The best practices and technologies involved with data loss prevention (DLP) on mobile devices aim to protect data that leaves the security of the corporate network. Data can be compromised or leaked for a variety of reasons: Device theft, accidental sharing by an authorized user or outright pilferage via malware or malicious apps.
The problems associated with mobile data loss have been compounded by the uptick in employees bringing their own devices to work, whether they have permission from IT or not. In a BYOD situation, the user owns the device, not the organization, which makes security trickier for IT to establish and maintain, since IT does not control the device's configuration the way it does on corporate-issued hardware.
At a minimum, any mobile device that accesses or stores business information should be configured for user identification and strong authentication, should run current anti-malware software and must use virtual private networking (VPN) links to access the corporate network.
In addition, the IT department should implement the following strategies to offer the best protection of corporate information in a mobile environment:
- Regular data backups, which are also regularly tested for recoverability
- User education on DLP
- Application of data classification standards
- Enforcement of information assurance policies
- Use of mobile DLP software
Each of these strategies will be discussed below.
1. Data Backups: You Know the Drill
We don't have to go into much detail on the issue of data backups. Simply put, they're necessary, they must be performed regularly and the resulting backup files must be tested to ensure they can be recovered if necessary.
2. User Education: The More They Know, the Safer Your Data Is
Educating your users on the dangers of data leakage is a useful and valuable process for the majority of users. Whether you get the word out through annual security training, brown-bag lunch seminars or a monthly newsletter, teach your employees about security. Tell them what sensitive information is and show them what it looks like.
Most employees will help protect an organization's assets once they understand what constitutes "confidential" information. They must also understand the consequences to the organization if such information goes public — damaged reputation, corporate espionage, loss of revenue, regulatory fines and penalties, and even a risk to the personal safety of certain employees. Share some actual instances of data leakage encountered by the organization (if possible) and dissect security breaches that made headlines.
3. Data Classification: For Whose Eyes Only?
The ever-increasing use of mobile devices for work, more than almost any technology in the last few years, has brought the importance of data classification to the forefront. Most mobile DLP technologies (see below) rely on some form of data classification to prevent data leakage. Your organization should begin by creating a data classification standard, if one isn't already in place, and then implementing that standard as soon as possible.
A classification scheme consists of broad categories that define how to treat information. The U.S. government scheme for national security information, as defined in Executive Order 12356 (since superseded by Executive Order 13526, which keeps the same three levels), consists of Top Secret, Secret and Confidential. A business or educational scheme might use Highly Sensitive, Sensitive, Internal and Public categories. (If your organization must adhere to specific laws and regulations that govern certain types of data, incorporate appropriate language and measures into your data classification standard.)
Because information comes in many different forms (word processing documents, spreadsheets and emails, spanning marketing material, general business operations, executive correspondence and customer service), some information can be challenging to classify. Derived documents raise their own questions: How do you handle documents that have been altered for other purposes? What if portions of a document classified as Highly Sensitive are used elsewhere, for instance? Should those portions be considered Highly Sensitive as well, or do they require a round of review and, possibly, reclassification?
Be aware that labeling data and classifying data are two different things. A label identifies the required level of protection and is usually a mark or comment placed on the document itself or in the metadata. For example, you could insert the word "Confidential" in the header or footer of a document or add it to a file's properties sheet. When you classify a file, on the other hand, you might or might not apply a label. The practical consequence is that a file can be correctly classified yet carry no label, or a stale one, so a DLP control that keys only on labels will miss it; content inspection is what catches the unlabeled or mislabeled case.
4. Policies: Protect Data in All Its Forms
Your data classification standard must be incorporated into your organization's overall security policy. Policies must be clear as to the use and handling of data, and the approach you select will drive the cost of handling data.
Security policies, standards and procedures establish different requirements on data and information, depending on the lifecycle state (creation, access, use, transmission, storage or destruction). The goal is to protect data in all its forms, on all types of media and in different processing environments, including systems, networks and applications.
Be sure your policies state that users of information are personally responsible for, and will be held accountable for, complying with all policies, standards and procedures.
5. Mobile DLP Software: Watching Mobile Users
Many mobile DLP products offer monitoring, which lets IT view the data a mobile user accessed and/or downloaded from a corporate server. The beauty of mobile monitoring is that it provides warning signs, which give IT a chance to act on a possible breach or policy infraction. However, it takes time to differentiate between general noise and real security threats, so it's often used more like a log for keeping track of actions. The challenge is selectively preventing sensitive information from being transferred to or stored on a mobile device in the first place.
The latest products from well-known DLP application and appliance vendors such as Symantec, McAfee and Websense provide data classification features to label messages and documents (metadata labeling), as well as features that analyze content and filter it when a mobile device interacts with a corporate server.
Referred to as content-aware, these technologies are highly useful for organization-issued as well as employee-owned devices. They can prevent certain emails, calendar events and tasks from synchronizing with a smartphone or tablet from a Microsoft Exchange server, for example, based on the mobile DLP policy. The technologies enable an administrator to separate personal and business email and to prevent business information from being stored on a mobile device.
Some products prevent sensitive information from being transferred to devices based on a user or group rather than a device ID. An administrator simply sets mobile policies for the Sales and Marketing groups, or User03, User04 and User07. You can also find solutions that support role-based messaging to meet military usage requirements.
Content-aware DLP is compatible with mobile device management (MDM) solutions. No DLP agent needs to be installed on the mobile device; the DLP software can rely on MDM-pushed configuration (a VPN profile, for example) to force the device's corporate traffic through the corporate network, where the DLP technology scans and analyzes the content and applies policies. Keep in mind that this design inspects only what actually traverses the tunnel; any path to corporate data that bypasses the VPN also bypasses the inspection point, which is why the MDM configuration, not the user, must decide when the VPN is used.
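The decision a content-aware filter makes at the sync point, combined with the label-versus-classification distinction from section 3, as an added example in Python. This is illustrative code written for this article, not code from any of the vendors named above. It assumes a labeling tool writes an X-Classification header (an assumption), that the four-level business scheme from section 3 is in use, that unlabeled mail defaults to Internal (an assumption), and that per-group ceilings come from a constructed policy table rather than a real directory. The content scan uses a Luhn check so that order numbers and other digit runs are not mistaken for card numbers, and it can raise a message's level but never lower it, so a document mislabeled Public that carries card numbers is still blocked.

```python
import re
from email import message_from_string
from email.message import Message

# Classification ladder, lowest to highest (the article's example business scheme).
LEVELS = ["Public", "Internal", "Sensitive", "Highly Sensitive"]

# Constructed policy (an assumption, not a vendor default): the highest level
# each directory group may sync to a mobile device. Groups not listed fall back
# to DEFAULT_CEILING, i.e. deny by default.
GROUP_CEILING = {"Executives": "Sensitive", "Sales": "Internal", "Marketing": "Internal"}
DEFAULT_CEILING = "Public"

# Content detectors: 14-19 digit runs with optional separators (card numbers,
# validated with Luhn below) and US SSN-shaped strings.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(msg: Message) -> tuple:
    """Return (level, reasons) for one message.

    The explicit label (assumed header X-Classification) is the starting point;
    content scanning can raise the level but never lower it. Messages with a
    missing or unknown label default to Internal (an assumption).
    """
    reasons = []
    label = msg.get("X-Classification", "").strip()
    if label in LEVELS:
        level = label
    else:
        level = "Internal"
        reasons.append("missing or unknown label, defaulted to Internal")
    # This example handles text/plain bodies only; multipart mail is treated as empty.
    body = "" if msg.is_multipart() else msg.get_payload()
    if find_pans(body):
        reasons.append("payment card number in body")
        level = max(level, "Highly Sensitive", key=LEVELS.index)
    if SSN_RE.search(body):
        reasons.append("SSN pattern in body")
        level = max(level, "Highly Sensitive", key=LEVELS.index)
    return level, reasons


def may_sync(msg: Message, groups: list) -> tuple:
    """Decide whether a message may sync to a device used by a member of `groups`.

    The user's ceiling is the highest ceiling among their groups (union of
    entitlements); a user in no known group gets DEFAULT_CEILING.
    Returns (allowed, level, reasons) so the decision can be logged.
    """
    level, reasons = classify(msg)
    ceiling = max((GROUP_CEILING.get(g, DEFAULT_CEILING) for g in groups),
                  default=DEFAULT_CEILING, key=LEVELS.index)
    allowed = LEVELS.index(level) <= LEVELS.index(ceiling)
    return allowed, level, reasons


def parse(raw: str) -> Message:
    """Parse an RFC 822 style message from a string (used for the constructed samples)."""
    return message_from_string(raw)


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = [
        ("Sales", "X-Classification: Internal\nSubject: Q3 roadmap\n\nDraft attached, order ref 1234 5678 9012 3456.\n"),
        ("Sales", "X-Classification: Public\nSubject: Receipt\n\nCharged to card 4111 1111 1111 1111.\n"),
        ("Executives", "Subject: Offer letter\n\nCandidate SSN 123-45-6789 for payroll.\n"),
    ]
    for group, raw in samples:
        print(group, may_sync(parse(raw), [group]))
```

The order number in the first sample fails the Luhn check and is not flagged, which is the difference between a usable filter and one that users learn to route around; the second sample shows a Public label being overridden by content, and the third shows an unlabeled message being caught and blocked even for a group with a Sensitive ceiling.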
Virtual environments can be protected as well. DeviceLock, for example, offers a data leak protection feature called Virtual DLP, which protects local virtual machines, and session-based and streamed desktops and applications. Virtual DLP supports Citrix XenApp, Citrix XenDesktop, Microsoft RDS and VMware View.