Protecting Sensitive Data in the Mobile Era is No Small Task

CIOs and IT departments are on the frontlines of a monumental IT shift. With the number of mobile devices and applications exploding and bandwidth soaring, they are being asked to find ways to enable the brave new world of enterprise mobility.

Users - from rank-and-file employees to executives - are exploring new ways to benefit from the increasingly wide array of devices and platforms. Much of this exploration involves a merging of business and personal computing. In short, mobility is breaking down corporate walls and pushing enterprise data into the real world. Welcome to the mobile era.

All involved - from the users to IT - recognize the productivity and business efficiency benefits of this trend, but it is typically only IT that also recognizes the dangers unchecked mobility poses to sensitive corporate data.

The fact of the matter is that typical users don't realize the risk to enterprise data they create when they leave their smartphone sitting out in the open on a table at a restaurant or carelessly forget it in the backseat of a taxi on the way to the airport. Of course they recognize the financial and productivity impact losing their device would have on them, but in most cases this is not enough to cause them to think twice before putting the device in potentially dangerous situations.

The more serious risk this creates, and the one most users overlook, is the risk of losing control of the corporate data on the device. Therefore, IT can be forgiven if their first instinct is to lock everything down. Prohibiting users from taking advantage of new forms of mobile computing contains the risk. However, this approach is growing increasingly unrealistic in the face of growing demand - especially from executives - to move in the opposite direction.

At the same time, however, enterprise data must remain secure. After all, "but the employee asked us to connect the device to the corporate network" will not hold up as an excuse when faced with answering for a data breach. So then, IT must come up with a different solution: a means to protect sensitive corporate information regardless of where it might end up.

How can this be accomplished? One viable solution is for enterprises to extend their mobile security strategies - which should already include endpoint security and mobile device management (MDM) - to encompass mobile-specific encryption policies. By stepping up a level from the device and securing the data itself, the impact of a lost or stolen device on the enterprise is further reduced.

To understand why this is the case, consider the following possible scenario: An employee leaves his corporate-connected smartphone sitting on the counter of a bar while he steps away to use the restroom. In a matter of seconds, a thief snatches the device and is out the front door. Next, by either guessing a weak screen lock password or using software to break a more advanced one, it is not difficult for him to gain access to everything on the device, including the employee's corporate email and whatever sensitive information it contains. This could include anything from sales data to enterprise usernames and passwords. Losing control of the latter would be particularly damaging; after all, today's threat landscape is filled with targeted attacks and advanced persistent threats that rely on just such golden nuggets of information to wiggle their way onto corporate networks.

This scenario plays out differently, however, if encryption technology is utilized on all sensitive emails being transmitted to mobile devices from corporate servers. In this case, messages in the employee's inbox stay encrypted and the attacker cannot access any of the sensitive information. Reliance upon the device's security measures alone is not required because the data itself is protected.

Now that a case has been made for using technology to protect the actual data resting on mobile devices, it is important to recognize a couple of best practices that will make a mobile-focused encryption implementation successful.

First, enterprises must remember that the goal is to enable users to use their devices the way they want, under conditions that IT supports. Some approaches to information protection place severe limitations on how that information can be used. One of these approaches is to put potentially sensitive documents and messages into a sandboxed partition of the device. With this approach, users are prevented from using the data within their own applications. These usage limitations tend to create hostility and frustration among users who are now forced to access their own data in a way that is contrary to their preferences.

This somewhat archaic approach is less than ideal. A better approach is to use encryption in a manner that is policy-driven and granular enough to work with existing applications under the proper conditions. The all-or-nothing approach to security is simply too rigid to match well with increasingly flexible mobile environments. What is needed is to blend data protection, such as encryption, together with the user interface and mobile applications for seamless usability.

Second, it is critical to ensure mobile access to encrypted data is independent of network availability. After all, mobile devices are designed to be used on the go, which means users won't always have network connectivity. The best approach to solving this issue is to use an encryption application that runs natively on the mobile device's operating system. This ensures messages stay protected from the time they are sent until the time they are received and beyond. Because the application itself performs the encryption and decryption, it can operate even in offline situations, such as on an airliner at 35,000 feet, ensuring information is always available when the user needs it, regardless of network connectivity.

To summarize, enterprises can no longer assume their data is always safe and sound behind corporate firewalls. Instead, it is being taken everywhere employees are carrying their smartphones and tablets, and this creates a risk to the integrity of that information. As such, additional layers of defense, layers that protect the data flowing to and from mobile devices, must be implemented. Encryption, done right, is one such technology.

About the author:

Brian Tokuyoshi is senior manager, Encryption Group, Symantec. For more information about the company, visit