One way or another, most organizations have to deal with user and IT strategy changes stemming from mobile applications...
and data. These efforts may range from simple development and support of mobile applications to developing detailed bring your own device (BYOD) programs that allow employees to choose their own end-user computing devices.
As data becomes increasingly mobile and exceeds the boundaries of the traditional corporate network, maintaining compliance and security can be challenging. In the past four or five years, I have been involved in numerous IT leadership discussions about making data and applications more mobile and accessible. In many of those cases, however, I was surprised to find that IT leaders didn't actually have a well-defined goal or concept to adapt to the mobility trend. Without these goals, privacy, security and compliance all potentially suffer.
As with any technology decision, being able to maintain security or privacy compliance is highly dependent on knowing the type and scope of the information involved. Key questions to ask your business leaders should include the following:
- What type of information are we trying to make mobile?
- What technology changes will be required to make this data or application mobile?
- Who is going to be accessing this mobile data or application?
- How critical is this data or application to our organization, especially if it were to become unavailable, corrupted or hacked as a result of being mobile?
Additional questions are likely useful as well, but these four queries are a good place to begin identifying what needs to be protected, how the organization and third parties expect to protect it, and what the consequences might be if it is not adequately protected. Clarifying this information also makes it much easier to decide which types of security technologies or procedures will be necessary. Possibilities include the following:
- When creating a new mobile application, companies may consider additional application code scanning products or possibly extra penetration testing.
- For a BYOD initiative where personally owned devices are allowed access to corporate systems and data, companies may need a mobile device management (MDM) product, a network access control solution and possibly even DLP technology.
- Moving applications or data to the cloud may also result in personally owned devices having access to your organization's data, so businesses should consider whether potential cloud providers provide the security options listed above.
Vet your vendors
In some cases, mobilizing data involves moving it to a cloud provider -- whether that means simply using a third party to host your network and servers or employing a provider that manages everything from hardware to the application or data itself. To maintain compliance, it is important to have a strategy for vetting any outside parties that you might use as part of your mobile data strategy.
The Cloud Security Alliance (CSA) provides valuable resources for companies that are vetting cloud vendors and providers. The CSA is a not-for-profit group that has developed guidelines and assessment document templates so that organizations can vet cloud providers using a standardized set of questions mapped to common security standards such as PCI DSS, ISO 27001, and the Federal Risk and Authorization Program.
For scenarios where your organization may simply be mobilizing data via an internally managed application or technology, the company should conduct some extra research on the vendors to see if they have had any security or privacy issues. In addition to using some of the more popular product research firms such as Gartner and Forrester, utilize peer networks to hear their experience with vendors and their products. LinkedIn and other common business forums can be used to inquire about any specific negative experiences that your peers might have experienced. It is also sometimes useful to ask penetration-testing firms about a particular product or provider, because if a vendor has a data protection weakness, a good penetration-testing firm has likely already discovered it.
Lastly, companies should develop a strategy to continuously monitor the security of its mobile data or environments. If your company implements some of the technologies, such as DLP or MDM, you may want to also consider a good security incident and event management, or SIEM, tool to make sense of the various alerts and notifications. At a higher level, it might also make sense to look at possibly engaging a threat intelligence service to gain insight into any underground networks that may be targeting your systems, or even those of your third-party providers.
The increased demand for mobile data and systems is an inevitable part of IT and security these days. The most successful security and compliance programs will be those that proactively set the stage for mobile data enablement. The key to creating those favorable conditions is clearly defining the intended scope of the mobile data strategy, then implementing the appropriate controls according to that scope. Your company should also pay close attention to vetting providers and vendors and keep a close eye on the compliance and security of your data once it's actually mobilized. After all, the benefits of mobility will become null if it only makes data more vulnerable to security and compliance concerns.
About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeff served in security executive/leadership roles for a number of private and public sector organizations including Cbeyond, Equifax, The First American Corporation, S1, the state of Georgia's Department of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.
Keep mobile devices regulatory compliance-ready
The data governance challenges of wearable tech
Mobile risk assessment: The 10 questions you need to answer