Securing Federal Employees' Mobile Devices: Big Opportunities, Big Challenges
"Cybercriminals don't even need to steal your phone if they can get all of the data on your mobile devices from an unencrypted file on your PC or laptop. Encryption should be a non-negotiable part of any serious data security effort. If it's not encrypted, it's not protected," said Tim Keanini, chief technology officer at nCircle.
The burgeoning market for mobile devices such as smartphones and tablets is not only affecting consumer use of information technology, but also having an impact on the private sector workplace, as employers see the value of mobile communications.
The mobile IT market is clearly hot. Worldwide shipments of major brand smartphones increased by 50 percent to 152.3 million units in the first quarter of 2012 versus the same period last year, according to IDC.
Global tablet sales at 17.4 million in the first quarter of 2011 represented a "a robust year-over-year growth rate of 120 percent," up from 7.9 million units in the first quarter of 2011, the firm said.
While the pace of tablet sales cooled a bit from the last quarter of 2011 to the first quarter of 2012, the Consumer Electronics Association reported that smartphones and tablets will remain high-demand items in U.S. households this year.
Federal workers, like everyone else, have embraced the use of mobile devices. As a result, mobile technology is gaining traction in the federal workplace. Two-thirds of federal respondents to a recent survey conducted by MeriTalk said they would like the technology they use at work to keep pace with the technology they use in their personal lives, including tablets and other mobile devices.
But along with the convenience and productivity associated with mobile devices used by federal agencies comes a challenge: making sure that device and data security is strong.
"Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats," said Karen Scarfone, co-author of a just-released draft document published by the National Institute of Science and Technology, (NIST), an agency of the U.S. Commerce Department.
Mobile Evolution Requires Security Update
The NIST draft includes proposals for updating government guidelines for securing smartphones and tablets used by federal agencies. The guidelines do not cover laptops, because the security controls for laptops are different from those for smartphones and tablets. NIST is seeking comment on the draft from private sector entities such as hardware and software vendors, telecom providers, federal agencies, and the public.
While mobile devices allow workers, including government employees, to do their jobs in multiple locations and to improve their efficiency, such devices "can easily be lost or stolen, and users may be tempted to download non-secure apps that might conceal malware that could be used to steal confidential data," NIST said. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization's computer network remotely.
The proposed guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business.
Such programs manage the configuration and security of mobile devices and provide secure access to an organization's computer network. They are typically used to manage the smartphones that many agencies issue to staff. The NIST document offers recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.
"Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and personally owned mobile devices by enterprise users. In addition to managing the configuration and security of mobile devices, these technologies offer other features, such as providing secure access to enterprise computing resources," NIST said.
There are two basic approaches to centralized mobile device management: Use a messaging server's management capabilities (sometimes from the same vendor that makes a particular brand of phone); or use a product from a third party, which is designed to manage one or more brands of phone.
NIST also recommends developing system threat models for mobile devices and those resources accessed through them, instituting a mobile device security policy, implementing and testing a prototype of the mobile device solution before putting it into production, securing each organization-issued mobile device before allowing a user to access it, and regularly maintaining mobile device security.
Vendors Are Part of Solution
Vendors to the federal market will need to meet government security requirements associated with mobile devices, but those security goals could also lead to market opportunities.
An example is the capability to implement centralized management. "There have been a number of industry days sponsored by federal agencies inviting the private sector to showcase their technologies," Tom Karygiannis, senior researcher at NIST, told the E-Commerce Times.
"The Federal Business Opportunities website has also listed various requests for information and requests for proposals for mobile device enterprise tools. My sense is that the federal government will look for commercial, off-the-shelf solutions for this technology," he said.
In addition to concerns about the devices, security related to commercial apps, as well as specialized, government- related applications for smartphones and tablets is both a worry and an opportunity.
"Microsoft, Apple and Google do some app vetting before the apps are released on their app stores, but government agencies should put their agency-approved apps through a more rigorous app-vetting process," Karygiannis said.
"Depending on the agency's mission, additional security or reliability testing would be recommended. NIST is working with other government agencies to develop app-testing guidelines. There are a number of commercial tools that are available for app testing, and we are also working closely with researchers to identify testing gaps and develop new testing tools and techniques," he added.
Encryption Essential Tool
"The NIST guideline is in draft form now, and people with operational experience should comment to help the document mature. One key point I'm planning to contribute is requiring encryption for tablet and smartphone backups," Tim Keanini, chief technology officer at nCircle, told the E-Commerce Times.
"Cybercriminals don't even need to steal your phone if they can get all of the data on your mobile devices from an unencrypted file on your PC or laptop. Encryption should be a non-negotiable part of any serious data security effort. If it's not encrypted, it's not protected," he said.
"Sensitive data must be encrypted using the federal FIPS-140-2 validated cryptographic modules," NIST's Karygiannis noted. For example, the agency recently certified an open source cryptographic module for Android 4.0.
"There are a number of vendors that offer various security technologies ranging from encrypted file systems to virtualization for mobile devices," Karygiannis said. NIST offers an overview of the FIPS process and a list of vendors that have gone through the validation program.
"Mobile device security is a serious problem for everyone, not just the federal market. The NIST guideline proposal is a great opportunity for the security community to help define best practices for this critical technology," Keanini said.