Compliance In An Age Of Mobility

Regulated companies put compliance efforts in jeopardy unless they address mobility
While device management is certainly a big issue from a compliance standpoint, the bigger issue may be how data flows in and out of mobile devices and the cloud storage infrastructure that invariably supports them. At a basic design level, Weber says, the first compliance wrinkle comes from the fact that smartphones and tablets are designed with a single-user architecture.

"Accordingly, auditing and logging of activity on these devices is virtually nonexistent. All regulations require some kind of monitoring of user activity to identify unauthorized access attempts and security anomalies," Weber says. "The only way to provide consistent monitoring is to treat a mobile device as a completely untrusted endpoint. Implementing a secure, authenticated connection to corporate resources, perhaps by SSL VPN, can allow you to monitor the activity at a single choke-point and -- pending appropriate controls over local data storage -- ignore activity on the end user device."

It isn't just a matter of what corporate data resources the user is bringing onto the device -- it's also a matter of tracking the data that leaves the device. This is a huge problem given the way many mobile players have addressed data management with that single-user architecture.

"Apple is solving the problem of data management on the mobile device with the iCloud service, and the others are following with similar offerings. While this is incredibly convenient for the user, it may unwittingly introduce a new 'business partner' into your company simply by using a device the way it is intended," Weber says. "If your staff are using personal iPads and leveraging the iCloud service, you may be ultimately relying on this third party to secure your confidential data -- a third party with whom your company has no relationship." According to Wong, in order to maintain the integrity and trackability of regulated data, organizations need to think of better ways to offer back-end infrastructure alternatives for mobile users to still utilize their devices as intended without failing an audit in the process.

"Given the fact that these mobile devices rarely connect hardwired to a network, IT needs to start thinking about provisioning wireless or cloud-based storage that still meets the requirements of HIPAA and HITECH and any of the other requirements that are required of them," he says.
