Tag Archives: mobileiron

Protect company data by securing the personal cloud – a cautionary tale

Screen Shot 2015-02-08 at 8.53.17 PMI was part of the leadership team at a small technology company based in Europe and North America. As with many multi-national companies, there was friction around the strategic direction of the company and what verticals provided the greatest revenue opportunities. Unfortunately, the friction was never resolved and festered into a deep level of distrust between the US and European based business units. At times it got down right ugly.

The CEO convinced the Board to focus our technology in the financial services vertical where we had the strongest foothold and generated enough revenue to break even. Other members of the leadership team had very different points of view on where the product should evolve and several stealth projects started popping up. Yes, it is wise to focus on innovation and to make longer-term bets on where and how the market or technology may evolve. However, this can’t happen at the expense of making customers happy.

As a result, several “skunk works” projects were started, engineers ran amok and no one was in control of the code. Our CTO mentioned to me in passing that one project was being coded on a unsecured personal laptop…and the director of the team was not aware of it. When I heard that, I busted out the Rolaids. Oh boy. Clearly these “skunk” projects were stinking up our offices and needed to be reined in for corporate data and proprietary code was at risk.

An eagerly anticipated employee was hired and brought under management by the product organization. This employee was cherry picked from a competitor and had great knowledge of our type of technology and how to apply it to the financial technology vertical. He quickly got started creating innovative products and the team was excited to reap the benefits of a growing revenue side. Sounds great, right?! The company will own innovative products and the code to meet the lucrative financial technology vertical! WRONG!

Screen Shot 2015-02-08 at 8.42.21 PMThe leadership team learned that our innovative product dynamo was developing code on a work laptop, but was backing up to a personal cloud service. Our IT team had no policy in place to prevent or address this. Yikes. The company lost control of a proprietary asset. This employee was quickly reprimanded and asked to back up to a secured back up solution. Unfortunately, the relationship quickly soured and the decision was made to fire the employee. The employee was escorted out of the building, but a copy of the code was backed up to the personal cloud only hours before the termination. Clearly the employee saw this coming. Shit…the code was gone. The investment in the employee’s talents was wasted and company assets were outside of the company’s control.

Obviously once this incident happened, there was A LOT of finger pointing for why the right data policies and technologies were not in place to secure the personal cloud. This unfortunate tale is not uncommon and points to the many challenges company leaders, especially CIOs, face in a fast paced and innovative world. These many challenges are made even more complex with the adoption of cloud solutions and mobile devices in the business environment.

This personal yarn I’ve spun points to the importance of having CIOs and other IT leaders think through how to protect company asset. The first exercise is to implement a mobile enabled network access control (NAC) solution and policy. This technology will enable IT managers to define who and what devices have access to the corporate network. Speaking from my experience, a NAC solution and policy would have prevented employee personal laptops from accessing the secured network. IT would have easily identified the laptop’s posture and directed the employee to access a public Wi-Fi network. Given the wide adoption of mobile devices, it’s important to consider a NAC solution that is also mobile aware. Imagine the competitive implications if our code dynamo was able to access proprietary code through a powerful tablet he brought in the day we terminated his employment? By not controlling this device access, a company is leaving a back door open for data to escape.

A second exercise is to consider implementing a mobile security solution to secure the personal cloud. This is of paramount (I LOVE that word!) importance given how many productivity solutions are moving to the cloud. From my experience working for a multi-national company, cloud technology is very important to enable cross time-zone collaboration. However, it is mission critical that access to this cloud is controlled and managed. Cloud collaboration should only be occurring in secured environments where employees have the approved device posture and access credentials. If the right cloud solution is not in place, the company risks experiencing the code floating out the door accidentally or through deliberate nefarious employee activity.

Heed my words, young IT Jedi, or risk having your “Death Star” plans slip right through your fingers.*

*Star Wars fans, yes, I understand I’m mashing together a lot of Star Wars quotes with this sentence.

Advertisements

EMM solutions required to address consumer demand for BYOD

Screen Shot 2014-11-13 at 8.39.41 PMA recent survey by MobileIron found that 80% of respondents are now using personal smartphones or tablets in the work place. Intuitively this makes a lot of sense. I work in the heart of the Silicon Valley and see a ton of badged employees checking their work email on their personal devices as they wait for the salads at Specialties. It’s really easy to tell who works in marketing or BD (iPhone user) and who works in IT or engineering (Android)….or who moved here from the EU (Microsoft) and is still waiting to upgrade their device.

I still marvel at why people want to bring their own device to work…and why companies allow it with very little consideration given to data security and device management. I remember how excited I was in the early 2000s to get my company issued mobile phone. “Wow, I can make business calls AND personal calls…and I don’t need to buy my own phone! Or pay for my plan! Killer.” Now that attitude has evolved to me wanting to access my work email on my own device…and wanting my company to pay for the service plan. After all, I am using my personal service plan to make work calls and check work email. Given this use case, why shouldn’t I want my company to buy the phone as well? Seems logical to me.

We use our laptops for business and personal use and we expect the company to buy those as part of the workplace. It’s RARE that someone wants to use their own laptop at work…and is even greeted with a degree of suspicion for what kind of secrets he or she wants to steal. For example, I had an employee who wanted to write code on his personal laptop. I was adamant that he writes code only on a company laptop out of fear that we’d lose control of the code…let alone having the code physically leave when/if he left the company or lost the laptop. Clearly this was during a time when consumer facing cloud storage solutions were not prevalent.

Screen Shot 2014-11-13 at 8.35.02 PMSo why are there varying employee expectations for mobile devices and laptops? I think the big difference lies within HOW the employee uses the mobile device and what technology is available on the handset. The handset is a camera, online radio, game console, and an access point to social media. All these use cases are driven by personal preference and interest. I can think of only three common use cases on the work front: check work email, make work calls on the road and dial into WebEx meetings while commuting. Conceptually, the mobile device represents an employee’s personal life…and the employee wants to connect their personal life to the company and all it’s proprietary information.

Let’s take a 15 second commercial break and ponder the significance of this and the implications it has for businesses.

OK…we’re back.

Controlling how much access these “personal life” devices have to company data is MISSION CRITICAL for protecting proprietary information and conforming to regulatory environments. Controlling access is also critical to protecting customer data and preventing breaches from unscrupulous employees. Unfortunately, I can speak to several occasions where I’ve witnessed colleagues opening up sensitive data on their phone…to then upload a file to a personal cloud service. Or instructed company visitors to log on to Wi-Fi…to unknowingly providing them access to the same network files that NDA’d employees have access to. Wow, this is scary when you think about it, isn’t it?

So what to do? No matter how small the company, business must embrace the fact that employees want to bring their own device to work…or better put, want to meld their personal life with their professional life. Internet technology managers must also make implementing an enterprise mobility management (EMM) solution a top priority to control who has access to what company data and through which access points.

There are several EMM solutions out there and it’s up to IT leadership to assess their solution needs and approach the right vendor. However, the lagging IT manager will rue the day that he/she pushes off implementing a solution “until next year.” The Internet and cloud connected nature of mobile devices is a ticking time bomb for important data to leave the company. It’s just a matter of time until the data escapes.


Mobile platform security is key for mobile payments providers

I was at one of many Christmas parties and conversation topics, of course, covered “where will you be for Christmas” and “are you done with your shopping.”  Almost everyone was done with their shopping, but the big follow up question was “Well, did you end up shopping at Target?” There were a handful of people at this gathering that did shop at Target over the ill-fated shopping period.

The conversation very quickly involved everyone around the buffet table and included comments like, “I can’t believe hackers actually were able to break into a huge chain like Target” and “your credit card information is not safe anywhere!” Clearly EVERYONE at this party will be checking their credit card statements very closely in January!

However, one comment made really grabbed me. “If my credit card can be swiped by hackers at Target, I’m sure as hell not going to want to use my phone to pay for stuff.”  Obviously this exclamation sparked another round of fervent debate and discourse. A few well-known coffee and pastry shops in the area were called out in conversation as using new mobile payments technologies and were “flagged” as potential places to monitor for card fraud.

The implications of the Target data breach on the mobile payments vertical are HUGE.  There are serious challenges that must be addressed both on the consumer and business side of the equation for the many emerging mobile payments technology providers.

First of all, consumers have the perception that it’s no longer safe to use even debit or credit cards at physical retail stores.  According to one account of the Target breach, a security analyst at a major bank was made aware that cybercriminals were planning to sell online a new stock of stolen credit/debit cards.  The analyst bought the stolen card numbers of his/her bank customers using Bitcoin.  Presumably, these transactions lead to the discovery that these card numbers were stolen from Target.

One could easily make the assumption that Target was not even aware of the breach until the bank analyst made these card number purchases from the cybercriminals. Yikes! This lack of awareness of the problem scares me deeply at the consumer level.  Would Square be able to quickly inform a merchant that consumer’s payment data has been swiped and is being sold by cybercriminals? Could Square inform users that their data was stolen?

Secondly, business and IT executives at Target and all major retailers are wondering how and why the Target payments system was hacked.  Obviously, there are fast and furious internal investigations within Target as their legal and technical teams prepare for a barrage of lawsuits coming their way from banks and consumers.  These Target executives will be pounding on the doors of their payment system providers and their 3rd party vendors as well.

The discovery phase of these lawsuits will get UGLY FAST.  Moving forward post breach, all physical and online retail payment platform providers will be evaluated with much greater scrutiny with a focus on platform security, ability to detect a data breach and processes to quickly inform users that data has been compromised.

Emerging payment providers such as Square, Dwolla and PayPal need to address these implications head-on to address consumer and business needs in a post Target data breach world.

Platform security is now a big focus.  Yes, each provider does have website messaging that talks to how secure their platform is.  However, security requirements and technology must be increased especially as the payments platforms are being sold into individual SMBs and at the enterprise level that use multiple mobile devices to process transactions.

Mobile payment providers can quickly equip themselves with cutting edge mobile platform security technology through strategic partnerships.  Industry leaders include MobileIron, Good Technology, or AirWatch.  For example, by partnering with MobileIron, Square can provide a layer of mobile platform security to their SMB customers who use the payment platform across multiple mobile devices (payment terminals).

Addressing the mobile platform security needs will help address consumer concerns as well that their payment data and money are safe at the payment platform level. Square, Dwolla and PayPal must educate consumers on WHY their payment data and money are safe.  Providers must clearly explain what happens if a Square account is hacked and the PIN number and cash balance is stolen.  Can these providers stand behind a guarantee that transactions are safe?  Can they back up consumers’ cash balances if the money is stolen?  These are all key concerns that must be addressed for consumers to feel safe in using mobile payments technology to pay for items at physical retail.

Personally, I keep a very low balance in my mobile PayPal account that is connected to a low balance bank account.  Why?  I still don’t trust that the receiving terminal is that secure and nefarious code could somehow steal my account numbers and distribute across the world…all through an unsecured wireless connection at the SMB’s business location.  Maybe I’m just paranoid and uneducated.


%d bloggers like this: