Secure Enterprise Mobility Management
White Paper: Cloud-Based Enterprise Mobility Management
soti.net
Background

Facing a business environment of constant change and increasing complexity, enterprises and institutions now more than ever need to build agility and flexibility into their IT infrastructure in order to adapt to shifts in the marketplace. Key challenges include consolidation of systems, standardization of business processes, shared services, and corporate compliance, to name a few. Utilizing cloud services is becoming an increasingly popular strategy for enterprises to increase operational efficiency while maintaining or reducing costs.

Cloud Security Policy

An important detail when evaluating EMM cloud solutions is a clear security policy for the cloud solution. The policy should be transparent and openly available to customers. The vendor should have a clear description of how the security policy is managed and enforced. The policy should cover the mechanisms used to protect data in transit between endpoints and at rest in storage, outline the protocols and encryption or tokenization strategy, and detail the traversal routes and endpoints within the cloud. A cloud security policy must assure customers that data will be kept private over a public infrastructure.

Access to data in the cloud is a key consideration. Important questions to ask include:
- Who has access to my enterprise data, and for what reason?
- How is my enterprise data accessed, and is the mechanism by which it's accessed secure?
- How frequently is my enterprise data accessed?
Privacy

An important question to ask when considering an EMM solution in the cloud is: How is data kept private across a shared public infrastructure? EMM vendors and CSPs need to show transparency with the cloud architecture, endpoints, and how data traverses the cloud and ultimately rests at any number of endpoints. At each of these stages, privacy of enterprise data is critical. There are currently a number of methods used to keep data private in a public cloud. At a minimum, the cloud solution should address the following questions:
- Are there appropriate access controls at both the infrastructure and application levels to keep enterprise data private?
- Does the CSP privacy policy, and in turn the EMM vendor's privacy policy, align with your enterprise's expectations of data privacy?
- What type of encryption method is used to keep data private? Is this method acceptable for the nature of the data being stored in the cloud?
- How is privacy incorporated into the overall infrastructure architecture?
- What checks and balances are implemented to ensure that data is kept private, and how are intrusions logged and communicated to the customer?
- What policies are in place to regularly review logs?

Segregation

Data segregation is an important consideration for the security and privacy of enterprise data in the cloud. Segregation keeps your data residing separately from other enterprises within a shared public cloud infrastructure. Assurance of data segregation should be made through a close examination of the vendor's public cloud architecture to minimize the risk of intermingled data within the cloud architecture. Vendors should also include a data leak protection (DLP) strategy as a part of their cloud security policy.

Compliance and Audit Certifications

Cloud Security Alliance - CCSK (most prestigious certification)
Data Residency and Geospatial Risk

Data residency is governed by a complex set of legislative rules and policies that are dependent on the jurisdiction or region in which your cloud solution is deployed. The Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS) are two of the most important legislative policies that dictate data residency in the cloud. In Europe, data residency policies prohibit any personally identifiable information from leaving the European Union. Adding to this, there are concerns that residency laws in different regions could permit governments or law enforcement officials to gain access to enterprise data without the vendor's knowledge. To ensure compliance, an enterprise cloud solution must consider data residency and the rules of the road in each region in which data is stored. Cloud service providers have a responsibility to outline their encryption and tokenization policies as they apply to data residency to ensure that SaaS customer data is protected and complies with regional data residency laws.

Continuity/Disaster Recovery

Continuity and disaster recovery (DR) are critical functions that ensure your enterprise data remains on demand in the event of an infrastructure failure or disaster. The CSP DR policy should clearly detail the control mechanisms in place to mitigate this risk from an architecture, infrastructure, and resource perspective. At a minimum, the cloud DR policy should answer the following questions:
- How is my enterprise data backed up?
- What security measures are used to protect data during failover?
- How is the failover initiated, and how is my enterprise notified?
- What is the failover service level agreement (SLA)?
- How is service restored after the failover occurs?
- Is the failover route compliant with data residency laws in each region?
Data Lifecycle

Data lifecycle management (DLM) is a key consideration for managing the flow of enterprise data in a cloud solution. The Sarbanes-Oxley Act (SOX) has clear rules about data storage, retrieval, and archival. At a minimum, cloud security policies should clearly enumerate how data is created, stored, versioned, obsoleted, and deleted. Each stage of the data lifecycle should have clear delineation from other stages, and the policy should describe the entrance and exit criteria for data moving through each stage.

Cloud DLM policies should also describe the criteria that determine the type of storage infrastructure used. Is it frequency of access, age, or other criteria? It is a generally accepted practice to store more frequently accessed data on faster, higher-performance storage infrastructure, while less frequently accessed data could be stored on a commodity infrastructure.

DLM also needs to consider data migration into or out of a cloud infrastructure. As security concerns around cloud solutions continue to diminish, enterprises are looking for ways to migrate their data to the cloud without disrupting business-critical operations. It is critical that cloud policy takes into account that migration must not disrupt the day-to-day operation of the business, or at the least mitigates downtime risk during the process.

Data Mining/Harvesting

The rise of analytics and Big Data presents tremendous opportunities for businesses to gain insight into customer behavior. Analytics can reduce large datasets into actionable information faster than ever before, providing enterprises with unprecedented visibility into the day-to-day lives of their customers. With all of the benefits of Big Data in the cloud, one question still resonates with CIOs and IT security administrators: what would happen if my cloud data was harvested or mined by a third party?
In the hands of a competitor, access to your enterprise data could be a windfall of competitive intelligence that could be used against you. EMM vendors and underlying CSPs have a responsibility to be clear about how cloud data is mined or analyzed, and the reasons for doing so. Data mining and analysis is not in itself a threat or security risk. Your EMM vendor may gather non-identifiable usage or diagnostic data, with your permission, to understand how the product is used in a variety of real-world scenarios. This data is most often used to improve the product or provide technical support to a customer. Whenever data is analyzed or mined in the cloud, the terms of engagement must be clearly stated in the CSP and EMM vendor policies.
IT Governance

The goal of IT governance is to provide a procedural framework to ensure the best use of IT resources in an enterprise, with the goal of positioning IT as an enabler that helps the enterprise reach its business goals. Like traditional IT, cloud governance is focused on providing the processes, tools, and resources necessary to ensure organizations get the most out of their cloud investment.

Demand Management

As your business grows, so too do the demands on your cloud infrastructure to keep pace with customer expectations of your service. Like traditional IT demand management, cloud demand management focuses on planning and forecasting to ensure that the cloud solution can scale to meet future customer demand. When selecting a cloud-based EMM solution, it is important to determine how the vendor works with their CSP to manage demand, and the demarcation of responsibilities between the two.

For example, suppose your enterprise was working with an existing EMM vendor and was looking to provide 50,000 new corporate-liable devices to employees in branch offices across Asia. Your EMM vendor would expand the footprint of their cloud service, which in turn expands the demand put upon the CSP. How fast can the CSP provide the new capacity? What is the SLA between the EMM vendor and the CSP, and how is this turned around to meet a customer's demands? As a part of a sound demand management model, the CSP has to anticipate demands such as these in aggregate across existing and future customers and plan to scale their infrastructure in a manner that supports the expansion of their customers' business.

Data Security Management

Effective governance of data security practices in the cloud ensures the integrity of enterprise data and keeps it safe from unauthorized third parties.
From a governance perspective, data security management is about managing risk and implementing processes to mitigate security risk by staying ahead of threats to the privacy and integrity of an enterprise's most valuable asset. The creation and maintenance of an effective governance model for cloud data security management is critical to protecting data from evolving threats. It is critical for CSPs to have a data governance model that is robust enough to deal with day-to-day threats but flexible enough to be able to deal with future threats that are not yet well known. Evaluations of EMM vendor cloud solutions should always take into account the CSP's approach to data security, since the onus is on the CSP to protect the data in transit and at rest within the cloud infrastructure. From the EMM vendor perspective, it's critical that their governance model includes the same data security management procedures employed by the CSP for the EMM application running in the cloud.
Application Lifecycle Management

Understanding the lifecycle of a cloud application is imperative to developing a sound governance model to deal with the introduction, maintenance, and eventual decommissioning of a SaaS solution. Application Lifecycle Management (ALM) governance runs in parallel to the development and operation of the service. Much like a human life, the life of an application contains a beginning, a series of significant events, and an end. At each milestone, ALM governance is used to successfully complete the transition to the next major event. From a SaaS perspective, an EMM vendor's governance process should clearly define the significant events and the process in place to navigate from one event to the next. For example, migration to a new application version across the cloud environment has to be managed in a manner that will not adversely affect a customer's data or business operations.

Service Level Agreement

A Service Level Agreement sets out the service contract between all parties in a cloud solution: the customer, the EMM vendor, and the cloud service provider. At the cloud infrastructure level, an SLA provides assurances of security, uptime, disaster recovery, bandwidth, and other operational details. At the application level, the SLA provides similar assurances, in addition to application-based functionality that is tied directly to an enterprise's critical business processes. This duality of SLAs can cause confusion and misinterpretation. It is crucial that the governance model takes into account that multiple SLAs can be involved in an overall cloud solution. The EMM vendor has to take into account the limitations of the underlying cloud infrastructure when creating an SLA for a cloud solution.

Conclusion

The ability of EMM cloud services to efficiently and cost-effectively enhance an enterprise's agility and flexibility brings great promise, but it is not without its challenges.
Cloud-related security concerns such as loss of control and visibility of data can be addressed in the ways described in this report. SOTI's enterprise mobility management solution can help enterprises take full advantage of all the cloud has to offer while mitigating many of the associated risks, and can help ensure that standards for privacy, security and compliance are not only met, but ultimately improved.
About SOTI

SOTI is the world's most trusted provider of Enterprise Mobility Management (EMM) solutions, with over 10,000 enterprise customers and millions of devices managed worldwide. SOTI makes mobility work by developing industry-leading solutions for EMM, allowing organizations to support corporate-liable and Bring Your Own Device (BYOD) policies. SOTI MobiControl solves the unique challenges involved in managing, securing, supporting, and tracking mobile and desktop computing devices across all platforms.

For more information

For more information about SOTI MobiControl visit us at www.soti.net or email SOTI Inc. at sales@soti.net.
facebook.com/soti.net | @SOTI_Inc | linkedin.com/company/soti-inc | youtube.com/sotiinc

SOTI Inc.
5770 Hurontario St. Suite 1100, Mississauga, Ontario, Canada, L5R 3G5
Phone: +1 905 624 9828
Fax: +1 905 624 3242

SOTI Europe
Pinewood Business Park, Building TS2, Coleshill Road, Solihull, Birmingham B37 7HG, UK
Phone: +44 121 368 0675

SOTI Australia
270 Ferntree Gully Rd, Suite 4, Building 9, Notting Hill, Victoria, Australia
Phone: +61 3 9001 5554