March 04, 2013

Apps, Data, People & Risk: Problem vs. Requirement?


Mashery’s own Delyn Simons, VP of Developer Outreach, and John Oberon, VP of Engineering, were featured in a New York Times article titled “Where Apps Meet Work, Secret Data Is at Risk.” The article focuses on the risk of data exposure in a world where employees work and live using the apps and devices they choose; where employees may be sending and sharing sensitive information using apps like Dropbox, Box, YouSendIt, Teambox, Google Drive, Skype, Evernote (which was just compromised yesterday, requiring 50 million users to change their passwords), and other apps to do their jobs and manage their lives more efficiently.

So why is this a problem? Most people don’t want to leak sensitive data that could expose confidential customer information or their company’s intellectual property (those who do are an entirely different problem). It’s certainly not what anyone in IT wants people to do. So how do you prevent data leakage in a world where it’s increasingly easy for people to pick an app, share some data or files, and potentially put confidential information at risk?

First, as one Java architect we know says, recognize that “it’s not a problem, it’s a requirement” to understand that people are using apps to share and access files and information on smartphones, tablets, and laptops to get their jobs done. Even bankers, who work in a highly regulated industry, must find ways to access company information when they travel – and if their employers don’t enable it, they circumvent the rules and hope they don’t get caught. Hope is not a strategy most of us want to take when we could put our jobs at risk. Understanding that it’s a requirement to figure out ways to support appropriate needs for securing sensitive information while letting people use the apps that help them do their jobs is step one.

Second, according to Oberon, there are a few key things every company should do to help manage data leakage:

  1. Know what information needs to be secure and make sure that information is always protected. Role-based access management and monitoring/reporting tools help with this.
  2. Educate employees about potential issues with the apps they use. Policies are well and good, but it’s better to have a regular dialogue through internal meetings, online employee communities, newsletters, and conversations. Most people are concerned about their own online privacy and security of their personal information, so that can be a great entry point for a conversation.
  3. Recommend apps IT prefers and encourage employees to use them. Explain why you like them better – for example, point out which online file sharing app keeps customer data more secure and tell employees why that’s important.
  4. For broader company use cases, look for applications and platforms that provide the level of security that supports your business needs – for example, Mashery supports PCI compliance and OAuth, so apps running on Mashery don’t expose personal information and data.
  5. Monitor what’s out there. Regularly go out and look for information leaks that could be risky for your business. If you find an issue, address it and let anyone who has posted confidential information know that they should be more careful – getting punitive is not the answer, unless the “leak” was intentional (which as mentioned above, is an entirely different matter).

Finally, accept that your data is out there – personal data, company data, confidential data – and stories abound about compromised apps. Twitter, Evernote, Dropbox, and others have all faced hacks that exposed user data. Just as you have plans for evacuating your office building in the event of an emergency, have a plan for addressing potential data exposure.

And remember, apps that make people happier and more productive are a good thing. Figuring out how to support them while managing business risk is not a problem – it is a requirement.