UC: Data security in a mobile world


Unified Communications (UC), collaboration, and mobile technology are increasingly one and the same thing. Suppliers certainly agree: when even large-enterprise technology behemoths, such as IBM, Oracle, and SAP, start using the language of cloud, collaboration, and small business units, and when desktop giant Microsoft bets Windows 10 on a mobile, collaborative future (incorporating Skype for Business), then we can assume that computing has left the corporate desktop for good.

This has changed the enterprise itself. For some organisations today, ‘the office’ is a mindset and a set of shared practices, rather than a place that people travel to. We used to talk of a ‘work/life balance’, but now it’s more a case of subtle and constant integration.

However, the fact that the once-clear boundary between work and play is blurring means that security is becoming more complex in the always-on mobile world. Indeed, there is a sense that our legacy concept of ‘the enterprise’, with its 1990s roots in client/server computing, is breaking apart in the cloud.

The upside is increased collaboration, but when so much in communications is becoming a stream of personal choices rather than a clearly defined space, that poses a data security challenge – both for the organisation and for its customers, stakeholders, and employees. For these reasons, security must primarily be about policy, common sense, good practice, and business goals; supportive technology comes second.

‘Square one’ of the mobile UC security game is recognising that corporate data still belongs to the core organisation, and not to the individual; it needs to be secured centrally, and then accessed remotely by well-managed, rigorously enforced authentication.

Strong authentication and access control are a must, and yet research consistently shows that ‘123456’ and ‘password’ (or ‘Passw0rd’) are still the most common passwords found online. Also, storing logins and passwords locally is only convenient when the device is in your possession; if it’s stolen or lost, any still-active sessions gift the finder an open door into the organisation.

Thanks to Bring Your Own Device (BYOD) schemes, people’s own choice of mobile device is often the one they use for work too, so it’s important to emphasise that the organisation’s BYOD and data security policies don’t just apply in the office during traditional work hours.

Dispersed organisations of remote, mobile, flexible workers need to be held together by a shared mission, clear data-protection policies, and common technologies, so not downloading apps independently of the IT team is core to the principle of UC: it’s called unified communications for a reason!

Wrapped up in all this is the growth of ‘shadow IT’, as employees (and sometimes departments) mix and match their own technologies informally. The temptation is clear: a world of new mobile apps and cloud platforms is out there, each promising to make the employee’s job easier. But any one of them might have been rushed to market, and so be full of bugs or exploitable weaknesses. Some might even be malware.

However, business and IT professionals should see that desire to be creative as an advantage – it signals that employees are enthusiastic and keen to do their jobs. Put together a suite of approved, standards-based tools that can be centrally managed and secured.

Mobile UC is also about common sense. Proactively managing and changing passwords is just one sensible measure, as is logging out of enterprise applications if your device is used by other people.

Other security practices cover everyday behaviour, because fallible human beings are always the biggest weakness when it comes to data security. For example, don’t take part in private videoconferences or virtual meetings in public places, such as on trains, in cafes, or in departure lounges. Anyone could be listening or taking notes, from journalists to customers, investors, or competitors.

Similarly, don’t use free public wifi hotspots in cafes, hotels, or even conference centres when engaged in collaborative business: use them at your own risk, not at your organisation’s. That tempting password-free hotspot might be a community resource, but equally, it might be someone in the next room, scraping all the data from your device. Use the official channels.

For employers, and for digital-native employees who have never known a world without mobiles and cloud platforms, security has a cultural dimension, too. The millennial culture of openness, downloading, peer-to-peer sharing, and constant communication may run counter to some organisations’ aims, not to mention their responsibilities to customers and their regulatory obligations.

Also, be aware that buying a collaboration tool doesn’t make you a collaborative organisation. To benefit from such tools demands a shift of culture, together with a supportive management team that isn’t threatened by flatter, less hierarchical workflows. (As ever with IT, buy technologies to support business goals, not the other way around.)

But of course, security is a technology challenge too. ‘The enterprise’ was once a secure silo with on-premise technology, a dedicated data centre, authorised hardware, enterprise software, and a clear perimeter: the office firewall. But in many cases, that has been replaced by something more nebulous: a fog of code, and sometimes of responsibility too.

And just visible on the horizon is yet more disruption: the Internet of Things (IoT), the emerging world of interconnected devices made possible by IPv6. In that world a mobile device might be a tablet or a phone, but it might also be a car, a camera, or a telepresence robot: anything that can connect to a local network and then to the internet, or be controlled remotely by a smart device.

The implications for UC should be obvious. Over the next few years, international real-time meetings, and collaboration on anything from simple documents to complex engineering projects, will be the norm, and that means that a huge variety of smart devices may be controlled remotely during those collaborations, from smart whiteboards to 3D printers.

Recent research by IBM has shown that countless smart devices can easily be hacked, including: a car’s telematics unit (hacked via a modified MP3 file, which disabled the car’s brakes); a building’s HVAC and security controls; smart lighting, which exposed a building’s wifi passwords, and so on.

In this new, interconnected world, IBM recommends (alongside secure authentication) the use of a secure operating system with trusted firmware guarantees and a unique identifier. IBM says: “While IPv6 is key to identifying ‘things’ on networks, ‘things’ also need a subscription to a trusted identity database. The concept of traditional authentication doesn’t apply.”

Data privacy protection is also essential. For example, with mobile payments starting to appear on smartphones, credit card information may be accessible to any devices that are linked to them, via wifi or Bluetooth, along with any corporate credentials that are stored on the device.

Data and transmission encryption are both essential, and yet it is astonishing how many of the cloud platforms that have been hacked or compromised in recent years contained unencrypted customer data, including logins and passwords.

In the mobile environment, strong application security is also a must, now that vulnerabilities arising from software bugs are commonplace – as the recent Heartbleed and Bash Shellshock cases have proved.

With mobile UC, always remember: you carry the enterprise – along with everything and everyone connected to it – in your pocket.

(A version of this report was published in The Times earlier this week. Reproduced with permission.)

About Author

Chris Middleton

Chris Middleton is a widely respected business and technology journalist, author, and magazine editor. In recent years he has been Editor of Computing (where he remains Consulting Editor); co-founder and Managing Editor of Professional Outsourcing – a magazine he developed from scratch and grew to be the leading magazine in its field; Editor of CBR in its most successful year; and co-founder and launch Editor of Sourcingfocus.com. Today, he is co-Director of EastwoodMiddleton Publishing, and founder, designer, and Editor in Chief of Strategist magazine (UK), the boardroom magazine that provides strategic insight for business leaders, and of its mobile-first digital edition at www.iamtheStrategist.com. He is also co-founding Editor of Child Internet Safety magazine, and a contributing Editor of Diginomica.com. Over the years Chris has also written for, among many others, The Guardian, The Times, the BBC, and Computer Weekly. He is the author of several successful books on digital media, and a commissioning editor of more than 50 books.