Feeds

back to article So: Just how do you stop mobile users becoming leaky lusers?

A note from The Register management: This is a survey, and yes, you're right, that's you giving us valuable time and information for nothing. But we have to pay the bills somehow, so if you like the Reg being here you might consider helping Mr Vile out. And who knows, maybe your views will reach the right ear somewhere and help …

COMMENTS

This topic is closed for new posts.
Silver badge

Stopping data leakage starts with a classification of data, ie becoming aware of what data you have, assessing the risks of leaking/losing it, and implementing measures to protect it. In short, those mostly boil down to policing and monitoring of communication (network, e-mail), data access, and connectivity of mobile storage; encryption of mobile devices and network; identity and access management.

And stopping data leakage ends when management sees the projected costs. Until they get kicked in their teeth by the next employee who sells another DVD brimmed with highly confidential data to foreign tax authorities or a Chinese competitor.

7
0
Bronze badge
Go

Bravo

@Evil: I have to applaud your succinct post that captures both theory and practice.

(Warning: coming from a slightly biased perspective given my job was suspiciously close to your nick. Hint: the evil part was the informal nomenclature)

2
0
Silver badge

Leaky mobile users are not the biggest problem. The problem is leaky mobile *companies*. Take EE for example and the selling of customer data, or Vodafone and 3UK using Bluecoat. Manufacturers are just as bad too - just look at Apple and the location tracking problems that they've had to deal with in the past.

Incidentally I know that the management behind this site likes to maximise the advertising on this site- witness the gaudy and eye watering ads that fill the entire background - but disguising an ad for a survey as an article? Really?

This is a new low for this site.

2
1
Anonymous Coward

Survey as an article?

"Incidentally I know that the management behind this site likes to maximise the advertising on this site .. but disguising an ad for a survey as an article? Really?"

Give em a break, someone has to pay for this website you are reading, and you don't have to take the 'survey' ..

0
0
FAIL

People and confidentiality

Protecting confidentiality of data is an oxymoron.

There are ways to protect the confidentiality of your data:

1) do not generate it

The list is no longer than one entry. (period)

When people have data, you already have a leak. The people are the leak; be it it by shear stupidity or malice does not matter, neither do the means how the data is leaked. When there is data somewhere accessible, you have a non-zero chance of data leaking out. The probability of a leak over time is 1. Live with it or stop generating the data.

2
2
Ru
WTF?

Re: People and confidentiality

There are ways to protect the confidentiality of your data:

1) do not generate it

You seem to be under the impression that 'protection' is some sort of absolute; either you've got it or you ain't. Wrong.

If you hold confidential data on me, you'd better be exercising some due diligence with regards to keeping it confidential, rather than just leaving it on a public webpage and saying 'eh, it would have probably leaked one day anyway'. You might not agree with me, but there are quite a few legal jurisdictions in the world which agree with me, and they're also ones in which quite a lot of business is done.

You seem to have completely missed the rather important underlying point, which is that creation of confidential data and restricting the dissemination thereof is critical to the workings of business, governments, medics and even friends and families. No-one can simply give it up.

Given this constraint that somehow went over your head, what can be done to ameliorate leakage and provide some contingency plans?

1
0
Anonymous Coward

Re: People and confidentiality

1) do not generate it

I have to add:

2) Avoid Google

A few years back I was trying to reactivate my YouTube account that had been suspended for posting Johnny Carson clips. I filled out the forms and got replies from YouTube/Google on my associated email addresses. Still no joy.

I got aggressive and was able to get my appeal kicked upstairs and reviewed at a higher level. I sent an email from my GMail account. To my surprise, a response came back, not to my GMail account, but to my anonymous Yahoo email account that I had never, ever used for Google before. It was a restricted email account that I only used for personal confidential correspondence and Yahoo Groups

Now, I'm very meticulous as to how I keep my communications separate. I keep a log file of memberships, newsletters, anything I sign up for and note the name used and the email address. This email address was used for personal correspondence and Yahoo Groups - absolutely nothing else.

The question becomes why did Google not respond back to my GMail account that I emailed them to in the first place? The reply email included my full name, address, and more. It was scary.

So, why not respond to my GMail account? Because it was of Google's subtle way of saying "we know everything - EVERY-FREAKIN-THING!"

2
2

Re: People and confidentiality

Just take a clue from the pirates.

The real ones.

Dead men tell no tales. Mua ha ha ha ha!

0
0
Silver badge

The biggest hole in any IT security policy?

It's the bosses laptop / smart phone/

4
0

First, WiFi is Internet only. CorpNet is wired, and devices that connect to it are suitably locked down (AD).

Second, Internet-based remote access from corporate (non-BYOD lapstops) is provisioned via DirectAccess.

Third, devices that use WiFi or come in via the Internet use policy enforced using Exchange.

Fourth, corporate apps that employees need on their devices are built either as web apps, or you build native clients.

Fifth, you create a separate AD forest, and use WS-* or SAML to create a forest-level trust, so that CorpNet credentials are never used outside the CorpNet boundary.

Sixth, corporate apps that can be accessed from the outside are protected by an application firewall (BigIP F5, UAG, or similar) - defense in depth.

Seventh, you create or use a native app for devices that copies passwords from for that separate AD to the clipboard, so that they can be pasted into to the corporate app, thus foiling the likes of CarrierIQ and the NSA.

Lastly, if the benefit outweighs the expense, BYOD devices use Chip and PIN challenge/response.

The above is trivialised, but that's my strategy. If it's too sensitive to be accessed from the outside, it's simply not available from the outside.

1
0

And when the CEO demands BYOD ?

Sensible policies tend to give way to corporate bigwigs wishes.

0
0

Re: And when the CEO demands BYOD ?

Then your problem is cultural and political. Which needs to be addressed before you start thinking about technology.

1
0
Big Brother

Main point

> If it's too sensitive to be accessed from the outside, it's simply not available from the outside.

Exactly. +1

Cheers,

2
0
Silver badge

The policies listed by spearchucker are usually the ones I've seen at the places I've worked.

But first and foremost should be nobody is allowed any access with their BYOD. Ever.

1
0

It's not about techniology, it's about risk.

The "problem" comes down to one of risk management. What is the risk to the assets involved versus what access to those assets is worth to the organisation and what it would cost them should they be compromised.

Once you have an understanding of the risks and costs you can start to look at mitigating those risks and the cost of mitigation versus value of the assets and the benefit of allowing mobile access.

In technology terms the solutions are already out there, the question is; do they provide a sufficient reduction in risk to justify the expenditure against the business benefit?

1
0

Re: It's not about techniology, it's about risk.

This is without a doubt where you start. I'd add a contingency plan though. Mitigation reduces probability. You'd want to think about reducing the impact, too.

Whilst there are only 5 threats (spoofing, tampering, information disclosure, denial of service and elevation of privilege), the biggest impact will come from disclosure. What do you do after data loss has happened?

0
0
Anonymous Coward

We all agree, data cannot be 100% secured. Stop BYOD or face the fines because no matter what action is taken, data cannot be 100% secured especially on a 3rd party device.

2
0
Silver badge

I blame BYOD

There is a reason why organisations who are serious about leaks don't allow access to sensitive data on byod devices. Most, in fact, insist you lock your mobile etc in a special deposit box behind the security desk as they scan you on the way in. It's not hard to stay secure, it just requires inconvenience, diligence and a bit of cash.

3
0
Anonymous Coward

'Windows desktop refresh activity'

What's the above point about.........? Anyone know and can fill me in how this relates to mobile leaky users? (thanks)

0
0
Gold badge
Coat

Re: 'Windows desktop refresh activity'

I think that's only in there as Eadon bait.

0
0

This post has been deleted by its author

Anonymous Coward

Stopping data leakage starts with....

...Having meaningful fines for those who incompetently or wilfully mismanage data... But we're such a long way off from that, because politicians don't want to be business unfriendly in a GDP chasing world. So complacency will lead to extreme cases of data leaks until politicians are forced kicking and screaming into getting their act together and passing laws.. Just my two cents....

1
0
RW
Devil

A secret known to two people is no secret

Title says it all.

0
1
Anonymous Coward

Treat the bosses mobile like your childrens' gloves

Belt Clip and lanyard.

0
0
This topic is closed for new posts.