Macs in the Enterprise: How to Secure Data in Motion
Data in motion, or data in transit, is data moving from one location to another, whether between computers or virtual machines, from an endpoint to a cloud service, across a private network or over untrusted internet connections. Once it arrives at its destination, data in motion becomes data at rest. Data is considered less secure while in motion because it leaves the protection of the company network, travels to potentially vulnerable destinations and can be intercepted by Man-in-the-Middle (MITM) attacks that target data as it travels.
Data in motion is an unavoidable reality in today’s enterprise work environments. Every employee transfers data on a daily basis whether it’s through emails, workstream collaboration platforms, virtual coworking spaces or messaging applications. In the best cases, these are all company approved solutions meant to facilitate collaboration between employees, whether they are in the same departments or not.
At worst, they can be shadow IT, unknown services used by employees to perform their duties without the approval or knowledge of their management. This can be particularly dangerous when it comes to the protection of data in motion as the security of these services is not verified by IT departments and may therefore not meet security standards enterprises are required to follow. This means that, regardless of whether a data breach occurs or not, enterprises are opening themselves up to noncompliance with data protection regulations and standards such as PCI DSS, GDPR or CCPA.
Macs and Data in Motion
In the last decade, Apple has invested heavily in macOS security features that address enterprise needs. From the 64-bit Apple File System (APFS) to FileVault and, more recently, the move to system extensions, Macs have proven themselves to be a viable alternative to PCs in the enterprise.
As companies moved towards policies that allow employees to choose their own devices in the workplace, Macs saw a sharp increase in adoption rates in the enterprise. A recent JAMF survey revealed that no less than 72% of employees chose Mac over PC when they were given the option.
When it comes to data in motion, Macs are just as vulnerable to breaches and attacks as PCs. This is due to the fact that data in motion leaves the system it is being stored on – in this case a Mac – and travels over the internet or a private network to a destination that may or may not be another Mac.
To protect data in motion, enterprises need to look further than their own computers and network, to the data itself and set up mechanisms to protect it. Let’s have a look at how this can be done.
Defining sensitive data
Protecting all data that is transferred in and out of a company network is an enormous task and can negatively impact both employees’ productivity and devices’ speed. For this reason, it is essential that, before putting together any data protection strategies, enterprises identify the categories of sensitive data that they collect, store and need to protect.
These are often personally identifiable information (PII) such as customers’ or employees’ addresses, credit card numbers, social security or passport numbers, but also health records and financial data, all of which are protected under various data protection legislation. Depending on their industry, enterprises can also include sensitive data particular to their own field, such as intellectual property, patents, blueprints or source code.
Defining what sensitive data means to them helps enterprises focus on the data that needs protection, without weighing down their systems with unnecessary protection mechanisms aimed at more general categories of data.
Building a data protection strategy
Data protection cannot be accomplished through any single solution. It requires a multitude of elements working together. For example, firewalls and antivirus software protect against malicious attacks, while Data Loss Prevention (DLP) solutions help secure data from human error. Employee training also plays an important role in raising awareness about the risks of data breaches and their financial and reputational consequences for an enterprise. An informed and vigilant workforce is critical for effective data protection. Legislation and standards like PCI DSS, GDPR or CCPA also include long lists of requirements that enterprises must address as part of their compliance efforts.
To address all these aspects of data protection, enterprises must build data protection strategies that evaluate their existing data protection policies and their legal obligations and propose a plan to mitigate vulnerabilities, strengthen the security of their systems and protect data, whether it is at rest or in transit.
Protecting data in motion
Once a data protection strategy has been adopted, enterprises must search for the right tools that will help them implement it. DLP solutions are the best-suited tools for protecting data in motion. Because their policies are applied directly to sensitive data, they represent a targeted approach to data protection. Many solutions come with predefined policies for the most common types of PII or for specific data protection legislation and standards such as PCI DSS or GDPR. In this way, once they know which categories of data they want to protect, companies can simply choose the right policies for them.
DLP solutions monitor and control how data can be transferred in and out of the company network. Through powerful content and context scanning tools, they search outgoing network traffic for sensitive data and block or limit its transfer. In this way, employees can be prevented from using unauthorized services to transfer sensitive data or, under stricter policies, it can be blocked from leaving the company network altogether.
Some solutions, like Endpoint Protector, offer a high degree of flexibility in the application of policies. They can be applied globally, but also based on groups, users, endpoints and even device types. This means that policies can be stricter or more relaxed based on an employee’s level of access to sensitive data.
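The content-plus-context scanning described above, as an added example that is not Endpoint Protector's code or policy format: a toy DLP check that classifies outgoing text for two of the PII categories named earlier (credit card numbers validated with the Luhn checksum, US social security numbers), then decides allow or block from who is sending (user group) and where it is going (destination host). All group names, hostnames and sample payloads are constructed for the example.

```python
import re

# Constructed sample policy (hypothetical format): for each user group, the
# destinations to which a given PII category may be sent. Empty set = never.
POLICY = {
    "finance": {"credit_card": {"payments.example.com"}, "ssn": set()},
    "hr":      {"credit_card": set(), "ssn": {"hris.example.com"}},
    "default": {"credit_card": set(), "ssn": set()},
}

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs (order ids, phone numbers) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """Content scanning: return the sensitive-data categories present in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    return found

def decide(user_group: str, destination: str, text: str) -> tuple[str, set[str]]:
    """Context scanning: combine what was found with who sends it and where it goes."""
    categories = classify(text)
    if not categories:
        return "allow", categories
    rules = POLICY.get(user_group, POLICY["default"])
    for cat in categories:
        # Every category found must be permitted for this destination.
        if destination not in rules.get(cat, set()):
            return "block", categories
    return "allow", categories
```

An unknown destination (the shadow IT case from earlier) is blocked for every group because it is never on an allow list, while a finance user sending a card number to the approved payment host is allowed.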
Implementing solutions on Macs
When it comes to choosing solutions for Macs, companies must take extra care. Any tools they choose must use the new macOS system extensions, as Apple has started deprecating kernel extensions with the release of macOS Big Sur. Zero-day support, which guarantees that a solution will be tested for compatibility with a new macOS version prior to its public release, is also an essential requirement for all macOS solutions to ensure uninterrupted data protection.
As most enterprises run a multi-operating system network, they might be tempted to choose cross-platform solutions that protect data whether it is located on Macs or PCs. However, they must be careful when choosing them: many solutions do not offer the same level of protection for Macs as they do for Windows-running computers. Before purchasing a cross-platform solution, enterprises must therefore test it and ensure that it offers feature parity, providing the same tools for Macs as it does for other operating systems.