Growing up, there was a very specific sandwich-making rule laid down by my dad. When making peanut butter and jelly sandwiches, you had to use the peanut butter before the jelly. Was this because of some principle which determined that the resulting sandwich held together better when the ingredients were applied in this order? No. It was because he hated the cross-contamination of jelly into the peanut butter jar which was inevitable when it was on the spreading knife first. He preferred jelly-free sandwiches, you see.
This memory of a long-held rule, which still governs my actions today, came to me as I was reviewing the Center’s current research into security-related topics. We’re talking with Chief Information Security Officers (CISOs) about their evolution and leading practices in the enterprise. We’re discussing how they successfully bring security topics into the business world. Most importantly, we’re examining how business priorities impact security choices.
In the realm of mobile and BYOD, you can hardly have a conversation without discussing security. It is a key inhibitor to mobile adoption and one reason companies are looking for managed security solutions rather than simply hoping for the best. Some security leaders argue for keeping personally owned devices out of the enterprise, simply due to the risk potential. Others, accepting that mobile is here to stay, fight to make its use as secure and safe as possible. It’s only going to get worse as more and more connected devices enter the enterprise (see this recent Forbes article: “The Next Big Thing In Enterprise IT: Bring Your Own Wearable Tech?”).
IBM’s prior CISO, and current head of Security Services, Kris Lovejoy, wrote about best practices for mobile implementations last year as part of our Security Essentials series: “Enabling mobility: their device, your data”. For many, doing business means being mobile. As a security leader, it becomes your job to manage the risk – not just avoid it. Caleb Barlow extended these thoughts with an article this summer, “Yes, It’s Possible to Be Confident About Mobile Security”, which focuses on four key ways to mitigate the risk of adding mobile to your secure enterprise:
- Risk analysis – Organizations must understand what enterprise data is on employee devices, how it could be compromised and the potential impact of the compromise (i.e. What does it cost? What happens if the device is lost? Is the data incidental or crucial to business?).
- Securing the application – In the pre-mobile, personal computer era, simply securing the device and the user was sufficient. When it comes to mobile devices, we also need to think about securing the application itself. As a typical application is downloaded from a store, the end user really has no idea who built the application, what it actually does with their data or how secure it is. Corporate applications with sensitive data need to be secure in their own right.
- Secure mobile access authentication – Since mobile devices are shared, it’s important to authenticate both the user and the device before granting access and to look at the context of the user requesting access based on factors like time, network, location, device characteristics, role, etc. If the context appears to be out of line with normal behavior, appropriate countermeasures can be taken.
- Encryption – Simply put, if the data is sensitive, it needs to be encrypted both at rest and in motion on the network.
What stops you from fully adding mobile to your security strategy? Hopefully it is more than just a distaste for jelly in your peanut butter. This October we’ll have more to share on mobile adoption challenges when we release this year’s follow-up to our 2012 CISO Assessment.