While slippery is an adjective oft-associated with eels, at-large criminals and other elusive creatures, the descriptor is also applicable to corporate data, which has a way of wiggling its way outside the oversight of IT. Mobile devices, especially those that contain a mixture of work-related and personal data, offer one of the best escape routes for sensitive information, as well as an access path into the corporate network for malware attacks and other intrusions.
Data Leakages with an Organization
In many instances, sensitive work data exits a mobile device, either accidentally or intentionally, through an unprotected communications channel, such as social networking applications, web browsing, webmail, instant messaging or other untrusted personal applications. An external storage device, such as a USB memory stick or microSD card, is another potential path for corporate data leakage or intentional exfiltration.
Without some sort of partition that provides a leak-resistant boundary between work data and personal data that’s directly connected to these consumer-oriented channels, information is susceptible to exiting the network through seemingly innocuous mechanisms, such as file attachment or transfer or a simple cut and paste operation. On the malicious side, work-related data or information on the device or corporate network can be accessed by a rogue application the user may have downloaded from the Internet, or even a commercial application store.
The following examples represent typical data leakage scenarios:
- Bob is away from the office when he receives an email on his tablet with a spreadsheet containing sensitive corporate information. To edit the attachment, Bob forwards the message to an Internet-based email account and copies the attachment to his home PC. Alternatively, Bob copies the work file to a USB device and then transfers to his PC.
- Bob is on the road and is on a tight deadline to deliver a file containing customer data to a contractor. Instead of sending the document through a secure channel, Bob instead delivers the file using P2P file transfer.
- Alice is frustrated over the marketing team-imposed procedural hurdles she needs to clear to promote a soon-to-be-released product. To circumvent these roadblocks, Alice uploads an unapproved product picture to a Web site that is accessible to the company’s competitors.
- A budding epicurean, Alice downloads a restaurant guide application to a smartphone she uses at work. The application, which is actually malware, scans her corporate intranet via the smartphone VPN for sensitive servers to identify in an attack. It also reads Alice’s corporate email in search of keywords that identify messages with potentially sensitive information, which can be flagged and emailed to an overseas server.
- Bob and Alice submit their resignations in preparation of starting up a competitive business. Before leaving corporate headquarters, Bob downloads critical intellectual property from a Sharepoint server, storing it on a removable Flash drive.
Mobile device containerization is providing IT departments with the ability to address data leakage vulnerabilities.