Don’t let mobile apps be the weak link


Government and industry experts have a word of caution for agencies looking to improve the management and security of their mobile initiatives: Don’t forget about the apps.

Whether the initiative involves government- or employee-owned devices, mobile apps have the potential to undermine any management or security measures that agencies might already have in place. Unless adequate controls are instituted, employees might unknowingly download apps that serve as backdoors to viruses and other types of malware.

Unfortunately, most agencies have yet to develop rigorous processes for reviewing and approving mobile apps for their workforces, according to a survey conducted by the 1105 Government Information Group.

Only 37 percent of respondents said their agencies had a process in place. An equal number said there was no such process, while 20 percent said their agencies had a streamlined process (see chart).

[Figure 1: chart of survey responses on agency processes for reviewing and approving mobile apps]
In contrast, more than half of respondents said their agencies were using or investigating other types of controls, such as enforcing the use of strong passwords (77 percent), identity and access management (72 percent), and mandatory encryption (63 percent).

Many experts recommend that organizations consider creating a mobile application store. The idea is to provide users with an inventory of apps, whether the software is commercial or agency-provided, that are certified as secure and otherwise compliant with agency requirements.

An apps store “works hand-in-hand with software policy enforcement, by providing an easy-to-find and easy-to-use method for mobile users to comply,” wrote Andrew Borg, research director for mobility and collaboration at the Aberdeen Group, an IT market research and consulting firm.

Such a capability is already offered as part of numerous enterprise mobility management solutions, according to Borg, in a report titled “Enterprise Mobility Management USA: Manageability, Security and Workforce Productivity.”

In setting up their stores, agencies need to decide which approach to take in enforcing their software policies: blacklisting or whitelisting.

With blacklisting, employees are allowed to download any application that is not expressly forbidden. On the one hand, this approach ensures that employees have access to a wide range of apps to help them do their jobs. On the other hand, it leaves agencies vulnerable to risky applications that should be blacklisted but simply have not been yet.

Whitelisting is much more restrictive. With this approach, employees can download only those apps that are expressly allowed by the agency. This puts more of a burden on the IT department, and it can try the patience of employees who want to get their hands on the latest technology. But it can pay off for the organization from a security perspective.

“Deciding which applications are necessary and which should be eliminated is not a trivial task,” wrote Chris Sherman, a researcher at Forrester Research, in a September 2012 blog post. “However, at the end of the day you are left with an endpoint environment with less reliance on antivirus techniques and a significantly reduced attack surface.”

But that does not mean that whitelisting is foolproof.

In a recent blog post, John Pescatore, director of emerging security trends at the SANS Institute, noted that this approach depends on the diligent oversight of IT staff. If the experts are not paying attention, malware can get through and unsuspecting users will be none the wiser until problems develop.

“Whitelists are like lifeguards at a beach,” he wrote. “People see them, trust them and jump into waters that could be dangerous because they expect the lifeguard to be looking for sharks and keeping the waters safe.”


Good things in store

As part of its recently announced Managed Mobility Program, the General Services Administration identified the following capabilities that an agency mobile application store (MAS) ought to provide:

  • Downloading internal and public applications from the MAS.
  • Adding an application to the MAS from a commercial application store.
  • Adding an enterprise application to the MAS via a Web interface.
  • Adding metadata to, and reporting on metadata on, applications added to the MAS.
  • Specifying the effective and expiration dates for an internal application.
  • Specifying the minimum operating system and model for an internal application.
  • Categorizing, grouping or tagging applications (e.g., as business applications, scientific applications, etc.).

Source: GSA
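Added example, not code from the article or from GSA: a small Python policy gate that models the blacklisting-versus-whitelisting choice described above (here called denylist and allowlist) together with three of the GSA capabilities in the list (effective and expiration dates, minimum OS version). All app ids, dates and policies are constructed sample data; the specific gap it shows is the one the article warns about, an app that has not been reviewed yet passing a denylist.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AppRecord:
    """MAS metadata for a reviewed app (constructed sample fields)."""
    app_id: str
    effective: date     # installs permitted from this date ...
    expires: date       # ... through this date
    min_os: tuple       # minimum device OS version, e.g. (6, 0)

@dataclass(frozen=True)
class Policy:
    mode: str                          # "allowlist" or "denylist"
    listed: frozenset = frozenset()    # app ids on that list

def parse_version(text):
    """'6.1.2' -> (6, 1, 2) so versions compare numerically, not as text."""
    return tuple(int(p) for p in text.split("."))

def install_decision(policy, catalog, app_id, device_os, today_iso):
    """Return (allowed, reason) for one install request against the MAS."""
    today = date.fromisoformat(today_iso)
    record = catalog.get(app_id)
    if policy.mode == "allowlist":
        if app_id not in policy.listed or record is None:
            return False, "blocked: not on allowlist"   # default deny
    elif policy.mode == "denylist":
        if app_id in policy.listed:
            return False, "blocked: on denylist"
        if record is None:
            # Nothing forbids an app nobody has reviewed yet, so it gets
            # through: the exposure the article attributes to blacklisting.
            return True, "permitted: unreviewed app, not yet denylisted"
    else:
        raise ValueError("mode must be 'allowlist' or 'denylist'")
    if not record.effective <= today <= record.expires:
        return False, "blocked: outside effective/expiration window"
    if parse_version(device_os) < record.min_os:
        return False, "blocked: device OS below minimum"
    return True, "permitted: reviewed app, metadata checks passed"

# Constructed sample catalog: one reviewed internal app with GSA-style metadata.
CATALOG = {
    "gov.agency.travel": AppRecord("gov.agency.travel", date(2013, 1, 1),
                                   date(2014, 12, 31), (6, 0)),
}
ALLOWLIST = Policy("allowlist", frozenset({"gov.agency.travel"}))
DENYLIST = Policy("denylist", frozenset({"com.example.knownbad"}))
```

Running the same two requests through both policies shows the difference: the unreviewed app is blocked by the allowlist and permitted by the denylist, while the reviewed app is still held to its date window and minimum OS under either mode.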


Methodology and survey demographics

Between May 13 and May 22, 2013, 206 subscribers of FCW, GCN and other 1105 Government Information Group publications responded to an e-mail survey about mobility trends in government agencies. Survey respondents were those with insight into their agencies’ mobile technology use and strategies. Beacon Technology Partners developed the methodology, fielded the survey and compiled the results.

Six out of 10 respondents were technology decision-makers (CIOs or other IT managers or professionals), while 40 percent were senior managers, program managers or other business decision-makers. Approximately 49 percent came from the federal government (32 percent civilian, 17 percent defense) and 51 percent from state or local government agencies.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at [email protected]