Five Tips For Secure Mobile Access

on December 14, 2012 at 7:00 AM

The Department of Defense is taking a leadership role in leveraging mobile device technology to improve information sharing, collaboration and efficiencies. In a recent press release, Teri Takai, DoD’s chief information officer, said, “As today’s DoD personnel become increasingly mobile, a wide variety of devices offer unprecedented opportunities to advance the operational effectiveness of the DoD workforce. This strategy will allow mobile devices across the department to converge towards a common vision and approach.”

There are significant challenges that await agencies, like the DoD, that are looking to implement mobile strategies and “bring your own devices” (BYOD) policies – the most daunting being security. In order to overcome various security challenges, agencies must take several factors into consideration. The five tips found in this piece will outline crucial items for agencies to consider when adopting mobile practices for their employees:

  • Place emphasis on controlling the information that can be accessed on the device, not controlling the device itself. With traditional desktop computing environments, the IT department can easily control the information that is being distributed. Even laptops are capable of being remotely locked or wiped should they fall into the wrong hands. However, the mobile devices that will be connected to agency systems and datacenters through mobile and BYOD initiatives aren’t as sophisticated as that yet. Since BYOD devices don’t belong to the agency, but belong to the individual employee, the agency can’t wipe or lock the device or otherwise impact the data that isn’t theirs. Also, the disparate operating systems utilized by mobile devices make adopting one single mobile device management solution almost impossible. This ultimately renders device management ineffective. Instead, the emphasis needs to be placed on controlling the information that can be accessed by the device, not on controlling the device itself.
  • Implement policies to secure information. In order to promote information sharing and increase collaboration, security, privacy and data protection must be built into every step in the technology lifecycle. Assessment and authorization processes must be streamlined and there must be systems in place for continuous monitoring, identity authentication and credential management. In order to ensure that data is only shared with authorized users, the data itself must be secured, with a rigorous and constantly updated identity authentication and credential management system. Agency employees must be aware of the system, and what’s required of them to ensure compliance. Requiring agency employees to protect their mobile devices with passwords is simply not enough. There must be a data loss protection plan in place that can actually stop data from falling into the wrong hands. Educating agency employees is also crucial – they must know what is and what is not permissible with their mobile devices while both inside the building and while accessing government networks from an outside location. If device limitations are in place, employees must know and understand them, as well as know how to work with the agency’s IT department if needed.
  • Purchase technology that will help to protect accessed information. When a cell phone is carried through the door of a building, it brings along its own separate network. Therefore, deciding which mobile devices should be granted access to internal government networks is crucial. By setting device limitations, agencies have more control over security settings, what networks are able to be accessed and where information collected on the device is stored. While it may seem cost effective to limit devices entirely, employees are looking for flexibility – they want devices that will help them bring their personal and professional lives together. That being said, government agencies need to limit the BYOD list to ten or so devices, to allow flexibility while also being reasonable about the resources that it will take to manage the different operating systems. As new devices are released, agencies should be sure to refresh the list. Desktop virtualization for mobile devices is also growing in popularity. Allowing virtual desktops for use on mobile devices will offer employees a consistent desktop view across multiple device types and will also move all data to a server, rather than risking storage on individual devices, thereby enhancing security.
  • Understand how data is being distributed and where it’s being stored. The days of data storage in on-site facilities or data centers are coming to an end and cloud usage is growing rapidly in popularity. As agencies strive to cut costs, cloud services will only become more popular. The important factors with data distribution and storage are flexibility, collaboration with mobile devices, and security. While the unknown future is always more intimidating than the comfortable past, cloud storage has gained enough experience that many agencies are starting to see more benefits and fewer liabilities, particularly with private and hybrid clouds.

  • Know how to control the data if the device is out of the operator’s control. What happens if an employee loses their smartphone or tablet? As part of any mobile security program, government agencies must build in processes and procedures that can be implemented rapidly and remotely to deal with lost or stolen mobile devices. Government agencies must ensure that there are safeguards in place to prevent the improper collection, retention, use or disclosure of sensitive data. Updating and refreshing these safeguards as technology evolves and changes is critical. Should a device make it into the hands of the wrong person or persons, there must be a plan in place that allows an agency to control and protect said data. For example, an agency might implement a remote lockout capability that locks the user out of network access after several minutes of inactivity or when the device becomes idle. Agencies should also maintain the ability to wipe data from a device remotely in the event that it is lost or stolen. If incorporated properly, mobile management solutions can even boot users from the network if they attempt to jailbreak their devices to work around agency security controls.

As DoD’s Teri Takai stated: “The DoD Mobile Device Strategy takes advantage of existing technology, the ability to use or build custom apps, and a workforce increasingly comfortable with mobile devices. This strategy is not simply about embracing the newest technology — it is about keeping the DoD workforce relevant in an era when information and cyberspace play a critical role in mission success.”

Mobile Device Strategies, like the one being implemented by the DoD, lead to an age of a more transparent, mobile and agile government. They could also spell significant trouble in the data and network security arena if not planned for effectively. Employees want the flexibility that mobile devices deliver; government agencies must be sure that all factors are carefully considered and that responsible processes and policies are in place and enforced to maintain security as we move more rapidly to leveraging mobile technology in the government space.

Timothy P. Coffin is President of iGATE Government Solutions, the leading integrated technology and operations provider of Business Outcomes based solutions. For more information visit http://www.igate.com/government-solutions/overview.aspx.