Hi, today we will talk about the mobile organization.
So, up until a few years ago, our organization was our fortress. We had the ability to understand where our data was stored: it was inside the organization. People have always worked remotely, and road warriors are nothing new, but those employees usually connected remotely from managed devices, and data traveled between the organization and those devices in a controlled manner. Today, everybody has their own mobile device and everybody expects to use it. So, what are we doing with those devices today?
Need to work on your data when away? Not a problem: it's very simple to send it to your personal email address and continue working from your personal mobile device.
Email servers can’t handle large files anymore. Got an error message about the size of the file? Not a problem either: there are so many cloud-based services that allow us to upload huge files to the web and use them from anywhere.
So, I’m sure that many of the people in the room say, “Well, those are simple problems, and at our organization it does NOT happen, because we educated our employees and blocked the ability to do it.” So let’s see what our recent analysis discovered. During 2012, Check Point Software analyzed the perimeter traffic of 900 organizations. A total of 120,000 hours of traffic was collected and analyzed, so our security report is not based on yet another survey filled in by people; it reflects reality. So, what have we seen?
First, we’ve seen that 80% of the organizations are using file storage and sharing applications today. At 70% of the organizations that we analyzed, we’ve seen files being uploaded to Dropbox, followed by Windows Live, YouSendIt and other web services. That’s a lot of files being uploaded from your organization into the public web.
At more than half of the organizations that were analyzed, there was a severe leak of business data into the network. In 36% of financial organizations, credit card information was sent outside of the business. In 16% of healthcare organizations, some protected health information was sent outside of the business. And all of that was sent over the web and email to recipients that probably should not have access to this data.
Last, when asking these organizations, we see that more than 9 out of every 10 businesses today allow a variety of smartphones and tablets to access any resources in the business.
So, as we can see, it is simpler than ever to use data anywhere today: on smartphones, on tablets, over USB devices and over the web. Users would like to use business resources anywhere, and they have a lot of free and public means to do so. The challenge is that none of those means can be controlled by the organization: not the personal smartphones, not USB devices, and of course not services such as Dropbox or public email services. All of these are uncontrolled environments.
So, what are the risks of having data in an uncontrolled environment? First, of course, any device such as a USB device, smartphone or tablet can very easily get lost or stolen. All data on those devices will simply be available to anybody who finds them. Data uploaded to the web is not very safe either. Services such as Dropbox or Evernote were hacked in the past, and additionally hackers try (and many times succeed) to log in to those services with usernames and passwords that were revealed in other hacks, since eventually most of us use the same username and password on many services. Sharing data with external partners is important for doing business, but once data has been transmitted to a business partner, we consider that an ‘uncontrolled environment’ as well, as we have no way to guarantee that the business partner will not lose this data (by mistake, or maybe on purpose?).
And finally, malware on mobile devices has proliferated over the last two years. Only recently, Check Point discovered and published an interesting case study about more than 30,000 people in the EU who were infected with a virus on their mobile device, and more than €36M was stolen from those people. Malware can get onto mobile devices today in the same way it gets onto PCs, and can easily access data in native apps on the device such as the native email app, calendar, and others.
So, when organizations come to protect their assets today, they usually try to protect data in the same way they protect data in “controlled environments”, meaning they control the devices that store the data. Organizations try today to manage the entire device, even if it belongs to the end user, telling the user that “you need to comply with our policy if you want to connect to the business”. They will try to block file-sharing applications, although eventually users will connect to those services anyway, as they can be outside of the business or connected to a 3G/4G network that is not routed via the business. And last, organizations will try to continue to contain everything inside the perimeter. The question that we need to ask ourselves is whether, in the era of the mobile organization, such an approach is still realistic. Can we still control the devices and keep all data inside the perimeter?
We need to start adopting a new way, and for that we need a change of mind. The new way does not look at the devices, simply because the variety of devices and methods of using data is becoming infinite; instead, we need to look at the data itself and understand how we can protect the business data. The new organization will expect data to be available anywhere; it will understand the end users, meet their needs, and allow the security team to roll out a solution successfully; and it will understand that protecting data is a multi-layer challenge, one that requires a multi-layer solution. So, let’s see how we can think into the future in order to enable the mobile organization and still protect our business data.
End users expect their data to be available anywhere today: on their smartphones and tablets, on USB devices and in cloud applications such as Dropbox, iCloud, Google Drive, etc. The organization needs to enable those devices and have the ability to encrypt only the business data stored on them, without encrypting anything that is not considered to be business data. The organization should be able to control the authentication required to access this data and set access rights to it, so that only authorised users can see it, while others can’t. The business needs to have the ability to get alerts if business data is not used properly, and as a result should have the ability to remotely block any further access to it.
And last, as the challenge is very wide, there is also a wide variety of technologies that businesses can adopt to protect their data. For the organization to control the security policy in an effective manner, we need to try to adopt technologies that are orchestrated together and provide added value, such as Data Loss Protection with Data Rights Management, or Data Loss Protection with USB encryption, which can protect data and set access rights to it automatically once it leaves the network. And of course, all businesses expect to adopt a solution that is simple to manage, as organizations don’t have the ability to increase IT human resources and spend.