Overcoming the Security Challenges of Mobile and the Cloud

If you’re like most business folks these days, two technologies are giving you fits: mobile and cloud. Not because they are being forced on you by your manager but because, more often than not, they are being forced on you by your employees. Mobile — smartphones, laptops, and tablets — is revolutionizing the way people work, and cloud is revolutionizing how the data and apps they need to work with are being housed and provided.

Figuring out how to manage the people aspects of this new work-anywhere-anytime mentality aside, the biggest headache and challenge most managers now face is security. Pandora’s Box is open and these technologies are being consumed and requested at unprecedented rates. This is not going to change. So how do you start to get a handle on this mega-trend and make sure that your most important asset, your data, isn’t just walking out the front door?

The good news is a lot of folks have been putting a lot of thought and effort into making this a turn-key process. After understanding your security requirements and settling on your risk tolerance — critical first steps to any company-wide rollout of the following technologies — the next step is to look at three technologies for ensuring secure mobile access: device-level encryption, virtual private network (VPN) access, and mobile device management (MDM) suites.

Each of these technologies is independent of the others, but they work together to ensure that data at rest (sitting on a smartphone somewhere) and data in flight (being transferred between devices and servers) is protected. MDM enforces policy-based decisions about who accesses your network and what devices they are allowed to use in the process. There are about 80 MDM vendors out there ranging from unheard-of startups to the major players, so take some time and choose wisely.

For your cloud deployments you’ll want to think about things like data encryption, service level agreement (SLA) provisions around data loss and recovery, down-time, data sovereignty (i.e., just where in the world is your data at any given time?), and site-level physical security — no sense in securing all your data only to have someone literally walk in the front door and steal it.

Cloud offerings are more mature than MDM, so many of these questions are already answered by an industry which has a vested interest in keeping your data safe, secure and readily available; nothing like a few high-profile security breaches to put the brakes on a thriving business.

When it comes to cloud, there are a lot of providers so make sure you’re considering things like reputation and years in business. Get references and make the calls. Finally, go over your SLA very carefully and if you have questions, ask for advice. The time to find out that your cloud provider is not responsible for restoring your data is not the day after it is gone!

If you don’t have a dedicated IT team or security team then it’s probably best not to take an a la carte approach to any of these technologies but to get with a well-known vendor (both cloud and MDM) and let them guide you through the process. MDM in particular has touchy issues since you may find yourself securing data on your employees’ personal devices. Some MDM suites allow you to wipe the entire device, for example. This could lead to a lot of unhappy people if you blow away their phone books, passwords, emails and calendars along with all your corporate-owned spreadsheets and such.

Security aside, the benefits of cloud and mobile often far outweigh the risks. It’s just a matter of your risk tolerance and deciding if the ROI will be worth the time and effort.

  • Douglas Craver

    Great post. To increase adoption of Security tools and processes in the release management, development teams must be convinced that they won’t increase the time to market. Progressive enterprises want their mobile apps yesterday and love the cost savings compared to old skool desktop apps. But as the complexity of these biz apps increases they should see the potential for permission leakage, etc.