How to Get Your Mobile Strategy in Line with the GDPR
May 11, 2018
The bring-your-own-device trend is here to stay. Per a Gartner survey, only 23% of employees these days get a phone from their employer. Instead, more than 50% of them use their own personal device to access their company’s data and apps. And they’re connecting on the go, from home, from airports, and from coffee shops.
All of this makes it harder for organizations to keep their data safe. It’s all too easy for employees to access data on unsecure devices or networks. Not to mention the higher chance of mobile devices getting lost or stolen.
But under the GDPR, you’re responsible for keeping all personal data safe—no matter where it is. So as you gear up for the new privacy law, one of the key areas you should also consider is how well you’re protecting data beyond on-premises. Here are some ways to do it.
Protect data anywhere it goes
It’s no longer enough to merely protect data within your company walls. You need to be thinking about what happens when your data travels out to places you can’t control. This could be anywhere from social media to your employee’s personal phones and tablets to an unsecured network at a coffee shop.
The goal is to protect data in all these places and beyond, pretty much anywhere your employees might roam. And you need to protect data regardless of where it’s stored, who it’s shared with, and what device it’s on (whether that’s iOS, Android, or Windows). This means you need to build security into the file itself.
Some ways to do this:
- Classify data based on sensitivity and add labels, both manually and automatically
- Encrypt your sensitive data and define usage rights or add visual markings when needed
- Use detailed tracking and reporting to see what’s happening with your shared data and maintain control over it
This is an area in which the right technology is key. For example, Microsoft Azure Information Protection lets you classify and label your data right when it’s created or modified. It can even detect sensitive information (like credit card numbers) and prompt users to label the file as confidential, like so:
Example classifications and prompts for labels. Source: Microsoft
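The content-based labelling described above (detect sensitive information such as card numbers, then recommend a label) can be illustrated with a small classifier. The code below is an added example written for this article; it is not Microsoft's or Azure Information Protection's code. The sample documents are constructed, and the label names "Confidential", "Internal" and "General" are assumed for the example rather than taken from any real label taxonomy. The card-number detector pairs a digit-run regex with the Luhn check so that ordinary order numbers are not flagged.

```python
import re

# Constructed sample documents (not real data) for the example.
SAMPLES = {
    "expense_report.txt": "Paid with corporate card 4111 1111 1111 1111, receipt attached.",
    "draft_notes.txt": "Order ref 1234567890123 shipped; contact sales@example.com.",
    "lunch_menu.txt": "Tuesday: soup, sandwiches, fruit.",
}

# Candidate 13-19 digit runs, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings of all Luhn-valid card-number candidates in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def recommend_label(text: str) -> dict:
    """Suggest a sensitivity label from the content, as a labelling prompt would."""
    findings = [("credit_card", mask(pan)) for pan in find_card_numbers(text)]
    findings += [("email", addr) for addr in EMAIL_RE.findall(text)]
    if any(kind == "credit_card" for kind, _ in findings):
        label = "Confidential"  # assumed label names, not a real AIP taxonomy
    elif findings:
        label = "Internal"
    else:
        label = "General"
    return {"label": label, "findings": findings}


def classify_all(samples: dict) -> dict:
    """Classify every document and return {name: {label, findings}}."""
    return {name: recommend_label(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in classify_all(SAMPLES).items():
        print(f"{name}: {result['label']} {result['findings']}")
```

The masked findings are what you would surface in the user prompt or the tracking report; the full number never leaves the detector.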
Grant and restrict access to data
The GDPR really raises the bar for how organizations should grant access to data. It requires you to take appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure. This might mean, for example, that you should take a second look at which users have high-level admin access they might not really need.
This is where Azure Active Directory comes in handy. It lets you manage user identities and associated access privileges. You can use it to secure and restrict who can access your data in these ways:
- Use conditional access by device state, application sensitivity, location, and more
- Calculate user and sign-in risk
- Set up multi-factor authentication, including with biometrics
- Manage privileged access to data (such as for high-level admins)
Here’s an example of how your conditional access might work. You can set up a series of if/then rules that govern when a user can see data.
Examples of conditional if/then rules. Source: Microsoft
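The if/then rule series above can be modelled as an ordered policy list where the first matching rule decides. The following is an added example for this article, not Azure Active Directory's policy engine: the signals (device compliance, location, IP reputation, impossible travel, admin role), the risk weights and the rule order are all assumptions chosen to mirror the bullets in this section.

```python
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    app_sensitivity: str      # "low" or "high"
    device_compliant: bool    # device meets the required state
    trusted_location: bool    # known corporate network or location
    bad_ip_reputation: bool   # signal feeding sign-in risk (assumed)
    impossible_travel: bool   # signal feeding sign-in risk (assumed)
    privileged: bool          # user holds a high-level admin role


def sign_in_risk(s: SignIn) -> str:
    """Fold raw signals into a low/medium/high risk level (assumed weights)."""
    score = 3 * s.impossible_travel + 2 * s.bad_ip_reputation + (not s.trusted_location)
    return "high" if score >= 3 else "medium" if score >= 1 else "low"


# Ordered if/then rules: (name, condition over sign-in and risk, outcome).
# The first rule whose condition holds decides; nothing matching means allow.
RULES = [
    ("block high-risk sign-ins",
     lambda s, r: r == "high", "block"),
    ("admins need a compliant device",
     lambda s, r: s.privileged and not s.device_compliant, "block"),
    ("admins always use MFA",
     lambda s, r: s.privileged, "require_mfa"),
    ("sensitive apps need a compliant device",
     lambda s, r: s.app_sensitivity == "high" and not s.device_compliant, "block"),
    ("medium risk or untrusted location needs MFA",
     lambda s, r: r == "medium" or not s.trusted_location, "require_mfa"),
]


def evaluate(s: SignIn) -> tuple:
    """Return (outcome, rule name) for a sign-in attempt."""
    risk = sign_in_risk(s)
    for name, cond, outcome in RULES:
        if cond(s, risk):
            return outcome, name
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed sign-in attempts (not real users).
    attempts = [
        SignIn("alice", "low", True, True, False, False, False),
        SignIn("bob", "low", True, True, False, False, True),
        SignIn("carol", "high", False, True, False, False, False),
        SignIn("dave", "low", True, False, False, False, False),
        SignIn("eve", "low", True, False, False, True, False),
    ]
    for a in attempts:
        print(a.user, sign_in_risk(a), *evaluate(a))
```

Ordering matters: the block rules sit before the MFA rules so that a high-risk sign-in is never let through just because the user can pass a second factor.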
Protect data in mobile devices and applications
The aim here is to let your employees access your applications, data, and resources from virtually anywhere, on any device—all while keeping your data secure.
First, you need to make sure that only the right people have eyes on your data. Next, you need to keep the data safe even after it’s accessed. This also includes protecting an employee’s personal data from yourself, as you wouldn’t want to accidentally wipe something like their family photos when they leave the organization.
Some ways to do this:
- Make sure devices that try to access your data meet certain standards first (such as having the latest operating system)
- Limit devices from using certain apps and URLs
- Keep your data secure even when it’s copied, cut, pasted, or saved as
- Selectively remove corporate data from user devices and apps—while leaving personal data intact
- Take remote action like passcode reset, device lock, and remote wipe
These are the types of things that Microsoft Intune helps you do. It lets you manage all of your devices from a single place in the cloud while still letting employees work on the devices, and from the places, they choose.
See and control data in cloud apps
If you are a data controller as defined by the GDPR, you’re responsible for determining the purposes, conditions, and means of processing personal data. This responsibility also extends to any data processors you work with, like your vendors or partners.
The kicker is, you might not even be aware of all the vendors your employees are working with. A 2013 report from Frost & Sullivan about shadow IT said that more than 80% of employees admitted to using non-approved cloud apps. But you as their employer are still responsible for any personal data that’s created, processed, managed, or stored in any apps—including any apps that employees might have chosen on their own.
That’s where Microsoft Cloud App Security comes in. It helps you find and keep an eye on more than 13,000 cloud apps in your network, across all devices. It also protects user privacy by anonymizing username data.
A roll-up of cloud apps on the Cloud Discovery dashboard. Source: Microsoft
Detect data breaches before they cause damage
The GDPR lays out the timeline and conditions for when you should notify a controller and data subjects when there’s been a breach. This likely means you need better processes in place to detect and report on breaches. It’s no longer enough to rely on traditional ways of sifting through huge log reports with many false positives.
Some ways to beef up your cybersecurity:
- Analyze your traffic and data-related activities across your network, in real time
- Automatically learn the common behaviors for users and resources on the network, which lets you build a pattern of expected behavior
- Detect abnormal behavior that deviates from the expected pattern
- Intelligently use the learned context to prevent false positives, prioritize alerts, fix problems automatically, and present attack timelines
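The four bullets above describe one detection loop: learn a per-user baseline, score new activity by how far it deviates, use context to suppress likely false positives, and prioritize what remains. The code below is an added example for this article and is not Microsoft's detection logic; both log extracts are constructed, and the log format, the scoring weights and the priority thresholds are assumptions. It learns each user's usual countries, apps and working-hour window from a baseline window, then scores the next day's sign-ins, adding weight when a success follows a burst of failures and waiving the "new app" signal when the app is already common across the organization.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events used to learn "normal" behaviour (not real logs).
BASELINE_LOG = """\
2018-05-07T09:05:00Z user=alice ip=10.1.4.22 country=US app=Outlook result=success
2018-05-07T10:30:00Z user=alice ip=10.1.4.22 country=US app=SharePoint result=success
2018-05-08T14:12:00Z user=alice ip=10.1.4.22 country=US app=Outlook result=success
2018-05-07T08:55:00Z user=bob ip=10.1.7.3 country=US app=Outlook result=success
2018-05-08T16:40:00Z user=bob ip=10.1.7.3 country=US app=Teams result=success
2018-05-09T11:20:00Z user=bob ip=10.1.7.3 country=US app=SharePoint result=success
"""

# Constructed events from the following day, scored against the baseline.
NEW_LOG = """\
2018-05-10T03:17:00Z user=alice ip=203.0.113.9 country=RU app=Outlook result=failure
2018-05-10T03:17:20Z user=alice ip=203.0.113.9 country=RU app=Outlook result=failure
2018-05-10T03:17:45Z user=alice ip=203.0.113.9 country=RU app=Outlook result=failure
2018-05-10T03:18:10Z user=alice ip=203.0.113.9 country=RU app=Outlook result=success
2018-05-10T10:02:00Z user=alice ip=10.1.4.22 country=US app=SharePoint result=success
2018-05-10T12:00:00Z user=bob ip=10.1.7.3 country=US app=Dynamics result=success
2018-05-10T15:00:00Z user=bob ip=10.1.7.3 country=US app=Teams result=success
2018-05-10T15:30:00Z user=alice ip=10.1.4.22 country=US app=Teams result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) "
    r"app=(?P<app>\S+) result=(?P<result>\S+)"
)
COMMON_APP_SHARE = 0.5  # an app used by this share of users is "normal" org-wide (assumed)


def parse(log: str) -> list:
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def learn_baseline(events: list) -> dict:
    """Per-user countries, apps and sign-in hours, plus which users use each app."""
    users = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": []})
    app_users = defaultdict(set)
    for e in events:
        users[e["user"]]["countries"].add(e["country"])
        users[e["user"]]["apps"].add(e["app"])
        users[e["user"]]["hours"].append(e["ts"].hour)
        app_users[e["app"]].add(e["user"])
    return {"users": dict(users), "app_users": dict(app_users)}


def score_event(e: dict, baseline: dict, failures_before: int) -> tuple:
    """Score one event against the learned pattern; weights are assumed."""
    profile = baseline["users"].get(e["user"])
    if profile is None:
        return 2, ["no baseline for user"]
    score, reasons = 0, []
    if e["country"] not in profile["countries"]:
        score += 3; reasons.append(f"new country {e['country']}")
    lo, hi = min(profile["hours"]) - 1, max(profile["hours"]) + 1
    if not lo <= e["ts"].hour <= hi:
        score += 1; reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
    if e["app"] not in profile["apps"]:
        share = len(baseline["app_users"].get(e["app"], ())) / len(baseline["users"])
        if share < COMMON_APP_SHARE:  # new to this user AND uncommon in the org
            score += 1; reasons.append(f"first use of app {e['app']}")
    if e["result"] == "success" and failures_before >= 3:
        score += 2; reasons.append(f"success after {failures_before} consecutive failures")
    return score, reasons


def priority(score: int) -> str:
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def detect(baseline_log: str, new_log: str) -> list:
    """Return prioritized alerts (highest score first) for events that deviate."""
    baseline = learn_baseline(parse(baseline_log))
    failures = defaultdict(int)  # running consecutive-failure count per user
    alerts = []
    for e in sorted(parse(new_log), key=lambda x: x["ts"]):
        score, reasons = score_event(e, baseline, failures[e["user"]])
        failures[e["user"]] = failures[e["user"]] + 1 if e["result"] == "failure" else 0
        if score > 0:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "score": score,
                           "priority": priority(score), "reasons": reasons})
    alerts.sort(key=lambda a: (-a["score"], a["ts"]))
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOG, NEW_LOG):
        print(a["priority"], a["ts"], a["user"], a["score"], "; ".join(a["reasons"]))
```

Sorting the alerts by score gives the timeline an analyst would work from: the successful sign-in from a new country at 03:18, right after three failures, lands at the top, while bob trying a new app during his normal hours stays low, and alice opening Teams (already used by half the organization) produces no alert at all.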
With the GDPR looming, it’s a great time to partner with a Microsoft security expert like Binary Tree to tighten up data security beyond your physical perimeter.
Through our Enterprise Mobility + Security services, we guide you through the steps to design and implement a complete, intelligent protection strategy, so you can meet today’s advanced cybersecurity challenges head on while also following regulatory and compliance standards like the GDPR, ISO, and NIST.
Specifically, we can help you:
- Integrate data across cloud and on-premises
- Keep your mobile users productive and secure on any device they choose
- Classify data based on how sensitive it is
- Apply persistent data protection to your most critical assets
- Enable safe sharing of data, both inside and outside your organization
To find out more about how we can help, get in touch.
Source: Microsoft, Supporting Your EU GDPR Compliance Journey with Enterprise Mobility + Security, May 2017.