Modern Mobility

Mobile compliance brings more IT complexity


IT in the gutter with mobile compliance

A lot of organizations don't understand what it takes to maintain compliance on mobile. It starts with keeping track of devices and apps.

The emergence of enterprise mobility has made it a lot more complicated for organizations to maintain compliance with government and industry-specific regulations.

Regulatory compliance encompasses a slew of federal, state and local laws and policies that businesses must adhere to. When it comes to technology, that means obeying laws that help ensure secure data storage and processing. If a company fails to comply, it could face repercussions such as fines and even criminal charges.

But the consumerization trend put another wrinkle in the way enterprises deal with compliance. Now, companies have to worry about mobile compliance and securing their data on employees' personal smartphones and tablets -- not just on corporate-provided devices. That's tougher to secure, because IT typically has less insight into users' own devices and apps. With company-issued laptops and desktops, IT admins could keep closer tabs on PCs in and even outside the physical office environment. But with their personal mobile devices, employees can access corporate data from any unsecured network, further complicating monitoring and security measures.

"The data is literally leaving their network," said Nat Kausik, CEO of Bitglass, a cloud access security broker startup. "When [organizations] had conventional desktops, they controlled it -- installed the software, locked it down, and you couldn't alter it in any way. With mobile, all of that is essentially obsolete."

Plus, mobile data is often accessed from or stored in the cloud. That complicates mobile device compliance because the organization is still liable for any data that a cloud provider delivers, manages or stores for IT.

"Cloud definitely poses a wrinkle for teams like security and legal," said Jeff Jenkins, director of cybersecurity at Travelport, an Atlanta-based travel commerce platform provider. "It's about contractual agreements. It requires you to do a lot more due diligence in negotiation when working with the cloud provider."

What makes things even trickier is the fact that national regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which governs the processing of patient health information, don't offer specific language that addresses mobility and remote access. These kinds of laws were designed to be general and all-encompassing so that they're less likely to become outdated as technology advances, said Ramy Fayed, a partner and U.S. practice leader of legacy health care at global law firm Dentons.

Still, HIPAA requires that any transmission of electronic health information is protected, which would include data stored or processed from mobile devices -- and it's up to IT departments to figure out how.

"You're not going to find a magic list that the government said, 'OK, do these ten things and you can rest at night,'" Fayed said. "If you're applying security rules to your hospital computers, [those] are going to need to be carried out with your mobile procedures… At the end of the day it's all about, how do I implement a process that best safeguards privacy, confidentiality and all the protected health information?"

HIPAA does have some hard and fast rules, such as mandated security risk assessments. But other rules are simply what are called "addressable standards," meaning they're not required by law but IT departments must assess whether they're appropriate to implement for their organization. The use of encryption is one example of the latter, Fayed said.

"Despite it being 'addressable,' it would be hard to come up with a justification as to why you didn't implement encryption," he said.

Plus, HIPAA in 2014 implemented increased fines if companies violate certain parts of its regulations. That has made more healthcare organizations formalize their policies around mobile compliance, Kausik said.

What Counts as PII?

  • Name and aliases
  • Social Security, passport, driver's license and taxpayer or patient identification numbers
  • Financial account and credit card numbers
  • Street, email and IP addresses
  • Telephone numbers
  • Characteristics gleaned from photographs, X-rays, fingerprints and other biometric sources
  • Vehicle registration numbers and home title information
  • Information about date and place of birth, race, religion, weight, activities, geographical indicators, plus employment, medical, education and financial history

Source: National Institute of Standards and Technology special publication 800-122 "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)," U.S. Department of Commerce

"You can't secure what you don't acknowledge"

One of the compliance requirements most affected by mobility is the protection of personally identifiable information (PII) -- data such as an individual's name, address, Social Security and driver's license numbers and even physical characteristics -- because smartphone and tablet apps now access and process so much of this data. Any company that handles PII is mandated to follow federal and state privacy laws that serve to safeguard a person's identity.

Travelport employees handle travelers' PII, for instance, and the company must also comply with international information transfer laws and payment card industry (PCI) requirements, which compel organizations to process and store credit card information securely. Travelport offers corporate-provided mobile devices, so IT uses mobile device management (MDM) software to gather reports on user behavior and ensure that employees are properly processing sensitive customer data, Jenkins said.

"It gives us an idea of the trends and behaviors, whether someone is doing something bad on their endpoint that would create a security hole," he said. "That's huge from a compliance standpoint."

But what if an organization doesn't even know credit card information is being stored on or processed from mobile devices? That's the biggest issue when it comes to mobile compliance: Many companies are dealing with unknowns, said Kevin Beaver, an independent security consultant at Principle Logic.

Some IT shops don't know what devices they have on the network and whether they're personal or corporate-owned, and therefore they don't know what apps people are using and what corporate data they may be accessing. This problem occurs when companies don't have a standard for what devices they provide, or they don't have a strong BYOD policy, Beaver said.

"You can't secure what you don't acknowledge," he said.

This lack of visibility can lead to compliance violations because IT may not put the proper security measures in place on devices or data it doesn't monitor. The biggest breaches experts see around mobile device compliance occur when companies don't encrypt mobile data, enforce user passwords or have secure storage and networking. For instance, the PCI Security Standards Council strongly recommends that organizations segment their networks to keep cardholder information separate from the rest of their stored data. But many companies don't realize that, or don't implement segmentation for mobile data, Beaver said.

In some ways, mobile compliance is similar to compliance for PCs. Admins need to require passwords and make sure they keep patches up to date, for example. IT also can't assume that mobile devices -- even iPhones and iPads, which fall victim to malware less often than other devices -- don't need antimalware, Beaver said. Bad links, such as those from banned sites or paid services, can carry viruses. But they're harder to identify on mobile devices because touchscreens prevent users from viewing the full URLs of the links they may click, Beaver said.

"That's a good reason alone to have antimalware on these systems," he added.

The pushback problem

Some breaches happen because no one wants to take responsibility for maintaining security and compliance, Beaver said. Executive decision-makers may not want to put in the effort or budget it takes to follow mobile compliance regulations. And because of the complexity and sheer number of users, especially in larger organizations, some IT admins are simply hands off when it comes to handling smartphone and tablet compliance.

"I still see a big gap with management, but this is an IT-born issue," Beaver said. "That's the missing link, and that's how businesses get into trouble … [IT administrators] are trying to do their jobs, but often they don't have the backing of upper management, so they just let it be."

An even bigger problem is a lack of communication between IT and other key groups, such as compliance officers and internal auditors, Beaver said.

"Everyone is doing their own thing and assuming all is well in everyone's respective corners," he added.

When it comes to maintaining compliance on personally owned devices, organizations see a lot of user pushback, too. Users are often responsible for meeting security requirements such as using passwords or limiting content sharing in specific apps, but they don't always follow the rules.

"That's a big burden for users," Beaver said. "I don't think users should be fully responsible for all aspects of security."


In particular, giving users too much freedom for accessing and sharing corporate data on mobile devices is a recipe for disaster, Jenkins said. Instead, IT needs to educate users on compliance rules.

"A lot of the compliance efforts focus more and more on user awareness and education," he said. "It's that new collaborative environment, especially newer, younger companies that take [collaboration] a little too far, that they put themselves at risk."

Plus, even if organizations don't have official BYOD programs in which they manage users' devices, an employee who sends an unencrypted email from a personal smartphone, for instance, still leaves the company liable. If a security breach occurs, law enforcement has the right to look at any information on the device.

"Saying that you don't want to manage a personal or BYOD device doesn't mean you escape any liability," Jenkins said.

Your mobile compliance toolbox

Fortunately, organizations are starting to see that compliance is a real issue, Jenkins said. There are plenty of tools available to help IT admins get better insight into their environments and implement the proper security measures.

MDM software is a big one, Jenkins said, in addition to containerization and dual-persona technologies that separate corporate and personal apps and data on mobile devices.

"That's what got … legal more comfortable in a lot of organizations," he said.

But not all organizations want to install management software locally on users' devices, especially because end users often don't want IT monitoring their personal information, Bitglass' Kausik said.

As an alternative, cloud access security brokers can act as a gateway, routing data through the cloud and encrypting it before it gets to the user's device. This emerging market today includes companies such as Adallom, Bitglass, CloudLock, Elastica, Netskope, Skyfence and Skyhigh. Some vendors also offer a remote wipe feature so IT can still protect data on lost or stolen devices.

Monitoring and reporting tools are also a big help when it comes to tracking user behavior and ensuring that employees meet security requirements. In-app analytics can also increase visibility, allowing IT to see how users are accessing and interacting with apps to make sure they're following network and password rules.

To keep things extra secure, Jenkins said his company uses virtual desktop infrastructure. Travelport delivers virtual apps to employees that require certain sensitive data; since the apps live in the data center, IT can control their delivery and ensure nothing is stored locally on the user's device.

"You can control whether they print [information] out, whether they download it, whether they can do a screen capture," Jenkins said.

As privacy laws evolve and the increase in devices presents even more management challenges, mobile compliance is sure to see a lot of changes in the coming years. But for now, IT has plenty of ways to keep in compliance -- as long as everyone in the company gets on board.

This article originally appeared in the January issue of the Modern Mobility e-zine.

