Navigating GDPR in the mobile enterprise
Securing data and protecting privacy in a connected world is already a major challenge for any enterprise, and mobility only magnifies this challenge. Mobile devices are treasure troves of personally identifiable information (PII), making them a rich target for hackers and cyber attacks.
This is why mobile enterprises are grappling with the potential impact of GDPR (General Data Protection Regulation), a pan-European data protection law set to take effect in May 2018 that will have material consequences for every enterprise with a global footprint.
Google’s recent $2.7 billion European Union fine reminds us that while doing business in Europe represents significant business opportunities, it also creates unique risks and pitfalls that every global company needs to navigate. GDPR adds another layer of complexity for companies relying on mobility to run their businesses, as well as those trying to strategically mobilize their EU operations.
GDPR applies to organizations anywhere in the world that collect or process the personal data of EU residents. Under this law, mobile enterprises must show what data they are collecting, where they’re storing it, how it’s safeguarded, and when they’ll notify an individual and authorities if data is compromised. Individuals will have the right to access, modify, erase, or transfer their data at any time. Non-compliance could result in fines up to 4 percent of annual global turnover, or €20 million.
GDPR requires enterprises to secure personal data on a mobile device, data in transit from one mobile device to another, to a desktop device or to an application, and data being processed. Apps are particularly vulnerable, and their security and privacy compliance often has gaps. By one estimate, 84 percent of cyber attacks happen at the application layer.
Today’s enterprises must address three major issues:
- How to effectively protect employee privacy with the use of mobile devices and apps on those devices
- How to provide security that protects customer PII when employees must interact with customer PII
- How to ensure that the security measures protecting customer PII are cost-effective and don’t interfere with employees doing their jobs.
Below are some key approaches to help mobile enterprises navigate the GDPR labyrinth.
Four layers of security
To cover their entire threat surface, many enterprises adopt a layered approach to security, also known as defense-in-depth. To protect the vulnerable app, these enterprises implement four layers of mobile security: the operating system (e.g., Android or iOS), the device, the human element (internal and external users), and the app itself, which may be containerized or “sandboxed.” In a perfect world, all four layers of this app-centric security architecture would be rock solid. But in reality, each has its own unique vulnerabilities.
A priorities-based approach
A priorities-based approach is one that addresses the riskiest areas first. The riskiest devices and access points are those the enterprise doesn’t actively manage, where it has no visibility or control. As a result, IT doesn’t know whether these devices are infected with malware or whether they’re accessing PII.
Having the right human processes and procedures in place to address this is critical. This approach can include preventing unauthorized access to systems, limiting the number of accounts with administrative rights, requiring multi-factor authentication for both the device and the app, and requiring strong passwords that are never shared.
A persona-based approach
Another effective approach is a persona-based technique that starts with understanding the basics: where’s my data, who has access to it, how are they accessing it, and what are they doing with it? The requisite security solutions are then based uniquely on these personae and use cases. For example, for employees with company-owned devices, you may want to manage the whole device. For contractors who use their own devices to interact with customer information, you can opt for an app-centric solution.
An app-centric approach
A fast-emerging approach to securing data access via next-generation endpoints like mobile and IoT is to build security directly into the app and make the app the first point of control. This approach incorporates the requisite security controls directly into the app; the app’s own code then encrypts any data written to the local device and any data transmitted over the network. These controls also enforce additional organizational policies, such as strong authentication, data sharing and device posture.
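The app-centric controls described above, as an added example in Go that is not from the article or from any product it describes: a small in-app secure store that encrypts every record with AES-GCM before it reaches local storage, binds the record name into the authentication tag so a blob cannot be silently swapped between records, and refuses to read or write until an in-app policy check on authentication and device posture passes. The DevicePosture fields, the CheckPolicy rule, the record names and the sample PII are assumptions made for illustration; the same AEAD wrapping can be applied to records before they are sent over the network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DevicePosture holds the device-side facts the app checks before touching
// personal data. The attribute set is an assumption for this example.
type DevicePosture struct {
	MFACompleted bool // user completed multi-factor authentication in this session
	Jailbroken   bool // device integrity checks failed
	ScreenLock   bool // a device passcode/biometric lock is configured
}

var (
	ErrPolicy   = errors.New("policy denied: authentication or device posture insufficient")
	ErrNotFound = errors.New("record not found")
	ErrCorrupt  = errors.New("stored record is too short to contain a nonce")
)

// CheckPolicy is the organisational policy enforced inside the app (assumed rule).
func CheckPolicy(p DevicePosture) error {
	if !p.MFACompleted || p.Jailbroken || !p.ScreenLock {
		return ErrPolicy
	}
	return nil
}

// SecureStore encrypts records before they are written to local storage.
// records holds nonce || ciphertext || tag, exactly what would land on disk.
type SecureStore struct {
	aead    cipher.AEAD
	records map[string][]byte
}

// NewSecureStore takes a 16-, 24- or 32-byte AES key (in a real app this key
// would come from the platform keystore, never from source code).
func NewSecureStore(key []byte) (*SecureStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureStore{aead: aead, records: map[string][]byte{}}, nil
}

// Put enforces policy, then seals plaintext under a fresh random nonce with the
// record name as additional authenticated data.
func (s *SecureStore) Put(p DevicePosture, name string, plaintext []byte) error {
	if err := CheckPolicy(p); err != nil {
		return err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(name))
	s.records[name] = append(nonce, ct...)
	return nil
}

// Get enforces policy, then opens the record; any modification of the stored
// blob, or a blob copied from another record name, fails authentication.
func (s *SecureStore) Get(p DevicePosture, name string) ([]byte, error) {
	if err := CheckPolicy(p); err != nil {
		return nil, err
	}
	blob, ok := s.records[name]
	if !ok {
		return nil, ErrNotFound
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return nil, ErrCorrupt
	}
	return s.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// SimulateTamper flips one byte of a stored blob, standing in for storage
// corruption or an edit of the file outside the app; Get must then fail.
func (s *SecureStore) SimulateTamper(name string) bool {
	blob, ok := s.records[name]
	if !ok {
		return false
	}
	blob[len(blob)-1] ^= 0x01
	return true
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for the demo only
	store, _ := NewSecureStore(key)
	good := DevicePosture{MFACompleted: true, ScreenLock: true}
	weak := DevicePosture{MFACompleted: false, ScreenLock: true}
	pii := []byte("Jane Doe, jane@example.com") // constructed sample record
	fmt.Println("put without MFA:", store.Put(weak, "customer/42", pii))
	fmt.Println("put with MFA:   ", store.Put(good, "customer/42", pii))
	pt, err := store.Get(good, "customer/42")
	fmt.Println("get:", string(pt), err)
	store.SimulateTamper("customer/42")
	_, err = store.Get(good, "customer/42")
	fmt.Println("get after tamper:", err)
}
```

Two design points matter here: the policy gate runs on every access rather than once at login, so a device that later fails posture loses access to already-stored records, and the record name in the associated data means an attacker with file-system access cannot replay one customer’s ciphertext into another customer’s slot.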
This approach has proven to be highly effective in numerous use cases, as an addition to, or a substitute for, traditional methods that place multiple burdens on the data, the service provider and the end user. For example, furnishing secure, pre-loaded mobile devices slows implementation and increases expenses for the provider. If personal devices are permitted, IT must draw up specifications and test containerization for business and personal use. Meanwhile, end users relinquish some of their right to privacy, as the provider has administrative access to personal information at the device level.
Make no mistake: GDPR has major global impact, and today enterprises are increasingly dependent on global reach to accelerate growth. The implications of the security obligations emerging from GDPR compliance are real, and especially challenging when security controls are exclusively device-centric.
Those limitations include having to issue corporate-owned devices and install special software on them, which can erode trust and degrade the user experience. However, with a new app-centric paradigm taking hold — one that secures access to mobile data without having to manage devices and boosts mobile adoption by eliminating usability, privacy and other constraints — mobile enterprises are now primed for a new level of data protection and privacy. GDPR no longer needs to spell gloom and doom.