Five steps to a secure mobile workspace
Mobile working environments can be highly productive and cost effective. They come in various forms, with employees working from home, on the road, or at office locations specifically designed for hot-desking flexible workers.
But while they can save on commute times and office space, they carry a potential downside: IT security challenges can escalate when employees aren’t tied to a single, highly-managed location.
A survey by US secure USB data storage vendor Ironkey found that 73% of IT decision makers worldwide were confident that data accessed by employees would be free from theft. That dropped to 55% for employees working at home, and just 47% for workers on the road, indicating some of the fears around
How can organizations protect their data as they innovate with mobile working environments? Here are five key success factors, gleaned from conversations with industry experts.
1. separate the mobile workspace from the corporate network
Mobile workspaces are amorphous and designed to be flexible. Workers often come and go, sitting at different desks, perhaps even in different office locations, from day to day. Their devices will be used at home and in office spaces, and may not even be owned by the organization. These shifting, multi-faceted workspaces should therefore be treated as demilitarized zones, says Andrew Mason, co-founder and technical director of security and compliance company RandomStorm.
“Class the mobile workspace as an external connection and treat it as such, by firewalling it from the main network, connecting inbound traffic via a VPN (using SSL, or IPSec) and using strong authentication,” he says.
Separating the network in this way helps to protect the main network, with its sensitive resources, while maximizing the flexibility that defines the mobile workplace.
2. define roles and responsibilities
Part of this separation also involves outlining acceptable risk levels and defining access privileges accordingly. There are many factors to consider. The role of the mobile worker in the company is important, along with what they are accessing, and where they are accessing it from. A sales manager may need to access more sensitive resources than an account executive, for example. But those resources might still be prohibited for the sales manager when accessing from a public Wi-Fi hotspot, versus a company-owned hot-desking facility.
“You have risk based on the data you’re accessing,” says David Chismon, a security consultant at cybersecurity and compliance specialist MWR Security. Chismon was the lead author for the UK Centre for the Protection of National Infrastructure’s mobile device guidelines.
“There’s a flip side to that, which is that if you know they’re going to be in a hostile area but still need access, you could provide a non-sensitive view of that data, so it doesn’t matter so much if it’s compromised,” Chismon continues.
3. divide personal and corporate resources
The bring-your-own-device (BYOD) phenomenon poses its own challenges for the secure mobile workspace. Gartner believes that half of all companies globally will ask workers to provide devices for use in the workplace by 2017. Not only could corporate data be at risk if the device is lost or stolen, but there is also the danger of employees simply leaving the company and taking the data with them on their device.
“Sometimes the employee will leave with the phone, along with all the contacts, emails, and documents that he received on the phone,” says Ilia Kolochenko, CEO of Swiss cybersecurity services company High-Tech Bridge.
Mobile data management is one potential solution. IT departments may choose to install agents on users’ devices that can be used to encrypt and potentially wipe sensitive data from devices. Containerization is an associated technology that can ‘sandbox’ corporate apps and data within a separate area of memory, logically preventing malware or other intrusive elements from snooping.
Virtual desktop technology can also be a solution. It allows enterprises to create and destroy desktop sessions every time the user connects from their mobile device, leaving no residual data on the client.
4. define policy and get staff on board
For all of this to work effectively, enterprises need to update their policies and involve the legal department, says Jamal Elmellas, technical director of Auriga, a data, ICT and security consultancy. “Consider your existing policy stack and try to tie those policies into the BYOD project,” he says. “For example, data retention and deletion should be considered as part of data loss prevention [DLP].”
MWR’s Chismon describes the ‘baby photo problem’. If a member of staff agrees to allow their device to be wiped if lost, do they also realize that their baby photos might be erased as well? These things must be well defined in policy, so that both employer and employee know where they stand, and what they’re agreeing to.
5. embrace device diversity
IT departments negotiating mobile workspaces must try to manage devices as effectively as possible. Understanding the capabilities and limitations of the various client platforms will help them to clarify how robust the security options are. Even different versions of the same platform are important here. Different devices could be granted different privileges based on their security capabilities.
Security in mobile workspaces is achievable, but it requires a healthy mix of technology, policy, and buy-in from employees if it is to work effectively. With some sensible guidance, organizations should be able to navigate their way through a tricky process, and reap the benefits.
Find out more about new workspaces from Orange Business Services