Deciding How to Store Data with the Mobile Cloud
When the topic of mobile cloud computing comes up, one of the first questions I hear is centered on data. Usually it is an iPad or Android tablet user who finds some useful productivity applications and is now considering working remotely, perhaps from a coffee shop or a school sporting event. The user wants to access data on this device outside the office. So they ask a question like, “Is it safe to keep sensitive files and information on my device?”
Personally, I love that this question gets asked because it illustrates that users are aware of the need for data security. As wonderful as the awareness is, however, the question still stands and demands an answer.
There is no automatic answer to the question of mobile data storage. To properly determine whether data should be stored on the device, the cloud application, the corporate server, or some combination of these, requires some additional information.
I always ask the user three questions that get me enough information to make a confident decision.
What Data Are You Accessing?
Some information, such as electronic medical records (EMR) and financial transactions, are governed by laws and industry guidelines. This data must not be accessed from or stored outside secure systems that your organization directly manages. Other data should be handled on a case-by-case basis and subject to your data classification system. You do have a data classification system, don’t you?
What applications are you using?
Some applications are more trustworthy than others. There are, for example, several dozen data storage and file synchronization applications for mobile devices. There are dozens more cloud-centric productivity applications, like word processors and spreadsheets, that integrate with cloud storage. I research the application to determine whether the vendor is trustworthy, usually by examining the application, how it stores and accesses data, and by reading the company’s privacy and security policies. I need to be comfortable with the application vendor’s security and privacy before permitting the activity. Most often, using an application is approved but storing the data locally is not. That ties in closely with the third question.
What mobile platform are you using and how is it configured?
Android, iOS, Windows Mobile, and many more mobile operating systems are in the market. In most cases, the OS is independent of the device (with Apple’s iOS the notable exception). The combination of the OS, the device, and the security configuration all combine to paint a picture of how secure local data really is. Almost universally there are gaps in the mobile application security landscape, including the difficulty of centralized configuration management and lack of detailed penetration testing. These devices usually do not meet corporate security requirements, but can be configured to only access cloud-based data without a local copy.
The answer to the question, “Is it safe to keep sensitive files and information on my device?” depends on what data you are using, what applications you are using, and what mobile platform you are using, as well as how it is configured. I find that most often approving users to use mobile cloud applications that do not store sensitive data locally is a good balance between security and usability, giving users the flexibility that comes from mobile cloud applications and services while preventing most security incidents.
If you have comments on this article please join Mike on twitter @mikedancissp.