Posted on 23-Jan-2017
MaaS360 Goes Global to Keep Data Local
Expand your mobile device strategy while complying with local data privacy regulations
Jonathan Dale, MaaS360 Portfolio Manager, IBM Security
Adam Nelson, Global Privacy Lead, IBM Security
2 IBM Security
Housekeeping items
• Duration – 60 minutes
• Submit your questions to the Q&A box located on the left-hand side of your screen
• Recording and slides will be emailed to you
Let’s talk about…
IBM CONFIDENTIAL until Sept. 13, 2016
• Reflection of our mobile progress
• What is holding us back
• MaaS360 goes global
• Data Privacy
• GDPR Readiness
Merging mobile and security strategies
iOS dominates the enterprise, with Android gaining momentum
• XX% of employees use personal devices for work purposes
• By next year, X of employers will require bring your own device
• More than XX% of organizations support corporate applications on personal devices
We have matured past the basics
Now we are managing massive amounts of apps
Apps managed by IBM MaaS360:
• 472 apps managed by highly mobile organizations
• 10 apps managed by SMB and large organizations
Most Popular Apps:
• 31% Business
• 16% Productivity
• 17% Education
• 10% Utilities, games, travel
We are scaling mobile – everywhere
[Figure: departments adopting mobile – Sales, Operations, Marketing, Finance/HR, Engineering, Services, R&D, Execs]
We’re going places where mobile can make a deep impact
[Figure panels: Improving care; Saving lives; Busting lines; Making safe landings; Learning in class; Heading home]
We have real examples, and real results
Security – Compliance and Regulations: A large U.S. children’s hospital protects 3,000+ mobile devices, ensuring HIPAA compliance; installed and integrated with existing servers in just 90 minutes.
Productivity – Improving Customer Experience: A leading gaming and entertainment company reduces customer wait time by 80% with tablets, using a single managed app to speed the time to deliver food and drinks to customers.
Top mobile challenges frequently slowing progress
[Figure: stakeholder roles – CEO, CIO, CISO, CRO, CCO, CLO]
• Impediments in using international datacenters when adopting SaaS
• Complexities of regulatory compliance and other local and regional privacy laws
• Intrusion of user privacy and data privacy
• Uncertainty around access and authorization
• Difficulty deploying products and services with limited staff and expertise
• Risks associated with data loss, app vulnerabilities and mobile malware
What we recently announced
• IBM MaaS360 to support in-country data requirements with local presence
• Mobile deployment services
• IBM Privacy Consulting Services, GDPR Readiness
IBM MaaS360 global expansion, services and security integrations
Start with a solid foundation for global SaaS and security adoption
IBM Cloud: 47 datacenter locations in 26 countries
IBM MaaS360:
• 4 existing centers
• 2 under way in India and France
• 8 additional centers to open in 2017-2018
IBM MaaS360 enterprise mobility management
A flexible, integrated platform that meets diverse mobile use cases: Devices, Apps, Container, Threats, Content, Networks
• Productivity Suite – Trusted Workplace
• Content Suite – Secure Collaboration
• Threat Management – Malware Protection
• Gateway Suite – Enterprise Access
• Management Suite – Visibility & Control
IBM MaaS360: End-to-end mobile security integration capabilities
• Cloud Access and Workload Protection
• Mobile Threat Management
• Mobile Identity Management
• Integrated Application Security
• Risk and Event Detection
• Unified Endpoint Management
• Application Vulnerability and Reputation
Accelerate mobile success with new IBM MaaS360 services
• Quick Start Guidance
• Time-to-Value Guidance
• Enterprise Mobility Implementation Services
• Enterprise Mobility Health Check Services
• Mobility Training Workshop
• MaaS360 Mobility and Productivity Workshop
Purpose of the new Regulation
• To create a unified data protection law
Unlike the prior 1995 EU Data Protection Directive, the Regulation does not require any further enabling legislation to be passed by specific country governments. It will be “automatic” law in 28 EU Member States and those countries following EU law voluntarily. It will also simplify the regulatory environment for international business.
• To enhance the level of data protection for EU data subjects
EU data subjects will have more control over their personal data.
• To modernize the law in line with existing and emerging technologies
Helps encourage innovation and the use of big data/analytics.
GDPR will fundamentally change the way organizations must manage their people, policies, processes and technologies.
Key aspects of the GDPR
• The Regulation has been formally adopted and will take effect as of May 2018; it is still a “work in progress”, as formal guidance surrounding implementation of the Regulation has yet to be finalized.
• It has international reach, applying to controllers and processors, both inside and outside the EU, whose processing activities relate to the offering of goods or services to EU data subjects.
• Data Protection Authorities have the power to impose significant fines on organizations for non-compliance with the rules, scalable to €20 million or 4% of the organization’s global annual turnover per incident, whichever is greater.
The majority of companies are not ready for the new requirements of the GDPR and should start to address the necessary steps for compliance NOW.
Enhanced rights for EU data subjects
• Key definition of “Personal Data” now explicitly includes “online identifiers” (e.g. IP addresses, cookies etc.) and “location data”, and new terms such as “biometric data”, “genetic data” and “pseudonymous data” have been introduced
• Higher standards for privacy notices and for obtaining consent – e.g. from implied consent to consent given by “a clear affirmative act”
• Easier access to data by a data subject – expands the set of information to be provided to individuals and removes the right for controllers to charge a fee for access requests
• Enhanced right to request the erasure of data – the circumstances under which data subjects have the right to request that any of their personal data held by controllers and processors be erased have been expanded
• Right to transfer data to another organization (portability) – controllers must enable the transfer of structured and/or raw data to another organisation through a “commonly used electronic format” if requested by the data subject
• Right not to be profiled – the right to object to processing now explicitly includes the right to object to profiling
Enhanced obligations on controllers and processors
• Increased obligations for data processors: e.g. implementation of technical and organizational security measures appropriate to the risks of processing
• Building a Data Protection by Design and Default process enabling the review of the entire lifecycle management of personal data, with particular focus on procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of data
• Controllers will be responsible for carrying out a Data Protection Impact Assessment (DPIA) and a risk analysis of the potential impact any intended processing could have on the rights or freedoms of data subjects
• Implementation by controllers and processors of appropriate technical and organizational security measures appropriate to the risks presented by the processing
• Breach notification requirements in the event of a data incident
• Extended options for the transfer of personal data outside the EEA or to international organizations, including possible prior approval from the supervisory authority
• Appointment of a Data Protection Officer: Public Sector; companies that process sensitive personal data on a large scale; companies that monitor data subjects on a large scale
GDPR Readiness – What you should be doing to prepare
• Understand your obligations – Become familiar with the proposed GDPR requirements and monitor the development of implementation guidance
• Know what data you have and where it is located – Conduct a data inventory and mapping initiative to assist in understanding and evaluating the operational and technological changes required for compliance
• Appoint a Data Protection Officer – Create a structured privacy office and appoint, as required, a data protection officer (DPO) who has expert knowledge on data protection law
• Review all privacy notices – Confirm all privacy notices are presented in clear and plain language, are transparent, and are easily accessible to data subjects
• Review customer consent and choice mechanisms – Ensure that the appropriate consent and choice mechanisms are in place and/or are updated to meet the new consent requirements and to easily facilitate customer choice
• Review processes addressing data subjects’ access, correction and erasure requests
• Review data retention schedules
GDPR Readiness – What you should be doing to prepare (cont’d)
• Review all cross-border transfers of personal data – Confirm that you have a legitimate basis for transferring data to jurisdictions outside the EU that do not have “adequate” data protection regimes
• Implement a Data Protection by Design approach to new systems and services – Create a Data Protection by Design framework to ensure that privacy requirements are embedded, by default and by design, from the very outset of the development of new products, systems and services
• Document your privacy compliance activities – Adequately document all processing operations involving personal data through the use of Data Protection Impact Assessments (DPIAs)
• Implement and document appropriate security measures – Provide technical, physical and administrative security measures “appropriate” to the processing risks
• Create breach response and notification protocols – Implement data breach investigation, containment and response processes and procedures, and be sure to be able to test their effectiveness
• Develop audit capabilities and processes – Establish a robust audit plan and process to monitor ongoing compliance and to mitigate risk
• Train your employees – Ensure your employees are educated, at least annually, on the requirements and their obligations with respect to data protection
Secure appropriate executive support and budgets to support the changes!
GDPR Readiness Assessment
• IBM’s Data Privacy Consulting services can help your organization identify areas of the business which will be impacted by its requirements and obligations under the GDPR.
• Through our customized end-to-end GDPR Readiness Assessment, IBM is able to evaluate your organization’s current practices against the new requirements with a focus on process development, best practices and organizational need. Possible focus areas can include:
  • Consent – How to implement?
  • Controller/Processor – How to audit?
  • Data Mapping – Necessary for Data Portability, Right of Access, Right of Erasure
  • Privacy Impact Assessments – How to complete?
  • Information Security – What is an “appropriate” level of security? How to implement?
• IBM will also provide your organization with a maturity model and gap/remediation plan to assist your organization in developing and implementing its roadmap towards compliance.
• The Readiness Assessment also pairs IBM products and services to the GDPR requirements, enabling a one-stop shop for necessary software and/or services to implement GDPR compliance.
This should not be considered legal advice – it is process advice only. Reach out to the appropriate Legal Counsel for guidance as necessary.
Build a robust, auditable privacy program to manage GDPR compliance and to reduce organizational risk
A brief overview of our services
04/13/2016 SECURITY METHODS COMMUNICATION SERIES 28
IBM Security Strategy, Risk and Compliance Services
Offering Overview
Privacy Program Design helps clients more rapidly create and deploy comprehensive privacy policies, standards, guidelines and operating procedures that are designed to align with best practices and help better manage regulatory compliance requirements.
Objectives
• Protect brand image and reputation
• Gain and maintain customer trust
• Ensure local, national and global regulations are addressed
• Gain competitive advantage in the industry
• Provide a strategic foundation and guidance for other investments in data governance, threat mitigation, data security
Features
• Holistic approach with our Total Privacy Management (TPM) Framework, designed to build a bridge between business lines, Legal, IT, and management structures
• Enabling a more efficient privacy program to help better manage local and global regulatory compliance
• Leveraging of our expertise across security services and products as part of a holistic privacy program
Capabilities
• GDPR Readiness Assessment
• Privacy Risk assessments
• Privacy Impact assessments
• Data Mapping/Data Flow charts
• Gap Remediation plan
• Privacy Strategy
• Privacy standards and guidelines
• Privacy by Design/Internet of Things
• Audit preparedness and support
IBM does not provide legal advice. IBM recommends that your clients consult with the appropriate Legal Counsel as necessary.
IBM Data Privacy Services helps provide sustainable solutions using four key components
The IBM Data Privacy Environment – IBM’s Data Privacy Services draw on:
• IBM’s Total Privacy Management (TPM) Framework – IBM’s TPM Framework helps provide robust Data Security and Privacy for our clients
• IBM’s Privacy Patents – IBM has been working on data privacy issues since 2001 and has been granted numerous Data Privacy related patents
• IBM’s Research – IBM has more than 3,000 scientists and engineers at 12 research labs, in 6 continents
• IBM’s Privacy and Security experience – allows us to implement more holistic solutions for our clients
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU
What about Brexit?
• When Brexit moves forward, UK entities probably will need to comply with the requirements of GDPR
• UK’s Information Commissioner’s Office (ICO) has said it intends to ask the Government to reform UK data protection law in order to achieve equivalent standards to the EU’s
• The ICO has stated that it views the GDPR as a good business practice
• Until that has been completed, the UK will need to gain an “adequacy” ruling from the EU. This is similar to many other countries such as Israel, Switzerland, Canada, Argentina and others
• Bottom line – GDPR will still apply to any entity doing business with the greater EU marketplace
EU-US data transfers
• In an October 2015 European Court of Justice ruling, Safe Harbor, the certification method by which organizations legitimized the transfer of protected data on EU data subjects to the United States, was invalidated. This decision was not related to the GDPR, but is often mentioned in the same discussion.
• Companies must now re-evaluate their cross-border data protection framework with the US and consider transitioning to other mechanisms such as consent, Binding Corporate Rules or EU Model Contracts/Clauses.
• On July 12, 2016, the EU Commission adopted the EU-US Privacy Shield framework. It replaces the invalidated Safe Harbor framework and immediately enters into force. US companies are able to certify with the U.S. Department of Commerce starting August 1, 2016.