If you work in a highly regulated industry, we’re preaching to the choir when we say that keeping data secure means making sure that your systems protect the data whether it’s “at rest” (that is, stored in your system) or being moved from one system to another through insecure tools such as email or mobile devices.
But these days, as nearly every business is confronted with an increasingly complex ecosystem of security measures and regulations, balancing data protection and performance is becoming more important for all enterprise IT teams.
Ideally, sensitive data would remain secure thanks to an enterprise-wide data encryption plan that covers all enterprise networks and systems. But in the real world, that’s not likely to happen.
Employees, contractors, and customers need access to the data from mobile devices, so a robust enterprise mobility security plan has to be in place as well. In fact, enterprise mobility security is one of the primary initiatives for many corporate IT teams this year.
We all know that mobile device encryption helps to mitigate security risks, and that using data encryption while data is in transit is important. But how do you balance data protection and performance?
It starts with closely reviewing current policies and procedures, and identifying current weaknesses in enterprise mobility security or data encryption plans. Then it’s a matter of reviewing a range of possible solutions to find the ones that will work best within your organization.
At InfoVision, we find that most of our clients prefer a combination of hardware-level encryption for their main databases, with a network access control system (NAC) that enforces security policy on mobile devices that connect to the network.
Many vendors who offer solutions designed to offer secure access to sensitive records via mobile devices such as smart phones or tablets. Some of them keep large, confidential databases on a central server accessible from a mobile device – without allowing data to actually reside on the device. Others rely on mobile device storage encryption or mobility device management applications that can remotely wipe a device. Each method can help to limit exposure if the device is ever lost or stolen, but using both may be the best method for truly sensitive data.
Of course, data doesn’t remain “at rest” very long, so data encryption for data in transit may be even more critical than “at rest” data security. One flaw in many consumer-driven mobile applications or off-the-shelf mobile apps for enterprises is that the apps don’t include any way to encrypt data as it moves between devices or across the network. The software “assumes” that the administrator has already secured the network, or that security is not critical to the user.
Firewalls, Wi-Fi networks and VPNs are often the other vulnerable spots in mobile data security. There isn’t a one size fits all solution to security, especially without the resource bottlenecks that encrypting data can cause.
So when it’s time to look at your enterprise mobility security needs, treat the process the way you’d treat any other mission critical development project. Start with identifying the business requirements, regulatory considerations and budget.
Then analyze the assets you are protecting, recognizing that not all data requires the same kind of protection so long as the less secure information does not provide a route to more secure data that a skilled hacker could exploit. Last, but not least, look at your workforce, and make sure that you understand their behaviors and needs.
That last point may be the most critical of all, according to a recent survey from security giant Symantec. In a new survey published this month, the company says that employees really don’t think twice about stealing data from their employer. There’s a stark contrast between employee behaviors and attitudes and company policies, the survey reports, and failing to understand the gap can put almost any data security policy at risk.
Data encryption is the last line of defense, but employee training and policy enforcement remains the most important factor in protecting your data.