What’s next for mobile security?

Mobile security starts with defining good policies and education, but implementing the right software, encryption, hardware and services is just as important.

Whenever government officials talk about mobility, sooner or later, their talk will turn to security.

That was the case when the Obama administration began an across-the-board push to make mobile technology ubiquitous in the federal government. The push began in January 2012, when federal CIO Steve VanRoekel took the stage at the Consumer Electronics Show in Las Vegas to announce the federal government’s six-pronged mobile strategy.

In discussing the strategy, VanRoekel emphasized the importance of addressing security concerns, perhaps by building on the FedRAMP model that is being used to ensure the security of cloud-based systems.

The Digital Government Strategy, announced in May 2012 by the Office of Management and Budget, offers a similar formulation, first identifying mobility as a key technology for federal agencies, then reiterating the need to address security concerns.

In fact, security is the number one issue for many agencies that are looking to implement mobile, and bring-your-own-device specifically, says Alex Rossino, principal research analyst at Deltek. “There are risk considerations,” he says. “It comes down to having the right pieces to make sure you can manage data security and access.”

Blocking and tackling
There’s good reason for widespread concern. According to a J. Gold Associates research study conducted earlier this year in the private sector, 42 percent of enterprise CIOs interviewed thought their organizations never had a mobile security breach; 22 percent of respondents said they didn’t know if their organizations were breached.

Meanwhile, about a third of mobile phone users have reported losing their device, according to a September 2012 Pew Internet Project study, while the Cloud Security Alliance Mobile Working Group in October 2012 reported data loss from “lost, stolen, or decommissioned devices” was the top concern cited by CIOs.

The takeaway: CIOs don’t really know how many devices have been lost or what effect those losses have on their organizations. Add in threats from insecure apps and unsecured transmissions and you see why agencies may face an uphill battle.

That said, agencies are coming around to implementing solutions to plug potential security holes, says Rossino. One such solution is mobile device management. MDM, which lets the IT department track and manage mobile devices centrally, also provides a way to enforce numerous mobile security policies.

“MDM contracts seem to be the way people are going,” Rossino says.

That is the case at the Defense Department. In June, the Defense Information Systems Agency awarded a $16 million contract for MDM and mobile application store solutions. To facilitate similar efforts on the civilian side, the General Services Administration has launched the Managed Mobility Program, which identifies potential sources that could help agencies meet a basic set of MDM and mobile application management requirements.

The problem right now, Rossino says, is that many of the commercially available MDM solutions – and there are hundreds on the market – are not compatible with agency security protocols. Still, some agencies like the National Nuclear Security Administration (NNSA) have been using MDM to control user access to data and apps based on user rights and roles.

Agencies are also requiring mobile content to be encrypted in flight, an issue when using a mobile device on a public or unsecured Wi-Fi hotspot. The federal mobility strategy calls for agencies to focus on managing data – both in terms of access and security – rather than just managing the infrastructure.

Another approach is managing the ability of users to develop and download apps. For instance, the Homeland Security Department is piloting a tool to review mobile applications before releasing them to employees and other users. That tool was scheduled to be made available to other agencies as of October, according to Keith Trippie, executive director of the enterprise system development office at DHS.

Meanwhile, the National Institute of Standards and Technology (NIST) continues to do its part to help agencies address their mobile security concerns. In June, NIST released revised guidelines for managing the security of mobile devices.

All of this is good news for agencies looking to roll out mobility initiatives, but there is more work to be done to build these various technology solutions into a sound security strategy. In the end, it will be a multi-pronged approach to security and governance that will help agencies find success in the mobile world, says Rossino.

“Even more than the cloud, mobile revolves around security data and secure access to the network,” he says. “Strategy is the most important thing they can do but it’s also the hardest thing to manage.”