A recent announcement by IBM focuses attention on the area of Privacy Management and could have significant implications for the future of mobile security and EMM. EMM typically covers three areas: MDM (mobile device management, the original focus); MAM (mobile applications management); and MCM (mobile content management).
IBM – Privacy & Security Services Capability Expansion
The latest announcement (9/14/16) includes a number of new infrastructure facilities and services that IBM will be providing, built around the concept of compliance with country- and region-wide privacy laws and regulations throughout the world.
While this announcement – including new data centers and new consulting-type services – involves major enhancement of IBM’s EMM offering, MaaS360, the company couched the announcement as an “expansion” of its “mobile security as a service” capability.
Key Points: In-Country Data & Consulting Services
We spoke with Tom Mulvehill, Program Director, Mobile Security, about IBM’s expansion plans. He articulated a number of key points:
1. In-Country Data. The nub of the new initiative is that IBM is going to deploy MaaS360 in a growing number of countries, with the intention of helping customers comply with increasingly complex local regulations on data privacy. One of the triggers has been the European Commission’s General Data Protection Regulation (GDPR), discussed below.
IBM Cloud is available from 47 data centers in 26 countries. IBM states that IBM MaaS360 is “currently operating in North America, Germany and Singapore.” As part of this expanded program to address localized privacy regulations, IBM announced plans for 10 more centers, the first two in France and India.
In a webinar on 9/28, MaaS360 executives explained that while their service was currently available everywhere, the enhanced local presence, through added data centers, would make it easier for clients to comply with strict privacy rules. They also observed that security concerns are seriously holding back mobile management programs, and that enterprises are struggling with managing “massive amounts of apps,” “multiple OSs,” and, of course, BYOD.
2. Consulting. IBM announced that it will offer “Privacy Consulting Services around GDPR which are designed to evaluate all aspects of an organization’s data privacy environment against new regulatory requirements.” Mulvehill points out that IBM will provide a “readiness assessment” to clients, which is a key factor, since the GDPR introduces so many new obligations on firms that maintain or process individuals’ personal data.
Identity Management & Maturity Line Pricing
3. Identity Management. Mulvehill describes this as “integration with cloud identity management.” One year ago IBM announced its entry into the CASB (cloud access security broker) space with its Cloud Security Enforcer. CASBs are a response to problems arising from enterprises’ use of multiple cloud services and from employees’ use of their own choices of cloud apps, not necessarily approved by their companies. They are designed, for example, to detect “shadow IT” (think Hillary Clinton’s private server), among other problems.
The CASB is basically software that sits between the enterprise infrastructure and the cloud and allows the company to enforce its security rules on employees’ usage of cloud apps. Mulvehill explains that by integrating Enforcer with MaaS360 the enterprise can account for flaws and security violations arising from mobile devices, which he states were a “blind spot” for Enforcer. We asked if there was a combined price for this integration capability and Mulvehill stated, not at this time; currently MaaS360 and Enforcer are separately priced.
4. Maturity Line Pricing. IBM announced that it was initiating “four new tiers” of pricing for MaaS360. These pricing schedules, Mulvehill states, are geared to align with the “maturity” level of the client’s mobile adoption program. When we asked how “sticky” EMM offerings were proving to be in the marketplace, he responded, not that sticky, largely because, he believes, “most enterprises are not that mature in mobile adoption.”
IBM claims to manage about 5 million devices through MaaS360, for about 10,000 customers. Mulvehill told us that as of year-end 2015 about 65% of the customers were based in North America. Among leading competitors in EMM, VMware AirWatch claims 12,000 customers and MobileIron 6,000.
Europe’s GDPR – New Privacy Rules
The GDPR is an extremely complex set of regulations adopted by the European Parliament, designed to provide “protection of natural persons with regard to the processing of personal data and on the free movement of such data.”
These regulations, which will go into effect in the spring of 2018, offer new protections to EU individuals and can result in substantial fines to data “controllers” and “processors” who are found in non-compliance. Companies that are located outside the EU but target consumers in the EU are subject to the GDPR.
Companies may have to appoint Data Protection Officers. Consent is required from individuals for processing their sensitive data, and such consents must be easy for the individual to withdraw, while there are also added regulations on the amount and nature of the notices individuals must be given to protect their rights. Individuals also have a right of “erasure” of their personal data. Organizations are subject to specific rules on reporting data breaches. Fines, for example on improper international transfer of data, even within a corporate family, can be very stiff, up to the higher of €20 million or 4% of annual worldwide turnover.
As the IAPP (International Association of Privacy Professionals) has written, “the GDPR requires companies handling EU citizens’ data to undertake major operational reform.”
Our Take
“Privacy” is largely a societal and political issue, not necessarily just a “security” issue. So the rules in the GDPR, and in privacy regulations in other jurisdictions, are attempts to reflect societies’ opinions on the extent to which an individual’s personal data may be included in business datasets that could be exposed to other people.
Privacy becomes a security issue because the exposure of personal data is one of the most aggravating features of many data breaches.
IBM has seized on the relationship between privacy and security, emphasizing that, while security may be a more or less global concern, privacy is subject to more localized laws and regulations. Mulvehill told us that IBM believes that being first into a new level of privacy management services will provide the company with “clear competitive differentiation.”
Mulvehill cites as one of IBM’s key strengths in this area its ability to integrate a number of security-related capabilities it has developed or acquired. He mentions several of these capabilities, such as AppScan, which scans web and mobile apps prior to deployment to identify security vulnerabilities; Trusteer, which provides cybercrime and fraud prevention solutions, primarily aimed at the financial sector; and QRadar, which assimilates information from networks, apps, devices and other endpoints and analyzes it for security threats.
The GDPR appears to give IBM an excellent opening. It opens the door to ever-increasing levels of complexity and bureaucratic regulation. GDPR will certainly be successful in its primary goal – ensuring unending job opportunities for a growing cohort of bureaucrats.
IBM may be well suited to capitalizing on the needs of enterprises to cope in this area. An interesting, if somewhat ancient, parallel is Automatic Data Processing, now known as ADP, LLC. As the government piled more and more regulations, particularly tax rules, on companies, it became impossible for even very small businesses to administer their payrolls in-house. Hence, a multi-billion-dollar company (and industry) arose, whose primary function was dealing with bureaucratically created complexity.
Visit their website: www-03.ibm.com/security/mobile/maas360.html