With mobile usage on the rise, enterprises today face the daunting task of securing data on phones. The mobile ecosystem is most vulnerable to data security issues. According to the 2012 Data Breach Investigations Report, published by the Verizon RISK Team, about 855 data breach incidents were reported in 2011.
With an increase in such cases, encrypting mobile data on devices is gradually gaining momentum. With the right data encryption techniques, IT can prevent sensitive enterprise data from being compromised if a mobile device is lost or stolen. In the coming year, IT professionals will have to manage not just threats of data leakage and identity theft, but also growing consumer and employee concerns about data privacy.
The Need for Encryption
Enterprises are now approaching encryption as a proactive defensive measure rather than something done after a data breach. “Instead of worrying about the amount of mobile devices, we need to focus on enabling access to the apps and data needed by the appropriate individuals regardless of device. This will allow us to be more strategic and enable us to focus on our biggest BYOD problems: security, access rights and data leakage,” says Carol Fawcett, chief information officer, Dell Software Group. Instead of encrypting data only on a company-owned device, we can see the growth of innovative products from companies that enable us to secure documents no matter where they reside or from which device they are accessed. Encryption is enabling easy access to data from anywhere in a secure manner. However, even then, enterprises struggle to adopt mobile data encryption practices.
The researchers have already observed a significant increase in mobile malware volume and believe that this skewing is about to change even more dramatically starting next year. IT has to tackle mobile data encryption from 2 perspectives: data on devices and data transmitted to and from those devices. A number of data encryption techniques exist, but challenges from a management perspective remain, apart from the major issue of the cost of encryption.
“The challenge with data security solutions for most organizations is trying to balance the expense of the solution against the productivity of the users. Maximizing that total cost of ownership (TCO) of the solution is critical,” says Nameet Dokare, head, India Sales, WinMagic. With so many different kinds of devices, IT struggles to find a mobile data encryption strategy that will work for every device and every user in an enterprise.
On-device Data Encryption: IT’s biggest challenges with on-device encryption rest with the devices themselves. Some mobile operating systems give devices the functionality to encrypt some, if not all, on-device data. With other devices, IT must rely on third-party products to manage mobile data encryption.
Transmitted Data Encryption: IT should also make sure that any sensitive data transmitted between mobile devices and the enterprise is encrypted. That’s no easy task, given the variety of devices employees bring into the enterprise. Ideally, any organization should be able to encrypt both on-device and transmitted mobile data. “Encryption must cover data in motion through GSM encryption and secure protocols over TCP/IP. Symmetric encryption of data in rest must protect it in storage online and offline. This I think is not being done currently at all levels,” says an Airtel spokesperson.
If an organization supports a variety of mobile devices (different manufacturers, different operating systems, etc.), IT must take each device’s encryption capabilities into account and use them to their fullest potential.
IT managers should consider 3 relevant areas when choosing an encryption solution of any type:
Critical for M-payments
Among the various applications running on mobile devices, mobile banking and payments emerge as a critical space for data breaches. The data flowing to third-party service providers has dramatically changed the mobile banking and payments landscape and has made valuable financial information a prime target for criminals. With so many m-payment gateways and apps, security at many levels is ignored. “Too often, the rush to develop these applications has resulted in a development life-cycle that lacks a sufficient security focus. The institutions thus remain largely at risk as the lack of sufficient security focus leaves the application users and the organisation vulnerable,” says Pradip Bhowmick, executive director, PwC India. Data encryption services are an important factor in providing such services, as encrypted data is unlikely to be susceptible to any kind of misuse, says Debasis Chatterji, CEO, Netxcell Limited.
However, financial services in IT organizations are in various stages of adopting security practices to meet the challenges driven by an evolving mobile market. Integration of mobile application security into the mobile SDLC, strong authentication using mobile-specific information or applications, and encryption of sensitive information on the device are some of the leading security practices in use. “A simple way to achieve this is to use secure socket layer (SSL) encryption, for example using HTTPS instead of HTTP in the context of mobile web. While using HTTPS, it is very important to use 256 bit encryption since 128 bit encryption has been found to be vulnerable,” says Bipin Preet Singh, CEO and founder, MobiKwik. Most of the solutions in this space are being provided by the existing IT partners of the banks and other financial entities which follow the stringent guidelines of the RBI.