How many mobile devices do you use for business? I personally use three — a laptop, a tablet and a smartphone (four if you count my “only makes phone calls and nothing else” phone with my business number). I am pretty well average there. I do not store business-related data (or personal data for that matter) on the actual devices. However, I do have two of the devices set up for a remote wipe should I lose or misplace them.
Because my data is stored mostly in the cloud when working on these devices, I figure the most I would lose in a remote wipe is my contact list. (Granted, that would be a killer. Cell phones make it way too easy to never remember another phone number again. And this is a good reminder that I should download pictures to a hard drive.)
So I read with interest a blog post by Tom Porter, senior director, enterprise security at Fortinet, who questioned the validity of the remote wipe as a security tool. On the surface, he says that remote wiping seems like a reasonable approach. I’d be among the first to say, absolutely, remote wipe is a necessary tool in this world where the average worker owns 3.5 mobile devices, and with the rapid growth of BYOD. After all, somebody has to be in charge of protecting the security of company data on your personal phone.
However, Porter says, while nuking the device’s data is a good idea on a company-owned phone, those personal devices used for work present a trickier dilemma. Remote wipe on BYOD, according to Porter, doesn’t work. He said in his blog post:
Even when implemented and managed correctly (the exception – not the rule), remote wipe does not lower risk in any significant way; it obfuscates the workable processes that do function to protect remote confidential data and creates the potential for very real privacy-related litigation.
Bottom line: Porter argues that the remote wipe of personally owned devices is a fallacy, and that neither IT nor employers can rely on it as a primary security tool. His post goes into great detail on why that is the case and explains away a number of the myths.
As I read the piece, it made a lot of sense to me and, while I’m not giving up the remote wipe options on any of my devices anytime soon, I think his words will make me a smarter mobile device user. Bottom line: Remote wipe may be your goal, but you can’t trust the endpoint. Porter said:
They can only be authenticated. Well … they can also be lost or stolen. Most information security professionals recognize this, and they understand that, fundamentally, the integrity of an endpoint is always suspect. To that end, rational design of any data protection strategy depends upon integrating and managing a number of possibly related security controls (defense-in-depth) regardless of the state of the endpoint.
It’s an interesting concept, this idea that the owner of the device controls the endpoint and that they need to start taking responsibility for their devices’ security. Security directors need to get the word out that remote wipe should be a last-resort approach to security, and that there are other tools and processes out there. As Porter said, none of those tools may be as cool as remote wipe, but they make a whole lot more sense in the long run.