Summary:

In our increasingly BYOD world, employees expect open, mobile access to their work and apps. Meanwhile, IT still needs to keep sensitive business data secure. What's a stressed-out CIO to do? Find a BYOD-friendly cloud vendor, says Symantec's Anthony Kennada.

IBM’s aggressive stance against the use of unsanctioned applications grabbed headlines a few months ago, but the trend toward “Bring Your Own Device” (BYOD) has put pressure on IT in all businesses, large and small. As a manager of cloud products at Symantec, I frequently work with chief information security officers (CISOs) who are sweating over whether to allow the use of these services and accept the very real risks of data leakage and sprawl, or follow IBM’s lead and prepare for battle against that stubborn executive hell-bent on accessing his data in the cloud.

Both scenarios are enough to give any CISO heartburn, but neither option is the right answer. IT needs to provide a sanctioned alternative that allows employees to be überproductive while still maintaining security and control. For IBM, this came in the form of MyMobileHub, a homegrown solution that hosts all data onsite. That’s great for IBM, but the rest of us would be better served by partnering with a trusted cloud vendor. Here are some critical criteria that will help you differentiate between BYOD-friendly and BYOD-averse vendors.

1. If my data is stored in the cloud, who has access?

The inherent benefits of data storage in the cloud are obvious: virtually limitless storage, no required maintenance or upgrades, and little to no administration overhead. But how can businesses trust that their data is safe when it’s stored in third-party data centers? A universal set of requirements seems to have standardized around encryption, backup, audit logging and check-the-box certifications. However, IT should press vendors to explain how data is protected at every layer of the security stack. Will data or credentials be cached or stored in the clear to optimize product performance? Will the vendor generate and hold the encryption keys, so that anyone with access to those keys (vendor staff included) has full access to that sensitive data? Are the right controls in place to block unauthorized access by employees at the vendor site? Visibility into data access practices is what will differentiate vendors once AES-256 encryption at rest and TLS with 256-bit cipher suites (still marketed as “256-bit SSL”) in transit become the norm.

2. How do existing security controls, such as data loss prevention (DLP) and eDiscovery, apply to my data in the cloud?

Productivity apps should not be exempt from any of the security or compliance policies that keep your business data protected. This means that interoperability is key. Are the audit logs associated with the service exportable in a format that can plug into a downstream log management tool? How does the vendor’s platform support eDiscovery mechanisms, including search and legal holds? Can your existing DLP policies be mapped onto the actions your users take within the productivity app (upload, share, download), so that a policy violation is blocked there just as it would be on email or the endpoint? When looking for a vendor, try to find services that complement your current security posture rather than introduce new complexities.

3. How can I differentiate between business data and my employees’ personal data?

One of the major concerns with BYOD is identifying which data belongs to the user and which belongs to the business. The legal headaches that accompany an accidental wipe of personal data are enough to scare IT away from BYOD altogether. How do the vendors you’re evaluating approach this dilemma: can business data be separated, protected and wiped on its own, leaving the employee’s personal data untouched?

Although the risks aren’t trivial, a future where BYOD is fully embraced within your business may be near. The good news for IT is that vendors are aware of the challenges and are developing innovative technologies to help facilitate a more confident transition. 2011 was the year of mobile device management (MDM), and 2012 will focus on extending a new level of protection to the actual applications and data on all devices, whether personal or corporate-issued. Partnering with a trusted vendor will enable IT to focus on solving the issues that matter, rather than funding and allocating resources to an internal “Siri-for-business” initiative.

Anthony Kennada is Symantec’s senior manager of emerging cloud products. Prior to joining Symantec, Kennada worked at LiveOffice (now part of Symantec) and Box.net.

Image courtesy of Flickr user FutUndBeidl.

  1. Hello and thanks for this nice article!

    When you say “The legal headaches that accompany an accidental wipe of personal data is enough to scare IT away from BYOD altogether” it sounds ok, although (apart from an actual accident) there’s no reason a company would delete personal data from an employee’s device unless the latter is lost. And even in this case I bet everybody would be glad someone deleted the wedding pictures, etc.

    So I agree CISOs are scared (to death) when it comes to BYOD, but I personally think it’s more because of a cultural shift than anything else (not as much sense of belonging as before).

    What do you think?

    Rémi
    @orangebusiness

    1. Anthony Kennada Monday, August 6, 2012

      Thanks, Remi. I think the idea is that what CISOs actually care about is not the device itself, but the corporate information that lives on that device. When personal data is compromised, whether via remote wipe on a lost device or an employee leaving the company, the organization is held liable.

      I certainly think culture has a lot to do with it; however, we’re seeing new technologies come to market that are helping make the transition less of a pipe dream. We should be seeing a radical shift in culture in the coming months!

  2. Timothy Weaver Tuesday, August 7, 2012

    I wonder whether the real cultural shift we’ll see will ultimately be a greater acceptance of lower data security by enterprises, similar to the change we’ve seen in the public’s general willingness to give up privacy around their online behavior. It seems to be typical that security vendors want to tell corporations you can (or eventually can) “have it all”: freedom of personal devices, tight data security, easy discovery mechanisms, etc.

    What is interesting is that we haven’t really seen any big problem crop up yet for organizations that have gone all-in on the cloud and BYO. There must be some companies out there who have done it, so maybe the reward vs risk is significant enough that these issues can be accepted. I’m not suggesting there isn’t eventually going to be a security breach, but there have been a lot more breaches in private “secure” networks than public ones.
