Building a Mobile Computing Security Strategy

Posted by Lou Person on Jul 08, 2011 in Cloud Journey
Part two: Who Needs to Know What
One Size Fits None

These days, more organizations than should are spending more money than necessary on securing more resources than is practical, against more risks than make sense.

Yes, it is true that:

  • Security breaches are on the rise.
  • There are laws to obey, standards to uphold, best practices to follow.
  • Bad things sometimes do happen to good people.

But it is also true that:

  • Statistically speaking, it’s not happening as often, or to as many, as you may think.
  • From a liability standpoint, negligence is not to blame nearly as much as you may suspect.
  • Legally, there may not be as much that you can do about it as you may hope.  

So how much security is enough?
It depends on who you are and what you do, according to an in-depth InfoWorld report [1] on the subject released in March 2011. If you happen to be the leader of the free world or Agent 007, then by all means deploy everything you can get your hands on. If not, a more practical, “who needs to know what” approach proves to be far more effective, especially when you take these game-changing realities into account:

  • Not all information is sensitive or valuable.
  • Not all people have access to sensitive or valuable information.
  • Not all information can/should be protected in the same ways.

Here is a quick look at the four basic security risk groups InfoWorld suggests that you consider addressing (when appropriate) in every area of security planning, including your Mobile Security Strategy:
 
People who deal with routine business information 
(Rarely have access to anything personal or sensitive)

  • Types of professionals: Truck drivers, graphic designers, restaurateurs, etc.
  • Types of issues: Lost devices, etc.
  • Types of solutions: PINs, etc.

People who deal with important business information
(Could cause harm worth preventing, but won’t sink the ship)

  • Types of professionals: Mid-level managers, IT professionals, consultants
  • Types of issues: Access to somewhat sensitive systems, lost devices
  • Types of solutions: Complex passwords, SSL encryption, remote wipe, etc.

People who deal with sensitive business information and technology 
(Can cause significant harm)

  • Types of professionals: Finance, medical, regulatory, product developers
  • Types of issues: Access to somewhat sensitive systems and devices
  • Types of solutions: Complex passwords, SSL encryption, remote wipe, access control

People who deal with top secret information and technology 
(Can jeopardize lives, or national security)

  • Types of professionals: Military, government, spies
  • Types of issues: Access to extremely sensitive systems, lost devices
  • Types of solutions: Military-grade encryption, discreet lockdown control

_______________
[1] InfoWorld Deep Dive: Mobile Device Management, March 2011