By SWM Staff
Mobile devices represent an essential component in nearly every industry. While the benefits of mobility in the workforce and to the consumer are obvious, the security concerns are, too. To address these issues, mobile compliance software solutions are implemented to protect businesses from mobile security issues including unsecure and malicious applications, jailbroken devices, data loss, and unprotected networks that enable attacks over open WiFi connections.
A series of mandates—including HIPPA, PCI, and the recently approved European Union’s General Data Protection Regulation (GDPR)—force organizations in industries affected by the regulations to step up and prove compliance.
According to a new report by Allied Market Research titled, Global Mobile Security Market-Solution, Types, OS, Trends, Opportunities, Growth and Forecast, 2013 – 2020, the global mobile security market will reach $34.8 billion by 2020, registering a compound annual growth rate of 40.8 percent during 2014 to 2020.
Within the spectrum of mobile device management (MDM), compliance solutions exist to ensure organizations provide a secure mobile experience for both employees and consumers. This article looks at affected industries, the evolution of the demand for compliance among mobile workforces, and highlights mobile compliance software solutions, which often exist as part of an overall MDM strategy.
While many businesses increasingly rely on mobile solutions, the retail and healthcare industries in particular regularly deal with sensitive customer and patient information, and therefore need to ensure security is under control.
“We’re seeing an increase in mobile device usage in healthcare and retail,” says Steward Fife, product manager, Cisco Meraki. Each have their own concerns. He says in healthcare, employees access and collect patient health information on mobile devices such as tablets and are required to adhere to HIPPA. Compliance software, such as Cisco’s Meraki Systems Manager, helps the industry’s mobility management teams keep track of changes in device location and settings; notify, lock, and remove data from devices; and enforce on the use of certain applications and only use by specific users.
For the retail industry, Fife says its customers are governed by PCI as they rollout more point of sale devices to process customer payments. The Meraki system helps enforce device posture and location—ensuring the AVV is running, the device is not jailbroken, only approved applications are installed, and the device remains in the store. The solution is also used in kiosks to remotely upgrade applications and subsequently locking devices into single application mode.
Alan Phillips, product manager, Sophos endpoint security, Sophos Ltd., feels that the industries with the most pressing needs for compliance solutions are healthcare and retail. This is due to the fact that they need to handle the strict requirements of regulation frameworks like HIPPA and PCI.
“In today’s environment, it’s difficult to imagine any business or industry in the U.S. that doesn’t require compliance solutions for mobile devices. You start with the state breach notifications laws that began in CA that went into effect in 2003, and now have spread to 47 U.S. states. Although these rules and their applicability vary from state to state, still many of them require business endeavors to report a breach of personal information data to some state agency,” explains Stephen Treglia, Esq., HCISPP, Absolute Software.
Treglia adds that with today’s business especially being conducted digitally, it’s difficult to believe any provider of goods and/or services doesn’t come into contact with the breach notification laws of several states. “Over the years, other forms of federal privacy regulations have added on breach notification requirements, including HIPPA and Gramm/Leach/Biley.
Additionally, Phillips points out that the European Union’s newly reformed GDPR will inevitably extend compliance and data protection requirements to most industries.
Treglia comments that even those that do not currently have such requirements are either in the process of considering adding them, citing the GDPR, which goes into effect in 2018. “Any entity doing business with European Union citizens will have to comply with the GDPR’s guidelines as well. And then, there are demands being imposed by various U.S. agencies such as the Federal Trade Commission, the Federal Communications Commission, and the Securities Exchange Commission to have enhanced authority in the growing world of sensitive data regulation,” he explains.
Over the past few years, consumers have become more reliant on mobile devices and applications. To benefit from the trend, businesses now offer new ways to interact with customers.
“The requirements for mobile compliance from three years ago were a lot more undefined, with most companies ignoring compliance needs for mobiles that contained company data and instead focused on productivity requirements,” recalls Phillips.
Phillips says that today, companies are regarding mobile devices as another endpoint, presenting them with the same risks and challenges as any desktop or laptop computer. Current common compliance needs include ensuring that mobile devices are encrypted to the same levels as full disk encryption on desktops, configuring appropriate password rules, controlling lifecycle for devices—full device- or enterprise-wipe in case of loss or in the event an employee is leaving the company, controlling the flow of corporate data with built-in containerization or corporate container applications, and validating device security, for example, by detecting devices that are either jailbroken/rooted, or compromised by malware.
Treglia points out that mobile compliance needs have evolved exponentially in the past few years—both in terms of technology and regulatory issues. “The explosion and continuing expansion of mobile devices being used to conduct commerce has put the volume of at-risk data far beyond what anyone could have imagined just a few years ago. And we’re not even discussing yet how many times more that will expand once the Internet of Things becomes more of an everyday reality of the common person. Regulators legitimately fret that this will get the security of personal data hopelessly out of hand and are trying to craft the rules and person power to stem the overwhelming tide, but continue to fall further behind. One must also wonder if there is a less noble purpose behind the rush to greater regulatory involvement, such as the ability to impose substantial monetary penalties.”
Company compliance is assured with the help of compliance software products within MDM solutions. The following offerings help ensure compliance for employees and consumers.
Absolute Software takes a unique approach with several aspects that differentiate its solution from the competition, according to Treglia. First, he explains, its patented Persistence technology is a feature only Absolute has the patent to possess and use. “Absolute has partnered with the world’s leading OEMs to embed Absolute technology in the firmware of over one billion devices globally. This means Absolute technology is on the device at the time of purchase and can be activated at any time. It also means that if your business runs a multi-system mobile operation, Absolute will maintain a persistent connection to all of your devices. Typically when someone gains access to a mobile device with the intent to use it for an unauthorized purpose, one of the things they do is attempt to disable tracking software installed by the rightful owner of the device. Persistence technology allows our software to survive such attempts. Replace the hard drive, wipe the hard drive clean of all data, re-install the operating system, flash the BIOS, do a number of methods to remove surveillance software, and Absolute’s technology will still be there and can be reactivated,” says Treglia.
He shares that the company’s technology can be used to do typical remote management services such as monitoring GPS location, data delete, device freezing, etc., but once reported stolen, “Absolute has another unique differentiator, a worldwide investigative staff of ex-law enforcement officers with more than 1,000 years of combined law enforcement experience and over 300 years of cybercrime experience. For the last 20 years, the Investigations Team has recovered over 39,000 stolen mobile devices by working with over 7,500 agencies and 36,000 officers worldwide via law enforcement-managed investigations.”
The Absolute Software staff has also actively acquired the specialized training and certifications necessary to specialize in protecting personal data transmitted through the various industry verticals, such as CISSP, HCISPP, and CPP. Absolute is also ISO 9001 and 27001 certified. Hense, Treglia says the company’s employees have the education, background, and experience to understand how to use its solutions to best maintain compliance in the various regulatory endeavors throughout all industry verticals.
The Cisco Meraki Systems Manager helps customers keep track of devices, enforce policies on devices, manage users and applications of devices, and control content used on or shared between devices and services.
Within its MDM Mobile Security Solutions suite, MobileIron offers a compliance solution. According to the company, compliance drives many mobile security deployments and it participates in security councils including PCI. MobileIron brings together solutions for PCI, HIPAA, and CJIS. Additional foundations of its customer solutions include SOC 2 Type II and FIPS validation.
Simple But Needed (SBN) offers mobile regulatory compliance software and applications with its mobile business solution products. The company admits that managing regulatory compliance is challenging, citing that OSHA alone has numerous inspection requirements with varying frequencies. Additionally, SBN points out that the Environmental Protection Agency, state, and local municipalities have additional regulatory requirements and it has developed software to help organizations comply with the volume of regulatory requirements.
SBN’s regulatory compliance solutions are by its mobile regulatory software compliance tools that allow staff to electronically document inspection activities from the field, which offers numerous advantages over traditional pen and paper methods.
With the company’s mobile compliance applications, users create custom inspection checklists designed to demonstrate compliance with OSHA and other governmental requirements. Users can set inspection frequencies, schedule inspection activities, and monitor the progress of inspections. Inspectors themselves can pull up any inspection checklist from the field, document the inspection activity, incorporate and edit photos, and create exception reports to document safety deficiencies.
The Sophos Mobile Control solution is an enterprise mobile management solution for mid-market businesses. Phillips says the solution is ideal for organizations that find managing all aspects of their mobile infrastructure challenging. He says features from easy-to-use MDM to powerful data protection enables Sophos Mobile Control to empower productivity and allow the use of mobile devices for work while keeping corporate data safe and the business compliant.
Sophos Mobile Control lets administrators configure, manage, and maintain their mobile devices remotely, regardless of whether the devices are corporate or user owned. Features that enable this include remotely wiping the device or all corporate data on it, configuring the password or storage encryption options, configuring the device’s containers or enabling the Sophos container on the device, and constantly monitoring device health and compliance state against a set of policies matching specific regulation or company needs and automatically trigger migration actions in case of any violation or breach.
Within the security umbrella, compliance issues remain a real concern for mobile-savvy organizations. Solutions exists to help businesses in a variety of industries feel confident that information transmitted across their devices is secure, and remains compliant amid a series of new rules and regulations. SW
Jul2016, Software Magazine