Follow the Info
The release of Mobile Guardian version 5.1 from security firm Credant Technologies aims to solve that problem by introducing the concept of "collaborative mobile data security" -- a hosted system that lets enterprises enforce security policies on data wherever it resides or is transmitted, including on mobile devices belonging to non-employees.
"The one-dimensional view of security is that the enterprise says we will protect an employee working on a device at the office," explains Richard Stone, Credant's vice president of marketing. "But nowadays workers are using many different types of devices -- laptops, USB 'thumb' drives, iPods, and so on -- in airports, hotels, coffeeshops. And it's not just employees but affiliates, even customers."
In theory it's a powerful idea. The encryption "follows the data" and requires authentication to be viewed no matter the device onto which it's downloaded. But it will require significant changes in user behavior and attitudes, since to view a protected document or file, a user must first download a piece of Mobile Guardian software (known as the "Shield") and be authenticated.
"I like the idea that the encryption follows the data," comments Dave Rosenberg, CIO at San Francisco investment research firm Glass Lewis, "but I think that anything that requires users to add another interference point in their process will be difficult to deploy."
That was the case in 2002 at Integris Health, Oklahoma's largest non-profit healthcare organization, when a previous version of Mobile Guardian was installed. For the first time, physicians (a notoriously prickly user group) and other clinical staff had to log in on their mobile devices to access private patient data.
"When we first put it out everybody was complaining," acknowledges Integris senior IT security consultant Randy Maib, who plans on upgrading to version 5.1 later this year. "It's gotten a lot better, mainly from us beating it into their heads over the years, making sure they're aware of the policies instituted by the company to protect that data on those devices. We still have a few naysayers -- but they still have to go through the log-on procedures."
Extending that sort of security protocol beyond the enterprise, to partners, affiliates, and customers, could be even more of a challenge. Credant's Stone is aware of the behavioral hurdles, but says that the added protection will be worth the hassle.
"At the end of the day it's an inevitable truth. We're saying to the user it's not your choice anymore," Stone admits. "One of the key business needs we've identified is to make this transparent to the user, and when it's not transparent it needs to be easy to use."
Otherwise, such added security layers run the risk of alienating users -- or worse, making them unproductive. "Ultimately the users will rebel and [the security protocol] will get kicked out."
At any rate, such extensible, no-choice permissions-based systems may well be the wave of the future as proprietary data comes increasingly unmoored from protected enterprise machines. While the Credant solution is aimed at stopping the theft of private information, mobile devices are also increasingly besieged by various forms of malware. (See Virus Leaps to Wireless.)
"The tiny PDA is an easy backdoor into otherwise tight corporate networks," says Cyrus Peikari, CEO of Airscanner Mobile Security. "For this reason, we have developed an antivirus and firewall solution for the platform -- and it's why we recommend users have layered protection, such as that provided by Credant."
This is one of those cases where dealing with complaints up front may be preferable to risking disaster on the back end.
— Richard Martin, Senior Editor, Unstrung