An exclusive series by the CIO Executive Council
SCENARIO: Protecting sensitive data on mobile devices
The rapid proliferation of new and innovative mobile devices represents the best and worst of times for IT organizations. On the one hand, we have end users genuinely excited about the promise of IT in their professional lives. We have physicians who can access any medical information they might need from a device that fits in the pocket of their lab coats. On the other hand, mobile devices mean that protected information is being accessed from everywhere, not just systems on desks. We in IT no longer want to always be saying “no.” We want to embrace IT innovation and make life easier for our end users. But how can we bring the latest and greatest mobile devices safely into our environment without increasing the data risk exponentially?
Today, we use double-layer security, first with our Citrix active directory authentication and then by protecting applications with a password or PIN. Despite these technical measures, we cannot exert the same level of control over personal devices as we would over hospital-owned equipment. With that in mind, how can we ensure users make the right choices about accessing and storing sensitive information? And how should we protect data in cases when users make the wrong choice?
Sounding Board's Discussion Points:
Data access – Application-level security – Corporate policies – Personal security risks
Secure the applications and information
I am not naïve enough to think that I can anticipate every security threat mobile devices pose; the space is too big already, and it’s rapidly expanding. But security at the device level is cost-prohibitive. Instead, we attacked it at the application level, taking great care not to disrupt the user experience that makes devices like the iPhone so popular.
We allowed end users to connect to corporate applications through the Web or, if possible, mobile applications. In fact, to say “we” is a bit disingenuous, because the end users themselves did most of the work. We showed them how to connect their devices and they gained access based on the privileges and permissions afforded to them at the application level. We did not use Citrix because it added an extraneous layer of complexity that annoyed end users.
However, we did exert a modicum of control behind the scenes. If an end user tried to connect to our system, they were asked to register the device with us and to fit it with a device password. Registration granted us access where, in the event the device was stolen, we could perform a remote wipe on the device and erase any locally stored information. In addition, we tracked and controlled access to specific documents through our document-management system, so sensitive information remained password-protected even if the device was traveling 30 mph down Main Street in the back of a cab.
Educate users about personal risk
To secure mobile devices, our policies for device and data protection were fairly liberal and not that much different from those for laptops. I was very conscious of the goodwill toward IT that these devices provide and did not want to do anything that might negatively affect end-user productivity. To access corporate systems, users registered the device with IT and accepted password protection in line with corporate standards, including software to allow remote wipes for lost devices. We did not go the extra step of monitoring Web traffic or automatically flushing cookies. We also relied on end-user awareness about potential security threats. But education about those threats always ran the risk of falling on deaf ears.
End users do not behave the way we would like them to because the threat is too abstract or the tactics are too invasive. They do not fear corporate data intrusion as much as they do a lost credit card number. Because personal mobile devices hold a lot of personal information, we emphasized the risks end users were more likely to accept and act on: personal ones. If I could convince the user of a personal risk—both in terms of likelihood of a breach happening and the potential severe impact of data being accessed or lost—they were more likely to accept our controls. It just so happens that protecting personal information also protects corporate information in the process, and we have yet to experience a security intrusion via mobile devices.
Interviews done by Carrie Mathews