It's easy to say that we must take a more holistic approach to enterprise mobility and security, but what does that really mean? How would we best explain it to a user or customer?
Follow the data
You've heard the adage, "Follow the money." But we're trying to mitigate the risk of data loss, so let's change that to "Follow the data."
There are seven steps along the path from device to data center. Let's examine the challenges at each step.
The first thing we need to know is if you are really you. Username and password are simply inadequate today. Many IT managers add multi-factor authentication (MFA), which may be a small device or app that generates a unique number every time you press a button. You then add that to your password, combining something you know with something you have, to gain access. Thieves can certainly learn your password and steal your token, so various biometric approaches, such as fingerprints or facial recognition, have been incorporated.
It's important to note that targeted phishing attacks may trick employees into giving up their credentials to a malicious third party, so you need to pursue a two-pronged approach here: educating users to recognize and rebuff phishing attempts, and setting up measures that will notice unauthorized login attempts.
Next the mobile device you're using needs to demonstrate to the network that it is what it says it is, and that it is configured to access the network securely and safely. Network Access Control interrogates the device to assure that it is approved.
Software applications usually come in the form of executable files, which are also a prime target of most malware. It is crucial to prove that the app is genuine, and that it is free from viruses, Trojans, worms, or other nasties. Like users, apps often have specific rights to use specific corporate resources, so those will have to be confirmed, as well.
The fact that the data comes right in the middle of our list of seven steps is no accident, because the data is definitely the crux of the matter. The popular perception is that data must be encrypted while in transit across the network between the mobile device and the servers in the data center, and that's correct. But data is every bit as vulnerable at rest in storage as it is in transit. Very often, it is a server that is compromised, not a data stream, and data is stolen or corrupted. The simplest and most effective solution is to always encrypt data, whether in transit or at rest. By carefully protecting your encryption keys, you assure that any thief attempting to steal your data will only get gibberish.
Once the user and their mobile device are authenticated and authorized, data can begin to flow. While it can be intercepted along the way, keeping the data encrypted and the keys protected will assure that interceptors don't get anything valuable. On that subject, don't forget to monitor data egress, even from authorized users and systems. Intrusions are often undetected for long periods of time because this crucial step is overlooked.
Data resident in servers and storage must be encrypted. Develop solid discipline around regular near-line and offsite backups, too, even though those jobs (backup and encryption) may cause a bit of a performance lag. Be sure to test well and set expectations, and adjust the schedule to avoid peak usage times, so as to minimize the impact.
With all of the authentication, encryption, intrusion prevention, firewalls, and other systems we can implement to protect networks and data, an unlocked door to a data center can be our undoing. Physical security is every bit as important as everything else we do.
Look into surveillance cameras with remote viewing capabilities, physical asset management policies, and physical access policies -- and make sure your service providers do, too. If you are in a leased facility, the vendor should be able to provide you with a service guide that covers the physical security practices. Most will have a third party attest that the standards are being met via routine audits.
The tools required to accomplish every one of these seven steps are available in Microsoft Enterprise Mobility and Security (EMS), Windows Intune, Windows Information Protection (WIP) and related software.
Learn more about how Microsoft EMS addresses these seven critical steps.