Thu 12/13/2018 3:58 PM
Mobile device security is a particular worry for IT security teams. A fully compromised smartphone gives an attacker access to its camera, calendar, email and applications, and through them to corporate information. In response to the many threats this poses, most businesses have implemented extensive mobile security policies. However, the technologies used to enforce those policies were designed before the General Data Protection Regulation (GDPR) and before privacy became the prominent concern it is in modern business environments. As a result, they are highly invasive and work against today’s regulatory demands that employee privacy be respected.
Mobile Device Management – Traditional device security now comes with a price
Mobile device management (MDM) has been the go-to mobile security solution for many years. MDM software installs an agent on each device that gives the organisation remote control of it. From a security perspective, this gives IT teams a range of benefits, such as visibility into the device’s incoming and outgoing data streams, the ability to enforce multi-factor authentication, and the ability to block unapproved connections to the Internet.
However, these benefits come at a price to employee privacy. Bitglass conducted an experiment called ‘MDMayhem’ to see how far MDM could be used to monitor and control users’ devices. The MDM software gathered a range of information about employees’ interests, activities, identities and relationships, and several of the capabilities it exhibited were worrying.
This raises serious questions. Is it reasonable for IT teams to store personal information taken from the personal devices of their colleagues? How would this look under a compliance audit? And should businesses now regard MDM’s capabilities as those of an espionage tool?
MDM and GDPR
On corporate-owned, managed devices, MDM lets businesses ensure that their assets are used for business purposes only, and they have every right to take this approach on their own devices. Problems arise when companies deploy MDM on employees’ personal devices, because GDPR does not permit excessive data collection and makes data minimisation (Article 5(1)(c)) an explicit principle. Businesses therefore need to be transparent about what information they collect and why it is needed, and any personal data that is not genuinely required should not be collected or stored.
This is why MDM can cause security and compliance teams massive headaches. To complicate matters further, many businesses outsource security and, in doing so, lose control over who accesses the data stored by their MDM solutions. Such organisations remain responsible for ensuring that their employees’ sensitive data is kept safe and is not collected excessively, as GDPR requires.
Curing the headache
Security technology should help organisations stay compliant, not make it harder to do so. For businesses, removing mobile security is not an option; neither is hoarding the invasive data that MDM technology collects. Either strategy puts a company at risk of failing GDPR compliance: the first through inadequate protection of personal data, the second through excessive collection of it.
Nor is a compromise configuration of MDM, in which the business limits the control it exercises over devices carrying its agent, a suitable answer. MDM is supposed to relieve employees of certain data security responsibilities. A device under restrained MDM may instead depend on employees choosing to install critical security updates and to download only approved applications. This creates security gaps and can hamper employee productivity.
Instead of MDM, organisations should turn to agentless cloud access security brokers (CASBs), the ideal tools for achieving visibility and control over data without invading employee privacy or violating regulations such as GDPR. Agentless CASBs take a data-centric approach to security rather than the device-centric approach of agent-based solutions: they monitor, protect and control corporate data only. In practice the broker sits between the user and the corporate cloud applications, so what it sees is the traffic to and data held in those applications, not whatever else is on the device. Because they do not rely on agents, they respect user privacy and can secure data on any device, with no draconian software installation required.
CASBs validate the sentiment that security can make compliance easier. On mobile devices, where security is particularly challenging to achieve, businesses need technologies like agentless CASBs. These solutions help organisations meet their GDPR obligations and make audits of business data possible. Because such CASBs are data-centric, they protect company information while leaving employees free to access corporate data from any device, anywhere.