Extending Compliance to the Mobile Workforce.

Transcription

1 Extending Compliance to the Mobile Workforce 1

2 Copyright 2014 Fiberlink Communications Corporation. All rights reserved. This document contains proprietary and confidential information of Fiberlink, an IBM company. No part of this document may be used, disclosed, distributed, transmitted, stored in any retrieval system, copied or reproduced in any way or form, including but not limited to photocopy, photographic, magnetic, electronic or other record, without the prior written permission of Fiberlink. This document is provided for informational purposes only and the information herein is subject to change without notice. Please report any errors to Fiberlink. Fiberlink will not provide any warranties covering this information and specifically disclaims any liability in connection with this document. Fiberlink, MaaS360, associated logos, and the names of the products and services of Fiberlink are trademarks or service marks of Fiberlink and may be registered in certain jurisdictions. All other names, marks, brands, logos, and symbols may be trademarks or registered trademarks or service marks of their respective owners. Use of any or all of the above is subject to the specific terms and conditions of the Agreement. Copyright 2014 Fiberlink, 1787 Sentry Parkway West, Building Eighteen, Suite 200, Blue Bell, PA All rights reserved. 2

3 Extending Compliance to the Mobile Workforce Table of Contents Overview...4 New Types of Exposure...4 Risks and Best Practices...4 Risks Associated with Mobile Computing...5 Employee Error and Malfeasance...6 Best Practices for Securing Mobile Systems and Data...7 Protecting Against Hackers and Network Threats...7 Protecting from Data Theft and Loss...7 Protecting Wireless Communications Protecting Access to the Network Critical Control 12: Malware Defenses...7 Monitoring and Controlling Employee Actions...8 Fiberlink Services to Manage Best Practices Security Technologies...8 Managing Security Applications on Mobile Devices...8 Hackers and Network Threats...9 Data Theft and Loss...9 Wireless Communications...9 Controlling and Logging Employee Actions...10 Summary...11 Appendix A:...12 Issues for Achieving SOX Compliance...12 Issues for Achieving GLBA Compliance...13 Issues for Achieving HIPAA Compliance

4 Organizations are facing a new challenge: how to extend compliance and security best practices to laptops and other mobile devices. Overview Regulatory compliance is not an option it is a cold, hard necessity. Security breaches can bring serious consequences. Failing audits can cause career setbacks. In the past, enterprises could think about security strictly in terms of centralized desktops and mainframes safely within robust corporate firewalls. But the same sensitive data that is protected by firewalls and intrusion protection systems in the corporate data center is increasingly showing up on unprotected mobile and remote computers. Security policies and best practices that are rigorously enforced in offices are ignored for remote and mobile workers. Now, organizations are facing a new challenge: how to extend compliance and security best practices to laptops and other mobile devices. New Types of Exposure Mobile devices create new types of exposure and risk. They are not protected by central firewalls and intrusion protection systems. They communicate over insecure networks often including access points in public locations like hotels, airports and coffee shops and are subject to physical loss and theft. Relying on old security measures for new mobile technologies is like locking the bank vault and leaving the cash on the sidewalk. This white paper examines some of the unique risks associated with laptops and other mobile devices, and discusses security best practices that can be used to manage these risks. It also discusses how software and services from Fiberlink, an IBM company can help organizations implement those best practices and extend their security policies to the rough-and-tumble world of mobile computing. Risks and Best Practices Regulatory compliance is a complex, dynamic and multifaceted subject with requirements that can differ greatly, depending on the particular industry. However, those enterprises that have addressed compliance regimens quickly and adeptly typically follow three basic principles: They embrace and understand the specific requirements described in regulations They frequently perform risk assessments, based on the organization s specific circumstances They continuously reevaluate their security best practices, as defined by the experts, and adjust their business practices and procedures accordingly The unfortunate truth is that few of the regulatory statutes clearly state the specific security policies or procedures, or specify technology tools. 4

5 However, the regulations are very clear that enterprises must assess likely risks. For example, the Gramm-Leach- Bliley Act (GLBA) requires that organizations conduct a risk assessment to identify reasonably foreseeable internal or external threats. The Health Insurance Portability and Accountability Act (HIPAA) states that organizations must protect against any reasonably anticipated threats or hazards to the security and integrity of such [protected health] information. And enterprises have found that they can satisfy auditors and regulators by implementing compliance and security best practices that have been recognized in their industry. This white paper discusses specific security risks associated with laptops and mobile devices, and the emerging body of best practices for dealing with those risks. An appendix highlights some of the requirements relevant to laptops and other mobile devices found in three major U.S. regulations, Sarbanes-Oxley (SOX), GLBA and HIPAA. Risks Associated with Mobile Computing A mobile device, such as a laptop, is not simply a convenience; it is a critical tool for increasing productivity. A study conducted by MIT s Sloan School of Management indicated that mobile and wireless computers are primary assets in companies that lead the list in productivity. Each individual is not just a mobile worker; he or she is a mobile office that can conduct all phases of business on the fly. However, with increased capabilities come increased vulnerabilities. In fact, many of the most dramatic stories of data theft and loss are related to laptops and other mobile devices. 5

6 Because mobile devices are beyond the direct control of managers and IT personnel, they are particularly vulnerable to employee mistakes and employee wrongdoing. Gone in 53 Seconds... Two recent high profile incidents of laptop thefts emphasize the importance of implementing security measures as soon as possible. A laptop stolen from the home of a Veterans Affairs employee resulted in the loss of personal records of over 26.5 million U.S. veterans. The other case involved the theft of a Department of Transportation (DOT) laptop from a parked car that contained records of over 133,000 drivers and pilots. The statistics are alarming: A laptop is stolen every 53 seconds (LoJack) 81% of companies have had laptops lost or stolen (Ponemon Institute LLC and Vontu Inc.) Laptops are the most stolen article of property in San Francisco (San Francisco Police Department burglary detail) 10,000 laptops are left in the backs of London taxis each year (CNET News.com) 600,000 laptops are stolen every year (Safeware Insurance, computer underwriters) Employee Error and Malfeasance Because mobile devices are beyond the direct control of managers and IT personnel, they are particularly vulnerable to employee mistakes and employee wrongdoing. Incidents related to employee error and malfeasance can be far more common than generally realized. It is estimated that 60% to 80% of all HIPAA compliance failures are due to employees accessing confidential data. In most cases, this is not done with malicious intent, but merely for the convenience of the employee. However, a policy violation is a policy violation. Many of the most serious security breaches on record occurred when employees copied confidential data to a laptop or a removable storage device for their convenience, and then lost the laptop or device. There is also evidence that malicious acts by insiders are more common than successful attacks by outsiders like hackers. In 2004, a state of Michigan study of over 1,000 identity theft cases found that 70% of the sensitive data collected was stolen by employees from inside the company. 6

7 Best Practices for Securing Mobile Systems and Data Protecting Against Hackers and Network Threats The best practices for protecting against hackers, viruses, spyware and other network threats are essentially the same best practices used to defend the perimeter of large offices. The difference is that many types of security measures must be applied on each individual mobile and remote device, instead of once at the gateway to the network. The more commonly used defenses include: Security patch management products Personal firewalls Anti-virus and anti-spyware tools Other technologies that are emerging as supplements to these defenses include local intrusion protection and day zero protection. Protecting from Data Theft and Loss Data encryption is becoming an increasingly critical technology for protecting financial institutions, government agencies, and other similar industries where confidential data is routinely stored on laptops. Data encryption products encode data stored to disk and other storage media, so that even if a laptop or storage device is lost or stolen, thecontents cannot be deciphered. Protecting Wireless Communications To protect against sniffing and eavesdropping on insecure networks, enterprises need to equip mobile systems with Virtual Private Network (VPN) technologies that work over wireless as well as conventional network connections. It is also important to enforce the use of the VPN technology on all wireless connections, since many employees will ignore or disable the VPN client if given an option. Protecting Access to the Network Critical Control 12: Malware Defenses If mobile systems are compromised, hackers have an opportunity to use those systems to penetrate the central corporate network. For this reason, compliance checking and Network Access Control (NAC) are seen as essential technologies to protect enterprise information assets. These technologies monitor mobile systems to see if they remain in compliance with corporate policies, and block access to the corporate network if they do not. 7

8 More sophisticated products are also becoming available that can monitor and log the transfer of sensitive files to storage devices and to other computers via , file transfer or instant messaging, or alternately can block all such transfers completely. Strong authentication is another best practice to help ensure safe mobile computing. Mobile employees must log onto the network using a security token, smart card or other authentication device in addition to a user ID and password. This makes it harder for an outsider to gain access merely by discovering a password or stealing a laptop. Monitoring and Controlling Employee Actions New technologies are becoming available to monitor and restrict certain types of employee actions on mobile systems. Some of these products prevent employees from copying data to memory keys, USB drives and other external storage devices, or force all data copied to such devices to be encrypted. This inhibits employees from copying databases of employee or customer records to portable devices that can be lost or that can easily be concealed when leaving a high-security area. More sophisticated products are also becoming available that can monitor and log the transfer of sensitive files to storage devices and to other computers via , file transfer or instant messaging, or alternately can block all such transfers completely. Fiberlink Services to Manage Best Practices Security Technologies Managing Security Applications on Mobile Devices This white paper has thus far examined foreseeable risks associated with mobile computing, and some of the best practices technology that can be employed to mitigate those risks. But how can this technology be put into effect quickly and economically? Deploying a list of point security solutions from different vendors to hundreds or thousands of mobile systems is a daunting task, and the cost of the ongoing management of multiple software packages on distributed devices can be prohibitive. Fiberlink s secure mobility solutions solve this growing challenge for today s enterprises with: The MaaS360 Platform, the unified platform for managing security and connectivity applications on mobile devices. Fiberlink Mobile, Control and Visibility Services, the industry s most complete set of services to deploy and manage endpoint security, data protection, and endpoint control applications on mobile devices. These are part of the family of Fiberlink software and services. 8

9 Fiberlink s software and services allow organizations to: Protect laptops from hackers and viruses, and sensitive data from loss or theft. Control software, hardware, data and connectivity options on remote devices through centrally-managed policies. Connect employees with the Internet and enterprise networks, from any location, in a way that is simple for employees and cost-effective for the enterprise. Hackers and Network Threats The MaaS360 Platform allows enterprises to install, monitor and update a wide range of endpoint security applications and services across their entire mobile workforce, easily and economically. The applications that it can deploy and manage include: Security patch management Personal firewalls Anti-virus and data encryption tools Intrusion protection By allowing administrators to deploy and manage a comprehensive set of endpoint security applications with a single tool, the MaaS360 Platform greatly reduces administration and support costs, while ensuring that all mobile systems have the right defenses against anticipated security risks. Data Theft and Loss The Fiberlink Data Encryption service can encrypt sensitive data on mobile devices so confidential information is protected from prying eyes, even when laptops are lost or stolen. With so many laptops lost every year, Fiberlink also offers an automated Data Backup and Recovery service. Files are backed up automatically and stored at a remote location. If a laptop is lost or stolen, they can be restored to a new PC over the Internet, so that employees can resume work with no loss of productivity. Automated data backup for remote devices also ensures that copies of protected information are available for auditing and analysis at a later time. Wireless Communications The MaaS360 Platform can protect against sniffing and eavesdropping on insecure wireless networks by enforcing the use of SSL and IPSec Virtual Private Networks (VPNs). This technology ensures that all communications across the network are encrypted. Employees cannot turn off or circumvent the VPN connection. 9

10 Control, protection and compliance are not possible if hostile mobile systems can access enterprise networks through vulnerable network communications. The MaaS360 Platform provides compliance checking and a form of Network Access Control (NAC). The MaaS360 Mobile and Control Services continually check to see if laptops are in compliance with the organization s corporate policies. The software can determine if Windows patch levels are up to date; if firewall, anti-virus, anti-spyware, intrusion protection and other security applications are installed and running; and if virus and other threat signatures are up-to-date. If any of these conditions are not met, network connectivity can be terminated and the network protected. Fiberlink also offers a Managed Strong Authentication service. This service supports two-factor authentication for mobile workers on a server running the RSA SecurID system. In addition to passwords, the system can incorporate tokens, smart cards, digital certificates and biometrics to prevent unauthorized access. To authenticate against the most recent user information, this service can be integrated with the rest of the organization s identity management infrastructure, including enterprise directories and user databases. Finally, the MaaS360 Platform can enforce the use of appropriate VPN clients on all mobile systems. Controlling and Logging Employee Actions The MaaS360 Platform and Fiberlink Security Services can help organizations demonstrate that appropriate security measures have been implemented and are operational. One aspect of this is the Fiberlink Inventory Management service, which can collect information on the software, hardware and security applications located on mobile computers. This information can be viewed in reports, or exported to.csv files and then imported into spreadsheets, databases and other reporting and analysis tools. This information can be used to show, for example, that a group of laptops all had a personal firewall and anti-virus software, and that the anti-virus DAT files were updated at a certain time. Through a compliance checking capability, the MaaS360 Platform can be used to show that all laptops connected to the enterprise network were in compliance with corporate security policies at the time that they were connected. Fiberlink Device Control service regulates the use of USB memory sticks, CD-ROM drives and other external storage devices, as well as controlling the use of Firewire, Wi-Fi, Bluetooth, and other wireless links. Data transfers to these devices can be blocked completely, or assigned quotas by time period. The service can also create audit trails of device usage, and ensure that information copied to removable media is encrypted. 10

11 Fiberlink s Information Protection service provides comprehensive control of information in motion. Administrators designate disks and directories as containing sensitive information. All movements of these files from mobile devices is monitored and logged, so there is a record if sensitive files are: Distributed as attachments Transferred with instant messaging or file transfer packages Uploaded on Web forms Printed Saved to a disk drive or to an external storage device Alternately, any of these activities can be blocked so sensitive files can be downloaded and viewed, but not distributed in any form. The ability to audit and block the distribution of sensitive files from mobile laptops is an extremely powerful tool for safeguarding protected customer, financial and health information from inadvertent and intentional misuse by employees. Summary Today, many organizations are seeking to extend regulatory compliance beyond large central offices to mobile and remote devices. These devices now hold large amounts of sensitive information, yet they are harder to protect than computers behind the enterprise firewall. Several high-profile incidents have highlighted the vulnerability of laptops and the data that resides on them. To prove they are in compliance with regulations, organizations must guard against security risks associated with laptops and other mobile devices. These threats include vulnerability to hackers and network-based threats, the risk of the loss or theft of the device and the data on it, intercepting communications at public access points, and employees who move sensitive data in insecure ways for convenience or for malicious purposes. While companies can demonstrate their compliance with regulatory requirements by implementing best practice security solutions and services, there are many components that go into a truly compliant mobile workforce. To maintain endpoint security, the use of best-in-class tools, like personal firewalls, anti-virus, intrusion prevention, is an effective way to combat the threats presented by hackers, viruses and malware. Another key facet is to secure data, both in the event of theft or loss, and from unauthorized copying and distributing of files with confidential information which is often done by employees. Finally, it is important to control endpoints and their access to the corporate network through the use of policy-based software agents, and connectivity safeguards like virtual private networks and network access control that provide comprehensive coverage. 11

12 Deploying and managing these security technologies individually can be difficult or even prohibitively expensive. Fortunately, the MaaS360 Platform and Fiberlink Security Services provide a way to deploy, manage and update a wide range of endpoint security applications efficiently and economically. Fiberlink s software and services can help enterprises extend compliance to mobile devices simply and with minimal effort, improving underlying security while helping organizations demonstrate compliance with regulations such as SOX, GLBA and HIPAA. Appendix A: Issues for Achieving SOX Compliance The following chart lists two key regulations from Sarbanes-Oxley (SOX) and methods that can be employed to ensure compliance for mobile computing. Regulation Section 302 of the Act requires that signing officers must certify that they are responsible for establishing and maintaining internal controls. Section 404 of the Act, requires internal control report, and states that it is the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Methods to Ensure Compliance IT Administrators must centralize control and monitor all aspects of security policies. Enforce end-to-end accountability as part of every security policy. Be able to review and generate reports from security data 12

13 Issues for Achieving GLBA Compliance The following chart highlights examples of Gramm-Leach-Bliley Act (GLBA) regulations and methods that can be employed to ensure compliance for laptop computing. (Note: in addition to federal laws, some states have enacted even stricter GLBA regulations.) Regulation Information security program. A licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. (PA 146c.3) Assess risk. Conduct a risk assessment to identify reasonably foreseeable internal or external threats. Manage and control risk. (1) Implement procedure to correct risks. (3) Regularly tests or otherwise monitors the keycontrols, systems and procedures. Adjust the program. The licensee monitors, evaluates and adjuststhe program in light of any relevant changes. (PA 146c.7, PA 146c.9.) Methods to Ensure Compliance Identify security risks. Monitor applications. Notify authorities in the event of an incident. Provide adequate reporting via log files and other reports. Enforce and document compliance from end to end. Deploy the following: Patch management Anti-virus Data encryption Real-time remediation Data backup Policy enforcement Issues For Achieving HIPAA Compliance Providence Home Services, a division of Seattle-based Providence Health System, announced that one employee was fired and three others resigned after a confidential and thorough internal review process of the data storage procedures that led to the theft. The theft in question involved backup disks and tapes stolen from a parked car on December 31, 2005, that contained personal records on 365,000 patients. It is estimated that the average cost per security breach incident is $5 million just to inform people that their personal records have been exposed and this is over and above an average breach. In addition, both U.S. and Canadian surveys indicate that 20% to 30% of customers will stop doing business with a company that has compromised personal information. 13

14 The price for noncompliance is high, and the following table highlights specific Health Insurance Portability and Accountability Act (HIPAA) regulations and methods that can be employed to ensure compliance for laptop computing. Regulation (1) Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. Methods to Ensure Compliance 1. Assess all internal and external sources of threats. 2. Identify which data is sensitive. 3. Establish policies on connectivity and levels of access. 4. Create written security policies and track all procedures, updates, etc., in order to demonstrate compliance. Deploy the following: Anti-virus Anti-spyware Strong two-point authentication Personal firewalls Patch management Real-time remediation Intrusion detection All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such. For More Information To learn more about our technology and services visit Sentry Parkway West, Building 18, Suite 200 Blue Bell, PA Phone Fax WP_201110_