Dismantling the barriers to increased use of mobile devices

Security is just one obstacle to more widespread adoption of mobile devices throughout government.

Although it is clear that mobility is the key to productivity, employee satisfaction and potential cost savings in government, several challenges have slowed adoption as agencies devote increasingly more attention and funds to resolve the issues. Cost, lack of clarity about regulatory compliance and IT integration issues are serious concerns for the vast majority of the 243 respondents to the recent survey by the 1105 Government Information Group. But security risks overshadow all the others.

Six out of 10 respondents were “very concerned” about security risks related to employee use of mobile and wireless technologies, while 32 percent categorized themselves as “somewhat concerned.” As Figure 1 shows, security risks are the highest barrier to more widespread adoption of mobile and wireless by government, by a large margin (see Figure 1).

Figure 1

Although two-thirds of the survey respondents say they’ve installed mobile device security solutions, they remained extremely concerned about the extent of their protection. In fact, more than a third say they either need to upgrade or will upgrade their security solutions.

The main security concerns cited were robust identity authentication and credential management, potential data loss and leakage, viruses and malware introduced via mobile devices, secure and timely identity provisioning, and the need for more widespread use of data encryption.

“All of these issues have one thing in common: You don’t want people to have access to information that they shouldn’t have access to,” says Josh Sawislak, a senior fellow at the Telework Exchange, a public/private partnership focusing on the federal telework and mobile community. “At the same time, users have to be able to get to the data they need, and without that, these systems are useless. It’s a tough balancing act.”

Balancing act

However, that balancing act is eminently doable, says Chris Smith, U.S. federal chief technology and innovation officer at Accenture Federal Services and formerly CIO at the U.S. Department of Agriculture.

“Security has to be built into how you architect and execute a solution,” Smith says. “Start with a mobile device management approach, and then architect your applications so they are secure sitting on top of that, and then make sure that they are secure when traversing the network.”

Mobile device management begins with implementing policies and procedures to ensure that sensitive data never actually resides on a mobile device. To help agencies, the National Institute of Standards and Technology offers a series of guidelines to help agency managers manage mobile devices. With a mobile device management policy in place and mobile device management tools being properly used, if the device is ever compromised, the data won’t be compromised as well.

“The ideal situation is where credentialed users can access the information they need on mobile devices but not store the data on those devices,” Smith explains. “But if for some reason some information has to be stored on the device, make sure the encryption on the device is sufficient.”

NIST guidelines for securing mobile devices

• Develop system threat models for mobile devices and the resources accessed through them.
• Evaluate the pros and cons of each provided security service, determine which services are needed, and then design and acquire the solutions that provide those services.
• Have a mobile device security policy.
• Implement and test a prototype of your mobile device solution before putting it into production.
• Fully secure each agency-issued mobile device before allowing users to access it.
• Regularly maintain mobile device security.

Source: Guidelines for Managing and Securing Mobile Devices in the Enterprise, NIST, July 2012

No matter what else you do, be thoughtful about what information and applications can be accessed via mobile device.

“Don’t just grab your most highly complex compute problem with a lot of personally identifiable information on it and put it in a mobile app without thinking through your mobile device management strategy, how you are monitoring things on an ongoing basis and controlling those policies,” Smith notes.

According to the survey, half of the agency decision-makers say their employees fail to follow proper data backup and security procedures for their mobile devices. Although this problem might be even more acute at state and local government offices, it appears that fewer than 20 percent of respondents don’t worry about employee compliance (see Figure 2).

Figure 2

There is a simple fix to that, experts say: mobile device management. This type of off-the-shelf solution addresses just this kind of problem by automating the procedure.

Other barriers
Other concerns cited by study participants include budget and resource constraints, including a lack of confidence that agencies have the resources to manage wireless initiatives; confusion about how mobile/wireless implementations will comply with government regulations; and difficulty in integrating mobile/wireless solutions. As Figure 1 above shows, roughly half of respondents indicated some level of concern about more than 14 different types of concerns.

Those concerns make a great deal of sense, says Sawislak; he says the two biggest barriers to the increased adoption of mobile computing in government are culture and policy.

“It’s not as much of a technology issue; the technology is there,” Sawislak says. “It’s about updating the [Federal Information Security Management Act] rules to reflect mobile and cloud computing, privacy controls, application security and other cybersecurity issues. These changes are critical to truly enabling a mobile workforce.” Industry experts say these changes are due sometime in 2012.

Another troubling barrier is, ironically, the surging popularity of mobile devices. About one-third of survey respondents aren’t certain that they can effectively manage the explosion of interest in mobile/wireless functionality.

There is only one answer to that, Sawislak says.

“They have no choice. If they don’t find a way, they won’t be able to recruit and retain top people,” he says. “It’s not just about saving money on office space or commuting costs or having a continuity plan. It’s also about retaining valuable government employees.”

About this report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please e-mail us at [email protected].