Scott Crawford, a security veteran and research director at Enterprise Management Associates Inc. in Boulder, Colo., explains how CIOs can prevent users from sidestepping remote access security policies and lays out the technology paths CIOs can take to securely manage mobile devices.
SearchCIO.com: How should CIOs start determining their requirements in order to develop their remote access security policies?
Crawford: You need to be aware of not only where that data resides, but also how it can be accessed and how it moves throughout your IT organization. That will help you identify where you need to place your emphasis. You'll have a better idea for taking a look at where it's accessed from and by what kinds of endpoints. It will give you use-case scenarios that will help you determine what an appropriate policy would be. Then you can start evaluating the technology that would help you solve those problems.
SearchCIO.com: You need insight into how things are moving around in your organization. Are people paying attention to that?
Crawford: Well, that is part of the fuel for the adoption of DLP [data loss prevention] technologies going back a few years now -- the fact that there was so much content moving around the organization, inside the organization, to employees, to business partners, to organizations that have no relationship with the enterprise. How do we get a handle on that? DLP gives you visibility into that activity, but it has its limits. It's really good for identifying highly structured data like account numbers; it faces some really serious challenges when it comes to unstructured data.
SearchCIO.com: How can the IT department stop users from sidestepping remote access security policies?
Crawford: You can start with the most common use cases that you encounter as a starting point. Email would likely be the first. This is not to say that DLP [tools are] a silver bullet; it means you need to have insight into how content moves in your organization. There are also the paths of egress to consider for how data leaves and falls into the wrong hands. The mobile issue does exacerbate that. The point is that you have to consider, first, just the sheer number of these devices and the things people want access to from them. And, by the way, you're probably not going to get extra head count just to deal with consumer devices appearing in large numbers in your organization.
Another typical path of egress is access to the application itself, and that's where you can exert some more control. Access to the network, as a means of accessing other resources, obviously would give you pretty broad access to a wide range of things within the environment, but not all access is equal from a mobile device. Most [mobile devices] have a browser, of course, but that begs the question of how are you enabling access to Web applications in the first place. So, mobile may be the catalyst for a lot of this, but it's not as if mobile is the only thing to consider.
SearchCIO.com: What approaches are you seeing for BYOD [bring-your-own-device] programs?
Crawford: There are vendors that can really enable a BYOD strategy and give an organization a lot of latitude over what people are allowed to bring in or access. The vendors in the VDI [virtual desktop infrastructure] space, that's one of their big talking points. If you use VDI technology, the data doesn't find its way to the endpoint.
SearchCIO.com: When people are getting to the point of choosing a technology for remote access security, what is your advice?
Crawford: People are torn over whether to get into mobile device management for this, or if it's OK to just take a containerized approach to enterprise applications or applications that would be a point of sensitivity. In other words, you can isolate these applications and give the mobile user access to the business content, but can you also protect them from unwanted or malicious interaction with other apps or the mobile device itself? Virtualization technology is one way to deal with it, but there are existing container approaches in the market today. There are also some NAC [network access control] players who have deep insight into really granular, policy-based control on access to a network environment where mobile is a factor.
Let us know what you think about the story; email Christina Torode, News Director.