On the July third Virtualization Security Podcast, we discussed mobile security with Harry Labana, CPO of CloudVolumes, and Ben Goodman of VMware. Actually, it was not necessarily about mobile security as much as it was about security in accessing corporate data from mobile devices, regardless of device and location of data. What came out of this conversation was twofold: some actionable items you (the end user, security, stakeholders) can take today, and a desire for something more—a way to wrap a security context around some data accessible by any program.
While the end goal is security context–wrapped data, there are several things you can do today to improve your overall security posture when accessing your data from mobile devices. Harry Labana called this the human firewall component of security. The human firewall comprises the actual users of the mobile devices. When we look at mobile device security, we must be cognizant of this aspect. All the technology in the world will not remove the users from the picture. In essence, from a security administrator’s perspective:
Security should remain invisible until the user strays off the beaten path. While on that path, security should not get in the way. Yet, security should provide the necessary training and education on what is and is not acceptable when accessing corporate data.
From the users’ perspectives, we are asking them to do the following, which requires training and some effort by users:
- If you are attempting to use or want to use a cloud service, ask your security team for advice on the best approach. They should be placing the knowledge in in-KNOW-vation. Work with them to gain that knowledge.
- Know your surroundings; situational awareness is crucial. For example, accessing sensitive data from a security conference (or any conference) without taking the proper precautions is a really bad idea.
- Be aware that each user is responsible for corporate security; no one can take that responsibility from you.
- Realize that multifactor authentication is a general requirement, and the extra effort is there to protect the user as well as the organization.
In essence, accept the responsibility and do your job, using common sense. While mistakes happen, this is where good security tools come into play, perhaps by asking for further authentication or the like.
Beyond what you can do today, the future is very interesting as well. If we are to place a security wrapped context around our data, we need a mechanism by which to do so. There are a few possibilities currently. The first is to create a new set of tools that can interpret the context, act upon it, and then present the data stored within. The other is to modify existing tools and access methods to impose a context on the data. The later is done by AFORE Solutions with its SecureAPP and SecureFILE products. For Windows users, this is an interesting set of tools. For Linux, there are ways to encrypt volumes, but nothing that is truly per-file based. Perhaps Docker could assist here.
Docker presents a container into which is placed data, binaries, etc. Perhaps Docker can be modified to include a robust security context that would invoke the appropriate tools to verify policy and then allow access to the data. Yet for Docker to be successful, it also needs to work within a Windows framework. Perhaps Docker can at least be that starting point?
Application virtualization has many flavors, but those that embed security contexts into data will allow one’s data to move around and be accessed through a secure method from any device, based on policy. This would also allow for general security protections around data, regardless of the SaaS in which the data resides. It is imperative to wrap our data with some sort of security context—in some ways this includes some sort of policy control container that invokes a tool of the appropriate type for an operating system from which the data is accessed.