WEBINAR - August 9, 2016: New Legal Requirements for Mobile Security

Date post: 12-Apr-2017
Upload: mobileiron
Transcript

MobileIron Confidential

New Legal Requirements for Mobile Security

Ojas Rege, Chief Strategy Officer
Carl Spataro, Chief Privacy Officer

August 9, 2016


“In the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. In 2012, there were 131 breaches, involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million records at risk. This means that nearly three in five Californians were victims of a data breach in 2015 alone.”

Source: 2016 California Data Breach Report, February 2016


EMM is the recommended approach for implementing the foundational Critical Security Controls for mobile devices as required by California law

https://oag.ca.gov/breachreport2016


Importance of planning: Citibank breach (2011)

Stakeholders: IT, Compliance, Privacy

https://www.cisecurity.org/critical-controls.cfm

20 Critical Security Controls from Center for Internet Security (CIS)

California’s information security statute (California Civil Code Sec. 1798.81.5) requires that businesses – headquartered anywhere in the world – that own, license or maintain personal information about California residents use “reasonable security procedures and practices appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification or disclosure.”

Data Breach Report defines “minimum level of information security”


If you are using ActiveSync for mobile security … you will not be able to meet these requirements.


Critical Security Control 1: Inventory of authorized and unauthorized devices

Applicability to mobile: “One must have knowledge of all devices used to access data and resources in the organization. Mobile devices aren’t perpetually attached to the network like other IT systems, so new methods need to be used to maintain the inventory.”

Recommended role for MDM: “… Mobile Device Management (MDM) can support this by installing agents on the mobile devices to push down configuration and security profiles, monitor devices for configuration changes and provide access controls based on policy.”

MobileIron: device inventory, config, policy, compliance (MobileIron Sentry and Access)


Critical Security Control 2: Inventory of authorized and unauthorized software

Applicability to mobile: “There are millions of mobile apps across dozens of different platforms. Mobile apps can bring risks and threats to data and credentials. Being able to know what is installed, control access to malicious apps and insecure versions of apps is important to protect the organization.”

Recommended role for MDM: “MDM tools can inventory apps, and set policies and whitelisting to promote use of secure versions of apps.”

MobileIron: app inventory, config, policy, whitelisting (AppConnect for containerization)


Critical Security Control 3: Secure configurations for hardware and software on mobile devices, laptops, workstations and servers

Applicability to mobile: “Like with PCs, secure configurations and monitoring of these configurations are critical to maintain trust with these devices.”

Recommended role for MDM: “MDMs can restrict access to cameras, white-list Wi-Fi networks, apply password policy enforcement, and inventory what apps are installed … and provide the necessary monitoring to be alerted when devices are out of compliance; for instance, if someone installs an unauthorized application, turns off encryption, or jailbreaks or roots their device.”

MobileIron: lockdown and security policy; compliance notification


Critical Security Control 4: Continuous vulnerability assessment and remediation

Applicability to mobile: “Mobile vulnerabilities are usually linked to versions of the operating system or malicious apps. Since mobile devices aren’t attached to the network, you can’t identify and manage vulnerabilities like you do on PCs, servers or other networked devices.”

Recommended role for MDM: “One can’t just run vulnerability scans on a network to scrutinize mobile devices. Therefore, mobile vulnerability assessments must incorporate threat modeling, and understanding the devices, data, users and their behaviors. MDMs can play a key role in gathering the information for the ‘what’ and ‘who’ for mobile management.”

MobileIron: compliance monitoring; mobile reporting


Critical Security Control 5: Controlled use of administrative privileges

Applicability to mobile: “Many intrusions use valid credentials obtained either through social engineering, or captured by other means. One important risk in mobile is protecting credentials stored on the device because a user’s email account could also be a system or Domain Admin account.”

Recommended role for MDM: “It’s dangerous to allow users to root or jailbreak mobile devices, because it opens up risks to vulnerabilities running at that lowest level. MDM and mobile security tools can provide visibility by having agents on phones that send events and alerts to a central server.”

MobileIron: jailbreak / root detection; remediation actions and notifications


From discretionary security to necessary compliance


Helping the compliance team achieve its goals: speaking the language

Brand trust

Minimum standards

Not disruptive to operations

Ease and speed of deployment

Stakeholders: IT, Compliance, Privacy


“The unifying theme is that an enterprise cannot reasonably believe that it is providing adequate security for important data unless it can demonstrate that it has implemented appropriate enterprise mobility management controls and procedures to ensure that the device, application, and user are properly authorized and authenticated before providing access to the data and making sure that the data, once on the device, is protected from unauthorized use or disclosure.”

Carl Spataro, Chief Privacy Officer, MobileIron


June 2016: Failure to Manage Mobile Device Results in Action under HIPAA

A recent $650,000 settlement agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes it clear that an effective enterprise mobility management (EMM) solution is a requirement for compliance with the privacy and security rules of HIPAA.


EMM is not optional

EMM is the proactive approach to legal compliance


Resources on www.mobileiron.com

Blog

https://www.mobileiron.com/en/smartwork-blog/emm-and-law

Resources / Blog

White paper

https://www.mobileiron.com/en/whitepaper/emm-and-law

Resources / White Papers

This webinar (on-demand)

https://www.mobileiron.com/en/resources/webinars/new-legal-requirements-mobile-security-emm-not-optional

Resources / Webinars
