The insider threat in employees’ pockets
- By Will Kelly
- May 22, 2015
Although organizations like the FBI might be restricting their employees to agency-issued mobile devices, a growing number are embracing at least some degree of a bring-your-own-device environment. But agencies that choose that path must figure out how to balance security with usability.
GCN asked several mobility experts to share their advice on how agencies can support BYOD while protecting agency data from insider threats, accidental and otherwise.
“It’s about governance first,” said Susie Adams, chief technology officer for Microsoft’s Federal Business Practice. “You have to carefully balance information security classifications.”
Agencies must develop an understanding of the sensitivity of their data. She advised classifying data as low, moderate or high impact.
“You also have to balance the policies that govern access to the data,” she added. “Just in general: Who should be able to access that data?” The answer might depend on the trustworthiness of the device itself.
“Not all devices are created equal,” Adams said. “We know it depends on the version of the device, how old the device is, does the device have malware on it? Has it been compromised?”
“There are a few considerations when implementing a BYOD program,” said Paul Brubaker, director of government solutions at VMware’s AirWatch. “What’s most important is to partner with an [enterprise mobility management] solution that can accommodate the broad range of available devices and applications while also [giving] IT the security tools they need to securely deploy and manage this breadth of devices and applications.”
In an email interview, Brig. Gen. Kevin Wooton, principal deputy director of integrated operations at Air Force Space Command, said a commitment to a risk management framework is essential.
“Any attempt to translate a traditional ‘risk-averse’ security model will likely make the devices so locked down as to be useless,” he wrote. “This doesn’t mean you don’t want your security folks to be muted or to give them short shrift, but decision-makers must understand rationale, modern security capabilities within mobile device management ‘sandboxes’ and their own agencies’ risk tolerance. Key to that will include not treating all data the same with regard to sensitivity and then drawing appropriate lines in the sand that maximize the user experience while incorporating the critical security requirements.”
Wooton concluded by saying, “If one doesn’t understand the already value-added security coming from modern mobile device makers and the MDMs, typical agencies will have trouble finding the happy medium between security and usability.”
Chris Roberts, vice president of the worldwide public sector at mobile security platform provider Good Technology, took a broader view.
“I think usability doesn’t just mean the native applications on the device,” he said. “It means [asking] what sort of a password do I need to put in just to get access to my phone? Is that more complicated today than it was yesterday when this device fully belonged to me? It means [asking] would I possibly lose data or applications on that device? There are a number of things that affect usability beyond the ease of use, which is why they got the devices in the first place.”
Justin Marston, CEO of Hypori, a startup company that develops a virtual mobile infrastructure platform, offered another usability/mobile security balancing option.
“What we’ve seen the government actually doing...is enabling dual personas but doing it with enterprise-owned phones,” Marston said. “They’ve been trying Samsung Knox, they’ve been trying Good, and you have this incredibly ironic situation where you have an enterprise-owned phone provided by [the Defense Information Systems Agency] under the [DOD Mobility Unclassified Capability] program that lets you do email and calendar in a special container, the Good container, and that’s all you can do.”
He added that users can download any app on the personal side of a government-owned device, but the government side maintains a “BlackBerry experience.”
Bringing it all together
Ensuring mobile security in a government enterprise requires an approach that brings together MDM, containerization or virtualization, mobile application management (MAM) to counter risky mobile apps, identity management and even a tool for securing agency data from insider threats.
Wooton recommended that agencies “push the MDM vendor in this area and make sure the contractual relationship takes advantage of the MDM’s capabilities to do just this. Most of the major ones are looking at this issue and offer capabilities that can provide awareness and supplement or create coverage in the insider-threat arena.”
To mitigate insider threats, he said agencies should monitor the usage data from their MDM servers and note the increased segregation of native applications outside the MDM and the greater availability of mission applications within the MDM’s control. He also said contracts with MDM vendors should include requirements that they upgrade their capabilities to counter insider threats.
“The risk associated with maximum usability of mobile devices, even within the BYOD environment, almost always outweighs the danger of employees trying to circumvent device or agency policies,” Wooton said. “By providing an acceptable-risk approach, an agency has a much greater opportunity to increase productivity (a given with a workforce using mobile devices) while still being able to monitor threats, both from the inside and external.”
Brubaker agreed. “The key to mitigating and monitoring insider threats is setting up and enforcing policies,” he said. For example, the IT staff can institute an action that automatically removes agency data from a rooted or jailbroken mobile device.
Roberts added that “in terms of securing data on the device, I think that containerization is absolutely the right way to go. There are a couple of models that are emerging right now for how to do this, and containerization and virtualization seem to be the two dominant ones being discussed in the federal space. I don’t see people discussing that MDM, pure mobile device management alone can work to give you a balance between usability and security.”
Adams, meanwhile, advocated that agencies move from device-centric to user-centric security and establish a platform for identity management.
“The devices may change, but the users are going to stay the same most of the time,” she said. “Maintaining control over employee access to data regardless of the device becomes probably the most important thing you need to do, especially if you are going to enact a BYOD policy.”
Will Kelly is a freelance technology writer based in Springfield, Va.