Mobile security requires an action plan

Security is one of the biggest management challenges that agencies face with mobile wireless devices. Chief among managers’ worries are the risks associated with employees using their own smart phones and personal digital assistants for official work.

“If you don’t own the device, you can’t secure it,” said Michael King, a research director at Gartner.

By provisioning devices for employees rather than allowing them to connect to agency networks using personal gear, managers can ensure that the right security software is running on each device and that hardware is up-to-date with software patches and other upgrades, said Ira Winkler, author of “Zen and the Art of Information Security,” a book that examines digital security threats. 

Organizations that provision wireless devices also have better control of sensitive information if an employee leaves the agency, said Doug Landoll, general manager of En Pointe Technologies, a systems integrator. “If it’s my PDA, and I leave the organization, how do you know that I’ve deleted the data?”

Retaining the phone number is also important. “When someone has been representing your agency, that number is a kind of advertising,” Landoll said.

He recommends that agencies include representatives from organizations outside the information technology department when writing wireless management policies.

“There are questions for the legal department, and having the device returned when someone is terminated is a [human resources] issue,” Landoll said. “When you’re writing policies, you need to integrate all those various departments.”

Security policies should clearly spell out who receives reports of lost or stolen devices. Policies should also include procedures for decommissioning a missing unit to prevent someone from downloading or sending sensitive information, Landoll said.

The Commerce Department uses a combination of strong passwords and encryption to keep unauthorized users from accessing data and wireless services.

“If someone gets access to my [e-mail account], he can send messages as though they came from me,” said John McManus, Commerce’s deputy chief information officer and chief technology officer. “Things like phishing become easy to do when you’ve got access to a legitimate user’s account.”

Commerce uses the standard security tools for the Research in Motion BlackBerry to protect devices and scramble data when it’s traveling through the wireless network, McManus said.

Platform security
The BlackBerry platform gets high marks from technology analysts for its security capabilities. Its closed-loop architecture connects agency e-mail servers to a BlackBerry Enterprise Server, which communicates via a secure channel to a network operations center and to BlackBerry devices.

“It’s one of the few wireless end-to-end systems that the [Defense Department] has said is okay,” King said. “But because it’s a closed loop, it’s hard to expand that functionality beyond just e-mail. What you gain in security and manageability you sacrifice in flexibility and extensibility.”

Platforms based on the Microsoft, Palm or Symbian mobile operating systems are easier to customize, King said, but they require more upfront work and third-party security tools, such as Sybase’s Afaria mobile security suite and encryption software from Bluefire Security Technologies, Certicom and VeriSign.

“I’m not suggesting that you can’t secure mobile devices on those platforms. I’m just saying security is not as built-in as on the BlackBerry side,” he said.

Standard configurations
To ensure that mobile wireless devices are secure, agencies also must take steps to securely configure the devices. Commerce technicians disable any default features on mobile devices that employees don’t require to do their jobs. That includes a sync feature that allows devices using Bluetooth technology to discover other compatible wireless hardware in the area.

“The default configuration would allow someone to come into the room with a Bluetooth device that says, ‘Tell me all the other Bluetooth devices in here.’ And your device would actually say, ‘Hi, I’m here, and here’s my status,’” McManus said. “You can also turn off things like file transfer, because you don’t usually expect people to be doing a file transfer from their BlackBerry to another BlackBerry. If I’m a consumer, I may not care if anybody can use the Bluetooth capabilities. But if I’m a senior executive in the federal government, [that’s] a whole new threat.”

Agencies also need to control the amount and type of data their employees download onto their wireless hardware. “They are going to put more data that you would never think of on the devices,” Winkler said, “which means there’s going to be more data than you ever thought possible at risk.”

Joch is a business and technology writer based in New England. He can be reached at ajoch@worldpath.com.


A new meaning for ‘bugged phone’

Agency information technology managers who follow security trends are on the alert for viruses that attack mobile wireless devices such as cell phones and personal digital assistants. So far, the threat of wireless malware has overshadowed actual incidents, but the number of attacks most likely will increase, managers and consultants say.

“Viruses are a concern especially for the public sector, which is often one of the first targets,” said Doug Landoll, general manager of En Pointe Technologies, a systems integrator. “To make sure that you are not susceptible means keeping up with technology and making sure that your employees are educated. People should remain suspicious of e-mail from people they don’t know and suspicious of Web links that could be phishing and pharming attacks.”

— Alan Joch

About the Author

Alan Joch is a freelance writer based in New Hampshire.
