As data moves to the cloud and becomes accessible from anywhere, it’s more important than ever to ensure that both corporate and personal devices being used to access data and services are secure. There are many options for addressing these security concerns, but choosing the right tools and configurations can quickly become complex. Considering what to do about devices like laptops, tablets, and smartphones while in the office, at home, and while traveling can become overwhelming or cumbersome. Some organizations may find a secure one-size-fits-all solution, but many will want, or need, a little more flexibility.
Understand Your Data
Most organizations have data with varying degrees of confidentiality. Classifying data helps to ensure that you can implement appropriate security where it's needed, but not so much that convenience and productivity are impacted unnecessarily.
You may want to be a little more relaxed with access to presentation materials to ensure they’re readily available from a variety of devices and locations, but perhaps you want the medical records of your clients to remain locked down to company-owned devices located inside your offices. Many security solutions allow for this level of granularity, even for data that’s stored in cloud services.
Determine Safe Places to Store Data
Next, determine what systems are acceptable for storage of these different types of data. For example, most organizations will want to implement reasonable protections for access to email, but allowing regulated information like medical records to be contained there will require you to implement a variety of controls that may make access to this common, and sometimes critical, communications tool overly burdensome.
For example, both security and usability can be greatly simplified by requiring moderate security on email, high security on SharePoint Online, and ‘linking’ to confidential files from email instead of ‘attaching’ them, so the files themselves stay in the more tightly secured location.
Determine Safe Devices for Different Data Types
Now that the data is properly classified and stored in secure locations, you need to decide which devices can access it. Most modern consumer devices can be made secure, but in some cases increased security comes at the cost of greater company control over the device, and sometimes even a small amount of end-user privacy.
In many cases, such as with Microsoft Outlook and Word, that balance can be further fine-tuned by applying additional control and security to the business apps and data on the device instead of to the whole device. A good example here would be allowing email in the native iPhone Mail app, but only allowing Microsoft apps to access the SharePoint Online site. Or, if highly sensitive data must be transmitted via email, a reasonable compromise for organizations that want to allow bring-your-own-device (BYOD) might be to allow email on personal iPhones but require that it be accessed from the company-controlled Outlook app.
Implement Security Controls and Create Policies to Fill the Gaps
In some cases, it may not be possible to enforce the security you require with technology. For example, you may be required to use a third-party Electronic Medical Records system that simply doesn’t integrate with, or offer, the protections you want. These technology gaps can be filled by guiding behavior with various policies such as an Acceptable Technology Use Agreement or Employee Handbook. Similarly, sometimes the technology fails or isn’t properly configured. It’s important that end users understand, and acknowledge, what is acceptable and what their role is in maintaining appropriate security.
Gaining a deeper understanding of the complexities of securing data can be a daunting task. Understanding the data, determining safe places to store it, and enforcing security requirements to access it from trusted devices will help you ensure you have appropriate protections in place.
Erik Thomas, Manager of Professional Services for Systems Engineering, has over 15 years of experience with IT, application development, and business operations. Erik consistently serves as a Virtual CIO for many clients, bringing leadership and expertise to enable exceptional outcomes for businesses.