Ted Julian is no stranger to the many facets of information security. The chief marketing officer of Co3 Systems, an incident response management systems provider, has been in the security business for 20 years. But with the prevalence of bring your own device (BYOD) and cloud computing, there's something significantly different about today's threat landscape, he said: Data risk has expanded substantially, especially as the corporate and personal information stored on mobile devices becomes harder to manage.
At the recent Boston App Expo, Julian and Adam Bookman, partner at enterprise mobile strategy consultancy Propelics, led the "Security and Privacy Challenges" panel discussion on how today's enterprises can navigate the risky BYOD landscape. In part one of this story, they said data classification and profiling can help mitigate data loss. Here, they emphasize the importance of information security's nuts and bolts when creating mobile privacy and security policies.
Don't forget the basics
When it comes to crafting mobile security policies, sometimes the best advice is the most straightforward: Julian advised IT, security and privacy officers to start with "the basics" of mobile security, including device encryption, laptop encryption and remote wipe capabilities.
"You do that and you're going to spare yourself a lot of anxiety, chief among them to get out of there quickly, as you will absolve yourself of most regulatory requirements," he said.
The security solutions available today are more flexible than the ones of old, pointed out panel moderator Cimarron Buser, senior vice president of global operations at Apperian.
Take remote wipe, for example. "It's getting a lot more granular. With things like app wrapping and containerization, you can actually wipe the enterprise app and its data; you wouldn't necessarily have to wipe all the baby photos and things like that," he explained.
Documentation is also important to mobile security programs.
"If you're able to document, 'Yes, that device was compromised, and we can validate that the data on that device was encrypted,' then [you've covered] almost all of your state disclosure regulatory requirements, your HIPAA/HITECH and other regulatory requirements," Julian said.
But while employees sometimes prioritize their mobile user experience at the expense of corporate data protection, IT and security teams are occasionally guilty of the opposite: They prioritize the control of all endpoints while sacrificing user experience.
"There's the opposite of risk, of being too locked down," said Bookman. "I think IT people love the idea of virtualization, of locking -- nothing should be on your device -- but the users hate it, because you can't move the mouse, you can't touch things."
On the other hand, some organizations don't even have policies in place. "Certain types of data don't belong on certain types of devices," he cautioned. "It can't be a jailbroken device."
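The policy points raised so far (the "basics" of encryption and remote wipe, selective wipe of a wrapped or containerized app rather than the whole phone, documentation that a lost device's data was encrypted, and the rule that regulated data does not belong on a jailbroken device) can be written down as a small, testable compliance check. The following is an added example written for this article, not code from Co3 Systems, Propelics, Apperian or the panelists. The device record fields, the data classifications and the control thresholds are all assumptions chosen for illustration; a real program would map them onto whatever its MDM inventory actually reports.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed device inventory record. The field names are an assumption for
# this example, not the schema of any real MDM or EMM product.
@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    disk_encrypted: bool
    remote_wipe_enrolled: bool
    jailbroken: bool
    containerized_apps: tuple = ()  # enterprise apps wrapped so only their data is wiped

# Minimum controls a device must show before each data class may live on it.
# The class names and thresholds are assumed for illustration only.
POLICY = {
    "public":       frozenset(),
    "internal":     frozenset({"disk_encrypted"}),
    "confidential": frozenset({"disk_encrypted", "remote_wipe_enrolled", "not_jailbroken"}),
    "regulated":    frozenset({"disk_encrypted", "remote_wipe_enrolled",
                               "not_jailbroken", "containerized"}),
}

def controls_present(device: Device) -> frozenset:
    """Translate raw inventory fields into the named controls POLICY refers to."""
    present = set()
    if device.disk_encrypted:
        present.add("disk_encrypted")
    if device.remote_wipe_enrolled:
        present.add("remote_wipe_enrolled")
    if not device.jailbroken:
        present.add("not_jailbroken")
    if device.containerized_apps:
        present.add("containerized")
    return frozenset(present)

def evaluate(device: Device, classification: str) -> dict:
    """Decide whether data of this class may sit on the device; list what is missing if not."""
    if classification not in POLICY:
        raise ValueError(f"unknown data classification: {classification}")
    missing = sorted(POLICY[classification] - controls_present(device))
    return {
        "device_id": device.device_id,
        "classification": classification,
        "allowed": not missing,
        "missing_controls": missing,
    }

def wipe_scope(device: Device) -> str:
    """Narrowest wipe the device supports: the enterprise container, the whole device, or nothing."""
    if device.containerized_apps:
        return "enterprise_container"
    if device.remote_wipe_enrolled:
        return "full_device"
    return "none"

def incident_record(device: Device, classification: str, lost_at: datetime) -> dict:
    """Evidence snapshot for a lost or compromised device: was the data encrypted,
    how narrowly can it be wiped, and which policy controls were missing."""
    verdict = evaluate(device, classification)
    return {
        "device_id": device.device_id,
        "owner": device.owner,
        "lost_at": lost_at.astimezone(timezone.utc).isoformat(),
        "classification": classification,
        "encrypted_at_time_of_loss": device.disk_encrypted,
        "wipe_scope": wipe_scope(device),
        "policy_violations": verdict["missing_controls"],
    }

def compliance_report(inventory, classification: str) -> list:
    """One verdict per device for the given data class."""
    return [evaluate(d, classification) for d in inventory]

# Constructed sample inventory; these are not real devices or people.
INVENTORY = (
    Device("D-001", "alice", disk_encrypted=True, remote_wipe_enrolled=True,
           jailbroken=False, containerized_apps=("crm",)),
    Device("D-002", "bob", disk_encrypted=True, remote_wipe_enrolled=True, jailbroken=False),
    Device("D-003", "carol", disk_encrypted=False, remote_wipe_enrolled=False, jailbroken=True),
)

if __name__ == "__main__":
    for row in compliance_report(INVENTORY, "regulated"):
        print(json.dumps(row))
    lost = datetime(2013, 9, 12, 14, 30, tzinfo=timezone.utc)  # constructed timestamp
    print(json.dumps(incident_record(INVENTORY[1], "confidential", lost)))
```

The point of `incident_record` is the documentation argument Julian makes: when a device goes missing, the team can pull one structured record showing the data class involved, whether the disk was encrypted at the time, and whether the response can be limited to the wrapped enterprise app rather than the owner's whole phone. The `missing_controls` list is what turns a policy statement such as "it can't be a jailbroken device" into something the team can act on before an incident rather than after.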
One way to find the happy medium between these approaches, Bookman advised, is to treat mobile apps not as systems of record but as front ends to your systems. He suggested separating mobile apps into an online and an offline component, for example.
"We should definitely not be storing personal information. … I don't think we would like to see a lot of customer or patient information just living on the device -- that would not be good practice," he said.
Panelists also stressed that practice -- and education -- makes perfect. "You want to operate on muscle memory when an incident happens," Julian said.
Bookman agreed, stressing the importance of involving other teams, such as HR, in the policy-making and education processes. It's one thing to implement passwords and have the ability to lock down devices, but it is also important to understand why these precautions need to be put into place.
"People who are in risk and information security positions don't understand mobile and the way people use it," Bookman said, adding that there's a gap between how security and IT officers view mobile privacy and security and how users actually want to use their devices.
"These worlds have to come together, and we really have to make it more simple," he said.