Today, IT managers and corporate management aren’t just focused on big data, despite its overwhelming media coverage. In fact, when we discuss data security concerns with IT managers, there are three other factors getting as much of their attention, or even more:
- The consumerization of IT.
- The drive toward virtualization.
- The challenges of the cloud.
IT managers face a tough fight on all three of these fronts, as they manage tighter budgets with the critical requirement of providing security for the data flowing into and out of their enterprise organizations every day.
Regardless of which of the three areas takes priority in your IT organization, a successful data security strategy is not merely about protecting the confidentiality and integrity of your data, but also about ensuring its availability to all authorized users.
The Consumerization of IT
The BYOD onslaught became real in 2012 and will only get more pronounced in 2013. In October 2012, Forrester reported that two-thirds of employees regularly use two or more devices at work, with 12 percent using tablets. A Juniper Research report from June 2012 predicts that the number of employee-owned smartphones and tablets used in the enterprise will grow from 150 million devices in 2012 to 350 million in 2013.
All of this doesn’t even begin to take into account the threats posed by lapses in physical security. Mobile phones are frequently lost or left behind; think about how much confidential corporate data can become exposed by someone circumventing a password or lock – a relatively easy task for any seasoned hacker. Stolen devices can compromise even the most protected encrypted data, as well as lead to unauthorized access to corporate services, such as email and the VPN.
This consumerization of IT presents serious data security challenges for IT departments, as the number of entryways opened through smartphones, tablets, netbooks and other managed or barely managed devices multiplies quickly.
The push toward a BYOD environment is being driven by the end user. Everyone from a C-level executive to the clerk in the mailroom wants to apply the ease of use they get from their personal devices to their corporate responsibilities. But as that happens, the number of access points into the enterprise from outside the firewall continues to grow exponentially. Without the proper measures in place, the likelihood of a serious security breach skyrockets.
Today, too many IT generals are still fighting the last data war with security measures built for a time when IT controlled every device accessing the network. That’s just not the case anymore. They need to look anew at the systems in place and their capacities to plug all of the new security holes created by the consumerization of IT.
For instance, one of the biggest challenges in the BYOD environment is the greater risk posed by mobile malware. This malware can come in many forms, from stealing and possibly corrupting data, applications and communications on the devices themselves, to becoming launching points for advanced network attacks, such as advanced persistent threats and denial-of-service attacks. Cybercriminals use APTs to steal critical data and even revenue over a long period of time, and they can also be used in state-sponsored attacks on other countries. So-called “hacktivists” also use APTs to disrupt service or deface a website.
Any attack launched from a compromised mobile device poses additional difficulties for those trying to understand the who, where and why of the attack. Since the attack doesn’t often originate from a known server or fixed IP address, it is difficult to trace and even harder to combat or defend against. This is complicated even more by the fact that the mobile devices being used to generate these attacks roam from one wireless hotspot to another. Even worse, these attacks can often occur without the knowledge of the device owner.
Both Google’s Android OS and Apple’s iOS platform are ripe for the malware picking. Malware for Android rose 400 percent between 2010 and 2011, according to a Juniper Networks study. And iPhones and iPads are losing much of their security capabilities because of “jailbreaking,” which removes limitations imposed by Apple and allows users to gain root access to the operating system so they can download additional apps, extensions and themes not available through the iTunes App Store.
In both cases, compromising the internal security doesn’t just threaten the security of the device – it can compromise the confidentiality, integrity and availability of data inside of enterprise IT networks. IT organizations have to understand the full scope of these threats and then create new measures to address those issues.
Virtualization and the Cloud
The push toward virtualization is changing how and where data is being stored and accessed. It’s also causing a lot of security concerns. Previously, if one server went down or was compromised, it could be relatively easy to trace; in a virtualized environment that becomes more complicated.
In today’s virtualized world, a host device can take down 30 virtual machines running on top of it. That can greatly impact the availability of data, especially in a global distributed enterprise network.
That is why it is so important to take a cluster approach to managing host devices. In a cluster environment, disaster recovery tools can automatically shift servers from a failed host device over to a machine that is up and running, preferably in a separate data center.
In addition, enterprise IT organizations need to take a long, hard look at the security controls they have for the virtualized world. They need to ask themselves, “Are these controls correct for a virtualized environment?” Today, too many companies still assume that a virtual machine runs just as a physical server did, so they can use the same security controls, such as antivirus and intrusion protection software, to combat and prevent attacks. What many IT organizations still don’t fully take into account is that a virtualized machine is sharing resources with other virtualized machines. Running one of these old tools on one virtual machine can have a significant impact on the other servers sharing that host device. Organizations must employ variants of these controls that address the nuances of the virtualized world and won’t adversely affect the overall health of the environment.
The same basic scenario is playing out in the cloud, with the emergence of platforms such as Office 365 and other back office applications that used to be hosted internally and are now being outsourced to a cloud environment.
As more companies consider migrating to a cloud environment, they must continue to take into account the basic data security principles. They still need to ensure that the basics, such as back-up, recovery and restoring data, are taken care of and that assurances are made and committed to with respect to confidentiality, integrity and availability. A move to the cloud should only be done after completing due diligence to address the proper risk management.
The only constant is change when it comes to the IT world. There are a lot of new technologies that enterprise IT organizations have to consider today – whether it is mobility, virtualization or cloud computing.
But, in the end, it always comes down to the basic principles of managing information security. Just because the hottest new technology platform is being rolled out doesn’t mean that an enterprise IT organization should ignore or reject the foundation of security principles that have been preached for years. One of those principles is the proactive monitoring and management of core IT business security areas, such as firewalls, intrusion detection systems and intrusion prevention systems. While the resources of many organizations are constrained by tighter budgets, organizations are increasingly taking advantage of managed service providers to help.
Consumerization of IT, virtualization and the cloud all offer significant productivity and cost benefits to businesses today. But in trying to be responsive to a corporate sense of urgency about taking advantage of the latest technologies, it is also important to be sure that security plans have been vetted and are up-to-date so they are the best fit for your organization and the incoming technology.
First, IT departments need to create risk profiles before they prepare their organizations internally for the execution of the rollout. They need to assess each risk that mobilization, virtualization or the cloud presents and determine whether they already have the proper security controls in place to ensure the confidentiality, integrity and availability of the data and services on their network.
Only then should they build out a security strategy, complete with a prioritized roadmap, to ensure that corporate data is protected over the long haul. For instance, if an organization is looking at taking a BYOD approach, the roadmap will finalize the architectural structure needed to support the requirements. This architecture will need to include network, security, end points, operational needs and proposed applications for a BYOD rollout.
Companies also have to determine if their existing enterprise tools are applicable for the new environment. It’s great if they are, but often they aren’t going to be a good fit. Be sure to identify the critical technologies and feature sets that match up with your requirements and architecture. A technology scorecard that weighs those features can help you make the right decisions to protect your network data.
Training and education is a key piece of the puzzle that is often neglected. Companies don’t communicate with employees enough about why they are making the changes and what is expected of them as they adopt these new technologies. End users are basically the first and last firewall, so it is critical that they understand their role and responsibilities in safeguarding the data on the network.
Yes, you should look to achieve the productivity gains that these technological advancements promise, but make sure you don’t do it at the expense of the confidentiality, integrity and availability of your corporate data. Mobility, virtualization and the cloud are not going away anytime soon. So while big data grabs all the headlines today, don’t forget about the basic principles of data security as you look to reap the benefits of these other approaches.