IBM's aggressive stance against the use of unsanctioned applications grabbed headlines a few months ago, but the trend toward "Bring Your Own Device" (BYOD) has put pressure on IT in all businesses, large and small. As a manager of cloud products at Symantec, I frequently work with chief information security officers (CISOs) who are sweating over whether to allow the use of these services and accept the very real risks of data leakage and sprawl, or to follow IBM's lead and prepare for battle against that stubborn executive hell-bent on accessing his data in the cloud.
Both scenarios are enough to give any CISO heartburn, but neither option is the right answer. IT needs to provide a sanctioned alternative that lets employees be überproductive while IT retains security and control. For IBM, this came in the form of MyMobileHub, a homegrown solution that hosts all data onsite. That's great for IBM, but the rest of us would be better served by partnering with a trusted cloud vendor. Here are some critical criteria that will help you differentiate between BYOD-friendly and BYOD-averse vendors.
1. If my data is stored in the cloud, who has access?
The inherent benefits of storing data in the cloud are obvious: virtually limitless storage, no maintenance or upgrades to perform, and little to no administrative overhead. But how can businesses trust that their data is safe when it sits in third-party data centers? A universal set of requirements seems to have standardized around encryption, backup, audit logging and check-the-box certifications. Those are table stakes, and IT should press vendors to explain how data is protected at every layer of the stack. Will data or credentials be cached or stored in the clear to optimize product performance? Will the vendor generate and hold the encryption keys, which means the vendor (and anyone who compromises the vendor) can read that sensitive data regardless of how strong the cipher is? Are controls in place to detect and block unauthorized access by the vendor's own employees? Visibility into data access practices is what will differentiate vendors once AES-256 encryption at rest and 256-bit SSL/TLS encryption in transit become the norm.
2. How do existing security controls, such as data loss prevention (DLP) and eDiscovery, apply to my data in the cloud?
Productivity apps should not be exempt from the security and compliance policies that protect the rest of your business data, so interoperability is key. Are the audit logs associated with the service exportable in a format that can be fed into a downstream log management tool? How does the vendor's platform support eDiscovery, including search and legal holds? Can your existing DLP policies be mapped onto the actions your users take within the productivity app, such as sharing or downloading a file? When evaluating vendors, look for services that complement your current security posture rather than introduce new complexities.
3. How can I differentiate between business data and my employees’ personal data?
One of the major concerns with BYOD is identifying which data belongs to the user and which belongs to the business. The legal headaches that accompany an accidental wipe of personal data are enough to scare IT away from BYOD altogether. How do the vendors you're evaluating approach this dilemma, and can business data be removed from a device without touching the employee's personal content?
Although the risks aren't trivial, a future where BYOD is fully embraced within your business may be near. The good news for IT is that vendors are aware of the challenges and are developing technologies to help make the transition with confidence. 2011 was the year of mobile device management (MDM), and 2012 will focus on extending protection to the applications and data themselves on every device, whether personal or corporate-issued. Partnering with a trusted vendor lets IT focus on the issues that matter, rather than funding and staffing an internal "Siri-for-business" initiative.
Anthony Kennada is Symantec’s senior manager of emerging cloud products. Prior to joining Symantec, Kennada worked at LiveOffice (now part of Symantec) and Box.net.