User-Driven Device Configuration
Ensuring mobile security is a multi-step process. Besides developing the right policies, it requires choosing mobile devices with rigid security features and the ability to configure them for specific use cases and to support security policies.
Effective, automated device configuration tools coupled with risk-based Enterprise Mobility Management (EMM) is the best way to limit access to certain applications or parts of the device for specific situations, roles and responsibilities, and locations. Mobile Device Management (MDM) systems are critical, as are highly configurable, easy to use auto-enrollment tools to ensure a common operating baseline, reduce administrative overhead, and eliminate the human component of device configuration.
"Device configuration isn't something anybody should take for granted," says Craig Ano, Senior Manager for Federal at Samsung. "The best way to ensure that devices are set up quickly and correctly is by eliminating the human element—in other words, by using auto-enrollment tools for devices whenever possible."
At its most basic level, an MDM solution should anchor the device management process. This is then layered on top of any type of mobile device. MDM/EMM is there to provide flexible policies and ongoing management of the devices.
All policies are not the same, though, and each organization should look at what data they are trying to protect and assign policies appropriately. For example, an inspector will have different data than a warehouse worker or an agency executive. Policies that agencies can customize and configure for each data protection use case are essential. The goal is to put enough security to protect the data without overly burdening the devices with security controls.
MDM systems can also prevent mobile devices from installing unapproved applications, track devices, enforce application whitelists and blacklists, provide geo-fencing, enforce data sharing restrictions and remotely wipe devices if they have been lost or compromised.
To provide even more granular protection, some agencies use containers. These are a software-based system that separates sensitive data and applications from personal data and applications, even when they're stored on the same device. They prevent sensitive data from leaking out, as well as malicious data and applications from entering. While this is certainly useful and effective on government-issued devices, it's especially important for agencies that let employees use their own devices.
For the most stringent containerization, consider devices where the container technology is built on top of the hardware security instead of the application or operating system layer. When containers are built on top of hardware security, the information inside is better protected against malware.
The exact restrictions imposed on any device depend on the specific agency and user security requirements. For the majority of government users—those using mobile devices to improve productivity—the most important device configuration capabilities most likely revolve around data encryption (at rest and in transit), authentication, device feature restrictions, and wireless network controls. Whether devices can connect to public WiFi networks or are restricted to approved WiFi networks; and whether Bluetooth is acceptable or should be blocked, are both critical. These configuration factors along with containerization are the most common use cases for most government mobile users.
For more secure environments or those dealing with classified data, there are many more possibilities. For example, for users who regularly enter classified areas, agencies can configure devices to immediately put the phone into secure mode where it can't transmit or receive data, gather or disseminate data, and the camera is inoperable.
There are many other secure use cases and situations as well. That's where enrollment tools to automate device configuration become more critical. An agency supporting 10,000 users, for example, probably has many categories of employees with different security clearances. Each will have different configuration needs. The device of a field inspector, for example, will have a different configuration from a first responder.
"It's important to make sure your deployment and configuration tools match the problems you’re trying to solve, and your user base," says Ano. "The more granular the control you can get with device configuration, the more effective it will be."