NSA's Troy Lange says mobile computing can foster "an incredible amount of innovation."

Nov 04 2011

Warning: Agencies Must Lock Down Mobile Security

IT shops look to unleash the power of mobile computing, but they can’t lose sight of information assurance.

Some federal IT shops' first instinct in response to security concerns about the use of mobile devices is to forbid their use on agency networks. But that's not happening at many agencies. Rather than avoiding the risk of losing data on mobile devices, agencies are instead seeking ways to manage the risk. The promise of mobile technology — its impact on creativity and productivity — is too great to do otherwise.

"An incredible amount of innovation could happen if there's 24x7 access anywhere, anytime," says Troy Lange, mobility mission manager in the National Security Agency's Information Assurance Directorate. NSA currently supports thousands of mobile devices and would like to "greatly expand that number," Lange adds.

Rather than locking out mobile devices, agencies are moving swiftly to let employees use them as much as possible, while implementing multiple layers of security to limit the risks posed by mobile computing. Federal IT leaders are embracing mobility as a means to better fulfill their agency missions while maintaining the focus on protecting sensitive government data that could be accessed on a lost, stolen or compromised device. They're actively engaging wireless manufacturers to protect sensitive government data, which requires a higher level of security than is generally available on commercial smartphones. They're also looking to the cloud to serve data securely to remote devices, and working to establish mobile policies to minimize data loss.

NSA, Lange says, is eager to advance enterprise mobility so employees can mimic what's possible on personally owned smartphones. "The important point is being able to re-create that rich user experience, not because it's fun, but because it's enabling our mission. It really allows us to conduct our job of providing national security," he says.

Embrace, but Protect

Agencies face a number of thorny issues regarding mobile security: How do they integrate mobile devices into an overall IT architecture? How can they meet federal security requirements? Should they let employees use their personal devices for government work?

Despite these questions, agencies are aggressively implementing the technology, says W. Hord Tipton, executive officer at the International Information Systems Security Certification Consortium (ISC)². "It's not an area where they're throwing up their hands and saying, 'We can't do it.' They're doing it proactively," Tipton says.

The security threat from hackers, thieves and others demands that agencies remain vigilant. "There aren't a lot of specific examples where mobile devices have been attacked by worms or Trojans," Tipton says. "But one should not take any type of false comfort that the threat isn't there, or isn't real now."

Emma Garrison-Alexander, CIO at the Transportation Security Administration, notes that as mobile devices and platforms proliferate, so do security challenges. "The amount of malware that is being developed for the mobile platforms is increasing significantly, and as the major platforms grow in popularity, the malware becomes more sophisticated," Garrison-Alexander says.

So how do agencies lock down their systems and data as mobile use increases? There's no one-size-fits-all strategy, but a common theme involves layered security — deploying protection at multiple points in the network, including on end-user devices, on data traversing a network and on the network devices that data passes through. Robust, clearly defined security policies are also part of this multilayer defense.

"Our goal is to protect TSA data, maintain integrity of that data, making sure we have confidentiality, integrity and availability of network services, as well as ensuring our network has layered security to keep us from danger," says Garrison-Alexander. Mitigating risk "will be key to our pursuit of any significant new mobile initiatives."


Percentage of information security professionals surveyed who consider mobile devices a top security concern

SOURCE: International Information Systems Security Certification Consortium (ISC)²

A layered security strategy requires protecting the end device — whether it be a smartphone, a notebook PC or a tablet computer — with encryption and antivirus technology, along with additional security on the servers where the data actually resides.

"We can have some data resident on the devices, but, for the most part, our data is going to remain in the data center," Garrison-Alexander says. "We need a way to access the data, display it and use it for whatever employees need at the moment."

The multilevel approach to security is critical because TSA employees communicate with other government employees and partners in the private sector on a worldwide basis, Garrison-Alexander says. TSA currently provides mobile devices such as smartphones and Apple iPads to 13,000 employees.

Mobile Thin Clients

NSA, which manages secure communications for anyone connected to national security systems, displays similar vigilance when it comes to security layers. The agency is looking to use cloud-based data storage — thereby keeping data off mobile devices — so that the data can be given maximum protection.

"We have to get over the fact that widely deployed mobile phones are going to get lost. It's a fact of life," Lange says. "But with cloud storage, the data isn't resident on that end device," and therefore the risk is mitigated.

By moving to cloud storage, the agency will treat end-user devices, including smartphones, as thin clients with no resident data. Instead, thin clients tap into server-hosted applications and interact with data stored in the cloud. In addition, as part of the multilayered approach, NSA uses multiple levels of encryption that scramble data all the way to the top-secret classification, Lange says. As data is in transport, the agency moves it to edge devices over virtual private networks, he adds.

Agencies also emphasize the importance of clear, robust policies. For example, the Environmental Protection Agency instructs users not to leave devices unattended in public places and to keep "devices in sight at all times when going through security checkpoints at airports and other locations." Users throughout government encrypt information on mobile devices.

For the Marine Corps, the level of security that's available for mobile devices is the key factor in limiting what data and applications can be accessed. The Marines' specific concern is the "limited ability" of commercial mobile devices to support military policies, says Capt. Josh Dixon of the Marine Corps Systems Command. "For example, if the military is deployed operationally in an environment with high-emission threats, the devices are not capable of adequately mitigating this threat while continuing to transmit," Dixon says. The Marines use mobile devices only in low-threat environments and for nonsensitive information, he says.

TSA uses mobile devices for tasks such as e-mail, as well as browser-based access to internal resources and systems. Garrison-Alexander lists an "incredible variety" of off-the-shelf apps that could support TSA's mission in the future: command and control, location and mapping, and emergency response and hazardous materials databases.

The common goal among agencies — to use such applications to make their employees more productive — promises to drive a whole new range of secure mobile activity in the federal sector for years to come.

Photo: Drake Sorey