Policy and Technology: Working in Concert

Federal employees have been using mobile devices in some form or another since the turn of the century. Back then, of course, those devices weren’t very "smart." Many agency employees were still using Personal Digital Assistants (often called PDAs). Even at that early point, though, agency officials knew these devices could improve productivity, but they could also compromise security and make information management more complicated.

As it became clear mobility was here to stay, policy leaders OMB and GSA, along with standards and technology experts at NIST, issued guidance to help agencies develop mobile security policies to address their specific needs. Over the years, agencies have refined their mobile requirements based on risk tolerance and other factors, sometimes making the mobile devices used by agency employees non-compliant. At the same time, the mobile devices themselves, along with security applications, have improved significantly.

All this adds up to one thing: It's time to reexamine agency mobile security policy. If the policy doesn’t fit the current environment and requirements, the first step is updating policies governing authentication, access control, platform security, data security and application security. Next, evaluate currently approved mobile devices. If they can’t be updated to meet mobile security policy requirements, it may be time for replacements.

"What worked a few years ago for agencies may not work today," says Johnny Overcast, Director Government Sales for Samsung. "The best way to validate existing devices or make the decision to move to new ones is by reviewing the devices, directives and policies."

Ironclad Mobile Security

At the highest level, agencies must be certain mobile devices and the supporting infrastructure approved for employee use meet agency and Federal Government security requirements. The platforms should at least support the ability to ensure the integrity of the operating system and applications while in use, run only verified and authorized applications and provide controls to ensure the integrity and confidentiality of information stored on the device. Finally, devices should meet all applicable government requirements such as Common Criteria (NIAP), NIST and others as appropriate.

Application and data-level security is the next line of defense. One way to safeguard critical applications and data is by isolating them in a container managed by the agency. This provides an area of the mobile device completely separate from areas reserved for personal use, as appropriate. Applications and data in containers are fully encrypted and authenticated, preventing unauthorized users and other applications from interacting with the contents.

Samsung Knox, for example, secures data in containers with Defense-grade Sensitive Data Protection (SDP) technology, along with an Advanced Encryption Standard (AES) cipher algorithm with a 25-bit key. Data remains encrypted even after the user turns off the device or exits the container. At the application level, the system’s virtual private network automatically kicks in when users launch protected applications.

These methods work well for agency-furnished mobile devices, but many of the same concepts can apply to situations where employees are allowed to use their own personal devices (BYOD). For all these tactics to work well, agency policy must specifically identify acceptable platforms and stipulate the Mobile Device Management (MDM) technology to use for remote management and content wiping.