablets, net books, and laptop PC’s.
Long ago are the days when your mobile phone only really had just a list of contacts. In today’s world, a person’s smart phone is their “go to” devices. They contain, personal and professional contacts, personal emails, calendars, banking applications, web browsers, personal documents stored either on the device or connected to some form of cloud-based storage. In short, a person’s smart phone is a capsule of their life. When you take this and factor that upwards of 50% of companies allow for “bring your own device” or “BOYD” to the corporate enterprise you add in all your professional documents and counterparts.
Taking this thought process and applying it to all of your other mobile IT devices and you can see the potential of massive amounts of both personal and professional data being moved throughout any city or country on a daily basis. This data is also traveling over a multitude of transmission means ranging from the built in cellular data services to private WiFi networks all the way to the Starbucks shop down the street.
With all that data flowing, what are we doing as consumers and IT professionals to protect ourselves? The answer is “it depends”. Corporations that have locked in to the BlackBerry architecture by Research In Motion (RIM) with a full suite of end-to-end encryption for data transmission and options for forced Data at Rest (DaR) device encryption and remote device wiping. While advantageous, BlackBerry has taken a few black eyes over their poorly received foray in to the world of tables, the playbook and more recently, and importantly, their massive network outages. Looking at the other two heavy hitters Apple with its iOS and Google with its Android, you really are looking at third party apps to not only bring better integration with the enterprise, but also beef up the security. The major advantage to having to use a third party offering is the ability to go “cross-platform”, that is you can have a mixed environment of both iOS and Android (even BlackBerry) based devices and still connect and secure them. The drawback is that they often require a bit more of a learning curve to properly deploy and configure it for use when compared to the “out of the box” solution provided by Research In Motion.
The securing of these types of devices is still in its infancy, as they become more popular, powerful, and connected, I fully expect to see some form of major data loss to happen sooner rather then later.
Moving away from your ultra-mobile devices and on to your more traditional “Windows” and “OS X” devices, you typically see these devices in the news for corporation data loss. The laptop stolen out of a car that contained thousands of people’s medical records, or the one left somewhere with hundreds of employees social security numbers on it. Most windows systems if unencrypted can be compromised in roughly 5-10 minutes with nothing more than a CD or USB drive. Even encrypted disk are not truly safe when you considered things like the infamous “evil maid” attack. Due to this, the industry has moved for a more centralized approached where data is stored on a Storage Area Network (SAN) that can be accessed remotely by authorized employees using a combination of Virtual Private Networking (VPN) and their user credentials. For large or more security minded companies, both of these actions might involve smartcard hardware tokens as a basis for two factor user authentication. With none of the data actually stored on the laptop, and the only method to access requires a hardware smartcard as well as the PIN or password associated with that card, accessing key data by unauthorized users is reduced.
This threat even applies to the run of the mill home users. How many people have things like their tax returns, banking information, private correspondence, etc on their laptop? Let us be honest with ourselves and think about how many home users actually routinely backup their data, let alone have it stored separately? How many times has a computer crashed and a friend lost “everything”? How much data would a thief have on you if someone stole your laptop right now? This is where home users need to be not only aware but be proactive. If you are going to be traveling with a laptop, file encryption using software like TrueCrypt as well as standard patch management are key to safeguarding private data in conjunction with judicious use of foreign WiFi.
As with most things within the IT realm, I have barely even scratched the surface of both the risks and countermeasures we must use to mitigate them. Understanding first that there is a threat, second what the threat is and then having a plan for defense in depth is the best method to protect yourself and those who’s networks or data you have access too.