When Mobile Security and Compliance Clash – The MDM crisis

Pic: Lesley Booth

Thu 12/13/2018 3:58 PM

 Mobile device security is particularly worrying for IT security teams. A fully compromised smartphone allows malicious parties to access its camera, calendar, emails, and applications, exposing corporate information. There is a multitude of security threats this poses and, in response, most businesses have implemented extensive mobile security policies. However, the technologies used to enforce these policies were designed in an era before the General Data Protection Regulation (GDPR) and before the vast privacy concerns that are prevalent in modern business environments. As a result, they are extremely invasive and effectively work against today’s regulatory demands that require employee privacy to be respected.

Mobile Device Management – Traditional device security now comes with a price

Mobile device management (MDM) has been the go-to mobile security solution for many years. This software installs an agent onto devices that allows for remote corporate control. From a security perspective, MDM provides IT teams with a multitude of benefits such as viewing incoming and outgoing data streams, forcing multi-factor authentication, and restricting unapproved connections to the Internet.

However, these benefits come at a price to employee privacy. Bitglass conducted an experiment called ‘MDMayhem’ to see how much MDM could be used to monitor and control users’ devices. The MDM software gathered a range of information about employees’ interests, activities, identities, and relationships. Some worrying capabilities the software exhibited included:

• Monitoring personal internet browsing habits. Employers had access to employees’ favourite places to eat, Amazon shopping lists, sporting interests, and more.
• Tracking employees via GPS against their will. People often turn off the GPS on their device to save battery. MDM takes control of this decision away from the employee. Businesses can decide to track employees, even while on holiday, if they wish.
• Monitoring personal messaging platforms. MDM grants security teams visibility into third-party apps, such as Facebook Messenger and Gmail. Employees with MDM on their devices can’t have private conversations on such platforms.
• Restricting core functions and wiping personal data. Control of devices extends to blocking access to the device’s camera, stopping the copy/paste function and even deleting the personal contacts and cloud storage data associated with the device. Even backup services can be withheld from the employee.

This raises some serious questions. Is it reasonable for IT teams to store personal information from the personal devices of their colleagues? How would this look under a compliance audit? Lastly, should businesses now question MDM’s capabilities as an espionage tool?

MDM and GDPR

On corporate-owned, managed devices, MDM allows businesses to ensure that their assets are being used for business purposes only – they have every right to take this approach on their devices. However, problems arise when companies implement MDM on employees’ personal devices, because GDPR does not allow for excessive data collection and emphasises the importance of data minimisation. As such, businesses need to be forthright about the information they are collecting and why it is needed – any personal data that isn’t truly required should not be stored.

This is why MDM can cause security and compliance teams massive headaches. To further complicate matters, many businesses outsource security and, in these cases, lose control over who is accessing the data stored by their MDM solutions. Such organisations need to ensure that their employees’ sensitive data is kept safe, in accordance with GDPR, and is not excessively collected.

Curing the headache

Security technology should help organisations stay compliant, not make it harder to do so. For businesses, removing mobile security is not an option – nor is collecting the invasive data hoarded by MDM technology. Both of these strategies put companies at risk of failing GDPR compliance.

Even an MDM compromise – where businesses limit the amount of control they have over devices housing agents – is not a suitable answer. MDM is supposed to relieve employees of certain data security responsibilities. However, a device with restrained MDM may require that employees choose to make critical security updates and download only certain applications. Naturally, this can create security gaps and can hamper employee productivity.

Instead of MDM, organizations should turn to agentless cloud access security brokers (CASBs), the ideal tools for achieving visibility and control over data without invading employee privacy or violating regulations like GDPR. Agentless CASBs take a data-centric approach to security rather than the device-centric approach exhibited by agent-based solutions. This means they only monitor, protect, and control corporate data. Because they do not rely upon agents, they respect user privacy and can secure data on any device – no draconian software installations are required.

CASBs validate the sentiment that security can help make compliance easier. On mobile devices, where security is particularly challenging to achieve, businesses need technologies like agentless CASBs. These solutions ensure compliance with GDPR and enable audits of business data. Because such CASBs are data-centric in nature, they protect company information while granting employees the freedom to access corporate data from any device, anywhere.

END