This document discusses new legal requirements for mobile security in California. It summarizes data from the California Attorney General showing a rise in data breaches affecting millions of California residents. The document recommends that enterprises implement an Enterprise Mobility Management (EMM) system to meet the requirements of California law by securely managing mobile devices and applications. It outlines how EMM can help satisfy several of the 20 Critical Security Controls and argues that EMM has become necessary for legal compliance, as shown by a $650,000 HIPAA settlement resulting from a failure to manage mobile devices. Resources on MobileIron's website are provided.
1. MobileIron Confidential
New Legal Requirements
for Mobile Security
Ojas Rege, Chief Strategy Officer
Carl Spataro, Chief Privacy Officer
August 9, 2016
“In the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. In 2012, there were 131 breaches, involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million records at risk. This means that nearly three in five Californians were victims of a data breach in 2015 alone.”
2016 California Data Breach Report, February 2016
EMM is the recommended approach for implementing the foundational Critical Security Controls for mobile devices as required by California law.
https://oag.ca.gov/breachreport2016
20 Critical Security Controls from the Center for Internet Security (CIS)
https://www.cisecurity.org/critical-controls.cfm
California’s information security statute (California Civil Code Sec. 1798.81.5) requires that businesses – headquartered anywhere in the world – that own, license or maintain personal information about California residents use “reasonable security procedures and practices appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification or disclosure.”
Data Breach Report defines “minimum level of information security”
Critical Security Control 1: Inventory of authorized and unauthorized devices
Applicability to mobile: “One must have knowledge of all devices used to access data and resources in the organization. Mobile devices aren’t perpetually attached to the network like other IT systems, so new methods need to be used to maintain the inventory.”
Recommended role for MDM: “… Mobile Device Management (MDM) can support this by installing agents on the mobile devices to push down configuration and security profiles, monitor devices for configuration changes and provide access controls based on policy.”
Device inventory, config, policy, compliance
MobileIron Sentry and Access
Critical Security Control 2: Inventory of authorized and unauthorized software
Applicability to mobile: “There are millions of mobile apps across dozens of different platforms. Mobile apps can bring risks and threats to data and credentials. Being able to know what is installed, control access to malicious apps and insecure versions of apps is important to protect the organization.”
Recommended role for MDM: “MDM tools can inventory apps, and set policies and whitelisting to promote use of secure versions of apps.”
App inventory, config, policy, whitelisting
AppConnect for containerization
Critical Security Control 3: Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
Applicability to mobile: “Like with PCs, secure configurations and monitoring of these configurations are critical to maintain trust with these devices.”
Recommended role for MDM: “MDMs can restrict access to cameras, white-list Wi-Fi networks, apply password policy enforcement, and inventory what apps are installed … and provide the necessary monitoring to be alerted when devices are out of compliance; for instance, if someone installs an unauthorized application, turns off encryption, or jailbreaks or roots their device.”
Lockdown and security policy
Compliance notification
Critical Security Control 4: Continuous vulnerability assessment and remediation
Applicability to mobile: “Mobile vulnerabilities are usually linked to versions of the operating system or malicious apps. Since mobile devices aren’t attached to the network, you can’t identify and manage vulnerabilities like you do on PCs, servers or other networked devices.”
Recommended role for MDM: “One can’t just run vulnerability scans on a network to scrutinize mobile devices. Therefore, mobile vulnerability assessments must incorporate threat modeling, and understanding the devices, data, users and their behaviors. MDMs can play a key role in gathering the information for the ‘what’ and ‘who’ for mobile management.”
Compliance monitoring
Mobile reporting
Critical Security Control 5: Controlled use of administrative privileges
Applicability to mobile: “Many intrusions use valid credentials obtained either through social engineering, or captured by other means. One important risk in mobile is protecting credentials stored on the device because a user’s email account could also be a system or Domain Admin account.”
Recommended role for MDM: “It’s dangerous to allow users to root or jailbreak mobile devices, because it opens up risks to vulnerabilities running at that lowest level. MDM and mobile security tools can provide visibility by having agents on phones that send events and alerts to a central server.”
Jailbreak / root detection
Remediation actions and notifications
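The five controls above all reduce to the same loop on the server side: an agent reports device state, the server compares that state with policy, and a finding is mapped to an action (notify, or cut off access). The following is an added example of that evaluation logic, written for this page and not MobileIron's code; the policy values (minimum OS versions, app allowlist), the device records and the app identifiers are all constructed, and the finding-to-control mapping follows the control numbers used on the slides.

```python
"""Evaluate a mobile device inventory against policy, mapping each finding to
one of the five CIS Critical Security Controls quoted on the slides.
Added example; policy values and device records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical policy. min_os feeds Control 4 (known-vulnerable OS versions),
# allowed_apps feeds Control 2 (whitelisting), the two flags feed Control 3.
POLICY = {
    "min_os": {"ios": (9, 3, 3), "android": (6, 0, 1)},
    "allowed_apps": {"com.example.mail", "com.example.docs", "com.example.vpn"},
    "require_encryption": True,
    "require_passcode": True,
}


@dataclass
class Device:
    device_id: str
    platform: str           # "ios" or "android"
    os_version: str         # dotted version string reported by the agent
    encrypted: bool
    passcode_set: bool
    jailbroken: bool        # jailbreak / root detection result from the agent
    apps: List[str] = field(default_factory=list)
    enrolled: bool = True   # False: device seen accessing data but has no agent (Control 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.3' into (9, 3, 3) so versions compare numerically, not as strings
    ('10.0' must sort above '9.3'). Non-numeric suffixes such as '9.3.3b' are dropped."""
    parts = []
    for chunk in text.split("."):
        digits = "".join(ch for ch in chunk if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device: Device, policy=POLICY) -> List[Tuple[int, str]]:
    """Return (control_number, finding) pairs; an empty list means compliant."""
    findings = []
    if not device.enrolled:
        # Control 1: nothing else the device reports can be trusted without an agent.
        findings.append((1, "device is not enrolled in the inventory"))
        return findings
    for app in device.apps:
        if app not in policy["allowed_apps"]:
            findings.append((2, f"unauthorized app installed: {app}"))
    if policy["require_encryption"] and not device.encrypted:
        findings.append((3, "device encryption is turned off"))
    if policy["require_passcode"] and not device.passcode_set:
        findings.append((3, "no passcode configured"))
    minimum = policy["min_os"].get(device.platform)
    if minimum is None:
        findings.append((4, f"unknown platform {device.platform!r}: cannot assess OS vulnerabilities"))
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append((4, f"OS {device.os_version} below minimum {wanted}"))
    if device.jailbroken:
        findings.append((5, "device is jailbroken or rooted"))
    return findings


def remediation(findings: List[Tuple[int, str]]) -> str:
    """Map findings to an action: an unmanaged or rooted device loses access
    (Controls 1 and 5); configuration and app findings trigger notification."""
    controls = {control for control, _ in findings}
    if 1 in controls or 5 in controls:
        return "block-access"
    if controls:
        return "notify-and-require-fix"
    return "allow"


def report(devices: List[Device]) -> Dict[str, Tuple[str, List[Tuple[int, str]]]]:
    """Run the whole inventory and return device_id -> (action, findings)."""
    return {d.device_id: (remediation(evaluate(d)), evaluate(d)) for d in devices}


# Constructed sample inventory covering a compliant device, a rooted device with
# an unapproved app, an unenrolled device, and a device with only config drift.
SAMPLE_DEVICES = [
    Device("DEV-0001", "ios", "9.3.3", True, True, False, ["com.example.mail", "com.example.vpn"]),
    Device("DEV-0002", "android", "5.1.1", True, False, True, ["com.example.mail", "com.sketchy.flashlight"]),
    Device("DEV-0003", "ios", "9.3.3", True, True, False, [], enrolled=False),
    Device("DEV-0004", "ios", "9.2", False, True, False, ["com.example.docs"]),
]

if __name__ == "__main__":
    for device_id, (action, findings) in report(SAMPLE_DEVICES).items():
        print(device_id, action)
        for control, text in findings:
            print(f"  CSC {control}: {text}")
```

The point worth noticing is the early return for an unenrolled device: every later check depends on agent-reported state, which is exactly why the report treats inventory (Control 1) as foundational. Real agents report far more attributes than these six fields, but the comparison-and-action shape stays the same.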
Helping the compliance team achieve its goals
Speaking the language
Brand trust
Minimum standards
Not disruptive to operations
Ease and speed of deployment
Compliance, Privacy, IT
“The unifying theme is that an enterprise cannot reasonably believe that it is providing adequate security for important data unless it can demonstrate that it has implemented appropriate enterprise mobility management controls and procedures to ensure that the device, application, and user are properly authorized and authenticated before providing access to the data and making sure that the data, once on the device, is protected from unauthorized use or disclosure.”
Carl Spataro, Chief Privacy Officer, MobileIron
June 2016: Failure to Manage Mobile Device Results in Action under HIPAA
A recent $650,000 settlement agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes it clear that an effective enterprise mobility management (EMM) solution is a requirement for compliance with the privacy and security rules of HIPAA.
Resources on www.mobileiron.com
Blog (Resources / Blog): https://www.mobileiron.com/en/smartwork-blog/emm-and-law
White paper (Resources / White Papers): https://www.mobileiron.com/en/whitepaper/emm-and-law
This webinar, on-demand (Resources / Webinars): https://www.mobileiron.com/en/resources/webinars/new-legal-requirements-mobile-security-emm-not-optional