Thanks to today’s mobile devices and cloud services, users have more choice than ever in the tools they can use to make themselves more productive. From a cyber security perspective, the unique characteristics of mobile and cloud computing introduce new challenges for securing the IT environment. Traditional best practices for protecting sensitive information cannot always be fully applied in such environments, and not all cloud services offer robust security protections. A cyber security practitioner must therefore weigh the value of the information that needs to be protected, the specific threats to each platform, and the mitigations available for each. Mobile devices and cloud services typically live “outside the fence”: systems are no longer locked away in an office building or behind the company firewall, and a control such as a perimeter firewall that assumes otherwise simply does not apply to them. Today’s mobile and global workforce demands a risk-based, defense-in-depth approach to security.
Draconian security policies encourage users to work around them, which is now easier than ever thanks to low-cost mobile and cloud computing services. It is important, therefore, to implement sensible security policies that make it easy for the user to do the right thing. Users should sign a user agreement that specifies the requirements for using personal or mobile devices to access organizational information, including proper device disposal procedures. Users should know which cloud-based services are permissible and under what circumstances, especially when storing or accessing corporate data. Users should also be trained on social networking and blogging policies and on the use of mobile cameras, to prevent the release of information that could be used in a social engineering attack or otherwise damage the company’s reputation. Users should be reminded of their responsibilities at least annually, with ongoing, multifaceted security training. Minimum required security settings and network access requirements for accessing organizational information on mobile devices should be specified in policy and enforced through mobile device management (MDM) tools, so that a device that falls out of compliance loses access rather than relying on the user to notice.
The risk of loss, damage or theft of small mobile devices is significant. Users should be trained to protect these devices, and the organization should require strong authentication, automatic screen locking, encryption of stored data, and, where possible, remote tracking and remote wipe. Separating personal from corporate data on the device (for example with a managed work profile or container) is highly desirable, both to limit what is exposed if the device is compromised and to allow the corporate side to be wiped without touching personal data. Mobile device firmware and apps should be updated regularly, just like any traditional desktop PC. Installing apps only from trusted sources and not jailbreaking or rooting devices is strongly recommended to mitigate the risk of mobile malware, since both bypass the platform’s code-signing and sandboxing protections.
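The two paragraphs above describe a minimum-settings baseline that MDM tooling enforces. The following is an added example, not code from the original article or from any MDM product: a small compliance evaluator that checks constructed device inventory records against such a baseline and turns the findings into an access decision. The field names, the baseline thresholds and the finding names are all assumptions for illustration; a real MDM export (Intune, Jamf, Android Enterprise and so on) exposes similar attributes under its own schema.

```python
"""Evaluate MDM device inventory records against a minimum-settings baseline.

Added example. The record format, thresholds and finding names below are
assumptions for illustration, not any vendor's schema.
"""
import re

# Assumed minimum settings. The article names the controls (strong
# authentication, auto-lock, encryption, remote wipe, separation of corporate
# data, current OS, no jailbreak); the thresholds are illustrative.
BASELINE = {
    "min_passcode_length": 6,
    "max_autolock_seconds": 300,
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
}

# Findings that should block access outright rather than just warn.
BLOCKING = {"jailbroken", "unencrypted", "outdated_os",
            "weak_passcode", "unsupported_platform"}

# Constructed inventory records in the shape an MDM export might have.
INVENTORY = [
    {"id": "d-001", "os": "ios", "os_version": "17.1.2 (21B91)",
     "passcode_length": 6, "autolock_seconds": 120, "encrypted": True,
     "remote_wipe": True, "jailbroken": False, "work_container": True},
    {"id": "d-002", "os": "android", "os_version": "12.0",
     "passcode_length": 4, "autolock_seconds": 900, "encrypted": True,
     "remote_wipe": False, "jailbroken": False, "work_container": False},
    {"id": "d-003", "os": "android", "os_version": "14.0",
     "passcode_length": 8, "autolock_seconds": 60, "encrypted": False,
     "remote_wipe": True, "jailbroken": True, "work_container": True},
]


def parse_version(text):
    """'17.1.2 (21B91)' -> (17, 1, 2). Build suffixes in parentheses are
    ignored; an unparseable string yields () and so compares as outdated."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("(")[0]))


def check_device(dev, baseline=BASELINE):
    """Return a list of (finding_name, detail); an empty list is compliant."""
    findings = []
    if dev["passcode_length"] < baseline["min_passcode_length"]:
        findings.append(("weak_passcode",
                         f"length {dev['passcode_length']} < "
                         f"{baseline['min_passcode_length']}"))
    if dev["autolock_seconds"] > baseline["max_autolock_seconds"]:
        findings.append(("autolock_too_long",
                         f"{dev['autolock_seconds']}s > "
                         f"{baseline['max_autolock_seconds']}s"))
    if not dev["encrypted"]:
        findings.append(("unencrypted", "storage encryption disabled"))
    if not dev["remote_wipe"]:
        findings.append(("remote_wipe_disabled", "remote wipe not enrolled"))
    if dev["jailbroken"]:
        findings.append(("jailbroken", "platform integrity compromised"))
    if not dev["work_container"]:
        findings.append(("no_work_container",
                         "corporate data not separated from personal data"))
    min_os = baseline["min_os_version"].get(dev["os"])
    if min_os is None:
        findings.append(("unsupported_platform", dev["os"]))
    elif parse_version(dev["os_version"]) < min_os:
        findings.append(("outdated_os",
                         f"{dev['os_version']} below "
                         f"{'.'.join(map(str, min_os))}"))
    return findings


def access_decision(findings):
    """Map findings to 'allow', 'allow_with_remediation' or 'block'."""
    names = {name for name, _ in findings}
    if names & BLOCKING:
        return "block"
    if names:
        return "allow_with_remediation"
    return "allow"


def compliance_report(inventory, baseline=BASELINE):
    """Return {device_id: (decision, findings)} for the whole inventory."""
    report = {}
    for dev in inventory:
        findings = check_device(dev, baseline)
        report[dev["id"]] = (access_decision(findings), findings)
    return report


if __name__ == "__main__":
    for dev_id, (decision, findings) in compliance_report(INVENTORY).items():
        print(f"{dev_id}: {decision}")
        for name, detail in findings:
            print(f"    {name}: {detail}")
```

The split between blocking findings and remediation findings is the policy decision the article argues for: a jailbroken or unencrypted device should not reach corporate data at all, while an over-long auto-lock timer is better handled by pushing the correct setting than by locking the user out.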
The wireless nature of mobile devices also creates additional security risks. Use WPA2 (or WPA3) encryption on trusted Wi-Fi networks, and layer end-to-end encryption on top, such as HTTPS (TLS) for web traffic or a mobile VPN for everything else, whenever a public hotspot is used. Note that WPA2 only protects the radio link: on a network with a shared pre-shared key, other users who know that key can potentially decrypt your traffic, so application-layer encryption should not be dropped on “trusted” networks either. Be especially cautious when pairing Bluetooth devices, keep Bluetooth firmware and drivers up to date where possible, and disable Bluetooth when it is not in use.
Other traditional IT best practices remain prudent for both mobile and cloud-based IT: requiring strong authentication and encryption, disabling unneeded functionality, permitting only trusted and digitally signed applications to execute, restricting administrator privileges, using host-based firewalls, restricting the use of legacy software, keeping important data backed up, and requiring robust system auditing. Cloud vendors also vary in their policies on data export, data breach notification, and whether customers may perform vulnerability scanning, so these terms should be reviewed before data is entrusted to a provider. Different laws and legal protections may apply depending on the country in which the data is stored or processed, and these must all be considered.
In conclusion, it is possible to support a mobile and cloud-first approach to IT services without sacrificing security by the careful selection of devices and service providers, the practical implementation of sensible cyber security policies and procedures and the application of robust security controls.
Business demand for specialized knowledge in a growing digital world will continue to expand as new technology security concerns arise. Lewis University’s online M.S. in Computer Science with a concentration in Cyber Security teaches students how to identify cyber threats, design software systems that resist attack, and investigate the aftermath using digital forensics tools. To learn more about the master’s degree, call (866) 967-7046 to speak with a Graduate Admissions Counselor or request more information.