Key challenges of mobile compliance

Vigitrust CEO Mathieu Gorge surveys the key challenges of mobile device compliance and how mobile devices need to fit with regulations such as the Data Protection Act and PCI-DSS

The proliferation of mobile devices is a fact of life in the contemporary enterprise. Most people worry about device loss, but the fact is that important corporate data can reside on or pass through mobile devices, so it is imperative to ensure they comply with the laws and regulations that apply to your business.

So, what are the key challenges to mobile compliance in 2015?
In this podcast, Computer Weekly storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge about data at rest and in transit on mobile devices, the types of attacks mobile devices are subject to, the laws and regulations that apply to mobile data, plus the systems and guidance that can help secure mobile device fleets.

Antony Adshead: What are the compliance risks of mobile devices?

Mathieu Gorge: Firstly, it's important to understand that we're dealing with a very fragmented network at the moment, so we need to understand where mobile fits in.

In the past, we would have had traditional networks protected by firewalls, and maybe VPNs with access into the firewall. We then moved onto the cloud and virtual machines and so on.

And finally, the advance of mobile devices is here. When we look at what can happen to a mobile device – it can be lost or stolen, or someone may access it without knowing it has happened – most people worry about losing the device itself and getting back up and running as soon as they can with the same datasets, which is an important consideration.

The reality is that the data on the device should be the priority. And so, if you look at the data that goes through your mobile devices, whether an old-style PDA, a smartphone, a tablet or a standard mobile phone with some data on it, we need to make sure the data on the device – i.e., at rest – is protected appropriately through encryption and through access controls on the data.

[We also need to ensure that] data in transit on public networks is protected, and we need to look at data in use. For instance, do you have technology that allows you to encrypt the data between the virtual keyboard on your mobile device and the kernel of the device itself, such that if you are ever infected by a key-logger the data is not at risk?

This is fairly new technology. It's actually quite good. It works well, but it's not the type of attack that is always caught at source for mobiles.

From a security and compliance perspective, if you look at the Data Protection Act in the UK, if you look at PCI-DSS and so on, you often need to look at security in mobile devices, so you need to map where you have sensitive data that's going onto mobile devices.

What's also important to consider is the idea of unstructured data on your mobile device. You're going to have data on applications within the device. You're going to have data in memory on the device and you're going to have data coming in and flowing out of the device.

So, the key considerations here would be, is the data secure, and is it backed up in such a way that if you lose the device you can get access to the same dataset present at the time the device was lost? And if you are backing it up, is the backup secure and is it done the right way?

So, the key question is whether the organisation can be sure all mission-critical data and all confidential data that might be transiting through the device or stored on it is available at any given time.

And the reason for that is because of e-discovery mandates that are being applied more and more in Europe and the US, but also for compliance perspectives.

Finally, there's the issue of bring your own device [BYOD]. So, if the organisation allows personal devices to be used for business purposes, then business data ends up on personal devices. How is that data stored? Is it stored in a separate virtual environment on the mobile device? These are necessary considerations.

Adshead: How can organisations ensure compliance of mobile devices?

Gorge: The first thing to do is to map out the mobile fleet you have, and that goes back to having an asset inventory that shows all the mobile devices and users that have access to a mobility platform.

Once you've done that you can map the data that you allow on those devices or to transit from the protected network into the mobile network.

So, you might decide that access to a database or to the VPN is allowed from a mobile device, from an iPad or whatever, but you may decide that taking credit card payments over a mobile is not acceptable because it doesn't match your policies.

Once you've done that, it's important to put in place some mobile device management [MDM] systems that allow you to look at the security systems on all your mobile devices, but also look at potentially having the ability to remote wipe the devices and also doing automatic backups.

Bear in mind that today we use our mobile devices a lot more than we use traditional desktops, so mobile devices are part of the DNA of the enterprise today and data from mobiles needs to be fully and securely backed up.

So, encryption of stored data on the device and extraction of the data on an ongoing basis in a secure manner is something that needs to be part of the security strategy and storage strategy of the enterprise.

So, there are some new solutions out there that allow you to do that. Strikeforce Technologies is one of them. There are also some very good documents that provide you with guidance on how to manage mobile devices, including some new publications from the European Union Agency for Network and Information Security (Enisa).

In addition to that, if you look at standards like Cobit you find that there's some good technical guidance about how to implement a good storage policy and backup policy for mobile devices.

At the end of the day you go back to data mapping and device mapping, making sure that you only allow people to use mobile devices for mission-critical operations or systems if you need to. If you don't need to, don't do it, because you're definitely increasing your attack surface, you’re making it harder to store data and you're creating a lot more unstructured data that may or may not be backed up or stored the right way.