Mobile Security: ContainerizationFiberlink's David Lingenfelter on Mitigating Mobile Risks
As recently as a year ago, mobile security conversations were dominated by the topic of device security. But that discussion has changed. Today's focus is data security. And a great way to approach it, says Lingenfelter, information security officer at Fiberlink, is through the practice of containerization.
"People are now focused on the data and making sure the corporate data is really contained within a manageable piece of the device," Lingenfelter says.
Rather than making sure the entire device is secure - which can limit the end-user from being able to use a smartphone to its full potential - the containerization concept is to create a compartment within the device, where the corporate data and applications are segregated from the user's other apps.
"The reality is that [containerization] allows the end-user to retain full control of the device and be able to do whatever they want to with it in their own time, outside of the corporate environment, and yet enabling them to have access to their corporate resources wherever they are - and not have to worry about it being leaked out or exposed to other systems."
In an interview about mobility and data security, Lingenfelter discusses:
- The concept of containerization;
- How the practice helps organizations comply with diverse privacy regulations;
- Where to begin securing data accessed by mobile devices.
Lingenfelter is a seasoned security professional with nearly 20 years of experience in risk management, information security, compliance and policy development. Currently in charge of security and compliance for Fiberlink Communications, he has managed projects to get Fiberlink SAS70-Type2 and more recently SOC2 Type 2 audits. He also recently led Fiberlink through audits to receive Federal Information Security Management Act authorization from GSA for Fiberlink's MaaS360 Cloud Service offering. Lingenfelter helped design Fiberlink's cloud architecture model several years ago and is an active member of the Cloud Security Alliance, including being a co-chair for its Mobile Working Group. He also is a member of the NIST Cloud working groups.
TOM FIELD: To start out, will you tell us a little bit about yourself and your own experience in mobile security, please?
DAVID LINGENFELTER: I've been in the security field for about 20 years now, doing consulting and then came on over here to Fiberlink, where we've been doing mobile management for pretty much the entire time that I've been here. I also work outside of the company with other organizations to help build strategies and guidelines, including the Cloud Security Alliance, where I run their mobile working group.
BYOD: Top Concerns
FIELD: BYOD has been the popular acronym for about two years now. In terms of the whole bring-your-own-device phenomenon, what do you see as organizations' top concerns today?
LINGENFELTER: BYOD has kind of become a buzz word in the industry that some people are shying away from. Others are keeping it on the top of their mind. But, really, I think that's shifting from, "Do we allow people to bring their own devices?" to "How do we protect data?" That's really the top concern today, particularly with BYOD, because people know that the end users are doing things with their phones outside of the business, maybe sharing it with family members or using it for things that don't really jibe with what's going on in their business. Data is definitely the top concern these days.
FIELD: That's a good point because even as recently as a year ago, people were talking about securing the device. But now the Holy Grail is how you secure the data. Talk about how organizations can do this, the practice of what you've called containerization.
LINGENFELTER: You hit it right on the head. People are now focused on the data and making sure that the corporate data is really contained within a manageable piece of the device. Rather than making sure the entire device is safe and secure, which can limit the end user from being able to utilize a smart phone to its full potential, the concept is to create a compartment within a device where the data is stored, where the corporate applications are stored, and all that data is safely shared within all those resources. But resources outside of the container, whether it's a document-sharing utility, another e-mail app or some other file-sharing app, can't even get to that data that's within that container. That's really the concept of containerization. Utilize corporate applications and corporate resources in a subsection of the device which is contained and kept private from all the other software that's on the device.
Myths and Realities
FIELD: I know you get lots of questions about what containerization is and what it isn't. Tell us what some of the myths and realities are of containerization.
LINGENFELTER: One of the big myths - and this happens a lot in our industry - is people see it as the end-all solution. 'If we implement containerization, we're good to go; we don't have to worry about anything else.' That's really a misnomer because, yes, the data is protected, but you still have the threat of loss of the device itself or somebody getting into the device while the device is unlocked. The fact that you have containerization on there is yet one more step to securing the device. You can't forget all the other components that are still required when it comes to security and safety.
The reality of containerization is the fact that it really allows the end user to still retain full control of the device, be able to do whatever they want to with it in their own time outside of the corporate environment, and yet it enables them to have access to their corporate resources wherever they are, whether they're at a soccer game or at a Starbucks. They can get to the corporate data and not have to worry about it being leaked out or exposed to other systems.
Navigating International Privacy Regs
FIELD: One of the issues I hear organizations talking about increasingly is that when they're doing business around the world, they've got just a maze of privacy regulations to deal with in each of the regions. How does the practice of containerization help organizations to be able to make it through this maze?
LINGENFELTER: It goes for more than just region. The EU, for example, has very strict rules around personal privacy. But even within the European Union, Germany, France or the individual countries still have their own rules and their own requirements. It gets really segmented. Then Asia has its own requirements. Australia has its own requirements. The United States does, and Canada. Everybody has different requirements. The ability to manage the phones or the mobile devices in a general sense will help to some degree.
But depending on what region of the world you're in, just managing the device itself may restrict a device to a point where it's not as useful as it could be. So on top of just the management of the device itself, add that idea of containerization and that idea of, "Let's allow the device to be whatever it wants to be for the end users but still protect the data." That's really the separation. A lot of these regulations come down to protecting the personal data, personal information. It's just as important, or in some countries even more so important, than protecting corporate data. It's up to the corporations to realize, "I have to separate my data, the corporate data, from the personal data, allowing the people/end users to do whatever they want to on their phones and their tablets, and I won't even be able to see any of that because I'm only concerned about my one section of that device."
That's really at a high level where people need to start thinking about this whole global privacy regulation thing. Wherever you go, it's going to be different. If you're a global company and you've got people in Europe and you've got people in Asia, you can simply create and put them into different groups within your overall corporate policy, and each of those groups can be either ramped up from a security perspective or ramped down from a security perspective, depending on what the needs are of those regions and what the requirements are.
Tips for Organizations
FIELD: Here's my final question for you, but it might be the biggest one I ask. The question is: Where to begin? What tips do you offer to organizations that recognize the problem in mobile security but haven't quite begun implementing a solution such as containerization?
LINGENFELTER: The first thing you need to realize and understand - and this isn't anything new to the mobile world - is you have to understand what your data is and what you're trying to protect, not just the physical ones and zeros of the bits, but from a legal perspective, from a compliance perspective and from a customer-exposure perspective. Once you understand the level of security you need for your data, you can understand, "What lengths do I have to go to ensure that I protect that data across my entire environment?"
Once you understand the data needs, you look at your mobile strategy and you say, "Okay, I've got people globally. I've got people protecting medical records, or I've got people using banking records." Now you know that you have to meet certain regulatory requirements, and that's when you start looking. Up to this point, you haven't even started looking at a solution. You're simply realizing what you have, what you need to protect and what the rules and laws are that you have to follow to protect that data.
Now you start looking at the solution, and you say, "I need to make sure that my employees are able to do what they need to do for work, while still utilizing maybe their personal device the way they want to use it." Then you have to look at the solution that you want to implement and say, "I only need to control a little piece of this device and that's all I care about, and that's why I'm going to have to go with containerization."