Scott Crawford, a security veteran and research director at Enterprise Management Associates Inc. in Boulder, Colo.,...
explains how CIOs can prevent users from sidestepping remote access security policies and lays out the technology paths CIOs can take to securely manage mobile devices.
SearchCIO.com: How should CIOs start determining their requirements in order to develop their remote access security policies?
Crawford: You need to be aware of not only where that data resides, but also how it can be accessed and how it moves throughout your IT organization. That will help you identify where you need to place your emphasis. You'll have a better idea for taking a look at where it's accessed from and by what kinds of endpoints. It will give you use-case scenarios that will help you determine what an appropriate policy would be. Then you can start evaluating the technology that would help you solve those problems.
You need insight into how things are moving around in your organization. Are people paying attention to that?
Well, that is part of the fuel for the adoption of DLP [data loss prevention] technologies going back a few years now -- the fact that there was so much content moving around the organization, inside the organization, to employees, to business partners, to organizations that have no relationship with the enterprise. How do we get a handle on that? DLP gives you visibility into that activity, but it has its limits. It's really good for identifying highly structured data like account numbers; it faces some really serious challenges when it comes to unstructured data.
How can the IT department stop users from sidestepping remote access security policies?
You can start with the most common use cases that you encounter as a starting point. Email would likely be the first. This is not to say that DLP [tools are] a silver bullet; it means you need to have insight into how content moves in your organization. There are also the paths of egress to consider for how data leaves and falls into the wrong hands. The mobile issue does exacerbate that. The point is that you have to consider, first, just the sheer number of these devices and the things people want access to from them. And, by the way, you're probably not going to get extra head count just to deal with consumer devices appearing in large numbers in your organization.
Another typical path of egress is access to the application itself, and that's where you can exert some more control. Access to the network, as a means of accessing other resources, obviously would give you pretty broad access to a wide range of things within the environment, but not all access is equal from a mobile device. Most [mobile devices] have a browser, of course, but that begs the question of how are you enabling access to Web applications in the first place. So, mobile may be the catalyst for a lot of this, but it's not as if mobile is the only thing to consider.
What approaches are you seeing for BYOD [bring-your-own-device] programs?
There are vendors that can really enable a BYOD strategy and give an organization a lot of latitude over what people are allowed to bring in or access. The vendors in the VDI [virtual desktop infrastructure] space, that's one of their big talking points. If you use VDI technology, the data doesn't find its way to the endpoint.
More on access and security risks
When people are getting to the point of choosing a technology for remote access security, what is your advice?
People are torn over whether to get into mobile device management for this, or if it's OK to just take a containerized approach to enterprise applications or applications that would be a point of sensitivity. In other words, you can isolate these applications and give the mobile user access to the business content, but can you also protect them from unwanted or malicious interaction with other apps or the mobile device itself. Virtualization technology is one way to deal with it, but there are existing container approaches in the market today. There's also some NAC [network access control] players who have deep insight into really granular, policy-based control on access to a network environment where mobile is a factor.
Let us know what you think about the story; email Christina Torode, News Director.
Dig Deeper on Enterprise Information Security Management