At Los Alamos Lab, mobile security gets picky
- By Henry Kenyon
- Dec 15, 2011
This article has been updated to correct references to the FIPS 140-2 security standard.
Large government agencies with many internal organizations face a conundrum when they plan to deploy new mobile systems or upgrade existing ones.
The steps the Los Alamos National Laboratory took to deploy wireless in its complex and highly security-conscious environs show how a big organization picks and chooses systems and services to meet the requirements of different user groups.
Research at Los Alamos covers a range of areas, from basic science to highly sensitive nuclear weapons work. Because of its broad range of research and a large population at varying security levels, the lab wanted to develop a more flexible and secure wireless capability, according to Anil Karmel, a solutions architect at Los Alamos.
There are currently some 20,000 wireless devices running on Los Alamos’ existing network. For very secure applications, the lab issued BlackBerry 160 Bold devices to selected personnel, Karmel said.
The devices were encrypted to Defense Information Systems Agency (DISA) and FIPS 140-2 standards. The devices also had their serial ports, cameras and Wi-Fi disabled and were equipped instead with a Los Alamos-developed SIM card.
The initial pilot in 2008 consisted of 50 users and featured basic calendar and voice applications. Later in 2008, the pilot was expanded to 300 users. There are now 3,000 secure BlackBerry users at Los Alamos, Karmel said.
But this deployment covers only a small part of the Los Alamos scientific community. To reach a wider swath of personnel, Los Alamos chose Good Technology’s Good Mobile suite of applications with enterprise email, calendar functions and data content supporting Apple iOS and Android mobile platforms.
Good Mobile’s security layout is similar to the BlackBerrys’, with FIPS 140-2 security and encryption following DISA’s Security Technical Implementation Guide (STIG), Karmel said.
Unlike the BlackBerry deployment, data for the Android and iOS devices are kept in a mobile sandbox that can be remotely wiped if the smartphone is lost or stolen.
Data in the Good Mobile sandbox is locked down and fully encrypted. Personal data that is not in the sandbox is untouched by the enterprise system. “It’s not so much about securing the device as the data,” Karmel said.
Los Alamos is also using Apple mobile device management tools to selectively block device capabilities, such as cameras. Organizations within the lab can selectively permit users to write or list applications in an approved app store via a central portal. These capabilities allow Los Alamos to balance its needs for user functionality with security.
The lab is currently considering providing Apple iPads with a remote desktop access capability.
While Good Mobile offers excellent security, in some cases it is not secure enough, Karmel said. For remote desktop access Los Alamos is considering capabilities offered by firms such as BoxTone, which offers a configurable security and encryption system similar to Good’s, he said.