A data-centric rather than device-centric security model turns IT security on its head, but it leaves the enterprise more secure, and it is also more realistic and simpler to deploy and support.
We have talked about devices being treated as “tools” for employees rather than as IT infrastructure. That is a radical shift in thinking. A related concept we also firmly believe in is that security must focus on enterprise data, not on devices. This is another radical shift in IT thinking.
Device security currently focuses on securing the endpoint or device. These device centric models are flawed because:
• As soon as the device is compromised, the enterprise network is exposed as well as data on the device and back in the network (see jailbreak discussion below).
• Endpoint-based security creates separate architectures that become increasingly complex and unwieldy (for both mobile and fixed access), with a new layer of solution added each time the next gap in the model appears (VPN, anti-virus, firewall, MDM, MAM, etc.).
• Increasingly, the device may not be owned by the enterprise; applying IT security policies to personal devices is fraught with issues and ultimately does not work.
A data-centric approach focuses on the actual enterprise data and/or applications. The model focuses on sensitive corporate data and creates a robust encryption barrier around that data, both at rest and in transit. Data is protected regardless of the device operating system or device state (e.g., rooted/jailbroken, protected by a device management policy or not, etc.).
The model also aligns well with personally owned devices/BYOD because IT only looks to secure and control its own “assets”: the enterprise data and/or the enterprise apps. This is a much more collaborative and reasonable position to pitch to employees, whose support is critical for success.
A data-centric security model adheres to a few essential principles:
• All data must be encrypted, in transit and at rest, and all encryption keys must be generated from strong credentials that are device independent.
• All encryption technology is implemented independent of the underlying device platform, ensuring that attacks on the OS don’t compromise the app/data.
• All sessions must be authenticated with strong credentials, and IT must be able to implement secure session management policies.
• All communications must be verified, end-to-end, precluding the possibility of unauthorized proxy access along the way.
• IT must have the tools available to implement the principle of least privilege. Data should be available to mobile employees who have a legitimate business case for using that data on a mobile device, and it should only be available under the circumstances (online/offline, location) justified by that business case.
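The following Go program is an added example, not code from the original article or from any product it describes. It shows what the first, second and last principles above look like when implemented in an app: the data-encryption key is derived from the user's credential and a per-record salt (never from a device secret, so a rooted or jailbroken device holds nothing useful at rest), the data is sealed with AES-256-GCM, and the least-privilege policy (offline allowed or not, permitted regions) is bound to the ciphertext as authenticated additional data, so it cannot be loosened without breaking decryption. The type names, the `Policy` fields, the credential and plaintext strings, and the KDF iteration count are all constructed for this example; PBKDF2 is written inline to stay on the standard library, and `slices.Contains` assumes Go 1.21 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
)

// Policy is the least-privilege rule bound to one piece of data: the
// circumstances (online/offline, location) under which it may be opened.
// It travels as AES-GCM additional data, so altering it breaks decryption.
type Policy struct {
	AllowOffline bool     `json:"allow_offline"`
	Regions      []string `json:"regions"`
}

// Record is all that is stored on the device; the key itself is never stored.
type Record struct {
	Salt, Nonce, PolicyJSON, Ciphertext []byte
}

const kdfIterations = 100_000 // constructed example value, not a recommendation

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte
// block, written inline so the example stays on the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// aeadFor derives the data key from credential plus per-record salt and wraps it in AES-256-GCM.
func aeadFor(credential, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(credential, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext at rest and binds pol to the ciphertext.
func Seal(credential, plaintext []byte, pol Policy) (Record, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	polJSON, err := json.Marshal(pol)
	if err != nil {
		return Record{}, err
	}
	aead, err := aeadFor(credential, salt)
	if err != nil {
		return Record{}, err
	}
	return Record{salt, nonce, polJSON, aead.Seal(nil, nonce, plaintext, polJSON)}, nil
}

// Open authenticates ciphertext and policy together, then enforces the policy before releasing data.
func Open(credential []byte, rec Record, online bool, region string) ([]byte, error) {
	aead, err := aeadFor(credential, rec.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, rec.PolicyJSON)
	if err != nil {
		return nil, errors.New("authentication failed: wrong credential or tampered record")
	}
	var pol Policy
	if err := json.Unmarshal(rec.PolicyJSON, &pol); err != nil {
		return nil, err
	}
	if (!online && !pol.AllowOffline) || !slices.Contains(pol.Regions, region) {
		return nil, errors.New("policy denies access in this context")
	}
	return pt, nil
}

func main() {
	cred := []byte("user-passphrase-plus-mfa-secret") // constructed credential
	rec, _ := Seal(cred, []byte("Q3 forecast (confidential)"), Policy{Regions: []string{"EU"}})
	_, err := Open(cred, rec, false, "EU") // offline use is not in the policy, so this is denied
	fmt.Println("offline open:", err)
}
```

The order of checks in `Open` matters: the policy is only consulted after GCM has authenticated it together with the ciphertext, so a record whose policy was edited on a compromised device fails with the same authentication error as a wrong credential, and the plaintext is never released in a context the policy does not cover.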
To learn more: