One of the great things about working at BlackBerry is being able to chat with world-class security experts. We sat down with Jay Barbour from the BlackBerry Security team to talk about “containerization” – the separation of work and personal data and usage on mobile devices – to get a good understanding of why it’s so important.
Inside BlackBerry: Jay, we know that healthcare organizations are a hot target for hackers. Recently, there was a massive breach at insurer Premera which impacted 11 million customers. And yet, one of the biggest data security problems in healthcare, and finance for that matter, isn’t only external attacks, it’s data leakage from insiders. What exactly is data leakage and why does it matter to regulated industries?
Jay Barbour: Data leakage is the unauthorized or unprotected transfer of data outside an organization’s controlled environment. In the mobile world, data leaks often happen when sensitive data is shared through personal use cases and apps, but there’s a big risk of malicious insiders exfiltrating data as well.
Inside BlackBerry: What’s different about data leakage scenarios that happen via mobile devices versus PCs, where personal and work usage commingle as well?
Jay Barbour: Desktops and laptops are almost always owned by the company, and desktops operate behind the firewall, so IT has a lot of visibility into what’s happening with the data. Laptops are trickier because they are often outside the firewall, but laptops have a lot of security software tracking and controlling sensitive data. Mobile devices, by contrast, are increasingly personally owned, and the security controls must be much less intrusive and more efficient, so as not to impair the user experience. Also, personal privacy is critical and users won’t tolerate IT intruding on that privacy.
Inside BlackBerry: What are the kinds of risks organizations should be watching for when it comes to mobile data leakage?
Jay Barbour: Data leaks are problematic on devices that have uncontrolled commingling of personal use cases and work information. Here are some common scenarios of employees jeopardizing corporate data without realizing the security risks:
- A financial services marketing manager forwards a file attachment of 5,000 customer accounts to a personal email account so they can work on it from home.
- A healthcare employee uses a non-secure instant messaging app, cutting and pasting the diagnosis of a patient to share with a co-worker.
- A government employee downloads a personal app that silently captures data and uploads it to a third-party server.
Of course, most employees do not have malicious intent, but there are some that do. We’ve seen this as well, where an employee who is about to leave a company copies customer records to a USB drive and takes them to another company. Or a healthcare employee takes patient information to commit prescription fraud. This happens more than you’d think, and for regulated industries, the consequences are damaging and costly.
Inside BlackBerry: Are you seeing these issues crop up frequently in mobility today? What are the risks and potential impacts?
Jay Barbour: Data leakage is a growing problem as more enterprises mobilize their sensitive business processes. Unlike the breaches we read about in the news, mobile data loss is more frequently about small amounts of data leakage over many devices, rather than one large data breach on a single system. To compound the problem, very few mobile devices have data logging and auditing capabilities, so organizations can’t even see it happening. Since mobile devices connect to public networks, they become open gateways into an organization. If a mobile device has uncontrolled commingling of work and personal data, hackers can potentially access work data on that device, as well as internal enterprise systems over the device VPN.
Inside BlackBerry: What can companies do to get a handle on data leakage? What exactly will these solutions protect against?
Jay Barbour: “Containers” separate personal and work data, creating an effective security solution to protect against mobile device data leakage. For example, any data that’s contained within the “work space” cannot be copied and pasted, forwarded, offloaded or accessed in any way outside the work space. It remains secured and controlled by the IT department.
This is the optimal solution for both employees and businesses alike. Employees’ personal information remains private and separate from work use while ensuring corporate data is secure.
Inside BlackBerry: We know that healthcare has traditionally been more conservative about adopting new technology because of cost constraints, concerns about complexity and the user impact. In finance, we often see quick adoption of new consumer technology followed by a retraction because of recognized security risks. Why are some of these organizations hesitating to adopt mobile data leak protection if solutions are readily available?
Jay Barbour: Most of the time, these organizations understand there are risks with non-containerized devices but they are concerned about the cost of container solutions, as well as the impact on the user experience. Unfortunately, these same organizations are underestimating risk because there is little transparency in how data leaks from devices. However, look carefully and there are mature containerization tools that have a native look and feel, and include a secure enterprise app environment. All of this adds up to a great user experience that doesn’t compromise personal privacy.
The most effective containers also bundle a full suite of productivity tools and apps out of the box, so employees are immediately productive without any complicated setup or additional cost to IT.
Inside BlackBerry: Jay, you talk to a lot of end-users — what do employees who use containerization technology say about their experiences?
Jay Barbour: Users are picky. The smallest inconvenience can turn them off from using containers, so it’s important to ensure native look and feel. They want easy-to-use work apps, a responsive and user-friendly UI, and complete privacy of personal information, so that IT can’t see personal usage or access personal data. Integrated containers that come with the device, and “app wrapping” containers that are installed by IT onto the device, also leverage native platform APIs and SDKs to take advantage of device features and functionality, making it an empowering experience.
Inside BlackBerry: We’ve focused here on healthcare and finance. But what should organizations in non-regulated industries take away from this discussion?
Jay Barbour: The massive strategic security issue facing organizations is the loss of intellectual property to overseas competitors. All companies, large and small, need to understand that they are being targeted. This has cost companies hundreds of billions in lost revenue because of stolen R&D, manufacturing processes, and other sensitive business information. Mobile devices without containers are increasingly part of this large issue, either through user-initiated data leaks or malware installed as personal apps. The acid test for a CSO happens when a data breach hits and he/she is asked whether or not reasonable measures were taken to protect the data against expected risks. When you lose data on a mobile device that was not containerized, it’s going to be hard to avoid the responsibility that follows.