The spate of recent headlines can only feed the well-founded paranoia of corporate IT managers struggling to serve their colleagues’ quest for mobility. The enterprise’s demand for data on-the-go naturally includes e-mail and requests for proprietary corporate information, including access to the corporate network, sending the paranoia-meter sky high.
- “Lost Memory Stick Reveals Bank Account Information,” reads one headline.
- “School Alerts 3,000 Affected by Laptop Theft,” screams another.
- “One Mobile Phone Stolen Every 12 Seconds,” intones a third.
Pick an industry and a suitably paranoid fantasy and the inescapable conclusion is that one well-publicized breach of corporate security could doom your business. There are dozens of headlines to choose from to send you running into the arms of a mobile security vendor.
Add a dash of legal considerations: the federal Sarbanes-Oxley Act is designed to curb the destruction of corporate records in the wake of the Enron scandal, thus it requires proper storage and protection of corporate data. Additional federal laws in this area are under consideration. Meanwhile, 22 states have enacted a patchwork of data privacy laws regarding the stewardship of consumer-related data; under some laws, companies that experience a breach in security must report it, which is more fodder for crippling publicity.
One tell-tale aspect of the emerging device-security space is the frequency with which one hears a consultant or vendor say, essentially, caveat emptor: let the buyer beware. Everyone has a slightly different riff on this time-honored warning, typically shaped to differentiate one’s security offering from the next one. Everyone has something to sell and in a space suddenly crowded, most project a degree of gravitas to communicate that they understand your business’ very existence rides on getting good advice.
According to the Yankee Group, the market for enterprise-class remote endpoint security products was $20 million five years ago and, this year, it is estimated to reach $260 million.
Bob Egan, research director for emerging technologies at Tower Group, a consultancy that advises financial services companies on wireless data security, offers a disruptive concept on the topic of handset security for the enterprise and, in so doing, clearly underscores the prevalent theme of “let the buyer beware,” of offerings other than one’s own.
Despite the distinction some solution vendors make between focusing on the protection of data-in-motion (network to handset, handset to handset, handset to network) and stored data, Egan said corporations must take a holistic view that considers all data as data-in-motion.
One fundamental reason (and a chilling realization): 80 percent of all data theft is undertaken by employees, according to Egan. Therefore, a corporation’s policies for data access must address traditional notions akin to a journalist’s lead sentence: who, what, when, where and how. Roughly translated, this mantra might be articulated as: who needs to access data, what are they authorized to do with it, when and where do they really need it and how can a corporate IT department establish patterns of use that will allow it to spot likely unauthorized uses?
Leased data
Tower Group thus has developed the notion of “leased” data that ties into these parameters for authorized use. Limit the access to those who need it, when and where they need it, and proactively manage those parameters to ensure that exceptions to actual usage patterns raise a red flag. Data can be designed to disappear if any parameter is violated. Some companies allow enterprises to develop these parameters and detect suspect patterns. That’s the network and management side.
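
As an added illustration (not Tower Group's or any vendor's code), the sketch below models a data lease as the who/what/when/where parameters described above. The `Lease` class, its field names, the zone labels and the idea of making data "disappear" by discarding a wrapping key are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

@dataclass
class Lease:
    """Hypothetical lease on one data set: who, what, when, where."""
    user: str                 # who holds the lease
    actions: frozenset        # what the holder may do, e.g. {"read"}
    start: time               # when: daily access window opens
    end: time                 # when: daily access window closes
    locations: frozenset      # where: approved network zones
    key: Optional[bytes] = b"constructed-demo-key"  # wraps the leased copy
    flags: list = field(default_factory=list)       # red flags for IT review

    def violations(self, user, action, when, location):
        """List every lease parameter the request breaks."""
        found = []
        if user != self.user:
            found.append("who")
        if action not in self.actions:
            found.append("what")
        if not (self.start <= when.time() <= self.end):
            found.append("when")
        if location not in self.locations:
            found.append("where")
        return found

    def request(self, user, action, when, location):
        """Grant access only while every parameter holds; else revoke."""
        if self.key is None:
            found = ["revoked"]          # lease already gone, still log it
        else:
            found = self.violations(user, action, when, location)
        if found:
            self.flags.append((when.isoformat(), user, action, location, found))
            self.key = None  # assumption: without the key the copy is unreadable
            return False
        return True

def demo():
    """Constructed requests: one in policy, one violating it, one after."""
    lease = Lease("alice", frozenset({"read"}), time(8), time(18),
                  frozenset({"hq-lan", "vpn"}))
    ok = lease.request("alice", "read", datetime(2024, 3, 4, 10, 0), "vpn")
    bad = lease.request("alice", "copy", datetime(2024, 3, 4, 23, 0), "vpn")
    after = lease.request("alice", "read", datetime(2024, 3, 5, 10, 0), "vpn")
    return ok, bad, after, lease.flags
```

The `flags` list is the part that answers the "how" question: it is the record an IT department would review to spot usage that falls outside the leased pattern.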