
The End Point

News and views on the threat of data leakage, by Sacha Chahrvin, Managing Director, DeviceLock.com UK.

Monday 19 October 2009, 9:43 AM

Mobile Encryption is not Enough

Posted by DeviceLock

Every instance of data leakage through a mobile device is a two-step process: first, an uncontrolled transfer of data from a corporate server or host-based resource to the device and, second, a further unauthorized transfer of that data from the device to the outside. To mitigate this efficiently, existing Data Leakage Prevention (DLP) solutions for mobile devices include two layers of defense: first, DLP components residing on servers, PCs or dedicated network appliances, which intercept and filter data in all communication channels used by those devices; second, device-resident information-security components that prevent data from leaking uncontrollably from the mobile devices.

There is currently only one truly effective mechanism that directly prevents data leakage – device-resident encryption. Typically implemented as ‘file/volume encryption’ or ‘whole device encryption’, it blocks access to encrypted files and other objects stored in the memory of stolen or lost devices, as well as on removable memory cards. Security vendors also tout remote data wiping as an additional mechanism for preventing data leakage from missing mobile devices. Realistically, however, this is not a reliable means of protection, as any cyber thief will immediately remove the memory card from the stolen device for analysis on a ‘failproof’ device.

All other device-resident security components – FW, VPN, device/port control, anti-virus/anti-malware, IDS, application control, NAC, user/device authentication – are not designed to filter data by content or type and therefore cannot be used to determine whether outbound traffic contains a leak to block. As for anti-spam components on the device, they work in the opposite direction: they filter unsolicited data coming in to the device rather than data going out.

Although cryptographic solutions like “whole device encryption” could completely eliminate data leakage from stolen or lost mobile devices, they are not a DLP panacea for mobile devices. This is because applications work with data in RAM in plain, decrypted form, so nothing prevents users from deliberately or accidentally sending plain data to an external destination from within an open network application such as email, a web browser or instant messaging (IM). As a result, a negligent employee could forward an email with order delivery instructions to a subcontractor without noticing that the email’s attachment contains clients’ personal data that should not be revealed to third parties. The only way to achieve truly encryption-based protection against mobile data leaks would be a physically isolated intranet-type system with no external communications at all. However, this scenario is useless to any business or public sector organization, as their operations inherently depend on external communications.

Without underestimating encryption as the most effective security technology for preventing data leakage from mobile devices today, it should be acknowledged that once data reaches the device there will always be a high risk of it leaking uncontrollably to the outside. This is why, for the foreseeable future, a critically important layer of corporate defense against mobile data leaks needs to be intelligent control over the channels that deliver data to the mobile device.
