Adhering to the mobility requirements of NIST 800-171 does not have to keep you awake at night
The majority of companies in the United States and Europe are required to comply with at least one IT security regulation, and oftentimes more. This forces companies to exert strong control over how data is transferred, accessed and maintained throughout its lifecycle.
One particularly toothy regulation is NIST SP 800-171. It requires all non-federal organizations that want to continue working with U.S. government agencies to be compliant by including secure file sharing and information exchange governance.
What makes compliance difficult is that NIST SP 800-171 includes more than 100 information security requirements and failure to meet all requirements can result in termination of an existing contract, the filing of criminal charges, or a breach of contract lawsuit.
When it comes to NIST SP 800-171 and BYOD, organizations need to take into account how they would enforce multi-factor authentication and other means of security to ensure their data is protected in transit and at rest. In the past, the easiest way to adhere to the mobility requirements of 800-171 was to simply not permit employees to use their personal devices to access Controlled Unclassified Information (CUI), or any work-related data. This quickly proved to be a non-starter, and the same proved to be true for older approaches to mobile security.
As these regulations evolve, the traditional application of Mobile Device Management (MDM) policies can no longer provide the security that organizations require, because MDM and Enterprise Mobility Management (EMM) solutions focus on the device itself rather than the data. This leaves the data vulnerable to malware and man-in-the-middle attacks, and puts too much of the onus on the device owner, creating a level of distrust between the employees and the company.
In this day and age, most employees do not want to be forced to carry one device for work and a separate device for personal use. Additionally, purchasing devices for each employee is extremely costly for organizations.
According to a recent J.D. Power report, the average monthly cell phone bill is $73 and the average cost for a mobile device is $965. For a large organization this sum of money will add up quickly. The costs to acquire and enable devices, plus the time spent distributing, maintaining and recouping corporate-owned devices, could always be better spent elsewhere. Then, do you standardize on iOS or Android? Either way, a significant percentage of an organization’s user base is inconvenienced, which makes Bring Your Own Device (BYOD) suddenly seem like an appealing approach.
Though BYOD is appealing, there are still the issues of securing corporate data and ensuring personal privacy on an employee-owned device. To solve this problem, many companies have turned to a less complicated and more secure approach, which is to use a containerized workspace. A containerized workspace creates a seamless and highly secure partition that completely separates business data and applications from personal use information, enabling employees, contractors, 1099 employees, and other third-party workers to securely access CUI from any device.
It is also important to remember that not all containerized workspaces are alike. The key to finding an applicable solution that satisfies the mobility requirements of NIST SP 800-171 is to ensure that the solution leverages multi-factor authentication, biometric and other password management solutions, and combines them with 256-bit encryption to secure and protect the data, no matter what device it’s on. With these types of solutions available, BYOD is now a more viable option, and is more secure than the MDM/EMM solutions that most companies and organizations are currently using.
Some of the top-tier solutions will also add in a suite of office applications such as email, calendar, contacts, office editor, file share, location services, and messaging. These applications are easily combined with custom-built applications specific to the organization’s business. The end goal is to provide all applications and information an organization’s mobile workers require, but at the same time ensure all of the data is encrypted and protected in all aspects of its utilization.
Another benefit of the containerized workspace is that when the device or employee no longer needs access to work-related data, that data can easily and assuredly be removed from the device without impacting any of the personal data on the device, including pictures, texts, and contact lists. This means that employees can feel secure knowing that their personal data and personal use of the device remain private and, at the same time, the organization can feel secure that its corporate and sensitive data cannot be misused or mishandled, even if the device is lost, stolen or compromised.
New generations of employees have come to expect a dynamic mobility solution that enables them to use a single device for all aspects of their lives. Force-fitting their user experience to the limitations of mobile security solutions, while at the same time applying archaic IT & HR policies to further restrict and even threaten usage patterns, no longer scales to meet today’s mobility expectations or regulatory and compliance mandates such as NIST SP 800-171. When it comes down to it, a containerized workspace is really the only viable option.