Like dust devils threatening to turn into tornadoes, a series of state and federal skirmishes over telecommunications regulation could alter the climate of mobile enterprises in years to come. Regulations to beef up security and restrict employee access to information, to audit corporate IT records and messaging, to protect patient-identifiable medical information, to promote concepts such as network neutrality and to promote a wireless consumer bill of rights: All of these issues are on lawmakers’ plates.
The flurry of directives and bills frequently pits requirements for data integrity and auditing against the confidentiality and privacy rights of individuals. In some cases, legislation advocates for consumer or entrepreneurs’ rights at the expense of carrier profit, and in others, legislation paves the way for just the opposite effect.
Internally, enterprises are re-thinking their mobile IT assets as the industry rushes to incorporate government security and accountability mandates into new product and service cycles. Externally, government and private organizations—including state government, the FCC, the U.S. Senate and wireless trade associations such as the Cellular Telecommunications Industry Association (CTIA), among others—are attempting to negotiate a climate of regulation that addresses a heightened level of security without stifling wireless business.
“The root problem we have now is that enterprises put together a security policy before mobility trends started hitting; so policies have to be revisited now that equipment is moving beyond [corporate] buildings to telecommuters and teleworkers,” said Bob Egner, a VP of product management and global marketing at Pointsec Mobile Technologies, a software company specializing in encryption software for desktops and mobile systems.
Mobile data theft has been prevalent, prompting private corporations to upend security policies to avoid what Egner calls “a CNN moment”—public disclosure of unauthorized data thefts. According to the Privacy Rights Clearinghouse, a non-profit consumer advocacy group, 95 million data records of U.S. residents have been exposed or stolen in security breaches since February 2005.
The combination of public embarrassment and financial liability for data loss is forcing both government and enterprises to pursue aggressive security and authentication policies regardless of which regulations are in place. On the federal level, the Sarbanes-Oxley Act (SOX) established the Public Company Accounting Oversight Board and requires commercial enterprises to maintain accurate internal audit controls. These keep tabs on financial transactions and on company communications and messaging, with an eye on preventing accounting fraud. SOX auditing controls are virtually ubiquitous across wireless private enterprise today, extending to audit trails for email, SMS and other communication. Many large wireless solutions providers, such as Research In Motion and Sybase iAnywhere, have transformed their software platforms to accommodate SOX auditing and internal enterprise policy requirements.
The Gramm-Leach-Bliley Act (GLBA) specifically requires financial institutions to safeguard the personal and private information of customers, although its reach also extends to institutions such as universities, which must establish technical and physical safeguards for financial records. (Additionally, the GLBA codifies protections against “pretexting,” the practice of obtaining personal information under false pretenses.)
The well-known Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996, establishes strict standards for protecting electronic healthcare transactions. These include standards for maintaining the privacy of patient healthcare data regardless of computing platform: mobile, wireless or wired.
The government has also enacted tougher encryption and authentication standards in recent years. Among the newest measures is the Homeland Security Presidential Directive 12 (HSPD-12), which mandates a common identification standard for federal employees and contractors. Another landmark bill, known as the Senate Communications Act of 2006, still in Congress, will weigh in on a national framework of telecommunication regulations to manage next-generation Internet functionality, competitive video, network neutrality (ensuring that Internet companies cannot block others’ Web sites or email), digital TV, Universal Service (a mandate to promote quality services at reasonable rates) and wireless broadband, among other issues.
“There’s a huge alphabet soup [of regulation] that governs our customers and in turn flows into our product development cycles,” affirms Scott Totzke, director of the Research In Motion (RIM) Global Security Group. “For example, one of our large strategic customer verticals is the Department of Defense, which has many policy requirements, including the National Information Assurance Acquisition Policy and the Federal Information Processing System for encryption certification. We can’t even implement a wireless solution unless it conforms to [these] requirements.”
In the enterprise space, the government demands audit trails through Sarbanes-Oxley. “This means we’ve got a BlackBerry and emails and copies of [mobile] messages on servers and handhelds, and all of this needs to be audited and managed. So we evolve our solutions to accommodate.”
Regulation Means Innovation?
Many of the new technologies are in direct response to government security requirements. “What’s emerged from the HSPD-12 is a smartcard-based standard,” Totzke continued. “For example, RIM invented a BlackBerry Smart Card Reader and authentication device that comes in a small badge holder with a Bluetooth connection. You just wear it around your neck, and the badge enables a short-range wireless authentication to a terminal on the network—the user still must key in a PIN,” he said. “When the user walks away from the computer or terminal, the badge automatically locks down the computer so no one else can get access.” The product, released in June 2006, will be widely deployed in the DOD over the next 12 months (see page 52 for a closer look).
In wireless enterprises, especially in the banking and financial industries, higher levels of encryption, two-factor (or two-level) authentication and secured remote control are becoming commonplace. For example, NetMotion Wireless, a mobile VPN company, has implemented secure audit controls to enable customers to see who is accessing an enterprise network and from where. “We can determine … a user’s location with a logical address,” said John Knopf, NetMotion’s director of product management. “For example, the mobile VPN ‘knows’ if users are accessing a corporate network from a Cingular network or a WiFi hotspot. We can track information down to that level and know which devices are being used and how the user is authenticated into the system,” he said.
Another option comes from NetworkStreaming, which provides audit trails and internal data security through a remote control software system that operates through firewalls. The software, in effect, enables tech support organizations to take control of remote mobile or desktop computers in order to fix them. While the potential for abuse or unauthorized PC control seems apparent, says Nathan McNeill, NetworkStreaming’s VP of product management, the company’s solution is fail-safe. “The remote control session is [exclusively] user initiated. Users go to a Web site [to request a remote control session] and download an applet in 10 seconds.” All data in the session are routed and tracked internally to ensure accountability for what happens.
Government regulation, by its nature, may never keep pace with changing requirements in the mobile marketplace, observes Pointsec Mobile’s Egner. “The smaller mobile devices get and the more storage capacity, the higher the risk for [theft] among enterprises and government organizations,” he says. Although a number of existing laws (e.g., SOX, HIPAA) address the risk to an extent, “the only way to protect or close up all security vulnerabilities on a mobile ‘endpoint’ [computing device] is to encrypt everything top to bottom.”
Government most likely will never mandate a ubiquitous mobile encryption requirement, Egner continues. But corporations are heading in this direction because of fear. “What started out as a regulatory issue has become an emotional issue because companies don’t want their names in the paper,” he says. “Although the trend is toward personal privacy laws that have caught the industry’s attention, actions haven’t been taken because of regulation. They’re taken because of the high visibility of public [data] breaches” and the resignations and lawsuits that have resulted.
Arielle Emmett is a lecturer in journalism at Temple University.