In the second of this two-part series, Chris Hazelton of The 451 Group discusses the steps mobile enterprises need to take to prepare for stringent data legislation. In Part One, he provides details on a Massachusetts law that mandates encryption of customer data that travels outside a company's premises.
The Massachusetts regulation requires companies to develop a comprehensive security program. The plan has several requirements, including designating at least one employee to maintain the security program and ensure compliance with it.
The program must identify and assess internal and external security risks, and it must include employee training and the detection of security failures. It should have policies that determine how customer data is stored and how it travels while outside the company's firewalls. Disciplinary measures for employees must be defined for the event of a security breach. To prevent terminated employees from accessing customer records, compliant companies must be able to "immediately" terminate their physical and electronic access to those records.
The real difficulty of this regulation is its focus on data at rest. Any customer records stored on a smartphone are data at rest, so the company must be able to wipe them remotely. Many companies do not actively manage the smartphones within their enterprise. Companies looking to avoid the cost of deploying mobile infrastructure management tools and services often push those costs onto the employee.
This strategy ranges from employees bearing all the costs -- paying for both the device and the service -- to companies reimbursing the service while the employee still owns the device. In either scenario, the company cannot terminate access to data at rest when the employee is terminated. The organization must own and manage its devices so that customer data can be remotely wiped. Device management tools like RIM's BlackBerry Enterprise Server (BES), Microsoft's System Center Mobile Device Manager (SCMDM), Sybase's Afaria, HP's Enterprise Mobility Suite, and Trust Digital all offer remote device wipe capability.
Mandating password protection for smartphones is not enough. Companies will need encryption software running continuously on their devices. RIM's BlackBerry and devices running Windows Mobile 6.1 and higher provide native encryption of data at rest out of the box. Some Symbian devices, such as Nokia's Eseries, offer native device encryption -- but Nokia's more popular Nseries does not.
Third-party developers offer encryption software for data on smartphones. Even one of the newest smartphone operating systems, Google Android, has third-party encryption software available. While use of the iPhone in the enterprise is growing, its lack of encryption is a major weakness. The iPhone doesn't offer native on-device encryption, and since third-party apps can't run continuously in the background, developers can't provide device-wide encryption for it.
Five Steps Enterprises Can Take To Comply With Regulations
- Identify and assess internal and external security risks through training and detection of failures.
- Have policies that determine how customer data is stored and travels while outside a company's firewalls.
- Own and manage your smartphone deployment, rather than pushing this off on individual employees.
- Have encryption software running on devices continuously.
- Be able to immediately terminate physical and electronic access to customer records.
Chris Hazelton is Research Director, Mobile & Wireless, with The 451 Group.