Securing wearable technology in the enterprise
Wearable devices are the latest disruption to the mobile ecosystem, raising new concerns for businesses around security, privacy and compliance.
Indeed, ABI Research projects 90 million wearable devices will ship in 2014. This makes it increasingly important to understand these devices, how they transmit and store data, and how companies can protect themselves from vulnerabilities presented to corporate networks.
Wearable devices are unique in their function and technology. Security concerns arise in each device's ability to interact with the outside world, which companies must first examine before defining security policies.
If Google Glass, for instance, lacked video recording, or if a smartwatch was missing a microphone, there would be no cause for concern about these devices' ability to capture sensitive data. By looking at each gadget's ability to obtain data and interact with the analog world, we can assess the challenges of applying appropriate security measures to protect valuable assets.
Upon this understanding, businesses must examine the mechanisms in which these devices have to store and transfer data. This is a key component of wearable device technology.
The Samsung Galaxy Gear smartwatch, for example, can send and receive text messages, make phone calls and store audio. Fundamentally, the smartwatch can store and transfer data, which makes it a security concern for the enterprise. While the data stored on the watch may be harmless, the device cannot discriminate between intellectual property and neutral data. This can easily put companies in violation of privacy laws such as HIPAA.
The ability of wearable devices to move and store data is what sets them apart from other technologies, and why they are a pain point for businesses that want to ensure security and compliance while remaining productive. These fundamentals are critical to organizations in industries such as healthcare, finance and government.
While banning these devices is one option, security policies should first consider each new technology on its own merits.
There are two basic principles businesses must consider and act on:
- Understand the capabilities of wearable technologies to create organizational rules regarding them
- Update network security infrastructure so that it can detect, and in some cases, control the movement of data to and from these devices
Establish a clear policy
Creating organizational rules regarding acceptable technology--wearable or not--is always the first step. Now, it's important to understand how a device works with regard to its ability to store and transfer data, as stated previously.
Take the Galaxy Gear watch from the previous example: Typically, its connectivity relies on Bluetooth technology and must connect to a cell phone to transfer information. Without it, the watch has no ability to transfer data. It can, however, store pictures and audio recordings within its onboard memory without a phone present.
In this case an organization needs to ask itself whether or not smartphones are allowed on its network at all, and if so, the additional risks are trivial. After all, most of the watch's functions can also be performed with a smartphone. Yet, if smartphones are not allowed within the workplace due to the risks they bring, a smartwatch should not be allowed either.
There is a scenario where a smartphone might be acceptable, but something like a smartwatch would not. If the organization uses Mobile Device Management (MDM), for example, to manage what is enabled or disabled on a mobile phone, that organization can lock the phone's camera to prevent image files from being taken, stored or moved within the network.
MDM would not, however, prevent a smartwatch from performing these functions. Therefore, an organization must look at the whole picture when assessing the risks and acceptable use policies it needs to enforce regarding wearable technology.
Evaluate your existing security
The next step is to evaluate the network security infrastructure to determine what upgrades must be made to account for wearable devices. Advanced security solutions can analyze data flows and identify the type of device sending and receiving data across a network.
In the case of wearables, the solution could detect data communication out of the network that originated from the device and then alert an administrator of the transfer.
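As an added example of the detection just described (not code from the article or from iboss), the following script flags large outbound transfers from wearable-class devices in flow records. The flow records, the MAC OUI and User-Agent fingerprint table, the internal address range and the byte threshold are all constructed for illustration; a real deployment would use its security product's own device fingerprint data.

```python
"""Flag outbound transfers from wearable-class devices (added example)."""
from dataclasses import dataclass

# Hypothetical fingerprint data, constructed for this example only.
WEARABLE_OUI = {"00:11:22": "smartwatch", "AA:BB:CC": "smart glasses"}
WEARABLE_UA_HINTS = {"Gear": "smartwatch", "Glass": "smart glasses"}
INTERNAL_PREFIX = "10."                 # constructed corporate address range
OUTBOUND_BYTES_THRESHOLD = 1_000_000    # alert when more than 1 MB leaves the network

@dataclass
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    user_agent: str
    bytes_out: int

def classify_device(flow):
    """Return the wearable class for a flow, or None if it is not a wearable."""
    oui = flow.src_mac.upper()[:8]          # first three octets of the MAC address
    if oui in WEARABLE_OUI:
        return WEARABLE_OUI[oui]
    for hint, kind in WEARABLE_UA_HINTS.items():
        if hint in flow.user_agent:
            return kind
    return None

def is_external(ip):
    """True when the destination lies outside the (constructed) internal range."""
    return not ip.startswith(INTERNAL_PREFIX)

def find_alerts(flows):
    """Return (device class, flow) pairs for large outbound transfers from wearables."""
    alerts = []
    for f in flows:
        kind = classify_device(f)
        if kind and is_external(f.dst_ip) and f.bytes_out > OUTBOUND_BYTES_THRESHOLD:
            alerts.append((kind, f))
    return alerts

# Constructed sample flow records: one wearable upload leaves the network,
# one stays internal, one is a laptop, and one wearable transfer is tiny.
SAMPLE_FLOWS = [
    Flow("00:11:22:33:44:55", "10.0.0.7", "203.0.113.9", "GearApp/1.0", 4_200_000),
    Flow("00:11:22:33:44:55", "10.0.0.7", "10.0.0.2", "GearApp/1.0", 9_000_000),
    Flow("DE:AD:BE:EF:00:01", "10.0.0.8", "203.0.113.9", "Mozilla/5.0", 8_000_000),
    Flow("AA:BB:CC:01:02:03", "10.0.0.9", "198.51.100.4", "Glass", 500),
]

if __name__ == "__main__":
    for kind, f in find_alerts(SAMPLE_FLOWS):
        print(f"ALERT: {kind} {f.src_mac} sent {f.bytes_out} bytes to {f.dst_ip}")
```

Run against the sample records, only the first flow raises an alert; the others are filtered out as internal, non-wearable, or below the threshold.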
While some devices will blend in easily and go unnoticed--such as smartwatches--others are plainly visible (e.g., Google Glass). An organization may want to first determine the relevance of such an item in the workplace.
Some might feel that a smartwatch offers functional features such as hands-free calling, but struggle to justify their staff using Google Glass on the job. If security is a top priority, organizations can easily ban such gadgets on-site. As with any new technology, a business should consider whether its use will benefit employees and add value before spending resources to create policies around it.
The trend of wearable devices should be treated just like new technology trends before them in terms of security. Organizations must take a step back to determine their capabilities, risks and value-add to the company before banning them altogether or integrating them into the business' security plan.
About the author: Paul Martini is co-founder and Chief Executive Officer at iboss Network Security.