Overcome your mobile insecurity

Securing tablet PCs and smart phones calls for a mix of planning, policy and technology.

It was laptop PCs and BlackBerrys first, but now an expanded range of mobile technologies is poised to flood the government workplace.

The mass adoption of tablet PCs, along with Apple and Android smart phones, appears inevitable. Agencies are buying such devices to outfit an increasingly mobile workforce. The Veterans Affairs Department, for example, recently amended its Commodity Enterprise Contract to include tablet PCs.

But there’s also a bottom-up push from employees who want to use their personal devices at work. The so-called consumerization of IT — and the recognition that the bring-your-own-device approach can save procurement dollars — will likely add to the influx of devices.

“The younger workers who come in are more used to just dealing with one device. No one wants to carry four different devices,” said Patrick Howard, chief information security officer at the Nuclear Regulatory Commission. “Potentially, government can save some money by allowing people to use their own devices, as long as they can be appropriately secured.”

That, of course, is the big catch. There are numerous ways mobile devices can cause security trouble. Users run the risk of downloading malicious applications — or legitimate apps with security flaws — from online stores. Devices can also easily be lost or stolen, along with the data on them.

IT managers find themselves having to do a balancing act: They must support mobile technology for the flexibility it gives users while mitigating the risk of data loss and malware infestation. To that end, agencies have begun devising security strategies as an essential underpinning for allowing mobile devices in the enterprise.

Agency officials and security experts point to several must-have elements for any strategy to secure such devices.

1. Evaluate risk

Organizations need to know what they’re up against before they devise a security strategy. A key question to ask early on is: How do users intend to deploy mobile technology?

A basic first step is to understand the use cases for mobile devices in different lines of business, said Adeeb Parkar, information security analyst at the Census Bureau.

An agency might find that some uses are not appropriate for mobile technology — for example, accessing financial information.

Exploring various use cases helps an organization understand its tolerance for risk. Along those lines, agencies might opt to undergo a formal risk assessment. Jeremy Allen, a principal consultant at Intrepidus Group, a security consulting firm, said enterprises might start with a traditional, wide-ranging risk assessment — especially if they haven’t performed one in the past — and then narrow the scope to mobile technology. The assessment should identify high-risk areas, security gaps and how far an agency is willing to trust mobile technology.

“This helps us figure out where our risk threshold is and what data goes on devices and what doesn’t go on them,” Allen said.

Another approach is for agencies to classify their data according to its need for security and then pursue steps to protect it based on those classification levels, said Steve Vinsik, vice president of global security solutions at Unisys.

2. Assess the available technology

The latest crop of mobile devices is proving trickier to secure than laptop PCs. Allen cited severe market fragmentation as a complicating factor.

“On a laptop, you are almost certainly dealing with one of the few common” operating systems, he said. “It’s almost always going to be some variant of Windows or a pre-approved version of an OS at some pre-approved configuration. It’s very predictable.”

That’s not the case with mobile technology, where agencies must account for the idiosyncrasies of Apple’s iOS, Google’s Android, the BlackBerry OS and others.

“With mobile devices, we can have multiple-hour conversations about each platform,” Allen said.

“We really need to understand, with each device, what capabilities the device can provide in terms of user and security administration,” Parkar said. “Those types of capabilities need to be analyzed thoroughly and matched against whatever business operation could potentially use them.”

3. Establish policies and procedures

An understanding of use cases, risk tolerance and technology serves to inform an organization’s security guidelines.

“Before you can really start to deploy the consumerized devices into your environment, you have to have...policies and procedures in place,” Vinsik said. “If you don’t, you are just opening up more security holes into your organization.”

A couple of policy documents will likely come into play. A policy governing technical security controls would spell out the measures required to protect mobile devices and data. An acceptable-use policy, meanwhile, would outline the user’s responsibilities and include details such as requirements for password strength.

The General Services Administration is testing an approach that allows participants to use personal devices at work as long as they consent to the agency’s terms of service, said Casey Coleman, GSA’s CIO. That agreement includes a provision requiring that devices run GSA’s mobile security software.

A policy’s specifics would depend on context. “A smart phone that is used only for reading daily multimedia briefings may require different security controls than one accessing classified networks,” said Tom Karygiannis, a computer scientist at the National Institute of Standards and Technology’s Computer Security Division.

4. Encrypt and containerize

Device-level encryption is the foundation of mobile security. Encrypting the data on a device's internal storage and any removable media is the key protection if the device is lost or stolen. Most mobile platforms offer some level of encryption built in, though agencies still need to confirm that it is actually enabled and what data it covers.

The pivotal question in the federal setting is whether a device's encryption complies with NIST's Federal Information Processing Standard 140-2, the standard under which cryptographic modules are validated. A validation applies to a specific module version and configuration, so an operating system update can move a device out of its validated state until the new module is validated in turn. BlackBerry's cryptographic kernel for its PlayBook tablet has met the FIPS 140-2 standard, as has the module for BlackBerry smart phones. Apple's iOS was under NIST review at press time.

William Keely, director of the Defense Information Systems Agency’s Field Security Operations Division, said the Defense Department’s baseline requirements call for mobile devices to use an encryption algorithm validated under FIPS 140-2 when storing and transmitting data.

In addition, DOD requires implementation of Secure/Multipurpose Internet Mail Extensions for e-mail services to enable digital signatures and encryption of messages, Keely said.

Containerization, meanwhile, offers a measure of security by segmenting a mobile device into enterprise and employee components. The idea is to limit a device's function when it is connected to the enterprise, Vinsik said. The work side of a mobile phone, for example, could be restricted to e-mail and Web access.

Parkar said containerization also lets an organization isolate a particular business function in an encrypted zone with its own keys, protecting that data independently of device-level encryption.

5. Enable local or remote data purges

The ability to purge data from a lost or stolen device is another mobile security must-have.

In the local approach, a wayward device erases its data after a set number of failed password attempts, said Keith Royster, a senior consultant at SystemExperts, a security consulting firm. In a remote wipe, a systems administrator initiates the wipe via Wi-Fi or cellular network when a user reports the loss or theft of a device, he added.

Parkar said remote wipe provides “added assurance that your data isn’t out there.”

Such data-erasing features might be coupled with online backups so a user's data could be restored to a replacement device. A remote wipe reaches a device only while it is still on a network, which is why the local trigger serves as the backstop when a thief disables the radio or removes the SIM.
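The two purge mechanisms described above, local and remote, as an added example in Python; this is not code from any agency or vendor named in the article. The device model, the ten-attempt limit, the "wipe:<sequence>" command format and the shared MDM key are assumptions for illustration. Two details matter beyond what the text says: the failed-attempt counter is committed before the passcode is compared, so that cutting power during a check cannot be used to guess without being counted, and the remote command carries an authentication tag and a sequence number so a captured wipe command cannot be replayed.

```python
"""Local and remote data purge for a managed mobile device.

Added example for this article, not code from any agency or vendor named in
it. The device model, the 10-attempt limit, the 'wipe:<sequence>' command
format and the MDM shared key are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

MAX_FAILED_ATTEMPTS = 10          # assumed policy value
PBKDF2_ITERATIONS = 100_000


class ManagedDevice:
    """Simulates the passcode and wipe logic an MDM policy would enforce."""

    def __init__(self, passcode: str, mdm_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.passcode_hash = self._derive(passcode)
        self.mdm_key = mdm_key
        self.failed_attempts = 0      # the value that would live in flash
        self.last_wipe_seq = 0        # highest remote command seen so far
        self.user_data = {"mail": "quarterly figures", "notes": "..."}  # constructed
        self.wiped = False
        self.audit = []

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt,
                                   PBKDF2_ITERATIONS)

    def unlock(self, attempt: str) -> str:
        """Local approach: count the attempt *before* verifying it.

        If the counter were incremented only after a failed comparison, an
        attacker could cut power during the check and try guesses without
        them ever being counted against the limit."""
        if self.wiped:
            return "wiped"
        self.failed_attempts += 1          # committed before the comparison
        if hmac.compare_digest(self._derive(attempt), self.passcode_hash):
            self.failed_attempts = 0
            return "unlocked"
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._wipe("local: failed-attempt limit reached")
            return "wiped"
        remaining = MAX_FAILED_ATTEMPTS - self.failed_attempts
        return f"denied: {remaining} attempt(s) remaining"

    def remote_wipe(self, command: bytes, tag: bytes) -> bool:
        """Remote approach: an administrator-issued command received over
        Wi-Fi or cellular, authenticated with an HMAC under the MDM key and
        protected against replay by a strictly increasing sequence number."""
        expected = hmac.new(self.mdm_key, command, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            self.audit.append("remote wipe rejected: bad MAC")
            return False
        try:
            verb, seq_text = command.decode().split(":")
            seq = int(seq_text)
        except ValueError:
            self.audit.append("remote wipe rejected: malformed command")
            return False
        if verb != "wipe" or seq <= self.last_wipe_seq:
            self.audit.append("remote wipe rejected: replay or wrong verb")
            return False
        self.last_wipe_seq = seq
        self._wipe(f"remote: sequence {seq}")
        return True

    def _wipe(self, reason: str) -> None:
        # On a real device this destroys the storage encryption key, which
        # renders the ciphertext unrecoverable far faster than overwriting.
        self.user_data.clear()
        self.passcode_hash = b""
        self.wiped = True
        self.audit.append(reason)


def sign_wipe_command(mdm_key: bytes, seq: int) -> Tuple[bytes, bytes]:
    """What the MDM server sends: the command and its authentication tag."""
    command = f"wipe:{seq}".encode()
    return command, hmac.new(mdm_key, command, "sha256").digest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    phone = ManagedDevice("2468", key)
    for guess in ["0000", "1234", "1111"]:
        print(guess, "->", phone.unlock(guess))
    print("2468 ->", phone.unlock("2468"))
    cmd, tag = sign_wipe_command(key, seq=1)
    print("remote wipe:", phone.remote_wipe(cmd, tag), phone.user_data)
    print("replay of same command:", phone.remote_wipe(cmd, tag))
```

The wipe itself is modelled as clearing the data dictionary; on hardware with storage encryption the equivalent step is destroying the key that protects the storage, which is why an encrypted device can be "wiped" in milliseconds.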

6. Set guidelines for authenticating users

Whether authenticating to a desktop or a mobile device, the same rules apply: Organizations must set requirements for minimum password length and complexity.

Application-specific security requirements might call for more than user name and password, however. Vinsik said a challenge/response feature could provide an additional layer of security. A face or voice biometric might also be required for access to certain types of information, but it involves hardware integration that is just now emerging.

“We see vendors coming out with those types of [biometric] solutions today, and that will really ramp up over the next year or two,” Vinsik said.

7. Evaluate security solutions

Fielding a mobile security solution will likely involve evaluating features native to devices, third-party products and perhaps infrastructure elements already in place.

NRC is in the process of reviewing vendor solutions, Howard said. Officials are also considering adapting the agency’s BlackBerry infrastructure to securely meet the business needs of other mobile devices such as tablet PCs.

The security choices available to agencies include mobile device management solutions. Vinsik said vendors are embracing security features as part of their MDM offerings. Products from Good Technology and Sybase, for example, include remote wipe, encryption and security policy enforcement.

“There are a lot of solutions out there now,” Howard said. “You need to be able to intelligently review those against your requirements and find the best one that fits your needs.”

Mobile security guidance is thin

Agencies working on security strategies for mobile devices don’t have much to go on.

Federal guidance specific to mobile security is limited. But teams are distilling mobile approaches from broader security frameworks. Starting points include the National Institute of Standards and Technology's Special Publication 800-53, which catalogs the security controls for federal information systems.

“Those are broad requirements and need to be tailored and interpreted within the context of mobile architecture,” said Paul Nguyen, vice president of cyber solutions at Knowledge Consulting Group, which provides security assessment, compliance and other services to government agencies.

In addition, NIST’s SP 800-124 offers guidelines on security for mobile phones and personal digital assistants. Nguyen said some of the language in that document could be tailored to meet the needs of mobile application developers.

Additional guidance is on the way. NIST plans to publish updated guidelines on mobile phone security in fiscal 2012, said Tom Karygiannis, a computer scientist at NIST’s Computer Security Division.

Agencies, meanwhile, are talking to one another to get a better handle on mobile security. Patrick Howard, chief information security officer at the Nuclear Regulatory Commission, said mobile security concerns have compelled agency managers to compare notes on their approaches.

“CISOs are talking frequently on this issue — much more frequently than on any other topic, I’d say,” he added.
