Data security used to be easier than this.
I don’t mean that it was ever easy, just easi-er. You had a network with clearly defined borders. Access, distribution, core. You had a Data Center where your servers lived, and if you had any sense they were behind a firewall with intrusion prevention. External vendors (outsourcers, typically) came in through a firewall and were limited in what they could access. Employees had desktop computers (with virus detection), and if they took work home with them it was on paper.
Data lived in the Data Center and employees accessed it through company-owned hardware. Not anymore.
If there is one thing that defines the path IT has taken over the past several years, it’s that the network has grown harder to define. Cloud computing and SaaS have put your data somewhere other than your data center. BYOD is here to stay, whether you like it, hate it, or try to ignore it (and notice I said “try”). The entry points for access to your data have multiplied, and the network has assumed an amorphous, ambiguous nature.
How the hell do you secure that?
A blog post can’t cover the whole plan in detail, but you should start the way an infiltrator would: by identifying the entry points and choosing the weakest one. If I want to gain access to your data, I’m not going to take the longest, most secure path. I’m going to take the path of least resistance, whether that’s your SaaS vendor’s website or your employee’s Android tablet that he left on a table at Starbucks.
It may take a while, but have your team compile a list of all the entry points to your data, not just entry points to the network. Cloud vendors, BYOD, VPN, DMZ, EIEIO. All of them. Then discuss how easy it would be to compromise company data from that point. If the effort required is disturbingly small, you’ve just found your weakest link.