• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Protecting data and enabling the mobile enterprise

Protecting data and enabling the mobile enterprise



Informe en el que HP recomienda a las empresas adopatar una estrategia de seguridad móvil basada en estudios realizados en todas las industrias

Informe en el que HP recomienda a las empresas adopatar una estrategia de seguridad móvil basada en estudios realizados en todas las industrias



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Protecting data and enabling the mobile enterprise Protecting data and enabling the mobile enterprise Document Transcript

    • Inform—an HP Insight series business white paper Protecting data and enabling the mobile enterprise
    • Table of contents 3 Executive summary 4 Introduction 4 Protecting data in the modern enterprise 5 Adopting a bring your own device policy 5 Some industry specifics 8 Mobile assets come with higher risk of data loss 8 How can data be lost or compromised? 8  Mobility changes are often driven or led by technology 9  What can a CIO do now? A 5-step approach 10 What about the future? 12 Conclusions 2
    • Executive summary Your employees, your partners, and your customers want instant access to the information they need—now—no matter where they are, what time it is, or which device they have in their hands. With the pervasiveness of personal mobile technology that’s always on, always accessible, and always connected, the “consumerization of IT” is changing the way we work and live. Supporting this mobility is critical in enabling a distributed work model for a global workforce; individuals want to work this way. Chief Information Officers (CIOs) report an increased user demand for access to work email and other key business applications from consumer technologies, including personal and non-corporate devices. Instead of trying to stem the tide or restrict access, you need to develop a plan to manage the associated risk. To protect the company’s core infrastructure, information, and sensitive data, connectivity must be tightly controlled, data access must be secured, and the security of the device must be assured. HP recommends a holistic approach that expands your current security policies to encompass this growth area. It starts with collaboration between the Chief Information Security Officer (CISO) and the business owners to develop a risk-based plan for mobile security investment and policy decisions. This base of good practices and principles should balance options and may involve trade-offs in terms of the degree of risk acceptable to the organization. The end result is a clear mobile security strategy that aligns with the business and determines how it will engage mobility within its risk profile. Of course, this security strategy will be much more fluid than those of the past. However, with the help of security experts, enterprises can plan now for future changes. For example, HP Labs has been researching systems’ security architectures for the next-generation cloud-based enterprise, and has developed innovative technologies to address these IT environments. Our security specialists also use HP modeling to build shared understanding of complex situations and explore “what if” scenarios that help predict security issues as our context-aware work habits continue to develop. As with any security policy, a mobility plan must be flexible enough to allow high volumes of interaction, but pervasive enough to mitigate risk and assure compliance—which means advanced security tools that cover exchanges both inside and outside of the enterprise. When the technology is evolving fast, sophisticated and evolving protection can be a major IT undertaking—but one that positions the enterprise to achieve better results in a competitive world. 3
    • Introduction Protecting data in the modern enterprise Over the last few decades, technology has significantly altered how the enterprise operates, especially on a personal level. Beginning in the 1970s, a wholesale computerization of the office, including the emergence of desktops and laptops in the ‘80s and ‘90s and, more recently, the proliferation of removable media options, has occurred. We’re now adjusting to the widespread adoption of smartphones and “app stores” within the workplace, alongside the advent of the cloud model, de-perimeterization, and the social media phenomenon. Collectively, these trends focus the modern workplace in one direction—mobility. Many obvious challenges arise when workers self-select their technology devices—whether those devices are owned by the individual or by the enterprise—regarding how mobile users operate, what they use, which management controls are (or can be) put in place, and any regulatory implications that might arise. However, adoption is rapid and somewhat inevitable. Organizations cannot afford to ignore the phenomenon or try to “hold back the tide.” Instead, they must adapt to the change and integrate mobility into the IT policy and processes. The biggest behavioral change in this space is the “consumerization of IT,” the expectation that self-selected technology tools—usually from the consumer market—be used in the work environment. This change is often synonymous with “bring your own device” (BYOD), which can be summed up as a desire for access to information “Anytime Anyplace Anyhow,” using whatever device you want. Supporting mobility is critical in enabling a distributed work model for a global workforce, though tension clearly exists between mobility support and data-loss restriction. According to IDC’s Custom IT Consumer Survey (April 2011), the devices most often combined for both personal and business use (in decreasing order) are laptops, desktops, smartphones, and tablets. That order is rapidly changing, however, and we should expect the usurping of the “most common Internet access device” mantel from the PC (desktop/laptop) which has been king since the 1990s. According to the latest Information Security Forum (ISF) Threat Horizon report, the proportion of smartphones—that is, mobile phones with web browser and email support—is set to increase from around 20 percent today to 80 percent in 2013. Supporting mobility is critical in enabling a distributed work model for a global workforce. In fact, CIOs are likely to be judged on how proactive their stance is and how successful they are in cultivating the benefits of the consumerization model while managing its formidable risks. For most enterprises, this will be an organizational challenge. Tension clearly exists between mobility support and data-loss restriction. However, the dichotomy must be addressed in the face of this persistent trend. This paper aims to give insight into the differences in attitude and approach between customers and industries. It also outlines the range of responses being considered across organizations and identifies ways in which HP can help CIOs in implementing a secure and realistic plan for incorporating mobility into the workplace. 4 CIOs should consider the question: “What types of devices will be on my network in three to five years?” The bottom line is this: employees want to use their own devices— and enterprises want to attract the top talent that reflects their consumer base. Employers want Generation Y employees who represent our consumers. Decisions around mobility are often dominated by consumer trends, especially among senior executives themselves; they are often the first to insist on being allowed to use their iPads or iPhones, even when it causes the CISO’s team headaches due to the additional risks and complications to the infrastructure. Looking forward, CIOs should consider the question: “What types of devices will be on my network in three to five years?” But BYOD is not purely a technological fad. A workforce with mobile capabilities is becoming increasingly necessary due to the global round-the-clock nature of today’s business. For example, one respondent has reported having a staff of 51 in 19 locations and supporting 24x7 globally distributed activities. An emerging issue for the CIO develops when employees are allowed (or required) to adopt BYOD. The employees own the devices and feel entitled to use them as they choose, installing whatever apps/ games/social media they want. Introducing confidential enterprise information into this environment is dangerous, and requiring or allowing employees to purchase their own devices, and then tell them how they are going to use them, presents a difficult challenge. Employees want their “personas” to be mobile, too—in a device-agnostic manner. A persona is a person’s identity-related information, e.g., preferences, images, and profiles created on Facebook, Google™, etc.
    • Adopting a bring your own device policy Public sector Allowing individuals to use their personal technology for business use, ranging from productivity improvements, convenience, and operational cost savings to new business innovations, creates strong benefits for the employee and the enterprise. However, adopting a BYOD strategy presents practical challenges. For example: • Device management strategies may be fragmented and cumbersome due to potential proliferation of devices, ambiguity around responsibilities for data, and increasing expectations for how the devices can be used • Rich device functionality, with easy-to-use social networking tools, present challenges for enterprises in providing platforms and software to their employees such that they are fun (and distracting) as well as productive • Corporate/sensitive information may be leaked, distorted, and/or be unavailable when required • Demonstration of regulatory compliance may become more difficult Some industry specifics All interviewed respondents agreed that mobility is essential to their businesses and resulting data-loss challenges exist across all the verticals. As one individual said, “Industry is always behind the curve in making consumer technology ready for the enterprise.” But consumer technology was not initially designed with enterprise requirements in mind, which has led to challenges and delays in adoption by organizations. In their personal lives, consumers may be concerned with losing their emails or latest photos on their devices, but rarely does this result in reputation damage or a lawsuit resulting from divulging personal information—both major considerations for enterprise mobility use. In many parts of this large sector, information confidentiality is generally the main security consideration. For instance, unintended disclosure of information in the context of the military and police can be very damaging. The main focus is on citizen data loss and reputational damage. However, with increasing acceptance of mobile working practices and the use of personal devices, more attention will have to be given to availability of data and its integrity as well. A culture of data classification exists to some degree, in which we categorize information into pre-designated levels with controls regarding who can access information at each level. Human error is also a factor, causing accidental breach of physical media-handling procedures rather than as the result of hacking or malicious insider disclosure. Industry is always behind the curve in making consumer technology ready for the enterprise. Although each sector and business is unique in many ways, common mobility challenges exist. For example, desktop application management is an issue for most organizations due to the monolithic OS architectures that require significant effort to perform upgrades securely. Interviewed respondents noted additional insights and industry-specific concerns as follows: 5
    • Technology companies Financial services In contrast to the technology sector, the financial services industry (FSI) vertical applies tight control over the working environment and thus a high level of enforcement through standardized systems. As many data-loss incidents have been recognized as being due to human errors/abuse, the CSO is widely accepted as belonging outside of the IT function, possibly in a broad risk role. In fact, occurrences of informal insider trading (e.g., traders socializing on weekends) are not uncommon. Financial organizations are generally “backed into acceptance of mobility” by users. Executives are often in the front line, demanding the use of “cool” mobile devices. Next-generation staff may expect the freedom to mix their private and business lives—and seamlessly incorporate their state-of-the-art technology across their personal and professional worlds. Mobility adoption is driven primarily by a need for 24x7 global operations and a disparate, technically literate workforce. Enterprises in this sector are generally early technology adopters, with employees either working from home some of the time or on the move. A respondent stated that only 50 percent of his organization’s operating countries had any “IT assets,” so a huge reliance on cross-border communications and mobility exists. Technology companies also have legitimate needs to support non-standard IT solutions, such as special access or configurations for their technically capable workforce, which often prevents the rollout of standard solutions that help to enable security and mobility. Off-the-shelf options simply don’t fit. The technology industry is also an area where hackers strike on many occasions, and clearly this is a key concern. Such breaches cost massively in terms of recovery and reputation. The main foci are intellectual property loss, reputational damage, and loss of program source code, bringing much attention to protecting intellectual property rights, including a high take-up of laptop disk encryption. Mobile devices play into this mix. As one respondent noted, “there are now enough of them [mobile devices] on the network for attackers to start prioritizing them.” Policy enforcement on employee-owned devices is still in development, however. Mobility is recognized as a big opportunity for innovation in the financial services industry, driven by many perceived benefits, although few have actually been quantified to date. BYOD and near field communications (NFC)—the wireless exchange of data between smartphones in close proximity to one another—are seen as fundamental to these innovations. On the consumer side, payment by cell phone is still an experimental area fraught with challenges regarding the creation and management of new networks of suppliers, but it is receiving much attention. Likewise “digital money,” self-checkout, mobile banking, migrant-worker money transfers, and mobile adjudication of insurance claims are mobile innovations on the rise. Still, the focus for financial services is turned internally: “Risks around use of mobility should be kept in perspective—over 50 percent of security breaches are from insider actions,” said one respondent. For a financial institution, the main concern is protecting consumer trust—a bank collapses after its reputation is hit. Financial services is also an industry with many regulatory compliance requirements, including Basel and Payment Card Industry Data Security Standard (PCI-DSS). In PCI-DSS-affected organizations, loss of card data is a hot topic. Additionally, U.S. banks are obliged to report any security breach to federal regulators, possibly exposing embarrassing process flaws. In Europe, the Middle East, and Africa (EMEA), concern over personal and commercial transaction privacy and compliance with national and European guidelines (strictness depends on country, however) is a major factor, as well as concern around “time-sensitive information” leakage, such as merger and acquisition information, budgets, and accounts. 6
    • Retail Manufacturing According to respondents, increased productivity is perhaps a bigger driver for IT consumerization than employee demand in a cost-sensitive vertical. And usability of apps is key. Employees should not have to navigate complex applications in order to use apps effectively. Although a clear, logical distinction between types of users and their access to data exists, user segmentation is immature in this sector. Any controls are largely implemented across the board. Healthcare Within healthcare, most attacks on mobile devices target the application level; therefore, much work focuses on this area. “The current hot button here is customer data,” said a retail industry respondent. Companies in this sector are now able to collect more information on the consumer via devices such as iPhones and iPads, making mobility services an appealing option for interaction with customers. Mobility is reducing the reliance on supply chain relationships for access to customer data and demographics. However, mobility in the workforce is a little more complex. Respondents stated that a small fraction of the workforce is officebased—the majority are either in stores or in distribution. “In stores, staff turnover is high—they are young and want to bring their own devices to work.” This results in a multi-tier security requirement: certain controls for all (including store staff), with more stringent controls for office workers. Extra filtering/blocking controls required by state laws exert some regulatory pressure. However, our interviewee felt that monitoring tools for mobile traffic were immature and more robust solutions were needed. Executives see risk through a “reputation lens” and data breaches are taken very seriously. This sector is seeing an increased level of hacker attacks, many of them targeting mobile applications and infrastructures. Consumerization is seen as an evolving problem. The era of provisioning of corporate mobile devices is ending. BYOD is considered acceptable for mobile devices but not for PCs due to the lack of standardized apps. Locking everything down can have serious consequences for a company because employees will continue to use their own devices, but without enterprise security policies and safeguards in place to manage access and mitigate risk. BYOD and therefore consumerization are symptomatic of an underlying cause, the real issue being the desire for flexibility/selfservice. Guidelines such as PCI-DSS (for credit card transactions) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (for medical prescriptions and other health information) are important, and generally quite effective. 7
    • Mobile assets come with higher risk of data loss Mobility changes are often driven or led by technology Mobile devices are typically present in a variety of situations, as users want them by their sides most of the time. Because of this, organizations can no longer rely on work-related or enterpriseowned mobile devices being kept in reasonably secure workplaces. Mobile devices are often viewed as fashion accessories, and uptake is affected by society. User mobile behavior is likewise influenced by the technology available and what it can do, with many inherent risks. Mobile devices are also becoming more and more attractive to thieves and hackers, as the devices can often contain business information and be used as portals onto enterprise back-end systems and data. In fact, a myriad of inward routes require protection. Furthermore, consumerization is about personas and personalization, not just devices. For example, employees are likely to want to have access to online identities, such as a Facebook profile, at any time and in a variety of forms. They also want features that find and adjust to their location—like Google Maps™ —and allow access to remote services—like HP ePrinting. All of these options make mobile devices more appealing, but also track and store personal—and usually unsecured—information about the user. Another serious security consideration is that data loss can easily occur through misplaced or compromised mobile devices, and may not be detected for a long time—if ever. How can data be lost or compromised? • Data loss can occur through the misplacement or theft of laptops, tablets, and smartphones containing enterprise data, access to corporate systems, and even local copies of the corporate “address book.” For instance, one respondent told us that his organization loses approximately 1,500 of their 400k laptops each year. • The confusion of corporate and personal mail systems side-byside can cause users to send sensitive corporate information to personal contacts. Mobile devices typically include a single email application that can access multiple accounts, while desktops/ laptops traditionally use different email applications for different accounts. • User carelessness can create inadvertent exposure of corporate information and/or credentials. • Users may deliberately circumvent controls by taking shortcuts (often in desperation or to save time) and sending potentially sensitive business emails to personal mailboxes. • Malware on a device may enable data to be interfered with or copied elsewhere. 8 Due to the speed of technology change as developers rush to keep up with this demand, attackers are likely to target users who do not have sufficiently matured security. If organizations are purely reacting to changes in the mobility mix—for example, a new device or OS upgrade—they will struggle to secure the “bleeding edge” devices in a timely manner. In short, many business stakeholders are not sufficiently informed of the implications of technology and behavioral changes; as one respondent commented, we require “a user-centric view of the world” moving forward.
    • What can a CIO do now? A 5-step approach As with most security challenges, technical solutions are only part of the puzzle. A more rounded approach to the problem is needed, as outlined below: Due to the velocity of change in mobile technology, increased frequency of risk assessments is warranted for certain devices and applications. An informed decision requires an understanding of users’ actual or potential actions, as mobile contexts are more dynamic than devices used within fixed controlled environments such as offices. For example, when entering a foreign country, employees may be asked to surrender corporate mobile devices to the border control officials. Security/Mobility Rewards/Risks Security/Mobility Rewards/Risks 1. Support collaboration between the CISO and the technical or business owners who are driving mobility By understanding the business motivations for the enablement of mobility, a CISO can manage the resultant risk in accordance with the enterprise’s risk tolerance and therefore better support its adoption. The alternative is the too-common situation in which security solutions must be “bolted on” or applications updated and retested, resulting in increased cost—and, with frequent changes to mobility devices and apps, a likelihood of growing security gaps. 3. Utilize good practices, principles, and technology Mobility is inherently about people, process, and technology, thus making standard approaches to risk analysis difficult. The following approach is recommended: • People—train and raise awareness to encourage employees to perform the right actions • Process—provide the appropriate channel and auditability to securely enable users • Technology—present the appropriate tools to rely upon Security/Mobility Rewards/Risks 2. Develop a risk-based approach to mobile security investment and policy decisions However, the reality is that these basic guidelines don’t always work in practice. HP’s Security Analytics professional services offering, a commercialization of HP Labs’ Trust Economics research, uses economics and cognitive science to more rigorously explore options and trade-offs. When considering BYOD as an option, the following high-level questions should be asked: CIOs need to be confident that their CISOs have established principles and practices to ensure a base level of security in all processes that the business relies upon—and that they are collaborating with relevant stakeholder groups to maintain this level. • What level of risk is acceptable? CISOs must consider the risks of mobility enablement due to the loss of centralized control when determining potential business rewards, such as increased revenue derived from the ability to innovate, or the attraction of talent due to a business’s perceived progressive stance on technology use in the workplace. • What technologies will be used, e.g., Web 2.0? By undertaking a formal risk assessment of an enterprise’s mobility strategy, the CISO can more fully understand the risks these mobile devices can introduce and the threat they pose to an enterprise’s critical assets. However, understanding the risks is only the first step. Risk management teams must then determine the maximum risk the enterprise wishes to entertain and how much residual risk it should accept, and perhaps even consider transferring to an insurer. • Will users be educated and made aware of mobile security risks on an ongoing basis? • Who are the groups of users who need to be mobile? (And which users will be mobile whether they need it or not?) • What mobile platforms need to be supported? • What applications—both professional and personal—will be used? • How will these applications be deployed and managed? • How will devices be secured and managed? • How will regulatory compliance be achieved? • How will access be provisioned and revoked? 9
    • • Are security technologies like remote wipe, two-factor authentication (or strong password enforcement), self-service password resetting, device encryption, sandboxing of application, and automated OS patch management possible on the proposed devices (especially if the device is owned by the individual)? Security/Mobility Rewards/Risks • Do data classification policies exist, and are these enforceable on the selected platforms? • Will monitoring and logging capabilities be enabled on device and management systems? • Are there specific processes for detecting, correlating, resolving, and reviewing mobile data-loss incidents? The last question is very significant, as CIOs/CISOs need an effective way to revoke access in the event of employee separation, whether voluntary or involuntary. In the past, this has meant reclaiming the device from the employee, but, with BYOD, enterprises must create a process to revoke access and reclaim data without taking possession of the device. Security/Mobility 5. Develop a clear mobile security strategy that aligns with the business Consider a mobile security maturity model. Mobile security is a wide area; as such, it requires a phased approach. How the enterprise engages with mobility and how mobility supports the business’s objectives must be understood, and the security strategy should explore risk management and mitigation through a combination of people, processes, and technology. Risk review frequency should follow the pace of mobile technology releases and the business’s own change frequency. By regularly reviewing new technologies and business trends, an enterprise can better support its mobility strategy and manage its risk profile as well as the threats introduced by these changes. Rewards/Risks What about the future? 4. Develop secure applications specifically for mobile users and platforms Including security requirements such as “authentication” and “segregation” and consulting expertise within the software development lifecycle will lead to a wider understanding of security risks within the development process. Doing so creates a more proactive security culture—reducing costs by shifting security spend from high-cost last-minute activities to a model in which security requirements are captured at design time, with application functionality built around these requirements. Including these features should result in reducing the number of security defects on end-user devices. Enterprises should also consider creating an enterprise app store to provision applications to users, giving them a one-stop shop for all their business apps. Because an app store is a controlled portal, app submissions can be restricted to only internally developed, tested, and trusted apps, thereby reducing user education and easing adoption of mobility. Trust economics—business-aligned decision support Decision-making and risk assessment for mobility and data loss is very difficult because: • Enablement and risk mitigation present a challenging trade-off • Stakeholders maintain different views/incentives/knowledge/ responsibilities • Human factors—not just technology—hold significance To address these changing variables, HP Labs has developed modelbased methodology to analyze risks, allowing stakeholders to build shared understanding of complex situations and explore what-if scenarios using HP’s models. These scenarios have worked well in process and technology situations such as identity management, system-on-chip (SOC) design, and vulnerability and threat management. In collaboration with academic economists and cognitive scientists, we have extended this methodology to account for human behavior (see http://bit.ly/rXL5F3) in relation to the exploration of issues like USB stick policy, digital rights management (DRM), and other mobility and data-loss situations. To better understand how HP is helping its clients to better manage their risks, watch the following case study (http://bit.ly/xC9GFB). 10
    • “Wouldn’t it be great if we could express policy once and the infrastructure would know how to implement our requirements whether the device is a desktop, laptop, tablet, or smartphone?” HP Labs has also been researching systems security architectures for the next generation of cloud-based enterprise, and has developed innovative technologies such as: • Trusted Computing A system architecture for remotely verifying a device’s properties in order to establish trust • Trusted Virtualization A device architecture that can provide container-based security policies for multiple operating systems on a single device, simultaneously supporting multiple independent IT domains to be managed securely on a single client device Today, HP Labs is researching how to use such state-of-the-art developments in order to facilitate cost-effective, cloud-based security management enterprise in a consumerized world. Level 4 Mobility maturity matrix •  ommunity engagement to improve understanding C of mobility drivers •  ommunity interaction to understand how to incorporate C human and economic factors into risk assessments •  trategic use of mobility-related cloud services S Level 3 Research promises to take containerization-based security management models to mobile devices more generally, with the appropriate cloud integration for manageability as these technologies mature. HP recommends a systematic approach to mobility adoption and management, taking steps to progress up through the maturity levels of the model below. •  onger-term strategic view (rather than risk assessing each L case on its merits potential link to containerization strategy) Level 2 Many of the current issues in enabling mobility are due to the inability to enforce security requirements relevant for data classification(s). By containerizing our data, we gain not only the ability to separate corporate from personal data, but can selectively introduce functionality such as remote wiping, advanced threat monitoring, or intrusion prevention. Mobile security maturity model (supported by good governance, risk, and compliance practices) •  ISO team collaboration with (or embedded in) mobility and C business teams Level 1 Managing cloud communities with trusted cloud-client management solutions—“safe and cost-effective end-toend security management in a consumerized world” •  obility strategy not overly focused on technology M •  ood practices and principles established G •  isk assessments completed for each situation R •  doption of some mobility-related cloud services A Throughout the process, remember a few important considerations: HP experts believe that, from an IT department perspective, “cloud communities” could be defined and securely managed throughout, from the end-user cloud client devices to the data center. Importantly, the HP Labs approach is designed to allow end-user devices to be registered with multiple communities, rather than being limited to just one personal and one business persona. • Take a holistic and evolutionary approach that includes people/ process/technology, which reduces dependence on solely technical solutions By supporting multiple personas, next-generation devices and services will allow multiple IT departments to have advanced security management control over their communities of mobile users and business applications, enabling end users to maintain privacy and choice for their own devices, within other cloud communities, or within personal applications. • Automate controls as often as possible • Perform a risk assessment for each new mobility-use case • Establish strong governance mechanisms including communications between stakeholders Additionally, the IT team should support users in a consumerized environment just as they have always done in the workplace. The key aspects are: • Set clear expectations • Provide support options that work on the users’ terms • Allow access to as much support as possible • Support what you control—the data and environment; devices will come and go • Maintain a baseline and use it as fall-back 11
    • Conclusions All industries need to embrace mobility as an evolution of IT in the workplace. But this adoption must deal with the information-related risks that come with this. The main challenges around embracing mobility in a controlled manner are: • High user expectations due to the advent of consumerization • A wide variety of devices and systems to manage—many of which may not belong to the enterprise • The velocity of change in mobile technology, which means constant re-assessment of security measures • A broadening of technology into personas and personalization, not just devices, which opens the user to greater vulnerabilities • More opportunities for data loss than in traditional workplace IT These challenges are largely common across industry sectors. However, nuances and specific requirements must be taken into account as policies are developed. Further, to mitigate risk to corporate and other sensitive information, the CIO should both be sure that the CISO’s team has established principles and best practices and involve this team in the right loops and conversations to understand and support mobility business policies. Finally, the need to continually assess risk and be agile in appropriately adapting new mobility solutions always exists. This is a rapidly developing area that adds both complexity and opportunity to the organization. HP recommends: • A holistic and evolutionary approach that incorporates people, process, and technology—specifically to reduce dependence on solely technical solutions • A risk assessment for each new mobility-use case HP Enterprise Security has the expertise and insight you need to tackle these emerging challenges. Our focused framework leverages our full portfolio to meet your specific mobility needs. HP Labs is also working on bleeding-edge research in risk management and technology to address future problems, and is actively working with our clients to implement forward-looking plans. While other security companies focus on security threats and lock down information in order to protect it, our success is driven by viewing information security differently. HP takes a proactive and risk-based approach, ensuring that technologies like workplace mobility fit within and around the organization while creating new opportunities. Let us help enable your organization to respond to changing expectations of IT. Contributors Christine Atkins—Senior Vice President, Group IT Ahold Ralph Loura—CIO, Clorox Neti Hanumantha—CISO, Clorox Elinor MacKinnon—CIO, Blue Shield of California Sherry Ryan—CISO, Blue Shield of California Michael Cunningham—CTO, Kraft Foods Rene Steenvoorden—CIO, Rabobank Simon Arnell (author)—Information Assurance Consultant, HP Enterprise Services Neil Passingham (author)—Technical Solution Director, HP Enterprise Services Betsy Hight—Vice President, Cybersecurity Solutions, U.S. Public Sector, HP Enterprise Services James Cooper—Distinguished Technologist, Portfolio Research and Development, HP Enterprise Services Boris Balacheff—Senior Security Researcher, HP Labs, Cloud and Security Lab Simon Shiu—Senior Research Manager, HP Labs, Cloud and Security Lab • Strong governance mechanisms including communications between stakeholders Rich Armour—Vice President, Global Cyber Security, HP Global Information Technology • Automation of controls as often as possible Larry Ryan—Chief Technologist, Financial Service Industry, HP Financial Services Get connected hp.com/go/getconnected Share with colleagues Get the insider view on tech trends, support alerts, and HP solutions. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Google™ and Google Maps™ are trademarks of Google Inc. 4AA4-0919ENW, Created April 2012; Updated June 2012, Rev. 1