Security, management issues threaten to stall BYOD
Security is the biggest concern government has with all things mobile, but BYOD offers particular problems with things like trust, privacy and data assurance. There are possible answers, but they will need new policies to account for them, and new mobile management solutions.
There are a myriad of concerns for agencies in adopting bring-your-own-device policies, but it’s safe to say that security is near the top of most lists.
To federal IT managers, BYOD can be a nightmare, taking them outside of the tightly-controlled universe of government-furnished equipment — where agencies can closely manage such things as operating system updates, the applications on the device and how data is accessed — to the hodgepodge of operating systems, versions, applications and device hardware that BYOD represents.
In a July 2012 draft update to its guidelines on managing and securing mobile devices (SP 800-124), the National Institute of Standards and Technology (NIST) said that BYOD is a particularly untrustworthy way to introduce mobile devices into the government enterprise.
Current mobile devices lack the technical basis for trust features that are increasingly built into laptops and other kinds of host systems, it said. There are also frequent jailbreaking and rooting of mobile devices, “which means that the built-in restrictions on security, operating system use etc. have been bypassed.”
“Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data,” NIST said.
Agencies also have questions about how to handle situations with BYOD that current policies just can’t cover. Debora Plunkett, the National Security Agency’s information assurance director, told the audience at 1105 Media’s Cybersecurity Conference in October 2012 about issues involved with breaches of classified information.
“The procedures for dealing with it are to remove the device and, depending on where the device is in the ecosystem, sometimes you have to destroy the device,” she said. “Imagine how that would work in BYOD where I’d have to say ‘Ooops, I need your phone and you can’t have it back’?”
No one has provided all the answers to these security concerns yet, but given its importance to the government, a lot of people are working on it. The BYOD Toolkit published by the Obama Administration as a follow on from the Digital Government Strategy it published earlier in 2012 gives ideas of the broad approaches that can be taken:
— Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device.
— Walled Garden: Contain data or corporate application processing within secure application on the personal device so that it is segregated from personal data.
— Limited Separation: Allow comingled corporate and personal data and/or application processing on the personal device with policies enacted to ensure minimum security controls are still satisfied.
It’s an in-depth discussion that people need to engage in for this, said Kyle Keller, cloud business manager for EMC Federal. The first part of that is to ask whether agency data will be going to the user’s device, and if so if they will be allowed to copy that data to the device.
“Most customers I talk to say the desire is to give them access, but to maintain the data in their own or a shared data center they have with other agencies,” he said. “In that case, the question is how to take a data centric approach and secure the data and [control] access to it using two-factor authentication or something else.”
Organizations then need to consider the possibility that devices will be lost or stolen. The ability to remotely wipe a device clean is a “huge factor” in BYOD, he said.
Other approaches to security in the near future could include such options as implementing a hypervisor on the device itself. This would enable the IT department to create a specific work number for the user, set up a virtual instance of their workspace, and provide containers on the device that would automatically encrypt agency data.
A holistic approach to security would also help with identifying where BYOD makes sense in an organization and where it doesn’t, said Daniel McCrae, director of NOAA’s service delivery division. Such a managed risk approach would include things like the need for device security, use policies, encryption, remote management and so on.
“If you look at the nature of the work and a risk assessment points to a high degree of risk, or risk mitigation measures that would result in severely limited functionality, then maybe that type of work is not a good BYOD candidate,” he said.
So, any evaluation needs to start from the mission requirement said and determine if the nature of the work lends itself to a BYOD environment. That certainly doesn’t mean that there would be no security, McCrae said, “but if it’s to the point where the benefits are obviated because you do have that severely reduced functionality on the device, then chances are that the things they are trying to do with it are not a good fit for BYOD."
Another essential factor in security is the choice and use of mobile device management (MDM) tools, which provide a way for agency IT managers to centrally manage a range of different mobile devices and operating systems. They would be needed anyway, given the range of mobile devices that agencies will be taking on even if they provide those themselves. But there will be no way to manage and secure BYOD devices without them.
The problem with current MDMs, according to Tom Simmons, vice president of the U.S. Public sector for Citrix Systems, is that they generally require employees to provide rights to agencies so that they can manage device-based data and get access to the device-based components of the MDM technology. And as NSA’s Plunkett pointed out, they also would have to grant the government permission to use the MDM to wipe that device if it were compromised or lost.
“What we’re finding is that a lot of union negotiations and employee preferences would preclude the MDM of today from being the solution for BYOD,” he said.
What that is leading to in the near future are families of management solutions that embrace such things as mobile application management (MAM), mobile operations management (MOM) and other scenarios.
“In that case, it’s less dependent on putting a management technology on the device and more about managing the user profile and the applications and data that the user would have access to from any particular device,” Simmons said.
MDM was a decent descriptor a few years ago “when you were talking about a set of APIs to turn Bluetooth on or wireless off or to wipe the entire device,” said Chris Roberts, vice president, public sector for Good Technology. “Now, it’s got to become more of an enterprise mobility solution, a comprehensive platform to cover all of the relevant areas.”
That will be essential going forward, he said. Users are comfortable with government wiping a set of government apps and data from a device, but they don’t want their personal apps or data to be touched.
“This is where BYOD is stalling out right now, when end users look at the policies they are being asked to sign,” Roberts said. “So, if government just sticks with device management alone, then my prediction is that the adoption of BYOD will be slow going.”