Managing Mobile, Cloud and Social Media Security
By Bob Violino
Organizations are dealing with three IT megatrends that show no signs of slowing: the move to cloud computing, rapid growth of mobile devices and applications in the workplace, and the emergence of social media in the corporate environment.
Each of these areas offers huge opportunities for benefits, including enhanced collaboration, increased productivity, more efficient operations and improved customer services. And each creates unique security threats, which, if not addressed, can lead to serious problems for organizations.
With mobile technology, the dual nature of the devices—which are used for both personal and professional purposes—"suggests that organizations are more limited on what they can deploy on the device and what they can demand the user do or not do," says Ariel Silverstone, a security consultant and former security executive.
Among the security challenges of the cloud—especially externally hosted cloud services—are that organizations lose the ability to physically possess information, and have much more limited capability to perform legally and contractually required audits, Silverstone says.
Social media presents a different challenge: What employees say, where and to whom can become an issue when it comes to security and privacy.
"I find that addressing these issues requires working with your employees, as opposed to [trying to] force them," Silverstone says. "Develop a social policy that encourages employees to participate in a conversation, while gently reminding them of confidentiality [concerns]."
A growing number of organizations that are leveraging cloud, mobility and social media are creating strategies to address security in these emerging areas.
Addressing Security in All Areas
Walz Group, a communications and compliance services company in Temecula, Calif., is grappling with all three IT trends. Employees use smartphones—mainly Android and Apple devices. With the cloud, the firm is using software-as-a-service (SaaS) offerings such as SalesForce.com's CRM software. In addition, for more than four years, it has operated its production applications and business services on a private cloud, using infrastructure-as-a-service (IaaS) offerings based on NetApp and Cisco Systems platforms.
Walz is also using social media for business, with a large percentage of its employees having accounts on Facebook, Twitter and LinkedIn. They also are using other online communications and collaboration resources, such as Skype.
The company is taking steps to address security in all of these areas.
"Smartphones can collect, monitor, store and distribute data very effectively, since most devices are now equipped with cameras, storage, Internet connectivity, application marketplaces" and other functions, says Bart Falzarano, chief information security officer. "The security challenges that exist with these devices [involve] maintaining the appropriate safeguards and controls" so that data privacy, company intellectual property and client data are protected at all times, and in accordance with data security standards and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
Walz has taken a number of steps to ensure better security, including disabling USB ports on systems containing sensitive data; training employees about secure use of devices; and placing restrictions on where, when and how the devices can be used. In addition, the company has established centralized controls for remote data wiping, and has its wireless carrier perform scans and assessments as part of the carrier's security offering.
For public cloud SaaS and IaaS offerings, the security challenge involves controlling public cloud services sprawl. Employees can easily sign up for some of these services and begin using them, Falzarano says.
Other security challenges include data ownership, data encryption and key management, and controls for data replication. "When storing data on public cloud services, for example, does the public cloud services provider replicate that data nationwide and/or internationally?" Falzarano asks. "Are there control policies available to the client to opt-out or limit the replication of data?"
To mitigate some of the concerns with public cloud services, Walz has deployed its production applications and business services on private cloud platforms, allowing it to meet stringent information security requirements. In addition, the company provides security training for employees regarding the installation and use of third-party software and cloud services, and employees must sign off on their acceptance of system usage policies.
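The sprawl problem Falzarano describes (employees signing up for public cloud services on their own) is easiest to see in the web-proxy logs the firewall already produces. The following is an added example, not Walz Group's tooling: it parses constructed proxy log lines, sorts each destination into sanctioned, watch-listed or other, and reports per-user use of watch-listed services, weighting uploads (POST/PUT bytes) because that is the direction data leaves. The domain lists, the log format and the alert threshold are assumptions.

```python
"""Spot unsanctioned SaaS use in web-proxy logs.

Added example, not Walz Group's tooling. The log lines, the sanctioned
and watch-list domains and the alert threshold are all constructed for
illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, method, URL, bytes sent by the client.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z jdoe GET https://na1.salesforce.com/home 0
2024-03-04T09:15:44Z jdoe POST https://na1.salesforce.com/api/opportunities 2048
2024-03-04T09:20:10Z asmith POST https://www.dropbox.com/upload 5242880
2024-03-04T09:21:30Z asmith PUT https://content.dropboxapi.com/2/files/upload 10485760
2024-03-04T10:02:15Z bwong GET https://news.example.org/today 0
2024-03-04T10:05:00Z bwong POST https://app.wetransfer.com/api/v4/transfers 734003200
2024-03-04T10:07:42Z jdoe POST https://mail.google.com/mail/u/0/ 4096
this line is malformed and must be skipped
"""

SANCTIONED = {"salesforce.com"}  # company-approved SaaS (assumed)
WATCH_LIST = {"dropbox.com", "dropboxapi.com", "wetransfer.com", "google.com"}  # consumer file-sharing/mail (assumed)

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def registered_domain(host):
    """Collapse a hostname to its last two labels. Good enough for this list;
    a real deployment should use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(host):
    dom = registered_domain(host)
    if dom in SANCTIONED:
        return "sanctioned"
    if dom in WATCH_LIST:
        return "unsanctioned"
    return "other"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, sent = m.groups()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname or "", "sent": int(sent)}


def find_sprawl(log_text, upload_alert_bytes=100 * 1024 * 1024):
    """Per user and watch-listed service: request count, bytes uploaded,
    and whether the upload volume crosses the alert threshold."""
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "uploaded": 0}))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec["host"]) != "unsanctioned":
            continue
        entry = usage[rec["user"]][registered_domain(rec["host"])]
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["uploaded"] += rec["sent"]
    return {
        user: {svc: {**stats, "alert": stats["uploaded"] >= upload_alert_bytes}
               for svc, stats in services.items()}
        for user, services in usage.items()
    }


if __name__ == "__main__":
    for user, services in find_sprawl(SAMPLE_LOG).items():
        for svc, stats in services.items():
            flag = "ALERT" if stats["alert"] else "info"
            print(f"{flag:5} {user:8} {svc:16} requests={stats['requests']} uploaded={stats['uploaded']}")
```

The report is the input to the policy conversation rather than a blocking control: a service that shows up across many users is a candidate for sanctioning (or for a block rule at the edge), while a single user pushing hundreds of megabytes to a file-transfer site is an incident to look at.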
As for social media, that creates its own challenges. "Numerous threat vectors exist from these sites, and the security challenges have been controlling, monitoring, and logging employee usage, data exchanges and information communication flows," Falzarano says. "We've managed the risks associated with these challenges and concerns by blocking some social media sites through firewall and other edge-device rules and policies."
The company also uses data-loss prevention appliances, and it's training employees in secure use of social media.
Through all these efforts, "we have been able to meet information security safeguards and controls, business continuity/disaster recovery and data privacy requirements," says Falzarano.
Security Versus Usability
Automatic Data Processing (ADP), a Roseland, N.J., provider of human resources, payroll, tax and benefits administration services, is using mobile technology and the cloud to enhance its business.
"Mobile is a uniquely enabling strategy in that it connects ADP to an enormous amount of new opportunity," says V. Jay LaRosa, senior director, converged security architecture, at ADP's Global Security Organization. "Our ability to leverage these devices to facilitate things like faster access to data, close sales quicker, or allow our clients to manage employee's payroll from their mobile devices is a true market differentiator."
But security versus usability is always a concern, LaRosa says. "If you are too draconian with your security policies, the value of these fast, flexible-computing devices is lost," he says. "We are taking a hard look at how we balance the usability aspects with security through a risk-based approach."
The company created an assurance level model for security controls, which is mapped to data and privilege-level requirements. As access to higher levels of information is required, ADP uses "step-up" authentication on an as-needed basis. For example, when an employee is checking in with a time clock application from a smartphone, that requires a much lower level of authentication than if a payroll administrator is adding a new employee to the payroll.
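The assurance-level model described above maps naturally onto a small policy engine: each action carries a minimum level, the session records which levels the user has achieved and when, and a request either passes or comes back with the level it must step up to. The code below is an added example, not ADP's implementation; the level names, the action table and the freshness windows are assumptions. The freshness window is the practical detail the passage leaves implicit: a strong authentication done an hour ago should not still unlock a payroll change, so higher levels expire sooner.

```python
"""Assurance-level authorization with step-up authentication.

Added example, not ADP's implementation. Level names, the action table
and the freshness windows are assumptions made for illustration.
"""
import time
from dataclasses import dataclass, field

# Ordered assurance levels; a higher number means stronger authentication.
LEVELS = {"password": 1, "password+otp": 2, "password+otp+device": 3}

# Minimum level each action needs, by data sensitivity and privilege (assumed).
ACTION_POLICY = {
    "timeclock.checkin":        1,   # low risk, self-service
    "payroll.view_own_stub":    2,
    "payroll.add_employee":     3,   # administrative: changes who gets paid
    "payroll.change_bank_acct": 3,
}

# How long an achieved level stays fresh, in seconds. Higher levels expire
# sooner so a stale strong login cannot be reused for privileged actions.
FRESHNESS = {1: 8 * 3600, 2: 30 * 60, 3: 5 * 60}


@dataclass
class Session:
    user: str
    achieved: dict = field(default_factory=dict)   # level -> unix time achieved

    def current_level(self, now=None):
        """Highest level that is still within its freshness window."""
        now = time.time() if now is None else now
        live = [lvl for lvl, t in self.achieved.items() if now - t <= FRESHNESS[lvl]]
        return max(live, default=0)


def authorize(session, action, now=None):
    """Return ('allow', level), ('step_up', required_level) or ('deny', None).
    Unknown actions are denied (fail closed), never silently allowed."""
    if action not in ACTION_POLICY:
        return ("deny", None)
    required = ACTION_POLICY[action]
    have = session.current_level(now)
    if have >= required:
        return ("allow", have)
    return ("step_up", required)


def step_up(session, level, verifier, now=None):
    """Raise the session to `level` once `verifier()` confirms the extra
    factor. `verifier` stands in for an OTP, push or device check."""
    if level not in FRESHNESS:
        raise ValueError("unknown assurance level")
    if not verifier():
        return False
    session.achieved[level] = time.time() if now is None else now
    return True


if __name__ == "__main__":
    s = Session("jdoe", achieved={LEVELS["password"]: time.time()})
    print(authorize(s, "timeclock.checkin"))       # ('allow', 1)
    print(authorize(s, "payroll.add_employee"))    # ('step_up', 3)
    step_up(s, LEVELS["password+otp+device"], verifier=lambda: True)
    print(authorize(s, "payroll.add_employee"))    # ('allow', 3)
```

The decision is made per request against the session's live level, so the time-clock check-in in the article never triggers a second factor, while the payroll administrator is challenged the first time and again once the five-minute window lapses.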
Cloud services such as the firm's Dealer Management Platforms and Human Capital Management platforms have become a staple of its business model, LaRosa says. Cloud-enabling technologies that allow secured use of IaaS are starting to emerge, and ADP is working with service providers to align their solutions with its needs.
"The ability to encrypt all our data—not only at rest but in motion, and while it is in use in these public clouds—is just starting to become a reality," he says. "With these new capabilities, we can truly guarantee our data will be secure because we retain the keys and manage them at our facility and not in the cloud."
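What "we retain the keys" looks like in code is envelope encryption: each object gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the customer's key service, and the provider stores only ciphertext plus the wrapped DEK. The block below is an added example, not ADP's implementation or any provider's API. Because the Python standard library has no AES, the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, a stand-in for AES-256-GCM; the key-hierarchy logic is the point, and a production system would use AES-GCM from a vetted library. The class names and the object-id binding are assumptions.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).

Added example, not ADP's implementation. The cipher is an HMAC-SHA256
counter-mode stream plus an HMAC tag (encrypt-then-MAC), used only
because the stdlib has no AES; substitute AES-256-GCM in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _ctr_xor(enc_key, nonce, data):
    """XOR `data` with a keystream of HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag. `aad` is authenticated, not encrypted."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Check the tag before decrypting; raise ValueError on any tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _ctr_xor(enc_key, nonce, ct)


class CustomerKMS:
    """Runs in the customer's own facility. The KEK never leaves this object;
    callers only get DEKs wrapped or unwrapped, and every call is logged."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.audit = []

    def wrap(self, dek, object_id):
        self.audit.append(("wrap", object_id))
        # Binding the object id as AAD stops a wrapped DEK being moved to another object.
        return seal(self._kek, dek, aad=object_id.encode())

    def unwrap(self, wrapped, object_id):
        self.audit.append(("unwrap", object_id))
        return unseal(self._kek, wrapped, aad=object_id.encode())


class CloudStore:
    """The provider's side: opaque blobs and wrapped DEKs, no keys at all."""
    def __init__(self):
        self.objects = {}

    def put(self, object_id, wrapped_dek, blob):
        self.objects[object_id] = (wrapped_dek, blob)

    def get(self, object_id):
        return self.objects[object_id]


def upload(kms, cloud, object_id, plaintext):
    dek = secrets.token_bytes(32)                       # fresh DEK per object
    blob = seal(dek, plaintext, aad=object_id.encode())
    cloud.put(object_id, kms.wrap(dek, object_id), blob)


def download(kms, cloud, object_id):
    wrapped_dek, blob = cloud.get(object_id)
    dek = kms.unwrap(wrapped_dek, object_id)            # only the customer KMS can do this
    return unseal(dek, blob, aad=object_id.encode())


if __name__ == "__main__":
    kms, cloud = CustomerKMS(), CloudStore()
    upload(kms, cloud, "payroll/2024-03.csv", b"emp,amount\n1001,2500.00\n")
    print(download(kms, cloud, "payroll/2024-03.csv"))
    print(kms.audit)
```

Two consequences follow from the structure. The provider can replicate the blobs anywhere and still hold nothing readable, which answers Falzarano's replication question for data at rest; and destroying the KEK makes every object unrecoverable at once, which is how key retention doubles as a deletion control. Data in use is a separate problem that this pattern does not address: whatever decrypts the object must hold the DEK in memory at that moment.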
Defining ADP's global security standards has been a collaborative effort between IT and development operations. "In the last 24 months, the Global Security Organization has been able to help the IT and development teams solve some very complex and challenging problems, while maintaining the delicate balance between usability and security," LaRosa says.
The strong partnership has allowed ADP to build the appropriate levels of security in these new areas up front, instead of trying to bolt on security after the fact, he adds.
As mobile computing and cloud-enabled services become more pervasive, "hackers and fraudsters will begin to take advantage of any shortcomings they can to steal money, information or anything else of value they can monetize," LaRosa says. "We need to move toward newer technologies that provide hardware-based isolation, enabling dangerous tasks to be run with minimal access and privileges."
ADP is looking at how technologies such as micro-virtualization, which uses the processor's virtualization extensions to run each untrusted task (a document, a browser tab) in its own disposable, hardware-isolated virtual machine with no more access than that task needs, can help it defend against the next generation of threats in the cloud and mobile environments.
Securing Mobile Devices
Also dealing with the security issues of mobility and the cloud is Loring Ward, a San Jose, Calif., provider of investment and business management services. "Because Loring Ward is a nationwide firm, the use of mobile technology is very important," says Randy Rudolph, vice president of corporate infrastructure. "Of paramount importance is the ability to secure the data on the mobile devices."
The firm recently initiated a bring-your-own-device (BYOD) policy, enabling employees to access the company's secure platform using their own smartphones and tablets. As part of this program, Loring Ward is using a mobile device management (MDM) platform from Fiberlink that lets it manage devices remotely and encrypt data that belongs to the firm, while not touching employees' personal data or applications.
"We have the ability to lock the device and perform geo-tracking and geo-fencing of the device, as well as [conducting] a device wipe or just [wiping] the firm's data contained on the device," Rudolph says.
Loring Ward has a private cloud, which it uses for critical internal systems and applications such as email and voice over IP communications, as well as for disaster recovery. Multiple departments in the company "use some type of cloud-based service that enables them to perform at a much higher level than before," Rudolph says.
To secure data in the cloud, Loring Ward uses the Box platform, which provides a central repository for most of its data and includes security features such as single sign-on, data encryption, access controls and audit logs.
In addition, the company has established security guidelines "that exceed the regulatory guidelines we are to follow," Rudolph says. "Each in-house system, as well as those in development and all of the cloud applications, must adhere to these strict security guidelines. We will not employ cloud-based services that cannot match or exceed these stringent guidelines."
Clearly, it's critical for organizations to implement strategies, technologies and processes to deal with the security threats created by cloud, enterprise mobility and social media.