Tuesday January 06, 2009

Securing Corporate Data in the Age of Increased Mobility

Consumer electronics and applications are proliferating in corporate IT environments, significantly increasing the threat of lost and stolen data.  Employees come to the office with their own USB flash drives, phones, PDAs and other mobile devices in their pockets.  Encouraged by device marketers, users fully expect to be able to connect to the corporate network for unimpeded checking of email and downloading and uploading of files. An enterprise that has not updated its IT security policies and enforcement tools to manage the use of these devices risks being out of compliance with privacy laws and allowing data leaks.  Those who are proactively managing this “Consumerization of IT” trend are implementing security strategies that are channel-specific and multi-layered.

The two data leakage channels that pose the greatest threat to IT security are also the activities most convenient and popular among users: connecting removable storage devices to local PC USB ports and synchronizing docked mobile devices with PCs.  Windows permits both out of the box and, by default, audits neither.

A viable data leakage prevention strategy to combat IT consumerization should, at a minimum, protect these channels.  It should also take into account that every instance of data leakage through a personal device is a two-step process:

  • Uncontrolled data transfer from a corporate server/host-based resource to the device;
  • Further unauthorized transfer of data from the device to the outside.

To mitigate this two-step leakage process, it is best to have two layers of defense: centralized control software that manages activity at local peripheral ports, and encryption built into the devices themselves.  The first layer prevents the use of unauthorized devices; the second ensures that data which has been ‘legally’ downloaded cannot be read by anyone but the authorized device owner, for instance when the device is lost or stolen.

Stemming Leaks via Removable Devices

Who isn’t carrying a USB thumb drive today?  They are cheap, lightweight, tiny and can store a lot of data.  Memory manufacturers are signaling that we have not seen functionality peak for these devices; there are developers designing applications for USB flash memory sticks that will enable them to evolve into the portable “desktops” of tomorrow.  To have any chance of staying ahead of this trend, policy guidelines and enforcement tools for removable storage devices are needed immediately. 

Fortunately, a dual-layer defense for Windows environments is straightforward to implement today.  It starts with endpoint device/port control software that lets administrators set permissions precisely for removable devices: per device port, device class, device type, device model, and even per unique device ID.  Those permissions can be granted or denied per user group and per user, and restricted to particular days of the week and hours.  Auditing, and optionally shadowing (retaining a copy of every file transferred), of all allowed activity through local devices and ports is a standard feature of the leading products.  One caveat when relying on unique-ID rules: they are only as reliable as the serial number the device reports, and many inexpensive drives report none, in which case Windows synthesizes an instance ID that changes with the port the drive is plugged into.  Class- and model-level rules should back them up.

With such software in place, security administrators can enforce a best-practice policy under which only hardware-encrypted thumb drives of an approved model can be connected to endpoint PCs on the corporate network.  To simplify this complete data security approach, some device/port access control vendors are partnering with makers of hardware-encrypted flash drives to provide bundled solutions that address both layers of defense.
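The following Python example is added here to illustrate the permission model described above; it is not code from the original article or from any vendor's product.  Rules match on port, device class, model or unique ID, scoped to a user or group and an optional day/hour window, and every decision is written to an audit line.  The precedence scheme (the most specific matching rule wins, deny wins a tie, no match means deny) and all user, group, model and serial-number values are assumptions made for the example.

```python
"""Endpoint device/port control: rule evaluation with precedence and audit.

Added illustration of the permission model in the article; the precedence
scheme and all names, device models and serial numbers are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DeviceEvent:
    """One attempt to connect a device, as the endpoint agent would see it."""
    port: str             # interface the device arrived on, e.g. "USB", "Bluetooth"
    dev_class: str        # e.g. "RemovableStorage", "MobileDevice"
    model: str            # vendor/product string reported by the device
    unique_id: str        # serial number reported by the device
    user: str
    groups: FrozenSet[str]
    when: datetime


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    port: Optional[str] = None             # None on any device field means "any"
    dev_class: Optional[str] = None
    model: Optional[str] = None
    unique_id: Optional[str] = None
    principal: Optional[str] = None        # user name, "group:<name>", or None for everyone
    days: Optional[FrozenSet[int]] = None  # weekday numbers, Monday = 0
    hours: Optional[range] = None          # e.g. range(8, 18) for 08:00-17:59
    shadow: bool = False                   # keep a copy of transferred data for audit

    def matches(self, ev: DeviceEvent) -> bool:
        for attr in ("port", "dev_class", "model", "unique_id"):
            want = getattr(self, attr)
            if want is not None and want != getattr(ev, attr):
                return False
        if self.principal is not None:
            if self.principal.startswith("group:"):
                if self.principal[len("group:"):] not in ev.groups:
                    return False
            elif self.principal != ev.user:
                return False
        if self.days is not None and ev.when.weekday() not in self.days:
            return False
        if self.hours is not None and ev.when.hour not in self.hours:
            return False
        return True

    def specificity(self) -> int:
        """Unique ID beats model beats class beats port; a named user beats a group."""
        score = 0
        if self.unique_id is not None:
            score += 8
        if self.model is not None:
            score += 4
        if self.dev_class is not None:
            score += 2
        if self.port is not None:
            score += 1
        if self.principal is not None:
            score += 1 if self.principal.startswith("group:") else 2
        return score


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    shadow: bool


def evaluate(rules: List[Rule], ev: DeviceEvent, audit: List[str]) -> Decision:
    """Pick the most specific matching rule (deny wins a tie); no match means deny."""
    matching = [r for r in rules if r.matches(ev)]
    if not matching:
        decision = Decision(False, "no matching rule, default deny", False)
    else:
        best = max(matching, key=lambda r: (r.specificity(), r.action == "deny"))
        allowed = best.action == "allow"
        decision = Decision(allowed, f"rule#{rules.index(best)} {best.action}",
                            shadow=allowed and best.shadow)
    audit.append(
        f"{ev.when.isoformat()} user={ev.user} port={ev.port} class={ev.dev_class} "
        f"model={ev.model!r} id={ev.unique_id} -> "
        f"{'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})"
        + (" shadow=on" if decision.shadow else "")
    )
    return decision


def sample_policy() -> List[Rule]:
    """Hypothetical policy: removable storage denied by default; one approved
    hardware-encrypted model allowed for the finance group on weekdays during
    office hours, with shadowing; one drive reported lost is blocked for everyone."""
    return [
        Rule("deny", dev_class="RemovableStorage"),
        Rule("allow", port="USB", dev_class="RemovableStorage",
             model="ACME SecureDrive 4G", principal="group:finance",
             days=frozenset(range(5)), hours=range(8, 18), shadow=True),
        Rule("deny", dev_class="RemovableStorage", unique_id="SN-00042-LOST"),
    ]


def demo() -> List[Decision]:
    """Run five constructed connection attempts against the sample policy."""
    rules, audit = sample_policy(), []
    finance = frozenset({"finance", "staff"})
    eng = frozenset({"engineering", "staff"})
    tue_10 = datetime(2009, 1, 6, 10, 0)   # a weekday inside office hours
    sun_10 = datetime(2009, 1, 11, 10, 0)  # outside the allowed days
    events = [
        DeviceEvent("USB", "RemovableStorage", "ACME SecureDrive 4G", "SN-00017", "alice", finance, tue_10),
        DeviceEvent("USB", "RemovableStorage", "ACME SecureDrive 4G", "SN-00017", "alice", finance, sun_10),
        DeviceEvent("USB", "RemovableStorage", "ACME SecureDrive 4G", "SN-00042-LOST", "alice", finance, tue_10),
        DeviceEvent("USB", "RemovableStorage", "Generic Flash Disk", "SN-99", "bob", eng, tue_10),
        DeviceEvent("Bluetooth", "MobileDevice", "Smartphone", "IMEI-1", "bob", eng, tue_10),
    ]
    decisions = [evaluate(rules, ev, audit) for ev in events]
    for line in audit:
        print(line)
    return decisions


if __name__ == "__main__":
    demo()
```

Only the first attempt is allowed (and shadowed); the same drive on a Sunday falls back to the class-level deny, the lost drive is caught by the more specific unique-ID rule even though the model rule would have allowed it, and a device class with no rule at all is denied rather than waved through.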

Gone with the Sync

There are no equally straightforward solutions to securely addressing local sync communications today.  In effect, every click on a “Sync” button means that highly-valued corporate data may be transferred to a personal mobile device without any way of controlling or tracing the action.

Some administrators believe they are protected by network-based data leak prevention (DLP) products based on file-type detection or content filtering.  Products in this category require extensive configuration; they parse the protocols of the most popular network applications and intercept file system calls from some office applications.  Local synchronization between a mobile device and a PC, however, does not use a network application protocol and may never touch a monitored application.  It may also run over wireless links (Bluetooth, infrared) or “legacy” ports (serial, parallel) that current DLP content filtering technologies handle poorly or not at all.

Today, the only effective method of eliminating data leakage—or even monitoring it—through local sync is to completely block or at least manage mobile device connections to the PC at the interface or port level with endpoint device/port control software.

Ideally, a local sync DLP architecture should be built as a stack of integrated, or at least complementary, security mechanisms that include bottom-up endpoint device/port control, local sync application parsing and object filtering, file type filtering and content-based filtering technologies.

In this architecture, each layer controls the parameters of the local connection it is designed for: it blocks or filters the elements it prohibits, detects and marks the types of objects that a higher or complementary layer must handle, and then passes the classified data flow on to that component for further processing.

For instance, the endpoint device/port control component is responsible for detecting and controlling the presence of a locally connected mobile device, the type of connection interface or port (e.g. USB, Bluetooth, IrDA, COM), the device type (e.g. Windows Mobile, Palm, Symbian), and ideally the device model and its unique ID.

The output is then passed to the local sync parsing component, which parses the sync traffic, identifies its objects (files, pictures, calendar entries, emails, tasks, notes and so on), filters out those that are prohibited, and passes the allowed files up to the file type filter.

The file type filtering component checks the incoming flow, identifies and excludes any prohibited file types (ideally by inspecting the content rather than trusting the file extension), and delivers the remainder to the content-based filtering component, which inspects the human-readable data and blocks any portion that does not comply with corporate security policy.
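The four-layer stack described above, as an added Python example that is not code from the original article or any product: each layer blocks what it is responsible for and hands the remainder upward, and anything no layer recognises is blocked rather than passed through.  The sync record format (a list of object kind, name and payload), the allowed ports and device types, the object and file-type policies, the content patterns and all sample payloads are constructed for this example.

```python
"""Layered local-sync DLP pipeline: device/port control, sync object parsing,
file type filter, content filter. Added illustration; the sync record format,
policy constants and sample payloads are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Layer 1: which interfaces and device types may sync at all (hypothetical values)
ALLOWED_PORTS = {"USB"}
ALLOWED_DEVICE_TYPES = {"WindowsMobile"}

# Layer 2: sync object kinds that never leave the PC, and kinds allowed as-is
PROHIBITED_OBJECTS = {"email", "note", "picture"}
PASS_THROUGH_OBJECTS = {"contact", "calendar", "task"}

# Layer 3: file types decided from leading bytes, not from the file name
MAGIC = [(b"MZ", "executable"), (b"PK\x03\x04", "zip-archive"), (b"%PDF", "pdf")]
PROHIBITED_FILE_TYPES = {"executable", "zip-archive"}

# Layer 4: content rules applied to whatever survived the layers below
CONTENT_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("classification marker", re.compile(r"\bCONFIDENTIAL\b")),
]


@dataclass
class SyncSession:
    port: str
    device_type: str
    objects: List[Tuple[str, str, bytes]]  # (object kind, name, payload)


@dataclass
class Verdict:
    allowed: List[Tuple[str, bytes]] = field(default_factory=list)
    blocked: List[Tuple[str, str, str]] = field(default_factory=list)  # (layer, name, reason)


def identify_file_type(payload: bytes) -> str:
    """Classify by magic bytes so a renamed .exe is still seen as an executable."""
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return "text"


def content_violation(payload: bytes) -> Optional[str]:
    """Return the label of the first content rule the payload matches, if any."""
    text = payload.decode("utf-8", errors="replace")
    for label, pattern in CONTENT_RULES:
        if pattern.search(text):
            return label
    return None


def run_pipeline(session: SyncSession) -> Verdict:
    v = Verdict()
    # Layer 1: an unapproved port or device type stops the whole session.
    if session.port not in ALLOWED_PORTS or session.device_type not in ALLOWED_DEVICE_TYPES:
        v.blocked.append(("device-control", "*",
                          f"{session.device_type} over {session.port} is not permitted"))
        return v
    for kind, name, payload in session.objects:
        # Layer 2: object-level decisions made by the sync parser.
        if kind in PROHIBITED_OBJECTS:
            v.blocked.append(("sync-parser", name, f"{kind} objects may not sync"))
            continue
        if kind in PASS_THROUGH_OBJECTS:
            v.allowed.append((name, payload))
            continue
        if kind != "file":
            v.blocked.append(("sync-parser", name, f"unknown object kind {kind!r}"))
            continue
        # Layer 3: file type filter on the files the parser handed up.
        ftype = identify_file_type(payload)
        if ftype in PROHIBITED_FILE_TYPES:
            v.blocked.append(("file-type", name, f"{ftype} detected from magic bytes"))
            continue
        # Layer 4: content filter on what remains.
        hit = content_violation(payload)
        if hit is not None:
            v.blocked.append(("content", name, f"matched {hit} rule"))
            continue
        v.allowed.append((name, payload))
    return v


def demo_usb() -> Verdict:
    """Constructed sync from an approved device: mixed objects, one renamed executable."""
    return run_pipeline(SyncSession("USB", "WindowsMobile", [
        ("calendar", "Q1 meetings", b"BEGIN:VCALENDAR ... END:VCALENDAR"),
        ("email", "inbox sync", b"From: ceo@example.com ..."),
        ("file", "notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),  # a PE file renamed to .txt
        ("file", "report.txt", b"Quarterly figures look fine."),
        ("file", "customers.txt", b"J. Doe, SSN 123-45-6789, account 7"),
        ("file", "backup.zip", b"PK\x03\x04\x14\x00"),
    ]))


def demo_bluetooth() -> Verdict:
    """A sync attempt over Bluetooth is stopped at layer 1 before any object is parsed."""
    return run_pipeline(SyncSession("Bluetooth", "WindowsMobile",
                                    [("file", "report.txt", b"Quarterly figures look fine.")]))


if __name__ == "__main__":
    for verdict in (demo_usb(), demo_bluetooth()):
        print("allowed:", [n for n, _ in verdict.allowed])
        print("blocked:", verdict.blocked)
```

The renamed executable is caught at the file type layer because classification uses the leading bytes rather than the extension, and the customer list passes the file type layer but is stopped by the content rule; over Bluetooth nothing is parsed at all.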

Conclusion

IT security staff must reckon with the challenge of uncontrolled transfers of sensitive corporate information to inherently less secure personal devices.  The security architecture they devise should be easy to manage centrally, flexible enough to accommodate unforeseen exceptions, and economical to implement.  The ultimate goal is to support co-workers’ productivity on the road while reducing the information security risk posed by new personal technology.

David Matthiesen is Director of Sales – Americas at DeviceLock, Inc. located in San Ramon, CA.
