We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Business Report

How to Secure the Virtual Office

The explosion of mobile devices requires cloud-based solutions—and means that companies have to pick and choose what data they protect.

Employees are increasingly gobbling up Internet-connected mobile gadgets: they’ll buy nearly a half billion smart phones this year and more than 50 million tablets, nearly triple the number of tablets sold in 2010.

Source: Gartner

Employees using such gadgets to connect remotely to company servers and e-mail accounts can boost efficiency; but the practice also creates security challenges. Companies will have to learn how to overcome those challenges for the distributed office of the future to succeed.

This story is part of our September/October 2011 Issue
See the rest of the issue

Companies have long recognized that mere “perimeter security” around the office network doesn’t work anymore. That security model was killed off by the laptop. But traditional solutions to managing laptops—including running security software on them and setting up encrypted communications channels known as virtual private networks (VPNs)—don’t really succeed. Attackers have learned to customize malicious programs that can remain undetected for days or weeks. And VPNs only protect against eavesdropping. They’re useless against already-infected devices.

The results can be ugly: witness the Department of Health and Human Service’s Wall of Shame, a list of medical-record-related breaches, including 32 incidents this year, of which 18 were caused by lost portable devices or laptops. Such security issues are widely expected to worsen.

The problems have forced information-technology teams to switch tactics: rather than trying to secure the device, they’re coming up with ways to protect sensitive data even if the devices are compromised.

For example, Heartland Payment Systems, the credit-card processing firm—chastened by the loss of 130 million records during a conventional 2009 server breach—now treats all devices, whether mobile phones or remote point-of-sale terminals, as compromised. So these devices only refer to credit-card data using tokens; that is, special codes that correspond to the actual data, which sits in a protected digital vault, says Kris Herrin, the company’s chief technology officer.

The security firm Symantec focuses on protecting its source code, financial data, and intellectual property, ensuring that such information cannot leave the company without significant protections, says David Thompson, Symantec’s chief information officer.

Cloud security solutions, from companies such as Websense and Zenprise, are another option. Websense’s cloud service brings e-mail and Web security to any device that connects to the Internet. Rather than forcing users to connect back to the home office for security protections, a Websense proxy filters out malicious code and spam. Zenprise, meanwhile, helps companies manage their devices through the Internet. For instance, it can remotely erase the memory on lost or stolen devices.

Given the exploding need, the Radicati Group, an analyst firm, predicts that the market for cloud security services will double, to more than $2 billion in worldwide sales, in the next four years.

A different way of dealing with device proliferation is to place a small secure program—known as a virtual machine—on an employee’s device to interact with corporate data. The model, which is used by an increasing number of banks to enforce security on customers’ computers, lets companies claim a piece of the user’s device as a fenced-in compound.  

When banks use such technology, consumers are allowed to opt-in to the service and install the plug-in. Then, when a consumer connects to his bank’s server, the virtual machine does all the communicating, separate from the device’s original operating system. The technology isn’t foolproof, but it stymies attacks that could get by antivirus and antifraud monitoring.  

“I actually think that enterprises can learn from banks and financial institutions on how to secure their employees these days,” says CEO Mickey Boodaei of Trusteer, which offers banking customers such a solution, and is beginning to offer the technology to companies that want to secure devices owned by employees, but used for work.

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Business Impact
The Future of the Office

How technology advances are changing the economy and providing new opportunities in many industries.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.