Striking a balance with mobile device security
Agencies face a delicate balancing act when it comes to providing mobile security.
On the one hand, IT departments seek to extend endpoint security to a growing population of mobile devices. It's easy to see why: Smartphones can go missing along with agency data, and mobile devices in general can introduce malware to enterprise networks. On the other hand, employees want the ease of use of consumer technology, and agency managers covet the potential productivity boost.
Those impulses, however, can tip the scales in undesirable directions. A too-stringent mobile security policy will discourage smartphone and tablet use, especially in bring-your-own-device programs, and thereby eliminate the productivity benefit. But a policy that goes too light on security could invite trouble in the form of lost data and business disruption.
Federal information security specialists are tackling the dilemma in various ways. For example, in September, the National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NCCoE) published a revised draft of a mobile security guide that addresses the security versus usability challenge.
Bill Fisher, an information security engineer at NCCoE, said mobile security measures can have the unintended consequence of prompting users to evade protective measures rather than comply with them.
"We recognize that a suite of mobile security controls that inhibits an employee's ability to work or goes against their expectations of functionality often encourages users to find a workaround for the control," he said.
Why it matters
NIST's concern is reinforced by recent research from the Ponemon Institute. The company surveyed IT managers, including public-sector technology leaders, and identified employee resistance (56 percent) and the ability to implement and enforce a mobile device policy (40 percent) as the two biggest barriers on the path to an effective mobile security strategy.
Users might not set out to flout mobile security standards but can end up taking liberties for the sake of productivity.
"They just underestimate the potential risk they can bring into the workplace by using insecure devices or not following an acceptable-use policy," said Larry Ponemon, the institute's chairman and founder.
He described employee resistance as a pervasive problem. But it's not only users who chafe at what they view as overly restrictive security controls. Business unit leaders who advocate BYOD policies might feel that setting the bar for security too high could impair workplace efficiency, he added.
Ponemon summarized managers' position as: "We want to have security, but we don't want to do that at the expense of diminishing the productivity of employees."
The institute's mobile security report, commissioned by Raytheon, says productivity wins out in quite a few cases. Slightly more than half of survey respondents said security practices on mobile devices "have been frequently...sacrificed in order to improve employee productivity."
The reduced security comes at a difficult time. In its malware report for the first half of 2014, Alcatel-Lucent's Kindsight Security Labs found that infection levels for mobile devices increased 17 percent in the January-to-June period and estimated that about 15 million mobile devices are infected worldwide.
The task of setting a mobile security policy -- and winning over users -- starts with an exploration of the agency's business.
Tim Ruland, chief information security officer at the Census Bureau, said the agency works closely with the user community to understand mission requirements then moves on to developing a security policy in coordination with its parent agency, the Commerce Department, to make sure the bureau complies with Commerce's policies as much as possible.
When the Census Bureau's mission dictates a departure from those policies, the agency makes sure the differences are documented and the parties agree that they make sense, Ruland said.
Next, the Census Bureau deploys the technical solutions needed to comply with the policies. Because policy and technology flow from the early focus on mission requirements, users are fully aware of the security controls and why they are necessary, Ruland added.
"Our users, so far, seem to understand the real need to balance the mission requirements with security, even with new technology," he said. "The real issue becomes balancing the security needed with the basic functionality of the device."
For a security regimen to click, a mobile device's essential features -- making calls, managing address books and maintaining calendars -- must meet the users' expectations.
"If the controls we implement make it so the device no longer seems to provide the easy use that people expect...we lose the support," Ruland said.
"When you implement something, it can't be so draconian that the users can't use it," said David Shepherd, senior consultant for systems engineering at LMI.
He added that organizations should recognize that users are being encouraged "to pay the freight" when conducting business on their own smartphones and tablets. In BYOD scenarios, agencies are essentially borrowing their employees' mobile gear to get work done beyond the confines of the office.
NIST's NCCoE recognizes the need to keep users on board with mobile security. Its "Mobile Device Security for Enterprises" guide, which it describes as a building block, lists a number of security capabilities that promote usability. They include making remediation procedures, the establishment of protected connections and authentication methods as unobtrusive as possible.
An unobtrusive remediation procedure, for instance, would let an organization perform remediation in the event of a security incident "with little to no loss of personal functionality on the device," the document states.
A protected connection feature would give users the ability to quickly and easily establish a secure link between their devices and enterprise resources. And unobtrusive authentication methods have two characteristics: Authentication to applications and services is accomplished in the background with no need for user interaction, and complex password requirements are not necessary to unlock a device.
"Within our document, we enumerated functional characteristics that are intended to promote secure behavior while minimizing the impact on a user's daily workflow," said Joshua Franklin, an IT security specialist at NIST who has been working on the mobile device security building block.
The building block is designed to apply to any public- or private-sector entity seeking guidance on securing mobile devices, but officials also plan to offer a flexible design that can suit different types of organizations and users. Fisher said that's because NIST recognizes that user expectations vary from organization to organization.
"Users operating a mobile device within a classified environment understand that security takes precedence, and the expectations for functionality are tempered," he said. "However, users working for a small tech startup with a BYOD policy will likely want to leverage mobile devices for a wide range of functionality."
Accordingly, NCCoE's mobile security effort will attempt to create a reference design that lets organizations "dial security and functionality up or down based upon the expectations of their user base and the risk tolerance of the organization," Franklin said.
Even with security methods that promote usability, agencies still need to convince users of their role in keeping devices and enterprise data safe.
Paul Christman, vice president of the public sector at Dell Software, said users ultimately have the biggest responsibility for making security happen, and they should meet IT managers halfway when it comes to instituting user-friendly security measures.
"We have to make it easier, but the user has to accept their part of the bargain," Christman said. "We have to have users participate. There is just no way around it."
Another obstacle is devising a security policy and supporting technologies that are sufficiently innovative to thwart increasingly sophisticated attackers. Ponemon said it isn't enough to develop a security strategy that adheres to a particular framework or set of guidelines. He noted that Target was compliant with the Payment Card Industry security standards at the time of its massive 2013 data breach.
He said following a guideline to the letter will "get you pretty high up on the food chain" for a security grade in the B to C range, but getting to the A level of security requires a "secret sauce." He added that cyber criminals read the security frameworks and guidelines, too, and therefore have a good idea of what they are up against. He said some organizations are investing in "security intelligence" technology (see "Next steps") to provide an additional layer of protection.
Finally, the pace of mobile technology development presents challenges. The landscape is constantly shifting in response to new devices, operating system upgrades and the ever-growing population of apps.
"The thing to remember is that mobile technology is evolving quickly, and we have to have the ability to remain agile enough to take advantage of those changes where they make sense and control them efficiently where they do not," Ruland said.
John Moore is a freelance writer based in Syracuse, N.Y.