STEPS FORWARD: How the Middle East led the U.S. to adopt ‘CMMC’ cybersecurity regs

By Byron V. Acohido

We’ve come to rely on our smartphones to live out our digital lives, both professionally and personally.

When it comes to securing mobile computing devices, the big challenge businesses have long grappled with is how to protect company assets while at the same time respecting an individual’s privacy.

Reacting to the BYOD craze, mobile security frameworks have veered from one partially effective approach to the next over the past decade. However, I recently learned about how federal regulators in several nations are rallying around a reinvigorated approach to mobile security: containerization. Containerizing data is a methodology that could anchor mobile security, in a very robust way, for the long haul.

Interestingly, leadership for this push came from federal regulators in, of all places, the Middle East.  In May 2017, the Saudi Arabian Monetary Authority (SAMA) implemented its Cyber Security Framework mandating prescriptive measures, including a requirement to containerize data in all computing formats. A few months later the United Arab Emirates stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Earlier this year, US regulators essentially followed the Middle East’s lead by rolling out sweeping new rules — referred to as Cybersecurity Maturity Model Certification (CMMC)  — which require use of data containerization along much the same lines as Saudi Arabia and the UAE mandated some three years ago. The implementation of CMMC represents a big change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary.

I learned about these pivotal developments in a meeting at RSA 2020 with Jonas Gyllensvaan and Brian Egenrieder, Chief Executive Officer and Chief Revenue Officer, respectively, of mobile security vendor SyncDog. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Middle East motivation

Somewhat quietly since about 2012 or so, nation states of the Middle East, led by Saudi Arabia and the UAE, commenced a quiet surge to the forefront of implementing comprehensive cybersecurity regulations. It took a wake up call: wave after wave of deep, egregious breaches of their industrial infrastructure, especially oil refineries and power plants.

The Shamoon “wiper” virus, for instance,  devastated Saudi oil company Aramaco, destroying the hard drives of more than 30,000 Aramaco computers and forcing a weeklong shutdown of the company’s internal network. That was enough of an impetus for the Saudis to seriously ramp up the work of its National Cyber Security Center, as well as SAMA, while the UAE launched NESA and kicked it into high gear.

This fast-tracking of Middle East cybersecurity regulations unfolded as the European Union was putting the finishing touches on its tough new data privacy and data handling rules, with enforcement teeth, set forth in its General Data Protection Regulation (GPDR,) which took effect in May 2018. One consensus tenant that emerged from this whirlwind of rule-making in the ME and EU was the requirement to “containerize” business data, that is keep data encrypted at all times, including when accessed by and stored on mobile devices.


“It’s a way to isolate corporate data from the device itself, so that even if the device gets hacked or becomes corrupt, the corporate data is still highly protected,” Gyllensvaan says. “So the hacker might be able to see pictures of the victim’s pets or kids, but he’s not going to get into the corporate data.”

BYOD tensions

Some historical context is needed here. BYOD threw a monkey wrench into IT operations starting in 2010 or so. That’s when people first rushed out to acquire the latest smartphone model and didn’t think through the implications of using their favorite devices for personal as well as workplace tasks.

Companies reacted by attempting to insist on the use of company-issued devices and turning to intrusive MDM (mobile device management) profiles to handle the inventorying and provisioning of these new endpoints as well as offering oversight into the usage of personal devices. Furthermore, blunt policies got implemented that authorized the wiping of personal and company data from company-controlled devices.

From that foundation, security approaches along much the same lines followed: EMM (enterprise mobility management,) MAM (mobile application management) and UEM (unified endpoint management.) And yet because corporate processes move so slowly – and digital advances unfold so rapidly — BYOD tensions never have been fully ameliorated. And the accompanying security vulnerabilities remain in play.

Egenrieder points out shortcomings in MAM solutions, for instance. “A MAM type of solution puts a secure wrapper around individual applications. That means you’re logging into one app, then logging out, then logging into the next one,” he says. “A big issue is that you’re unable to securely share data from one app to the other one, copy/paste and similar activity are completely exposed.”

Benefits of containerization

By contrast, the new data containerization rules embody a more fundamental security approach, particularly with respect to mobile devices – one that happens to align with general best security practices painstakingly vetted by both public and private standard-setting bodies, globally, over the past two decades.

In principle, the new regulations coming out of the ME, EU and US should foster data encryption best practices on mobile devices in a way that lends itself to respecting individual privacy, Egenrieder told me.

“All over the world, regulators are now requiring companies to ensure that data that is supposed to be safe, is truly safe, and not just get away with  putting a password on the phone and saying, ‘OK it’s safe,” Egenrieder observes. “You now actually have to prove the data is encrypted, both at rest and in transit. And in the same breath you should also be able to separate that person’s personal credentials from the data itself.”

Egenrieder and Gyllensvaan believe containerization supports the way personal and company data should be kept separate and isolated – in a way that acknowledges how users bounce from one mobile device to another, whether personally owned or company supplied, while respecting users’ privacy when it makes good sense to do so. SyncDog, it should be noted, supplies such mobile device containerization technology.


“We’re just going to have to accept the fact that there is so much capability on these smart devices that people are always going to be doing a combination of things on them,” Egenrieder says. “This is driving us toward an environment of isolating the personal side of things from the corporate side of things, in a way that allows the corporation to ultimately protect their data.”

Consider that it has become a common practice for companies to reserve the right to remotely wipe an employee’s phone clean of both personal and work data, in the event it gets stolen or misplaced. As data containerization, as now mandated in the ME, EU and US, inevitably gains wider traction, that kind of onerous policy will no longer be necessary. At long last, BYOD will become a non-issue. It’s coming. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone