Compliance is following the terms of an agreement, whether they be contractual, legislative, or regulatory. VMI can become an integral part of compliance for companies for security, privacy, and data compliance management purposes. This can be applied to in-house employees who work remotely, to full-time remote workers, and for transmitting knowledge to other locations, such as out-of-state facilities. The term “compliance” is often used in conjunction with security of data, whether that be protecting data from destruction by malicious code or preventing its theft. VMI can help in both of these regards.
Let’s look at how VMI fulfills compliance requirements for privacy and confidentiality, which closely ties in with legal obligations and security. Then we can look at how VMI centralizes and streamlines data compliance management across devices, even at large organizations.
Privacy and Confidentiality
As we move into the Information Age, data is becoming ever more valuable. This is especially true for personal data and corporate secrets, where value makes them prime targets of computer crimes and theft.
For personal data, laws like HIPAA for health data and, more recently, GDPR and CCPA (California Consumer Privacy Act) have been passed. Depending on the type of data and the jurisdiction, moving data around can be risky, even if the movement is only to an in-house employee who is currently working remotely. The usual security risks, like lost or compromised devices, can be mitigated if VMI is used to share the data.
These risks are mitigated in two ways with VMI: through non-transmission of the data itself and through barriers erected via containerization. Because image data, not the protected data itself, is transmitted over the wire, whoever holds a stolen or compromised device cannot simply lift the confidential file from it and capture all the confidential data at once. Only snippets can be captured and leaked.
On the other hand, if a device is compromised with malicious code attempting to break into the central data repository, the corporate-side container associated with the compromised device can be shut down before any write operations are committed to the repository, pre-empting any harmful effects. This prevents data corruption and the injection of code that might instruct the database to transmit data to a server outside the company's control. Moreover, images of data essential to any specific employee can be copied to the container before working with it, siloing only that data and keeping the rest of the company’s data warehouses protected from the compromised device.
Security & Data Compliance
Complying with internally mandated or contractual security requirements should be a top concern for every company, as security breaches can be disastrous for customers and companies alike. Some contracts, such as military and Department of Defense contracts, often contain language stipulating more data protection than is required in civilian ventures. Other contracts, such as R&D contracts between companies or between companies and employees, might also have extra language demanding higher levels of data protection.
Again, VMI offers higher security standards through its image-only transmission and containerization. Not actually moving the data, but images thereof, may be sufficient for some contractual obligations. Of course, one should always obtain written agreement with the other party, since VMI is a relatively new approach to data handling and some organizations may be less-than-accepting.
A good example of data handling across distances could occur between R&D labs. A researcher visiting another lab may need to reference some data entries in their home lab for some reason, but the labs are not connected to public networks for security. The visiting researcher can still use a mobile device, with the security benefits of VMI, to reference information in the home lab without exposing the entire dataset to an attacker on their device.
Naturally, VMI cannot stand in for any air-gap requirement, since the technology necessarily relies on networks and the public internet – unless one is working on a private internet. At that level of security, though, in-house software may be preferred anyway.
Management Made Easier
Because VMI centralizes data management and brings the virtual machines (containers) server-side, data management becomes significantly easier. A security team, either human or automated, can monitor activity and immediately shut down access to the main data repository if suspicious activity is detected. This prevents leakage of data and makes audit reporting simpler.
Furthermore, security-critical changes can easily be rolled out: every accessing device must necessarily be connected to the central network and accept commands from the central system to retrieve any information at all. Every accessing device makes the request to its associated container, and any active containers can either accept changes or be restarted and accept changes upon spin up. For devices requesting access after the security change, a new container can be started, and all new containers will already have the changes incorporated. No accessing device can continue to run old, security-problematic versions, because all accessing machines are actually represented by virtual machines on internal corporate servers.
This immediate roll-out ability contrasts with other mobile work schemes, like company-issued second devices or MDM, as in these schemes the accessing software lives on the employee’s local device, potentially unreachable by the central security team until the employee device connects to the network. This not-always-connected issue may allow old, vulnerable software to access the network and potentially permit an attack. Furthermore, if an update requires a lot of time or IT personnel assistance to implement, remote workers may not be able to access necessary data when and where they need it, instead struggling to update their devices while clients or coworkers wait. Because VMI is, at its core, simply remote image viewing, there is no need to update anything on the local device.
VMI’s structure allows this compliance management to scale well to any size organization. Whether there are 5 remote workers or 5,000, there is no need to worry about backwards compatibility with old devices or if a device has been offline for three months. As soon as any device that is capable of running the VMI software talks to the network, the backend system will be current to security standards. Thus, managers need not worry about updating remote devices for compliance.
VMI can be a powerful tool for meeting compliance requirements that arise from security, privacy, contractual, and legal obligations. It makes security easier, which usually makes data compliance (with security measures) easier as well, and it centralizes management so all devices are compliant with any policy updates instantly.