Security "Bits"

What Did Data Say To The Device? - "It's Not You, It's Me"

By Annie Wang | October 30, 2014 at 5:40 AM

Securing Data


“Every user device must be viewed as untrusted and the focus must shift from securing devices and networks to securing the data” – Nat Kausik, CEO Bitglass

Mobile device security for employees is all the buzz these days. In fact, 87% of IT managers believe that the biggest threat to mobile device security comes from careless employees. Various government agencies must be compliant with FIPS and healthcare orgs must be HIPAA compliant, placing pressure on these groups to protect mobile data. This raises some questions about how to secure employee devices and whether or not existing methods are reliable.

Android vs. iOS

Just last week Samsung got some negative attention about their Knox security layer for Android devices, after gaining government approval. Researchers found that {not so} Knox could be “completely compromised” given the fact that the encryption key security was alarmingly weak. FYI, the new Android update, Lollipop, will be incorporating some of the stronger security features of Knox into the new platform-wide update scheduled for November of this year, a strategy aimed at stealing market share from iOS.

In the meantime, Apple’s iOS platform continues to dominate Android in the government agency and enterprise data protection space, with the superior security of their operating system (AES 256 crypto engine built into the DMA path).

Trusted Devices

Then you have “Trusted devices,” a method common in most major banks, which in most cases is a laptop loaded up with a ton of security software. Employees then take these laptops, travel the world (unknowingly picking up all kinds of malware and phishing attacks along the way) and then re-enter the secure firewall, with laptops still deemed “trusted devices.” This is most likely what caused the whole JP Morgan fiasco a few weeks back. Not the safest approach to mobile device security.

With all that being said, is protecting the DEVICE the right approach? Not anymore.

A New View on Mobile Device Security

Enterprises and government agencies need to make improvements in their security. They must realize that the trusted vs. untrusted device method is no longer the best way to secure sensitive company data. Hackers have evolved. This is evident in the fact that anti-virus software now detects less than 5% of all malware (I’m no gambler…but a 5% chance…dang). Organizations must evolve their security architectures as well. All user devices should be deemed “untrusted”, which will shift the focus from securing the device to securing the actual data itself. This also means that all data access should be subject to contextual-access control and alerts. These alerts can then notify IT if a laptop or mobile device begins downloading crazy amounts of protected data.
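One way the download-volume alert described above could work, as an added example that is not Bitglass code: every device is treated the same, and only access to data labelled protected is counted. The one-hour window, the 500 MiB limit, the event fields and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)          # assumed look-back window
LIMIT_BYTES = 500 * 1024 * 1024      # assumed per-device ceiling for protected data

# Constructed sample events: (ISO timestamp, user, device id, data label, bytes downloaded)
SAMPLE_EVENTS = [
    ("2014-10-30T09:00:00", "alice", "laptop-17", "protected", 40_000_000),
    ("2014-10-30T09:05:00", "bob",   "phone-03",  "public",    900_000_000),
    ("2014-10-30T09:10:00", "alice", "laptop-17", "protected", 300_000_000),
    ("2014-10-30T09:20:00", "alice", "laptop-17", "protected", 250_000_000),
    ("2014-10-30T11:00:00", "alice", "laptop-17", "protected", 100_000_000),
]

def volume_alerts(events, window=WINDOW, limit=LIMIT_BYTES):
    """Return one alert per device each time its protected-data volume
    inside the sliding window first crosses the limit."""
    recent = defaultdict(deque)   # device -> (time, bytes) entries still inside the window
    totals = defaultdict(int)     # device -> bytes currently inside the window
    alerting = set()              # devices already over the limit (suppresses repeats)
    alerts = []
    for ts, user, device, label, size in sorted(events):
        if label != "protected":
            continue              # the control follows the data, not the device
        now = datetime.fromisoformat(ts)
        q = recent[device]
        while q and now - q[0][0] > window:
            totals[device] -= q.popleft()[1]   # expire entries older than the window
        q.append((now, size))
        totals[device] += size
        if totals[device] > limit:
            if device not in alerting:
                alerting.add(device)
                alerts.append({"time": ts, "user": user, "device": device,
                               "bytes_in_window": totals[device]})
        else:
            alerting.discard(device)           # back under the limit, re-arm the alert
    return alerts

if __name__ == "__main__":
    for alert in volume_alerts(SAMPLE_EVENTS):
        print(alert)
```

In the sample, the large download of public data raises nothing, while the third protected download from the same laptop within the hour does.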

Remember, the answer to mobile device security is to secure the DATA not just the DEVICE.


Product Marketing Manager

Tweet @Bitglass for any questions or comments you may have.


