What’s the issue with BYOD? Data Control… What’s the issue with Data Sharing? Data Control!
Let’s face it: though it took an evolution of about 15 years, the industry has figured out that data management and control are the underlying security issues. Data is power, knowledge, money, control. If you have it, you’re in control. If you don’t, you’re not. If you lose it… you’re in trouble.
There are many ways for data to be exfiltrated in the BYOD/mobile device world. It can be released by employees (intentionally or not), extracted by malware, or stolen or leaked by malicious apps; you get the idea. Firewalls aren’t stopping it from happening, data loss prevention (DLP) technologies are primarily reactive and still playing catch-up in the mobile world, and mobile device management has its limitations in controlling access and distribution (when in use).
There is little chance of stopping the BYOD trend. Users are constantly demanding more flexibility and control over the way they get their jobs done. Data sharing through cloud services is rampant, whether approved or not. Given the proliferation of data sharing, it seems the best way to manage it would be to treat data management as a discipline within security. In that discipline, the practitioner first needs to encrypt the data before it leaves the environment; second, track to whom and where it is distributed; and third, control access to the data by managing the encryption keys. (It would be similar to the concept behind some of the old document digital rights management tools that I used back in 2006.) If you have all of these aspects covered, then it seems like you have it pretty well wrapped up. If people don’t have access to the encryption keys, they don’t get access to the data. If they had access to the encryption keys but are no longer part of the club, then their keys are revoked and they lose access to the data. The reverse would be true for those who join the club later.
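The three steps above (encrypt before the data leaves, track who opens it and where, control access through the keys) can be sketched as follows. This is an added example, not code from the original post or from any vendor; `KeyBroker`, `open_document` and the sample document are hypothetical, and the SHAKE-256 keystream is a stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-GCM (SHAKE-256 keystream) so this runs on the stdlib alone.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyBroker:
    """Hypothetical key service: per-document keys, a member list, an access log."""
    def __init__(self):
        self._keys = {}       # doc_id -> data key (never travels with the file)
        self.members = set()  # users currently "in the club"
        self.log = []         # (user, doc_id, location, granted)

    def protect(self, doc_id: str, plaintext: bytes) -> bytes:
        """Step 1: encrypt before the data leaves the environment."""
        key = self._keys.setdefault(doc_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        body = _xor_stream(key, nonce, plaintext)
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        return nonce + tag + body

    def release_key(self, user: str, doc_id: str, location: str) -> bytes:
        """Steps 2 and 3: record who and where, then release the key to members only."""
        granted = user in self.members and doc_id in self._keys
        self.log.append((user, doc_id, location, granted))
        if not granted:
            raise PermissionError(f"{user} may not open {doc_id}")
        return self._keys[doc_id]

def open_document(broker, user, doc_id, location, blob: bytes) -> bytes:
    """Client side: a shared copy is unreadable without a fresh key release."""
    key = broker.release_key(user, doc_id, location)
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified")
    return _xor_stream(key, nonce, body)

def demo():
    broker = KeyBroker()
    broker.members.add("alice")
    blob = broker.protect("q3-forecast", b"constructed sample document")
    opened = open_document(broker, "alice", "q3-forecast", "phone", blob)
    broker.members.discard("alice")  # alice leaves the club: key access is revoked
    try:
        open_document(broker, "alice", "q3-forecast", "cloud-share", blob)
    except PermissionError:
        pass
    return opened, broker.log
```

Revocation in this model holds only if clients never keep a released key; a client that caches keys can still read copies it already holds.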
I recently briefed with a new company called Bluebox Security. It came out of stealth mode in February of this year, and its concept of data security resonated with me in just the vein that I laid out above. The solution was simple, easy to use and from a user’s perspective, provided the flexibility to share data as needed to do the job.
Bluebox provides a very strong data management capability. By focusing on securing the data first, it is able to provide both DRM and some DLP functionality. The solution provides monitoring capabilities to track where documents move throughout their lifecycle. At the point the data is considered end of life or in jeopardy, the data owner or the system manager can revoke the keys to access content on the device, or out in the cloud, or remove content from devices in a very surgical manner.
I really enjoyed the time I spent speaking with the Bluebox team, and as a previous CISO/CSO, this capability resonated with me. The need for data security will only continue to increase as the volume of data continues to increase. Organizations that have not begun addressing security of mobile and shared data are already behind the curve and need to get moving.