November 15th, 2010 by Guest Author
Mobile Security: Critical Protection for Enterprise Organizations
This article is part of a series of guest editorials on StorageReview.com that seek to bring a unique perspective from industry insiders to our audience. To suggest ideas or to participate, please contact us.
By: John Jefferies, vice president of product marketing at IronKey
Mobility and remote access are the new staples for enterprise IT organizations. Contingencies for continuity of operations in a variety of departments, a more mobile workforce, and the growing need to securely share information with other entities, all necessitate a new focus on mobile data.
Smart phones, USB flash drives and other mobile devices typically carry sensitive information, and their small size makes them strong candidates for loss or theft. A recent study* found that 51 percent of enterprise users store confidential information on USB flash drives, and 39 percent have lost flash drives or laptops. Perhaps equally disconcerting is the fact that 72 percent of these failed to report the loss promptly.
Since these highly portable devices now have the capacity to hold millions of pages of data, they provide an easily concealed package that hostile agents or forces can use to steal confidential enterprise information, IP or other sensitive business secrets.
Lost or stolen flash drives containing everything from multiple customers' private data to confidential product planning to plans for upcoming mergers and acquisitions can end up in the wrong hands. Whether the cost is measured in security remediation or in legal liability, data breaches such as these can have devastating consequences for the affected organization. Organizations also risk the damage to their brands that follows from mandatory data breach disclosures.
Managing these risks without nullifying the significant productivity and efficiency benefits of mobile devices has become a delicate balancing act facing IT departments. Rather than banning the use of these devices or going back to archaic practices such as disabling USB ports, IT managers need to ensure the security of the data stored on them, while maximizing their potential to deliver everything from greater productivity to rapid disaster recovery. The following best practices represent a good roadmap for organizations that are grappling with this important challenge.
Encrypting Mobile Data: The Bare Minimum in Security
Regardless of industry, organizations cannot afford to leave sensitive data unprotected on mobile devices. Strong encryption is the best first step in the battle against loss or theft of information from mobile devices. NIST's own estimate, which assumes a machine that tries 2^55 keys per second, puts the expected time to brute-force a 128-bit Advanced Encryption Standard (AES) key at roughly 149 trillion years.
Nonetheless, when deploying an encrypted device to employees, make sure it uses a recommended mode of operation for AES. Electronic Codebook (ECB) is the easiest to implement, but it encrypts every block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of a file shows through the encryption; it does not provide serious confidentiality. Cipher-Block Chaining (CBC) chains each block into the next, starting from a per-message initialization vector, and hides that structure. Because CBC encryption cannot be parallelized across blocks it is harder to implement efficiently in hardware, and some manufacturers do not bother. Enterprise devices should also be FIPS 140-2 validated; validation covers the whole cryptographic module rather than the algorithm alone, and checks that the design, key management and encryption have been implemented and perform correctly.
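To see what "ECB shows the structure of a file" means in practice, here is an added Go example (not code from the article or from IronKey) that encrypts a constructed record with AES-128 from Go's standard library in both modes and counts repeated ciphertext blocks. The key, IV and plaintext are made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key and IV, fixed so the demonstration is repeatable. A real
// device generates the key inside its hardware and a fresh, unpredictable IV
// for every encryption.
var (
	demoKey = []byte("0123456789abcdef") // 16 bytes = AES-128
	demoIV  = []byte("fedcba9876543210") // 16 bytes = one AES block
)

// demoPlaintext is a constructed record whose first four 16-byte blocks are
// identical, the kind of repetition real files are full of.
func demoPlaintext() []byte {
	pt := bytes.Repeat([]byte("ACCOUNT-CLOSED  "), 4)
	return append(pt, []byte("ACCOUNT-OPEN    ")...)
}

// pkcs7Pad brings msg up to a multiple of the block size (always adds padding).
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts each block independently. The standard library has no
// ECB helper on purpose; it is built here from the raw block cipher only to
// show what it leaks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// encryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first) before encrypting, so equal plaintext blocks no
// longer produce equal ciphertext blocks.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// repeatedBlocks counts ciphertext blocks that occur more than once; any
// value above zero means the ciphertext reveals structure of the plaintext.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]int)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	dup := 0
	for _, c := range seen {
		if c > 1 {
			dup += c
		}
	}
	return dup
}

func main() {
	pt := demoPlaintext()
	ecb, _ := encryptECB(demoKey, pt)
	cbc, _ := encryptCBC(demoKey, demoIV, pt)
	fmt.Printf("ECB: %d of %d ciphertext blocks repeat\n", repeatedBlocks(ecb), len(ecb)/aes.BlockSize)
	fmt.Printf("CBC: %d of %d ciphertext blocks repeat\n", repeatedBlocks(cbc), len(cbc)/aes.BlockSize)
}
```

ECB turns the four identical plaintext blocks into four identical ciphertext blocks, and the all-padding final block encrypts to the same value in every file protected by that key; CBC shows no repeats. Two caveats apply to CBC itself: the IV must be unpredictable and never reused under the same key (reusing it leaks whether two files begin the same way), and neither mode detects tampering, so integrity needs a separate authentication tag or an authenticated mode.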
No matter what type of encryption is used, it is only as strong as its weakest link: the user password. Readily available password-guessing tools, in software and in hardware, let an attacker hammer away at millions of guesses per second, so a password that can be attacked offline will not hold out for long.
Solutions that keep the encryption keys and the password check inside the device's hardware blunt these brute-force attacks, because every guess has to go through the device and its retry counter. With software-based solutions the encrypted container and the counter both live on the host, so an attacker can copy the container and guess offline, or simply restore the counter that is supposed to limit the number of incorrect attempts. Hardware key storage also protects against so-called "cold boot" attacks, in which an attacker recovers keys from RAM: DRAM contents persist for seconds to minutes after power is removed, long enough to reboot the machine into a small memory-dumping tool or to move the memory modules to another machine. A key that never leaves the device's hardware is never in host RAM to be recovered (the decrypted files it hands to the host may, of course, still be cached there).
Users themselves are a risk: some write down their passwords and carry the list in the same bag as the device, and others are malicious insiders. For these reasons, encryption alone is not enough. Organizations should use it within a centrally managed solution that can remotely disable or deny access to compromised devices, or wipe them clean.
It’s All About Control: Centrally Managing Mobile Devices
An estimated 300 million USB drives are in use worldwide. There are so many devices in the hands of users that on any given day most organizations are unaware of the multitude of devices that are connecting to their networks. With little control and even less knowledge of how the devices are used, these legions of mobile devices represent a significant security risk.
Some organizations have already deployed centrally managed endpoint data-protection solutions for their desktop and laptop PCs. The same needs to extend to mobile devices, with the ability to track usage and enforce security policies remotely, including locking a device after a set number of incorrect password attempts and destroying its data when it is reported lost or stolen.
With viruses, Trojans, botnets and other malware evolving constantly, organizations must also put policies and practices in place to protect against such attacks arriving via mobile devices. Beyond port control, preventive steps include automated, regular malware-protection updates, secure manufacturing processes, secure provisioning and quality-assurance processes, and real-time anti-malware scanning.
Enabling your Access Port Force-Field
In addition to managing the devices, organizations should also control the ports they connect to. Since employees need those ports to do their jobs, IT security professionals should use business-friendly approaches such as whitelists, which commercially available device-control applications can enforce at a granularity as fine as an individual device serial number. Bear in mind that a USB serial number is reported by the device's own firmware, so a serial-number whitelist is a control against unmanaged drives showing up on the network, not proof of which device is actually connected.
By using port control to allow only authorized devices that use strong, hardware-based encryption and centralized management to connect to machines, organizations can greatly reduce the risk of data loss and leakage via mobile devices.
Secure Remote Access: Establishing Double Authentication
Across the many enterprise applications that are reached remotely, IT administrators need to define remote-access policies: acceptable network connection methods, and authentication policies that define who is allowed what type of access, and to what specific data. By incorporating some form of two-factor authentication, remote devices can become part of the solution rather than part of the problem.
Digital certificates and one-time password generators, such as RSA SecurID authenticators, extend authentication beyond passwords. Building this second factor into an encrypted USB flash drive removes the need for a separate physical token and can improve security, because the credentials cannot be used until the user has authenticated to the device itself. This approach also reduces costs while simplifying both administration and the end-user experience.
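To make concrete what a one-time password generator computes, and why the shared secret is the piece worth keeping in hardware, here is an added Go example of the open HOTP algorithm from RFC 4226 together with a minimal server-side verifier. This is illustrative code, not IronKey's or RSA's; SecurID tokens use RSA's own algorithm, and the secret used below is the RFC's published test-vector value, not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// hotpVerifier is the server side. It holds the same secret as the token and
// the next counter it expects; window bounds how far ahead the token may have
// drifted (for example, a user pressing the button without logging in).
type hotpVerifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// verify accepts a code only for counters in [counter, counter+window] and,
// on success, moves past the matched counter so the same code cannot be
// replayed. The comparison is constant-time.
func (v *hotpVerifier) verify(code string) bool {
	for i := uint64(0); i <= v.window; i++ {
		c := v.counter + i
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c, 6)), []byte(code)) == 1 {
			v.counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed shared secret (the RFC 4226 test-vector secret). On a
	// hardware token this value would never leave the device.
	secret := []byte("12345678901234567890")
	server := &hotpVerifier{secret: secret, window: 10}
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, hotp(secret, c, 6))
	}
	code := hotp(secret, 3, 6) // token advanced to 3; server still expects 0
	fmt.Println("first use accepted:", server.verify(code))
	fmt.Println("replay accepted:   ", server.verify(code))
}
```

The verifier accepts a code only for counters within a small look-ahead window and then moves past the matched counter, so a code captured by a keylogger cannot be replayed. Everything here stands or falls on the 20-byte secret: anyone who holds it can generate every future code, which is the argument for keeping it inside the device rather than in a file the host can read.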
Educating Your Workforce: The Final Hurdle in Mobile Data Security
The strongest encryption and authentication measures implemented to secure mobile devices are of little use if employees find a way around them. Studies show* that when faced with a choice between getting their job done and following data security policies, 95 percent of employees chose the former. Carrying sensitive data on these devices against policy, or using them on untrusted networks and machines where bots, keyloggers and other malware can silently install themselves, can open a path into otherwise secure enterprise networks.
Over 80 percent of respondents in a recent survey* said their company has no policy or they are unaware of such a policy that restricts the changing of security settings on workplace computers. Unless employees fully understand the magnitude of the threat and importance of reducing these risks, they will see security policies simply as barriers to productivity.
Security awareness campaigns are vital to helping staff understand the reasons for these policies and encourage them to become active partners in security. Education programs should focus on the risk the policy is designed to mitigate, demonstrate how appropriate controls protect the employee, and keep employees informed of new threats, vulnerabilities, policies and individual accountability.
Uniform Mobility, Flexibility and Survivability: The Required Returns
The continuity and survivability benefits apply in a variety of scenarios. With a securely managed infrastructure of mobile devices, employees could, for example, carry a virtual PC desktop on an encrypted flash drive. In the event of a fire, flood, terrorist attack or other disaster that keeps workers away from the computers inside the facility, they could quickly set up a fully functional replica of their work environment on any computer, including access to all their data and applications. Two-factor authentication built into the device would let them authenticate to the network from wherever they are.
The same approach would help in a flu pandemic that keeps workers at home. And even absent a catastrophe, an easy, secure way to carry a complete set of work data and applications answers the growing demand for telecommuting, driven by rising energy costs and employees' desire for flexibility.
By following these best practices, which address encrypting data on mobile devices, controlling the access the devices have to enterprise networks, and centrally managing the devices, organizations can protect themselves from the risk of data loss and leakage, enable new levels of flexibility and mobility, and ensure the continuity and survivability of enterprise operations.
* Source: Survey Data Provided by Ponemon Institute Report: Data Security Policies Are Not Enforced, 2007
IronKey, Inc., founded in 2005, is the global leader in providing secure managed portable storage, authentication, and trusted virtual computing. Its best-of-breed product portfolio meets the highest security, performance, and privacy standards of the most demanding Fortune 500, enterprise, government, and military customers.