How important is Mobile Security in a cloud enabled world?

Matt Tett
Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

A vast majority of workers these days carry around mobile devices which have the capability of accessing the internet. Some of these devices are supplied by organisations, but in most cases they are the employee’s own personal devices.

The issue of Bring Your Own Device (BYOD) has been done to death of late with many vendors claiming to have a solution to address the issues of staff using their own technology in the office. Often these solutions involve intricate work-arounds, enabling staff to access corporate resources with scant regard for the security measures they have just circumvented—all in the name of making their life easier.

There is no doubt these devices are here to stay, so the business needs to deal with them. Confiscation of devices upon entering the workplace is not going to cut it.

Cloud technologies are also hitting the headlines as the answer to every IT manager's budgetary concern: a game changer no doubt, akin to the virtualisation revolution several years ago. With promises of lower data handling costs and increased redundancy and availability, it's a compelling proposition. However, it also increases a company's risk profile significantly, which causes the risk team to go through the roof, particularly when trying to ascertain exactly where the enterprise's information is being physically stored.

So what happens when employees realise there is the distinct possibility their device may be misplaced or stolen? Their precious photos would be gone, and so would company data. A backup solution is needed, so with a flick, cloud services are enabled which transparently, and on the fly, synchronise the data on the mobile device. Now, even among the most paranoid enterprises still evaluating the cloud, most are actually already, and inadvertently, in the cloud. Multiply that by the number of employees who all chose to circumvent the controls implemented.

Who is liable? Who is responsible? How does one even pursue such a breach (which may be cross-jurisdictional)?

If a breach does occur in the cloud, or the cloud provider’s End User Licence Agreement (EULA) states the provider does have equal access and usage rights to information uploaded to their service, it’s clear who will suffer–your business.

Your comments and thoughts are invited.

Comments (2)


1

A work mate referred me to this site. Thanks for the resources.

hardiitom

2

My thoughts about this post are very positive. The importance of mobile security in a cloud enabled world is increasing day by day. The number of mobile users is increasing, and to protect users' security in the cloud world it's important to maintain secure security.


Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.