Nearly everyone in a responsible position will agree that companies and public institutions must place increasing emphasis on data security. However, I would like to challenge the sense of how this is currently enacted in regard to mobile access.
Whereas increasing mobility presents a continual challenge to data security, current processes are largely based on the requirements of the past. The reason for this is that most companies attempt to construct mobile solutions around a core IT structure in order to enable Internet connectivity and mobile access, thus keeping their existing IT systems in place as ‘safe havens’. This may serve to explain the lack of confidence in Cloud solutions compared with the traditional trust in conventional solutions, along with the constant references to insecure mobile devices – regardless of whether they are Apple or Android products.
However, I think this is a fallacy.
In contrast to legacy applications, modern Cloud-based solutions are designed for mobile Internet access. Hence, they come fully equipped with state-of-the-art technology and functions which facilitate access for designated users whilst limiting its scope as required.
The introduction of web-based extensions of existing solutions in a DMZ (perimeter solution) is often performed with copies (or partial copies) of the original data to minimize risks. But does it matter whether it is the electronic original or the electronic copy that is stolen? I was personally affected by such a situation last year, as I received a ‘nice’ letter from a company asking me to check my account, as my data ‘had been lost’. In this particular case it was a partial copy, as it ‘only’ affected those customers who had used the website forms during the past 3-5 years.
I also don’t agree with the argument that stolen data cannot be manipulated: in most cases it will be possible to amend the data, and these changes would then be incorporated into the central system again.
Another underestimated risk is the theft of notebooks containing copies of confidential information. This nightmare for any secret service came true when NASA lost a notebook with control codes for the International Space Station (ISS). And, given today’s high storage capacities on smartphones and tablets, such losses are likely to continue.
The way I see it, it is therefore high time to adjust the strategy and redefine the objective:
- Online access to a central, well protected original, which is only available via secure interfaces at data record level.
- Usage of secure electronic IDs.
- Online connectivity of mobile devices storing only the minimum required data on the mobile device!
- Permanent monitoring and improvement of data center and mobile systems and technologies.
Incidentally, the first point isn’t new; it was called for in conference keynotes ten years ago by Oracle’s boss Larry Ellison.
I am aware that the mobile devices currently available on the market have many, quite serious security issues. But as there will be no way to stop the trend towards mobile devices, the goal must be to eliminate these security issues.
In an interesting approach to system monitoring, the Federal Office for Information Security has published a traffic-light catalogue of weaknesses sorted by products and manufacturers.
The article only reflects the author’s personal opinion, but maybe you are of the same mindset…