Data Security Compliance in the Age of “Work from Anywhere, on Any Device”

by Peter Fell

Posted on July 14, 2022

Customer protection and data security regulations vary significantly across industries and compliance requirements vary with them. Rigorously controlling sensitive data and safeguarding it against misuse, exposure and exfiltration, however, is a baseline requirement for virtually all industries – healthcare, financial services, education, utilities and many more.

Compliance has never been simple, but today it is more complex than ever before. The pace at which regulations are issued and updated has vastly accelerated, spurred by well-publicised cyber breaches and data leaks. In this work-from-home era, the increase in outsourcing and remote work, driven by financial savings and simplified staffing, has made compliance even more complex. Numerous breaches have been traced to remote employees and third-party workers, who often access organisation resources and apps via their unmanaged personal devices.

Faced with these risks, IT and security professionals strongly prefer to lock everything down: ideally by bringing users back to the office and, failing that, by limiting access to managed devices. The business side of most organisations, however, is adamantly in favour of maintaining the flexibility and cost savings associated with remote access, and of allowing all users access from anywhere, so that the business can continue without these barriers.

These conflicting positions and trends put compliance professionals in a tough spot. Regulations are being strengthened, business practices are growing more inherently risky, and the fragmentation of the application environment, combined with the shortage of cybersecurity professionals and acceleration of update/patch cycles, makes compliance ever more difficult to achieve and maintain.

The unmanaged device conundrum

With organisations increasingly moving to cloud operations, the ease with which corporate apps can be used from anywhere, on any device, has increased exponentially, and along with it the pressure on compliance teams. Whether the unmanaged endpoints are BYOD devices used by employees or laptops used by third-party or gig workers, without device-based controls it is a significant challenge to enforce essential elements of compliance:

  • Providing secure user access to corporate apps
  • Controlling and managing endpoint risk posture without installing client software
  • Preventing users from downloading sensitive data onto untrusted devices
  • Protecting corporate apps from exposure to device-mediated risks
  • Preventing threat actors from accessing corporate apps via untrusted devices

Without controls on a user’s device, sensitive data from apps – even those requiring strong authentication – may be downloaded and stored on the device, in clear violation of regulations governing industries such as healthcare and financial services. Unmanaged devices may be infected with malware that enables a threat actor to exfiltrate data from enterprise or SaaS apps. Or malware on an unmanaged user device may be uploaded to an app when the user connects. In a recently exposed example, an Office 365 flaw could allow a logged-in user’s web session to be hijacked, enabling threat actors to change SharePoint settings and encrypt files in a ransomware attack.

While in-app controls may address some of these issues, procedures for promptly updating policies and patching apps are notoriously lacking or weak in most organisations. Moreover, the web application firewalls (WAFs) that organisations depend on to keep their apps safe have proven to be insufficient for the task. Recent studies by organisations like Ponemon Institute have found that organisations are frustrated with their WAFs, citing the large numbers of false positives they generate while failing to issue alerts for the many actual attacks.

Compliance for app access from unmanaged devices

To adequately address the operational, financial, security and compliance needs of modern distributed organisations, compliance professionals and the security staff that support them need to:

  • Enable users – employees and third parties such as contractors and partners – to access applications from unknown or unmanaged devices in compliance with industry regulations
  • Enforce compliance without requiring users or IT staff to install software, agents or plugins on BYOD devices
  • Ensure that device posture requirements are met – AV versions, software that is running – or alternatively mitigate the risks that result when requirements are not met
  • Provide a simple, seamless user-application experience, without degradation due to security measures
  • Manage and enforce security policies centrally, to ensure that they are applied regardless of who the user is, what device they are on, and from where they connect
  • Document compliance with detailed audit trails and reports of attempted breaches, including attempts to download sensitive information that were blocked (who, where, when, etc.)

Because unmanaged devices cannot be trusted, a Zero Trust approach is essential when considering a secure way to enable access to apps and internal resources. That means that rather than trying to ascertain whether an unmanaged device is safe enough to allow its user to access sensitive information, the access path itself should ensure that data and apps are protected on the assumption that the device is NOT safe.

The Zero Trust solution for untrusted device access

Ericom Web Application Isolation (WAI) works on that precise principle. It airgaps untrusted devices from corporate applications, including private web apps and public SaaS apps like Office 365 and Salesforce. Users view and interact with applications through application isolation, delivered via the ZTEdge Global Cloud. Granular, policy-based controls protect sensitive data by restricting uploads, downloads, copying and pasting, printing and other functions, while affording each user the access they need to accomplish their tasks. Additionally, applications are effectively turned “dark” to anybody who is not accessing them through the ZTEdge platform. This dramatically reduces the application’s attack surface, securing them from data-loss vulnerabilities like those included in the OWASP Top 10.
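The two preceding sections describe an access model rather than an implementation: the device is assumed compromised, the broker between user and app decides per action whether data may move, and every decision lands in an audit trail. The following is an added illustration of that model in Python; it is not Ericom's or ZTEdge's code, and the request fields (`device_managed`, `posture_ok`, `data_sensitive`), the action names and the sample requests are all assumptions constructed for the example.

```python
"""Hypothetical deny-by-default policy evaluator for app access from
unmanaged devices, plus the audit record each decision produces.

Added example, not product code. Assumes a broker that sees each user
action on an app together with device trust and posture signals.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json

# Actions a user can request on an app through the broker (assumed set).
ACTIONS = ("view", "download", "upload", "clipboard", "print")


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    action: str
    device_managed: bool   # enrolled corporate endpoint vs. BYOD / third party
    posture_ok: bool       # e.g. AV current, OS patched (signal assumed to exist)
    data_sensitive: bool   # classification of the app or document (assumed)
    source_ip: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """First matching rule wins; anything unrecognised is denied.

    A device that is unmanaged, or managed but failing posture, is treated
    as compromised regardless of what it reports: it may only view the app
    through isolation, never push files into it, and never pull sensitive
    data out of it.
    """
    if req.action not in ACTIONS:
        return Decision(False, "unknown action")
    if req.device_managed and req.posture_ok:
        return Decision(True, "managed device with acceptable posture")
    why = "unmanaged device" if not req.device_managed else "posture check failed"
    if req.action == "view":
        return Decision(True, f"{why}: isolated view permitted")
    if req.action == "upload":
        # Uploads are the malware-into-the-app path, so they are blocked
        # even for non-sensitive apps.
        return Decision(False, f"{why}: upload blocked")
    if req.data_sensitive:
        return Decision(False, f"{why}: {req.action} of sensitive data blocked")
    return Decision(True, f"{why}: {req.action} of non-sensitive data permitted")


def audit_record(req: Request, dec: Decision, now: Optional[datetime] = None) -> str:
    """One JSON line for the compliance trail: who, where, when, what, outcome."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    rec = {"time": ts, **asdict(req), "allowed": dec.allow, "reason": dec.reason}
    return json.dumps(rec, sort_keys=True)


def blocked_attempts(records: List[str]) -> List[Dict]:
    """Reduce an audit trail to the denied requests a compliance report lists."""
    return [r for r in map(json.loads, records) if not r["allowed"]]


# Constructed sample traffic (documentation IP ranges, fictitious users).
SAMPLE_REQUESTS = [
    Request("alice", "sharepoint", "download", True, True, True, "198.51.100.5"),
    Request("bob", "sharepoint", "download", False, True, True, "203.0.113.7"),
    Request("bob", "sharepoint", "view", False, True, True, "203.0.113.7"),
    Request("carol", "wiki", "upload", False, False, False, "203.0.113.9"),
]


def run_sample() -> List[str]:
    """Evaluate the sample requests and return their audit lines."""
    return [audit_record(r, evaluate(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
    print(f"blocked: {len(blocked_attempts(run_sample()))}")
```

The point of the ordering is that device trust is checked before the action, so an unmanaged device never reaches a rule that would let it move data, and the audit line carries the same fields a regulator would ask for when a blocked download is questioned.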

With WAI, organisations can allow trusted users to connect via untrusted devices yet maintain critical control of corporate apps and sensitive data, with audit trails to verify data security compliance. Discover how ZTEdge isolation-based solutions address the complex compliance challenges of today’s distributed business environments. Contact us for a demo today.


About Peter Fell

Peter Fell, Group CTO - EME, is a solutions architect and information security expert, specialising in data protection, cybersecurity, data privacy and compliance. He has 20+ years’ experience in information security, specialising in data protection, cybersecurity, data privacy and compliance, SaaS, and identity and access management.