Although most employees leave the office at 5 p.m., they often remain virtually tethered to their desks. The smartphone, the company-issued laptop, the USB storage device — all of these mobile technologies give us the flexibility to work from anywhere, but they also keep us connected to the office whether we like it or not.
However, in the world of corporate networks, “tethered” has an explicit meaning. It means a device is physically locked to a certain location and the user can only use it at that location.
The definition of an “insider” used to cover only those people you could guarantee were using a “tethered” piece of technology to access the corporate network. The benefit of this approach was that companies always knew exactly which device and which trusted “insider” was on the network at any given time.
As workers are required to go mobile in order to stay productive (and provide value well beyond the 9 to 5 work hours), the corporate network has had to go virtual – piggybacking on the infrastructure of the threat-ridden public Internet.
This also means that the definition of who and what should be trusted as an “insider” has had to expand. Users often have multiple devices and multiple log-on points for gaining access to corporate resources, so there are several different points at which trust needs to be validated. It also means that measures must be taken to ensure the devices and access points placed in the hands of our users do not become leaking sieves for sensitive corporate data.
A combination of both physical and behavioral controls is required to meet the needs posed by these virtual insiders. Physical controls should include encryption and strong authentication, enforced through policy, for every mobile device that is going to touch corporate data. Behavioral controls should differentiate between corporate and personal information and control how that information is handled while the user is mobile.
Physical controls are the most common and widely deployed “first line of defense.” However, they only protect against one major threat vector: the data is protected in the event that a user’s device or log-on point goes missing, is stolen, or is otherwise compromised. They do not help against the myriad other threats posed to data that is being actively used by mobile insiders.