Overcome your mobile insecurity
Securing tablet PCs and smart phones calls for a mix of planning, policy and technology.
It was laptop PCs and BlackBerrys first, but now an expanded range of mobile technologies is poised to flood the government workplace.
The mass adoption of tablet PCs, along with Apple and Android smart phones, appears inevitable. Agencies are buying such devices to outfit an increasingly mobile workforce. The Veterans Affairs Department, for example, recently amended its Commodity Enterprise Contract to include tablet PCs.
But there’s also a bottom-up push from employees who want to use their personal devices at work. The so-called consumerization of IT — and the recognition that the bring-your-own-device approach can save procurement dollars — will likely add to the influx of devices.
“The younger workers who come in are more used to just dealing with one device. No one wants to carry four different devices,” said Patrick Howard, chief information security officer at the Nuclear Regulatory Commission. “Potentially, government can save some money by allowing people to use their own devices, as long as they can be appropriately secured.”
That, of course, is the big catch. There are numerous ways mobile devices can cause security trouble. Users run the risk of downloading malicious applications — or legitimate apps with security flaws — from online stores. Devices can also easily be lost or stolen, along with the data on them.
IT managers find themselves having to do a balancing act: They must support mobile technology for the flexibility it gives users while mitigating the risk of data loss and malware infestation. To that end, agencies have begun devising security strategies as an essential underpinning for allowing mobile devices in the enterprise.
Agency officials and security experts point to several must-have elements for any strategy to secure such devices.
1. Evaluate risk
Organizations need to know what they’re up against before they devise a security strategy. A key question to ask early on is: How do users intend to deploy mobile technology?
A basic first step is to understand the use cases for mobile devices in different lines of business, said Adeeb Parkar, information security analyst at the Census Bureau.
An agency might find that some uses are not appropriate for mobile technology — for example, accessing financial information.
Exploring various use cases helps an organization understand its tolerance for risk. Along those lines, agencies might opt to undergo a formal risk assessment. Jeremy Allen, a principal consultant at Intrepidus Group, a security consulting firm, said enterprises might start with a traditional, wide-ranging risk assessment — especially if they haven’t performed one in the past — and then narrow the scope to mobile technology. The assessment should identify high-risk areas, security gaps and how far an agency is willing to trust mobile technology.
“This helps us figure out where our risk threshold is and what data goes on devices and what doesn’t go on them,” Allen said.
Another approach is for agencies to classify their data according to its need for security and then pursue steps to protect it based on those classification levels, said Steve Vinsik, vice president of global security solutions at Unisys.
2. Assess the available technology
The latest crop of mobile devices is proving trickier to secure than laptop PCs. Allen cited severe market fragmentation as a complicating factor.
“On a laptop, you are almost certainly dealing with one of the few common” operating systems, he said. “It’s almost always going to be some variant of Windows or a pre-approved version of an OS at some pre-approved configuration. It’s very predictable.”
That’s not the case with mobile technology, where agencies must account for the idiosyncrasies of Apple’s iOS, Google’s Android, the BlackBerry OS and others.
“With mobile devices, we can have multiple-hour conversations about each platform,” Allen said.
“We really need to understand, with each device, what capabilities the device can provide in terms of user and security administration,” Parkar said. “Those types of capabilities need to be analyzed thoroughly and matched against whatever business operation could potentially use them.”
3. Establish policies and procedures
An understanding of use cases, risk tolerance and technology serves to inform an organization’s security guidelines.
“Before you can really start to deploy the consumerized devices into your environment, you have to have...policies and procedures in place,” Vinsik said. “If you don’t, you are just opening up more security holes into your organization.”
A couple of policy documents will likely come into play. A policy governing technical security controls would spell out the measures required to protect mobile devices and data. An acceptable-use policy, meanwhile, would outline the user’s responsibilities and include details such as requirements for password strength.
The General Services Administration is testing an approach that allows participants to use personal devices at work as long as they consent to the agency’s terms of service, said Casey Coleman, GSA’s CIO. That agreement includes a provision requiring that devices run GSA’s mobile security software.
A policy’s specifics would depend on context. “A smart phone that is used only for reading daily multimedia briefings may require different security controls than one accessing classified networks,” said Tom Karygiannis, a computer scientist at the National Institute of Standards and Technology’s Computer Security Division.
4. Encrypt and containerize
Device-level encryption provides a foundational component of mobile security. Encrypting the data on a device’s hard disk and removable media provides a key protection in the event of loss or theft. A given mobile platform might even have some level of encryption built in.
The pivotal question in the federal setting is whether encryption capabilities comply with NIST’s Federal Information Processing Standard 140-2, which provides accreditation for cryptography. BlackBerry’s cryptographic kernel for its PlayBook tablet has met the FIPS 140-2 standard, as has the module for BlackBerry smart phones. Apple’s iOS was under NIST review at press time.
William Keely, director of the Defense Information Systems Agency’s Field Security Operations Division, said the Defense Department’s baseline requirements call for mobile devices to use an encryption algorithm validated under FIPS 140-2 when storing and transmitting data.
In addition, DOD requires implementation of Secure/Multipurpose Internet Mail Extensions for e-mail services to enable digital signatures and encryption of messages, Keely said.
Containerization, meanwhile, offers a measure of security by segmenting a mobile device into enterprise and employee components. The idea is to limit a device’s function when it is connected to the enterprise, Vinsik said. The work side of a mobile phone, for example, could be restricted to e-mail and Internet.
Parkar said containerization also lets an organization isolate a particular business function in an encrypted zone that offers local rather than device-level encryption.
5. Enable local or remote data purges
The ability to purge data from a lost or stolen device is another mobile security must-have.
In the local approach, a wayward device erases its data after a set number of failed password attempts, said Keith Royster, a senior consultant at SystemExperts, a security consulting firm. In a remote wipe, a systems administrator initiates the wipe via Wi-Fi or cellular network when a user reports the loss or theft of a device, he added.
Parkar said remote wipe provides “added assurance that your data isn’t out there.”
Such data-erasing features might be coupled with online backups so a user’s data could be restored to a replacement device.
6. Set guidelines for authenticating users
Whether authenticating to a desktop or mobile device, the same rules apply: Organizations must set requirements for the minimum length and complexity of characters in passwords.
Application-specific security requirements might call for more than user name and password, however. Vinsik said a challenge/response feature could provide an additional layer of security. A face or voice biometric might also be required for access to certain types of information, but it involves hardware integration that is just now emerging.
“We see vendors coming out with those types of [biometric] solutions today, and that will really ramp up over the next year or two,” Vinsik said.
7. Evaluate security solutions
Fielding a mobile security solution will likely involve evaluating features native to devices, third-party products and perhaps infrastructure elements already in place.
NRC is in the process of reviewing vendor solutions, Howard said. Officials are also considering adapting the agency’s BlackBerry infrastructure to securely meet the business needs of other mobile devices such as tablet PCs.
The security choices available to agencies include mobile device management solutions. Vinsik said vendors are embracing security features as part of their MDM offerings. Products from Good Technology and Sybase, for example, include remote wipe, encryption and security policy enforcement.
“There are a lot of solutions out there now,” Howard said. “You need to be able to intelligently review those against your requirements and find the best one that fits your needs.”
Mobile security guidance is thin
Agencies working on security strategies for mobile devices don’t have much to go on.
Federal guidance specific to mobile security is limited. But teams are distilling mobile approaches from broader security frameworks. Starting points include the National Institute of Standards and Technology’s Special Publication 800-53, which provides guidelines on security measures for information systems.
“Those are broad requirements and need to be tailored and interpreted within the context of mobile architecture,” said Paul Nguyen, vice president of cyber solutions at Knowledge Consulting Group, which provides security assessment, compliance and other services to government agencies.
In addition, NIST’s SP 800-124 offers guidelines on security for mobile phones and personal digital assistants. Nguyen said some of the language in that document could be tailored to meet the needs of mobile application developers.
Additional guidance is on the way. NIST plans to publish updated guidelines on mobile phone security in fiscal 2012, said Tom Karygiannis, a computer scientist at NIST’s Computer Security Division.
Agencies, meanwhile, are talking to one another to get a better handle on mobile security. Patrick Howard, chief information security officer at the Nuclear Regulatory Commission, said mobile security concerns have compelled agency managers to compare notes on their approaches.
“CISOs are talking frequently on this issue — much more frequently than on any other topic, I’d say,” he added.