It seems like every day half the Twitter feeds around cloud are about the great advancements we have seen, such as in OpenStack and Big Data, and the new technologies we are seeing to help drive adoption of cloud computing.
Unfortunately, the other half talks about encryption issues, data leaks, vendor uncertainty…doom and gloom. Most notably, the increased chatter around data privacy (both from an international government perspective, and the traditional risks associated with improper data loss protection controls) continues to impact one of the biggest trends trying to move forward: mobile device management.
It might seem I am harping on this topic, and not just because I have this discussion daily with colleagues, but the reality is this: for many organizations, cloud adoption is going to start with mobility, meaning BYOD, Mobile Device Management (MDM), and the connected enterprise. Look at your industry reports; this is where one of the biggest cloud roadblocks is coming from.
CDW recently released a report with an eye-opening statistic:
“Technology services and product provider CDW surveyed 1,200 mobile users and 1,200 IT professionals, and found a significant disconnect: 64 percent of IT professionals graded themselves with an A or B for providing personal mobile support (including BYOD policies and technical support), while 56 percent of users gave IT a grade of C or worse.”
This is to be expected; these new ways to deal with the complexities of mobile devices are sure to be a bit of a hurdle for anyone. It’s this unhappy statistic from Symantec that really illustrates the problem:
“83 percent of lost smartphones are used in attempts to access corporate data.”
Did you get that? 83%! This means that if your employee loses their phone, there is a very good chance someone will try to use it to get at corporate data, especially if they work for an organization that holds nice, confidential data such as data subject to compliance requirements. So no matter what the IT team does, there is a chance that all their controls can be bypassed by a phone that was probably unintentionally misplaced. Ouch.
So in honor of my IT security friends, I wanted to put together a quick (well, somewhat quick) and friendly post to provide some tips on how you can reduce BYOD headaches and avoid a nasty call from the legal team about a breach caused by a lost mobile device.
1. Figure out what you want to accomplish. There are tons of great resources out there. The first step is to figure out what you want to accomplish. Do you have a highly mobile staff who need access to corporate resources anywhere at any time? Are they mostly on-site but require mobility (such as in the case of hospitals)? Are you looking to streamline and integrate new mobile technologies to make your sales teams leaner and meaner? If you don’t know what you want to achieve, it’ll be a lot more difficult to figure out what you need to get there.
2. Map, map, map. This is where you figure out who will be involved (users and resources) and what systems you want to connect. Once you know what will be involved, you can then start overlaying the security controls you need to protect both the systems and the users.
3. Assume worst-case scenarios. Assume not only that your users will do everything to bypass your security controls, but also that your worst fears, device loss/theft, will happen. Let’s be honest, no one wants to think they will be the unlucky person who has to tell their boss “crap, I lost my device and there was sensitive info on it”, but the reality is, it happens. Consider additional security controls on the end device (as opposed to the systems and users we covered in step 2). Great starting points are device encryption from third parties (we all know for a fact that standard device security is no longer good enough), endpoint security and authentication. Mobile devices are computers: really small, expensive computers. Treat them that way.
4. Train, train and then train again. Employees, especially end users who are not technical, hate talking security. It’s boring, complicated and they just don’t care. You need to ensure they are aware of the serious risks that come from BYOD. But don’t overcontrol them: the more security and red tape you put in place, the more holes they will poke in your controls. I’m looking at you, Wi-Fi and mobile hotspot enthusiasts.
5. Breathe deeply, because it’s not going to go away. Also accept that due to the relatively new adoption of this strategy, even if you run into issues, there are probably a dozen other people who have hit the same snag. Learn from it, and talk to others so they don’t make the same mistake. Learn from others’ mistakes. It’s a learning curve as steep as a hockey stick for both IT folks and users, so we can’t expect perfection every time.
Luckily, vendors are starting to put together some really robust MDM solutions to make the management of controls and devices easier. If you are thinking about BYOD and MDM, ensure whichever platforms you go with support all the key requirements, and ask other customers how they address the entire BYOD approach. Don’t get caught off guard because you assume your MDM will protect all aspects of your mobile strategy. Because when a user loses their device, sadly, it’ll be your phone that will ring.
Andrea Bilobrk is the author of Deconstructing Cloud, the comprehensive guide to understanding and implementing cloud methodology.