Tuesday, August 21, 2012

Mobile document and data security: avoiding the Big Work-Around

A week or two back, the Ponemon Institute released some survey data about just how frequently employees in large enterprises are using external, cloud-based services to store and send critical data.

The answer?  Quite a lot.

Penny Crossman of American Banker termed the usage of these services a “huge security hole” in her article on the survey (with the slightly unsettling headline: “Are your bank’s secrets floating in the cloud?”).

After BYOD comes…BYOA

Some folks are calling this the “BYOA” era.  You see, first there was BYOD – Bring Your Own Device.  The logical follow-on is that employees then start using those personal mobile devices to access non-approved -- or at least non-managed -- applications (that’s the “A” in BYOA).  These could be services like Dropbox, Evernote, and Yousendit!, which they’ve downloaded onto their device or can access in the cloud.

In describing this BYOA trend in a Forbes article, Matt McIlwain of Madrona Venture Group saw this as a great way for small start-ups – the ones selling these applications – to get a foothold in the enterprise by finding a balance between being “alluring to individual users and small teams” while making themselves “palatable to IT departments.”

While McIlwain thinks these innovative apps that are capturing the attention of users will usher in an era of greater transparency for IT, folks responding to the Ponemon survey I mentioned earlier see it as a big problem.

"These file sharing and file transfer technologies are very convenient," says Larry Ponemon, chairman of the research group. "The take-up rate of these technologies in the workplace is enormous.”

However, Ponemon cautions, “a lot of company confidential information exists in documents — PowerPoints, Word documents, email and such. If you're a cybercriminal, that's where you're going to find the company's crown jewels."

Nobody makes sure employee work-arounds are secure

Some companies are practically forcing their employees to use such services because they don't provide remote access to documents that their staff needs when they're traveling or working from home or a remote office.  Faced with a brick wall, employees who just want to get their work done will find a work-around.  Those work-arounds often become a big part of their day-to-day processes.

With sensitive corporate data involved, what seems like an insignificant compromise becomes the Big Work-Around -- a serious deal.  By definition, nobody’s in charge of making sure those Big Work-Arounds are secure.
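One defensive counterpart to the Big Work-Around, added here and not part of the original post or of Framehawk's product: a small Python check that scans web-proxy logs for large POST/PUT transfers to the consumer file-sharing services the post names. The log format, the domain list, the size threshold and the sample lines are all constructed assumptions for this example.

```python
"""Flag large uploads to consumer file-sharing services in web-proxy logs.
Added example (not from the post or from Framehawk); log format, sample lines
and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: "<ts> <user> <method> <url> <status> <bytes_sent>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")
# Services the post names; real blocklists are larger and change over time.
WATCHED_DOMAINS = {"dropbox.com", "evernote.com", "yousendit.com"}
UPLOAD_BYTES = 1_000_000  # flag outbound transfers of roughly 1 MB or more

def watched_domain(host):
    """Return the watched apex domain if host is it or a subdomain, else None."""
    host = host.lower()
    for d in WATCHED_DOMAINS:
        if host == d or host.endswith("." + d):  # exact or subdomain match only
            return d
    return None

def find_uploads(lines):
    """Return {user: {domain: bytes}} for large POST/PUT requests to watched services."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        _ts, user, method, url, _status, sent = m.groups()
        d = watched_domain(urlsplit(url).hostname or "")
        if d and method in ("POST", "PUT") and int(sent) >= UPLOAD_BYTES:
            totals[user][d] += int(sent)
    return {u: dict(v) for u, v in totals.items()}

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2012-08-21T09:01:05Z jdoe GET https://www.dropbox.com/home 200 512",
    "2012-08-21T09:01:40Z jdoe POST https://dl-web.dropbox.com/upload 200 4821903",
    "2012-08-21T09:05:12Z asmith PUT https://www.evernote.com/shard/s1/note 201 2100000",
    "2012-08-21T09:06:00Z asmith GET https://news.example.com/ 200 900",
    "2012-08-21T09:07:33Z bwong POST https://notdropbox.com/upload 200 5000000",
    "garbage line",
]

if __name__ == "__main__":
    for user, per_domain in sorted(find_uploads(SAMPLE_LOG).items()):
        print(user, per_domain)
```

Note that the look-alike host `notdropbox.com` is not flagged: matching on the apex domain or a subdomain, rather than on a substring, is what keeps the check from producing that false positive.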

There's a war going on around document and data security, says Ponemon. "You are constantly battling the issue of convenience," he says. "The traditional security model is, we'll just turn it off. What we've seen over the last 20 years or more is a move to empowering the end user through things like cloud computing, virtualization, remote devices and the ability to do your work from remote locations. The issue is, can you create solutions that are convenient and allow the users to do the things they need to do? Security has a voice, but there's a bigger voice called productivity and profitability."

Exactly.  So, how do you strike the balance?

To me, it sounds like the description of a strong potential solution is in the problem statement:  give your employees a way to access documents when they’re using their mobile devices that passes the security sniff-test, but doesn’t require unnatural acts by the employee.

OK, but how?  I’ll give you the Framehawk suggestion for doing this as one potential solution:  don’t have employees pull the documents or data onto their devices at all.  Instead, leave everything behind the firewall, but enable very fast, very secure remote access.  It took a bit of product development investment on our part, but it’s working.

How customers are keeping data off the mobile device

In fact, we’re seeing some of the early customers of Framehawk do exactly this.  With Framehawk, they keep their applications and documents behind their firewall, even if their users are accessing them on a mobile device like an iPad or other tablet.  We create a disposable browser stack in our cloud.  Customers get trusted access to those browsers.  Our mobile-optimized protocol delivers only images from these browsers to the tablet, while handling high-speed, secure communications back and forth between the device and the employee’s documents or applications. Nothing is downloaded onto the edge device.

One Framehawk customer sees this as a great way to keep their field team’s mobile usage of salesforce.com in compliance with their security rules.  Their reps can interact with salesforce.com from their iPads, but none of the names, phone numbers, or other sensitive data from the application (or its reports) finds its way onto those devices.

Of course, one of the big potential stumbling blocks that you’d expect in a scenario like this where everything is remote is performance.  That’s a place where our communication protocol shines (thanks to a strong bit of NASA heritage).  The protocol doesn’t rely on TCP/IP (the wait times to make sure information arrived are just too long) and is optimized for mobile networks and the security requirements of enterprises.  Those design points mean this nothing-on-the-device architecture I described actually becomes feasible.

OK, enough of the infomercial.  The point is this: with BYOD comes a very real temptation to use unsecured apps.  Corporate data is at risk, even in corporate-approved applications like salesforce.com, when tablets are involved.  And IT must somehow deal with this.  And, like the Ponemon survey respondents, we think it’s a real issue.

So real, in fact, that we architected an enterprise-focused solution for it.  Ping us if you want to see a demo or start a more detailed discussion.

This post also appears on the Framehawk blog.