The majority of business leaders in the UK believe that they relinquish responsibility for data security when it is stored in the cloud.
You'll also need to keep reviewing information security at each and every step of the transformation "to ensure that the information and security triad of Confidentiality, Integrity and Availability (CIA) is maintained," McNeil adds. CIA can be defined as:
- C: Protecting information from disclosure to unauthorised parties;
- I: Protecting information from modification by unauthorised users;
- A: Ensuring the information is available to authorised users.
Getting specifically secure
The generalisations are now out of the way. But what about best practice as it applies to securing the specific business transformational technologies of BYOD, cloud and virtualisation?
BYOD
Once an employee connects their mobile devices to the office Wi-Fi, you are facing a mobile file management situation. Often organisations will take this a step further and allow them to connect to the corporate email. However, by doing this, you then become responsible for the management of the information and content that enters and leaves your company network from their device.
"There are problems when people start bringing in different devices with different security levels and features," warns Alan Laing, vice president of Acronis in Europe, the Middle East and Africa (EMEA). "For instance, some older Android devices run operating systems that are not very secure, so you can have people sharing files over the company network and sending emails to themselves. Then the device will get forgotten on the bus ride or on an airplane and you have a serious data breach."
Newer devices like iPhones or iPads do have restrictions that can be applied, such as not allowing the use of Safari, email or locking the camera. Companies are able to do this if they add a small file to the device. However, the employee has to willingly provide the device for this. "For other devices, companies can provide mobile file management solutions which enable businesses to apply their own rules," Laing adds.
"You have a remote control, which allows you to see who has an iPad or an iPhone or who has six tablets and two smartphones and so on and then you can distribute those rules to those devices."
One of the most basic restrictions an administrator can enforce is access to the server on an iPhone. You can enforce a pass code to come up as soon as someone tries to connect a smartphone or tablet. "There are also apps that manage access to corporation information on devices," Laing says.
He continues: "They can be downloaded from Apple's App Store or the Android Market (Google Play) and give employees access to the enterprise network. They start accessing share points and network resources on mobile devices within the restrictions of the application. This means that devices aren't locked, but a company is able to ensure that its employees have something efficient and that is easy to use and gives them quick and easy access. This solution stops staff being able to send themselves emails or add corporate content to Dropbox or Skydrive."
