The two clearly are deeply related. At their core is the idea that the security and control that the IT and security departments is gone. Now, folks essentially are traipsing all over the country – and the world – using any number of devices. These devices are all over the map in another way: The company has little or no control over the type of device or even the operating system. In most cases, they don’t likely even know there is a device being used at all.
There also are legal and corporate issues. When a phone goes missing, at what point is it wiped of data – including family photos and other data that is important to the owner? What happens when an employee is terminated, especially when the parting is acrimonious?
These and other questions have a direct impact on data security. Luckily, a pretty good answer is clear: Encrypt data, not devices. It is, actually, just the beginning of the answer. But a good beginning it is.
A post by Hummingbird’s John Ciarlone discussed the importance of data security as it relates to the healthcare sector. His first bit of advice: Employ universal encryption. In the medical realm, patient data simply must be encrypted. He points to other common sense steps, such as segregating employee and guest access and physically securing access points. The point is that encryption is an important part of data security – but only one element.
It also is important to recognize that encryption also must be done correctly. The highest profile cyber hack of the year – and probably the century – was the leaking of millions of identities of users of the dating cite Ashley Madison. Ars Technica reports that data was encrypted using bcrypt that it would take centuries to decrypt – if the technology was used correctly. However, programming errors made more than 15 million account passcodes “orders of magnitude” easier to crack. The crackers, the story says, are well on their way to outing most or all of the 15 million bad boys.
There are two morals to the story. One, of course, is to behave and not use sites like Ashley Madison. The other is that data encryption – and security of any sort, for that matter -- must be implemented by the book and without shortcuts.
This brings us full circle to BYOD and mobility. In the old days – just a few years ago, in reality – IT departments were tightly controlled and managers rode herd on (mostly desk top) computing gear. Those days are as dead as disco. Data security is a much more fluid endeavor. The place to start is end-to-end encryption. It isn’t, however, the whole ball game.Click to edit your new post...