Compliance In An Age Of Mobility

Regulated companies put compliance efforts in jeopardy unless they address mobility

Dark Reading Staff, Dark Reading

March 22, 2012


Mobility may be rewriting some of the rules of business today, but some sets of rules it hasn't budged are the ones written by IT regulators. As organizations get their grips on the operational and endpoint security ramifications of persistent and pervasive mobility, they also need to think about how it is changing the way users interact with and store data, and what that means for ongoing compliance efforts.

"Compliance and regulatory rules still apply," says Wayne Wong, managing consultant for Kroll Ontrack's electronically stored information consulting group. "One of the truisms of compliance is that the principles remain the same regardless of the technology. All it is is a tweaking of the technical details of how you do it, but the obligations are the same. I think people think that it's a brand-new way of looking at compliance with mobility, but it really isn't. It's exactly the same."

According to some, this is going to require IT departments solidly fixed in an operations-focused mentality to shift paradigms.

"Due to cloud services and the consumerization of IT, corporate data is being housed both inside and outside the enterprise as well as in mobile user devices," says Eric Chiu, president and founder of HyTrust, a cloud compliance company. "With this trend, IT will need to move from being operational in function to being more control and governance-focused."

Getting a handle on governance of mobility practices requires that businesses stop the wait-and-see game that has kept many from developing mobile policies until things seemingly settled down. As Mike Weber, managing director of Coalfire Labs, puts it, if your organization is "wishy-washy" about its mobile device policies, then now is the time to take a stand.

"The most frequent problem we have seen is a lack of solid company standing on any issue. Without guidance and a documented 'company line' on mobile device usage, a company has no assurance that their staff understands the risks these devices bring, and further has no recourse in the event staff fail to report loss, theft, or suspicious activity," he says. "In the event of a data breach that goes unreported, a company may be faced with substantial fines and penalties depending on the state, industry, and regulation violated. If your organization is 'wishy-washy' on mobile device usage, it's time to pick a position and stick with it."

And, no: Your company position is not that it is using a mobile device management (MDM) technology. That technology only supports the policies, but it's not what drives them.

"What we generally see is that when a company is faced with new technology coming in, they seem to always gravitate to find some product that can provide everything for them without doing the basic framework of making sure policies are updated, making sure that those policies then turn into actual procedures and -- once you know what you want to do -- and then looking for a product that either enforces that, monitors it, or helps you with the workflow," Wong says. "A lot of organizations kind of do it backward."

The Cloud Problem

While device management is certainly a big issue from a compliance standpoint, what may be the even bigger issue at play is how data flows in and out of mobile devices and the cloud storage infrastructure that invariably supports them. At a basic design level, Weber says the first compliance wrinkle gets thrown into the mix due to the fact that smartphones and tablets are designed with a single-user architecture.

"Accordingly, auditing and logging of activity on these devices is virtually nonexistent. All regulations require some kind of monitoring of user activity to identify unauthorized access attempts and security anomalies," Weber says. "The only way to provide consistent monitoring is to treat a mobile device as a completely untrusted endpoint. Implementing a secure, authenticated connection to corporate resources, perhaps by SSL VPN, can allow you to monitor the activity at a single choke-point and -- pending appropriate controls over local data storage -- ignore activity on the end user device."

It isn't just a question of what corporate data resources the user is bringing onto the device -- it's also a matter of tracking the data that leaves the device. This is a huge problem given the way many mobile players have addressed data management with that single-user architecture.

"Apple is solving the problem of data management on the mobile device with the iCloud service, and the others are following with similar offerings. While this is incredibly convenient for the user, it may unwittingly introduce a new 'business partner' into your company simply by using a device the way it is intended," Weber says. "If your staff are using personal iPads and leveraging the iCloud service, you may be ultimately relying on this third party to secure your confidential data -- a third party with whom your company has no relationship." According to Wong, in order to maintain the integrity and trackability of regulated data, organizations need to think of better ways to offer back-end infrastructure alternatives for mobile users to still utilize their devices as intended without failing an audit in the process.

"Given the fact that these mobile devices rarely connect hardwired to a network, IT needs to start thinking about provisioning wireless or cloud-based storage that still meets the requirements of HIPAA and HITECH and any of the other requirements that are required of them," he says.
