How to Move Mobile Data Without Leaking
Adding further complication, users readily share or copy this same information into their mobile and cloud queues, or personal email accounts, in ways that make theft easier. Breaking down weak, patchy and missing mobile data defenses is far easier than penetrating corporate firewalls.
“Mobile users don’t respect traditional boundaries. The information itself must be protected.”
“Typical security defenses fail in mobile settings because they protect boundaries rather than information,” said John Girard, vice president and distinguished analyst at Gartner. “Mobile users don’t respect traditional boundaries. The information itself must be protected.”
The need to manage information security at the data level has become critical now that mobile devices, cloud services and bring your own (BYO) have made it impossible to guarantee security on computing devices. Users expect to copy and sync their files through multiple storage queues that can’t be monitored or controlled by the company.
Eliminate Four Mobile Data Protection Flaws
Gartner recommends eliminating the following common flaws inherent in mobile data protection strategies and to take an information-centric view.
Flaw 1: We know the difference between public and private
Assumptions are often made that information is public unless declared private and that private information is handled with care. Unfortunately, protection is not automatic when data is created, modified or shared.
The information-centric view is “assume that information is for company use only unless otherwise declared.” This is complementary to conventional boundary defences, actionable and can be scaled by use of apps that can evaluate access controls embedded in the data.
Flaw 2: We use disk encryption and VPN —that’s enough
Don’t assume that basic data at rest encryption (file, folder, drive) and data in motion encryption (VPN) are the best efforts to protect information on mobile devices. Conventional security boundaries no longer exist in the mobile world. Encryption cannot be guaranteed by platforms, operating systems or apps.
Taking an information-centric view assumes that information is at risk unless restricted. It will account for the possibility of poorly defended devices and networks, targeted attacks at offices, conferences, etc. Data should be continuously encrypted at rest and in motion.
Flaw 3: We’ve never experienced mobile data leakage
Don’t assume that your information is not important enough to make you a target for a data breach or the chances of a leak are too small to bother. In reality, every company has valuable information about customers, suppliers, investors, bank accounts and more.
The information-centric view assumes an incident can happen to any company and any person. Protecting all information by default is better practice than assuming that data in the clear within the defense perimeter would not be accessed. This protects not only your own company, but also your supply chain, investors, contractors and others for whom you retain information.
Flaw 4: We can talk our way out of this data breach
Don’t assume your investors, customers and supply chain will accept excuses after a breach. No one who’s been the victim of information theft feels empathy for the company that lost their information. While cyber insurance is a valid business investment to cover loses after breaches, claims will become harder to collect and prices will go up.
Information-centric data protection is your safety net when other defenses fail to stop leaks.
Information-centric data protection is your safety net when other defenses fail to stop leaks. It also gives mobile users far more flexibility to work safely with and to share protected information.
Security leaders must remember that the ultimate goal of attacks is to obtain information. Organizations have ethical, moral and legal imperatives to protect the information entrusted to them.
Gartner clients can read more in the report Data Can Move Without Leaking — Eliminate Four Flaws in Your Mobile Information Protection Strategy.
Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2016 taking place in Sydney, Mumbai, Dubai and London. Follow news and updates from the events on Twitter at #GartnerSEC.