It’s 2013: do you know where your corporate data is? Not so long ago, the answer would have been relatively simple. From financial spreadsheets to business proposals, product designs, customer lists, and beyond, virtually all company information used to be housed, managed, and readily available on corporate servers or tape—all (or at least most) safely under IT’s thumb.
Today, however, even the most sensitive files are just as likely to be sitting on your CEO’s tablet, your sales manager’s laptop, your HR director’s smartphone, or in a cloud-based storage service. Centralized control has dissolved under the onslaught of mobility, free online file sharing services, changing work habits, and the consumerization of IT. In the process, enterprises have lost security, accountability, and other protections necessary to thwart data thieves, comply with regulatory mandates, and satisfy needs like forensics and legal discovery.
Clearly, governance must be reinvented for the “post-PC” world. Governing devices is not enough, regardless of the mobile device management (MDM) solution. All endpoint data must also be brought under IT control— whether on PCs, laptops, tablets, or smartphones, and whether at rest or in motion—and integrated into a single audit trail. Only then can IT have the full visibility necessary to manage and protect enterprise information assets.
WHO’S MINDING THE STORE?
The decentralization of data has multiple causes. An estimated 80 percent of knowledge workers now use their own mobile devices for work, placing many files outside IT reach. Sixty-six percent use a consumer file sharing platform like Dropbox or YouSendIt to store or share corporate documents, further fueling data dispersion. Forty-four percent telecommute at least once a week, increasing mobile file exchange because of the need to collaborate with remote colleagues.
In addition, the average user now has 2.8 connected devices, each potentially housing multiple copies of the same file in document libraries and/or e-mail attachments. With all of these changes in computing and work habits, Gartner has calculated that nearly 30 percent of all enterprise data now resides exclusively on end-user devices. Given the fact that thousands of these devices go missing from offices, cars, taxis, airports, and elsewhere every year, one would think that every IT team would be adjusting its risk management programs to prevent the loss of that data.
Yet many are failing to take the obvious first step: backup. According to Druva’s latest survey on the state of BYOD and data protection, more than 45 percent of organizations don’t back up employees’ desktops and laptops, and 93 percent skip backup on tablets and smartphones. Correcting that oversight is the first step in building a data governance strategy for the mobile enterprise.
A comprehensive backup program must cover every endpoint in the organization, including PCs, laptops, tablets, and smartphones. The goal is to create a single authoritative source and audit trail of all endpoint data at rest. This lays the foundation for the entire governance initiative.
With this complete data repository, any file can be easily recovered in the event of device loss or theft. Entire document libraries can be quickly restored on replacement devices. Tools such as remote wipe can be used to delete data from a missing device without the risk of losing the only copy of critical information. Data required for compliance audits, leak investigations, litigation requests, and other purposes can be supplied without needle-in-a-haystack searches through disparate hardware devices used by hundreds or thousands of employees.
Having a master record of all endpoint data also makes it possible for mobile users to access their files remotely from whatever device they are using at the moment, eliminating the need to move files from one device to another or into a consumer file sharing service to ensure anytime/anywhere availability. This in turn supports data governance by limiting the distribution and associated exposure of a given file.
IT-MANAGED FILE SHARING
Another key governance building block involves replacing Dropbox-type services with secure, centralized, IT-managed file sharing. With the right product, all internal and external file exchanges can be consolidated into a single activity stream that provides the same visibility, traceability, auditing, and reporting abilities for data in motion as the backup function supplies for data at rest. This approach also enables policy management to control access to shared data.
Admins can typically configure sharing privileges at the group or individual user level, for example. Admins or end users can set limits on the number of viewers and downloads for any shared file, and restrict any shared file to view-only in order to reduce data leakage risk by preventing downloads. Other security features, including automatic data encryption and, in some cases, the use of links that again prevent downloads, can be set to expire to limit access and provide a mechanism for determining who has viewed the file as well as when and how often. None of these controls are available with consumer file sharing services.
Solutions that integrate backup and file sharing simplify governance efforts by enabling global data searches by file, user, or any other filter; eliminating redundant policy and user management on separate point products; and providing a common user interface that encourages employee use by avoiding the need to open multiple applications for different functions. Admins can also drive adoption of their internal file sharing system by blacklisting services such as Dropbox and YouSendIt on employee devices through the app management feature on most MDM products.
AUDIT TRAILS AND OTHER PROTECTIONS
A strong data governance program should also provide both end user and administrator accountability, data leakage protection (DLP) strategies that mitigate the risks associated with lost or stolen devices, and separation of personal and corporate data on the same device to enable easy disablement of enterprise information.
In the area of accountability, enterprises need to be able to reconstruct all activities related to corporate data use. That includes the ability to trace actions such as remote file retrieval, file sharing, and data restores by end users; and policy configuration errors, password resets, sensitive data access, file sharing permission changes, and remote erasure of data on a stolen laptop by administrators. These abilities— stemming directly from backup and file sharing audit trails—streamline problem resolution, trend analysis, regulatory compliance efforts, and data leak investigations.
In the case of DLP capabilities, the governance plan should include not only encryption for shared files but also remote deactivation for lost or stolen devices, geolocation of user devices, and the ability to selectively delete data on user-owned devices to prevent departing employees from taking corporate data with them. These features advance governance by strengthening risk management powers.
Separating personal and corporate data through containerization gives IT personnel control over enterprise information even if it resides on a personal device. In the event of a device loss or departing employee, IT can then choose to remotely erase only the corporate data in that virtual container, ensuring protection for enterprise information without also shredding personal data against employees’ wishes.
Taken together, all of these strategies form a road map for restoring data governance to enterprises dealing with the IT consequences of the mobilization and consumerization of the work environment. From taming data sprawl to preventing device thieves from viewing files in clear text and beyond, businesses can take back control to protect themselves against data loss, compliance violations, and an inability to trace the source of a data leak. This is not an option; it’s a necessity. The future of your business may be at stake.