The age of wearable technology is here. The tech giants have made a big push into wearable items - from watches with integrated mobile phone functions to smart glasses that can record what we see in day-to-day life. So what implications does this have for business security?
First we must look at the functionality these technologies deliver with regard to their input and output. It's through a device's ability to interact with the outside world that security concerns come into play. For example, if Google Glass could not record video, there would be no worry that sensitive data within an organisation could be recorded and lost. Similarly, if a smart watch had no microphone, there would be no worry that confidential conversations could be recorded and carried outside the network. Looking at these devices and their ability to capture the analogue world around them, we can assess the challenges of applying appropriate security measures to protect valuable assets and information.
In addition to a device's ability to capture data, we need to look at the mechanisms it has to store and transfer data. Compare the original calculator watch with Samsung's Galaxy Gear smart watch and the key differences are obvious. The calculator watch could add and multiply numbers, but it had no way to transfer the information and, in most cases, no way to store it: whatever was keyed in was lost with the next calculation. In contrast, the Galaxy Gear sends and receives text messages, makes phone calls and stores voice recordings. Fundamentally, these watches can both store and transfer data. Most of what they hold may be harmless, but the device does not discriminate by the type of data it stores or transfers. The same storage and sync paths could just as easily carry personal data covered by a privacy law such as HIPAA, or the company's intellectual property.
So how does an organisation deal with these fundamental issues? It's a combination of:
· Understanding the capabilities of the wearable technology to create organisational rules
· Updating network security infrastructure so that it can detect, and in some cases control, the movement of data to and from these devices
Creating organisational rules regarding acceptable technology, wearable or not, is step one. It's important to understand how a device works with regard to its ability to store and transfer data. Taking the Galaxy Gear watch as an example, its connectivity is typically via Bluetooth and it must be paired with a mobile phone to transfer information. Without the phone, the watch has no way to move data over the network. It can, however, store pictures and audio recordings in its onboard memory without a phone present. In this case an organisation needs to ask itself whether smartphones are allowed on the network. If they are, the additional risk the watch brings is marginal: most of the functions the watch can perform, for example taking pictures and recording audio, can also be done on the phone. However, if smartphones are not allowed within the workplace, because of the risks a camera, microphone and storage bring with them, then a smart watch should not be allowed either.
There is a condition where allowing a smartphone might be acceptable but something like a smart watch would not. If the organisation uses Mobile Device Management (MDM) to control what is enabled or disabled on the phone, then the phone might be acceptable. For example, an MDM solution could lock the camera on a phone so that no pictures can be taken while at the office. That control does not extend to a paired watch, which can still take and store pictures on its own. An organisation has to look at the whole picture when weighing the risks and writing an acceptable use policy for wearable technology.
When looking at smart watches, organisations also need to think about how obvious the item is in the workplace. Watches blend in easily, while a device such as Google Glass is immediately noticeable. This challenge is compounded by the question of the item's relevance to the workplace. On one hand, a smart watch has an understandable functional use, such as hands-free calling; but what would justify using Google Glass in the workplace? For some devices, a restriction is an easy decision: where there is a concern about recording and similar risks, a workplace can simply ban the device on-site. Wearable technology should only be considered acceptable in the organisation if it brings value to the company or makes an employee's life easier so he / she can perform better.
After creating acceptable use policies, an organisation should consider upgrading its network security infrastructure. This will help to detect, and in some cases prevent, data loss through the use of wearable technology. Advanced security solutions analyse data flows and can identify the type of device sending and receiving data. In the case of wearable technology, the solution could detect outbound communication that originated from the device and alert an administrator to the transfer. Even if the security solution cannot block the communication generated by the wearable device, detecting it may be enough to tell an administrator that an unacceptable device is in use on the network.
Some wearable technology may bypass the corporate network entirely: a smart watch that relays through a paired phone inherits the phone's cellular connection, and some devices carry their own cellular radio. In those cases the network security system cannot block or detect the communication, because the data never crosses the company's network. Instead, it travels over the air to the cell tower and on to a server in the cloud or elsewhere outside the network. This is why acceptable use policies must be enforced in conjunction with network security upgrades. Even if the device communicates via cell towers most of the time, a single communication over the company's network can trigger the network security solution to alert an administrator, who can then enforce the policy.
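To make the detect-and-alert idea above concrete, here is a small added example (not code from the original article or from iboss) that scans egress proxy log lines for traffic attributable to a wearable device and raises one alert per source host, on the first sighting. Everything in it is constructed for illustration: the log format, the sample lines, and the indicator table of User-Agent fragments and destination hosts are hypothetical placeholders, not real vendor fingerprints.

```python
"""
Added example: first-sighting detector for wearable-device traffic in egress logs.

Assumptions (all constructed for this example, not from the article):
- Log line format: <timestamp> <src_ip> <method> <host> <status> "<user_agent>"
- WEARABLE_INDICATORS holds placeholder strings; a real deployment would use
  fingerprints maintained by the security product or the security team.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical indicators keyed by device class. Substring match on User-Agent,
# exact or parent-domain match on destination host.
WEARABLE_INDICATORS: Dict[str, Dict[str, List[str]]] = {
    "smart-watch": {
        "user_agents": ["ExampleWatchOS", "WearSync"],
        "hosts": ["sync.example-watch.test"],
    },
    "smart-glasses": {
        "user_agents": ["ExampleGlass"],
        "hosts": ["upload.example-glass.test"],
    },
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    src_ip: str
    device_class: str
    evidence: str
    first_seen: str


def classify(host: str, user_agent: str) -> Optional[Tuple[str, str]]:
    """Return (device_class, evidence) when a request matches an indicator, else None."""
    host_l, ua_l = host.lower(), user_agent.lower()
    for device_class, ind in WEARABLE_INDICATORS.items():
        for needle in ind["user_agents"]:
            if needle.lower() in ua_l:
                return device_class, f"user-agent contains {needle!r}"
        for needle in ind["hosts"]:
            if host_l == needle or host_l.endswith("." + needle):
                return device_class, f"destination host {needle!r}"
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Parse log lines; emit one Alert per (src_ip, device_class) on first sighting.

    A single matching request is enough to alert: a device that normally uses
    cellular only has to touch the corporate network once to be noticed. Note
    that a watch tethered to a phone shows up under the phone's IP, so the
    alert identifies the phone (and its owner), not the watch itself.
    """
    seen = set()
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        hit = classify(m["host"], m["ua"])
        if hit is None:
            continue
        key = (m["src"], hit[0])
        if key in seen:
            continue  # already alerted for this host and device class
        seen.add(key)
        alerts.append(Alert(m["src"], hit[0], hit[1], m["ts"]))
    return alerts


# Constructed sample log: a laptop browser, a phone running a (hypothetical)
# watch companion app twice, a pair of (hypothetical) glasses uploading, and junk.
SAMPLE_LOG = [
    '2014-03-12T09:14:02Z 10.0.5.21 GET www.example.com 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '2014-03-12T09:14:10Z 10.0.5.88 POST api.example-phone.test 200 "WearSync/1.2 (Android; companion)"',
    '2014-03-12T09:15:44Z 10.0.5.88 POST api.example-phone.test 200 "WearSync/1.2 (Android; companion)"',
    '2014-03-12T09:16:03Z 10.0.5.90 PUT upload.example-glass.test 201 "Mozilla/5.0 (Linux; Android 4.4)"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.first_seen} {a.src_ip} {a.device_class}: {a.evidence}")
```

Two caveats a practitioner would add: User-Agent strings are trivially spoofed, so in practice this kind of match is one signal among several (DHCP fingerprints, TLS client characteristics, known sync endpoints), and, as the article notes, nothing here sees traffic that leaves over a cellular radio rather than the corporate network.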
The situation with wearable devices may not be much different from that of USB drives, which caused panic about corporate security when they were first introduced. Some companies banned them while others fitted block-out plates to the USB ports on company computers. Eventually some found this hurt productivity and reversed the bans. When considering wearable technology within your organisation, remember to take a step back and work out what the technology can actually do before deciding what place it has in the workplace.
Contributed by Paul Martini, CEO, iboss Network Security