McAfee EMEA CTO: Protect the data first, then the device

News by Steve Gold

McAfee CTO Raj Samani advises companies to secure the business data before the device being used to access the information.

Samani, McAfee's chief technology officer of EMEA operations, says that the changing threat landscape – allied with the arrival of the bring-your-own-device (BYOD) trend and cloud technology – means that organisations must first secure the data they hold before locking down the device being used to access the data.

Speaking with SCMagazineUK on the publication of McAfee's sponsored global study from Frost & Sullivan's Statecast operation looking at the issue of Shadow IT – defined as the downloading of unapproved apps in the workplace – he said that previous challenges of cloud security have significantly changed.

“The [cloud computing] horse has well and truly bolted,” he said, adding that the rising take-up of BYOD technology in the workplace means that businesses must now look first at the security of the data.

The F&S Statecast report on Shadow IT took in responses from 600 IT and line of business decision-makers or influencers in the US, the UK, Australia and New Zealand, and revealed that 37 percent thought the IT approval process for new software is too slow or too cumbersome.

Some 23 percent, meanwhile, said that the non-approved software they use better meets their needs than the IT-approved equivalent and, when asked about security, access or liability risks associated with app usage, 37 percent worried their corporate reputation would suffer due to security or access issues.

Samani says that the big game-changer for businesses when it comes to the unauthorised use of apps is the ease with which cloud computing resources can be tapped into.

“Where previously setting up quite complex platforms took a lot of time and resources, the ease of the cloud means that, with a few clicks you are able to get an app-driven resource up and running. It really is that simple,” he said.

This is why, he added, he now recommends that IT security departments first ask the fundamental question of whether the user concerned has the right to access a given piece of company data, before beginning to verify whether the device being used is a secure one.

You are, he explained, almost fighting a losing battle when it comes to shadow IT because, whether or not the IT security department allows something to happen, the reality is that the staff concerned will go ahead and do something in the cloud – and then worry about its consequences later.

“Businesses are going to do what businesses want – regardless of the concerns of the security department,” he said.

Nigel Stanley, analyst and CEO with Incoming Thought Limited, the business and research analysis house, told SCMagazineUK that the availability of cloud computing resources means that it is a lot easier to set up a corporate app store than it used to be – and so control which apps the employee has access to.

“The key question I would ask, however, is what happens to the company's data when it is on the personal device of the employee,” he said, adding that there is a strong argument to sandbox the device.

He says that this can be achieved by either “white-listing” a selection of apps for use on company and personal mobile devices, or simply issuing the member of staff with a corporate device.

“With this latter approach, you are saying that we, as a business, do not ‘do’ BYOD and this is why we are giving you a corporate device which is under the security control of the company,” he said.

Where that device is a smartphone, Samani said that it is important to realise that calls can easily be transferred between the personal and the company mobile, allowing the company smartphone to be used for business purposes whilst still allowing personal calls to be received.

“My approach is always to do a risk assessment before allowing the use of mobile devices in the workplace. You then look at the risk to the company's data and move forward from there.”
