In order to protect your enterprise data while it's in the hands of mobile workers, you must know the potential risks, and you need to be up to speed on the various government regulations. In this Mobile Insights by Craig Mathias you'll learn how government regulations affect your mobile security policy and how to avoid mobile security errors that could have devastating consequences for your enterprise.
The spate of high-profile data losses throughout all industries during the past few years should serve as a wake-up call to all executives and IT managers. Before enterprises can get serious about mobile security, their leaders must first understand the basic concepts of mobility and how mismanagement can potentially expose the organization to risk.
Government regulations and mobile security policies
Mobile security regulations
Preventing mobile security breaches
Government regulations and mobile security policies
We'll start this series with the major influence on an enterprise security policy: governmental and industry-specific regulations. If you need additional motivation to create and maintain your security policy, regulation across all major industries certainly provides it. Major, widely publicized security breaches have in recent years given both the regulatory community and major corporations significant incentive to upgrade their security postures. The cost of a failure in IT security goes far beyond the obvious need for policy and technology improvements: the loss of customer and shareholder confidence, legal expenses, the erosion of goodwill and reputation, and the sheer volume of time that management teams must devote to damage control are major drains on market stature, competitive position and, of course, the bottom line. All of this makes getting one's security policy (and its implementation) right the first time critically important.
The regulatory environment has become much less tolerant of IT security failures over the past few years. Here are just three examples:
- Sarbanes-Oxley (SOX) -- SOX was passed in 2002, during the era of the Enron and WorldCom scandals, primarily to address public-company accountability and transparency in financial reporting. Interestingly, SOX does not address IT security directly, but its requirements on internal controls over financial reporting (notably Section 404) have been broadly interpreted to mean that organizations which do not take appropriate steps to protect sensitive financial information, and the systems that hold it, may face significant legal woes.
- PCI -- The Payment Card Industry Security Standards Council maintains its own standard, the PCI Data Security Standard (PCI DSS), and a set of procedures (including a detailed self-assessment questionnaire) for merchants and service providers that store, process or transmit cardholder data. PCI DSS is not a law; it is enforced contractually by the card brands rather than by statute. Credit-card data has been the source of a good deal of trouble for retailers in recent years, with a number of notable thefts of cardholder information. Anyone involved in retail needs to be familiar with this set of standards and guidelines; more information can be found here: https://www.pcisecuritystandards.org/.
- HIPAA -- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to give individuals a high degree of privacy with respect to their healthcare records. Its Security Rule requires administrative, physical and technical safeguards for electronic protected health information, so IT security is of paramount importance here, and the penalties for compromised security can be severe.
But even if your business is not directly subject to these or similar regulations, it's a good idea to conduct your business, and set your security policy, as if it were. The key, again, is deciding which information is sensitive, who should have access to it and under what circumstances, and what to do if that information is compromised for any reason. These are the core elements of any good security policy.
Once the policy is in place, most functional security solutions will consist of procedures and tools for authenticating users of devices, networks and applications; authorizing them to use specific services; accounting, to keep track of who accessed what and what was done; securing the wireless airlink and the network path (typically with a VPN); and encrypting sensitive data wherever it is stored, including on mobile devices. Strong authentication deserves special attention: ideally it is two-factor (something the user knows plus something the user has) and mutual, so that the device verifies the network or service it is connecting to as well as the other way around, which is what defeats a rogue access point or a spoofed login page. And no matter which tools you select, be sure to review your security policy at least every six months. Constant awareness is essential in IT security; this is one area of IT where no one is ever "done."
Finally, note that this series concentrates on the policies and, to some degree, the techniques of mobile information and network security, and so far has left out what may be the most important piece of the security puzzle: building a culture of security.
Mobile security regulations
When I first got out of college, I went to work for the Raytheon Company's Submarine Signal Division in beautiful Portsmouth, RI. The projects involved deliverables for the U.S. Department of Defense and required government security clearances. It was made very clear to me early on what would happen if I ever violated the local security policy, and it was a very unpleasant possibility indeed. So anyone working there quickly had a culture of security coursing through his veins. And this experience has had a powerful impact on my personal philosophy regarding security. I remain fundamentally paranoid to this day, and this is reflected in Farpoint Group's own security policy.
The government and other regulatory authorities can have a similarly powerful effect on just about any senior manager in any organization. Indeed, the regulatory climate has become much more involved in security matters in recent years, partly in response to security failures of the types I noted in Part 1 of this series. Some requirements are well specified, while others represent vague but still very meaningful threats to one's business, and even personal freedom, if the regulated elements of security are violated.
Here are a few (though by no means all) of the regulations that provide, at the very least -- um -- the "motivation" to get one's security act together:
- Sarbanes-Oxley -- While SOX does not explicitly address mobile security, its internal-control requirements have been interpreted to require IT controls over access to, and the integrity of, financial information, wherever it resides. The Act carries severe penalties for non-compliance, including criminal penalties for executives who knowingly certify inaccurate financial reports.
- PCI -- The Payment Card Industry Data Security Standard (PCI DSS) is designed to secure cardholder data in point-of-sale and related payment transactions. Wireless LANs are explicitly addressed: cardholder data crossing a wireless network must be encrypted with strong cryptography, and merchants must test for rogue wireless access points.
- Gramm-Leach-Bliley Act (GLBA) -- This law addresses the protection of customer financial information by financial institutions; its Safeguards Rule requires a written information security program.
- SEC Rule 17a-4 -- This rule governs the retention and preservation of records by securities broker-dealers, including electronic records, which must be kept in a form that cannot be altered or erased during the retention period.
- HIPAA -- This law governs the privacy and security of healthcare-related information.
- ISO 17799 -- This international standard (since renumbered ISO/IEC 27002) covers best practices in information security. (Note that while this and a few other items here are not laws, they can be cited in legal proceedings of the "they should have known better" variety.)
- FERPA -- The Family Educational Rights and Privacy Act covers the privacy of student education records.
- NASD Rule 3010 -- This rule (since superseded by FINRA Rule 3110) required securities firms to maintain a supervisory system, including review of employee electronic communications, to protect the integrity of information in financial industry operations.
- DoD Directive 8100.2 -- This directive covers the use of commercial wireless devices, services and technologies in Department of Defense networks, and is recommended reading for civilian organizations as well.
So the knowledge and incentives to build a security culture exist across a broad range of industries and applications. But no one is perfect -- even top government officials screw up from time to time:
Item: Former senior Bush administration official Karl Rove apparently lost a BlackBerry belonging to the Republican National Committee. While it doesn't seem likely any government secrets were involved (and it has been suggested that the device was intentionally misplaced specifically to protect its contents), such a loss is clearly embarrassing for someone with a very high security clearance indeed.
Item: An official of the Mexican Government was forced to resign after stealing BlackBerrys belonging to U.S. government personnel. Again, while sensitive government secrets were probably not at stake here, it can be assumed that some of what was on those devices was not for public consumption.
Item: "A high-level British Government employee" had his BlackBerry stolen by someone who was possibly an agent of the Chinese government. Who knows? This one is right out of James Bond -- except that valuable data might really have been compromised.
Don't let incidents like this happen to you. The financial cost, time involved, and damage to one's reputation are expenses no one needs. In the next section we'll look at some steps you can take to make sure that your mobile security culture is appropriate and working to keep you and your company safe.
Preventing mobile security breaches
I think that, at this point, the issues, risks and liabilities of errors in mobile IT security are well known, and I've provided in the previous two sections a few very highly visible examples of just what can go wrong. In this section, I have some suggestions on how to keep your organization from falling victim to preventable mobile security errors that can have lasting -- and even devastating -- consequences for you and your organization.
First -- and I realize that many reading this series are not IT professionals -- stop what you're doing and undertake a brief security self-audit. Ask yourself about your own attitude to IT security. If you view it as a pain or in a similar light -- well, that's not good, but it's also not uncommon. Too many security solutions are indeed cumbersome and always seem to get in the way of doing one's job. Simplicity is, in fact, a key to successful IT solutions of any form, including security. But if your attitude is one of simply not caring, well, that's more serious. That translates into behavior that can set the tone for the entire operation. "Hey, if the boss doesn't care about security, then why should anyone else?" It's thus critical to adopt the right attitude -- security will be established and preserved, and everyone will buy into a culture of security.
Next, review your security policy, and if you don't have one (many organizations, even very large ones, do not), then before you do anything else, get one in place. Security policies vary by organization, but the basics are the same: these documents define what data is sensitive, how it gets to be defined as such, who has access to it (usually with several classification levels defined, such as "confidential" and "restricted" in business, or "secret" and "top secret" in government) and, more importantly, what to do when information is compromised. A policy does not enumerate specific solutions, but it drives their selection.
At this point, you and your IT staff can sit down to review and audit how the security mechanisms in place actually work, and make sure they are in concert with the security policy. By the way, keep the policy and the specifics of the mechanisms you use confidential. The press and analysts like me would love to interview you for a case study of what you're doing, and what works and doesn't in your case, but I'd be very disappointed if you agreed to such a request. There's no good reason for anyone outside the firm, save for auditors and similar personnel, to know the details of your specific solutions; such knowledge can be like waving the proverbial red flag in front of a bull. There are hackers, and worse, out there just waiting to prove your solution isn't as good as you think it is, and to do so in a destructive and highly visible fashion. One caveat: confidentiality of your configuration is a layer, not a foundation. Choose mechanisms (ciphers, VPN protocols, authentication schemes) that remain secure even when their design is publicly known, and assume an attacker will eventually learn which ones you use. What you are withholding is the map of your particular deployment, not the security of the mechanism itself.
And this brings me to a very important point: When it comes to security, unlike other elements of IT, you're never "done." There is no such thing as "finished" in IT security -- new threats appear on a regular basis, and old solutions may need updating or even replacement. Yes, there's potentially a big expense involved here, and that's often a justification for spending less than is required in terms of both time and financial resources. But think of IT security as an insurance policy; your CFO and legal staff would never let the firm operate without liability insurance, for example. Good mobile security solutions need not be expensive, and they can save the firm, and you, untold expense and grief that -- as this series of articles has illustrated -- have been visited upon others. And, by the way, it may be acceptable in some cases to outsource some elements of your security solution, but it is important -- and, I would argue, critical in organizations with about 1,000 employees (or more) -- to have on staff a "security person" who understands the entire solution.
The basics of a good security solution -- encrypting sensitive data wherever it is stored, making sure it appears in the clear only to authorized users, using a virtual private network (VPN) to secure all remote-access links, and strong (ideally, two-factor) authentication -- are not difficult to implement and can be made easy to use in operation. But, of course, it all boils down to attitude and culture. Corporate culture is largely the responsibility of senior management -- mobile security culture really does start at the top, and senior management today has a far greater stake than ever before in effective IT security.