May 18 2012

Locking Down BYOD

Agencies find ways to accommodate employees’ personal devices on federal networks.

Employees at the Federal Deposit Insurance Corp. (FDIC) have been authorized to use their own mobile devices at work for several years, and users have adopted the policy with enthusiasm. CIO Russell Pittman  says every recent meeting he can remember has included several people using tablet computers.

One of the reasons that the FDIC’s “bring your own device” (BYOD) initiative has worked so well, Pittman says, is because the agency made some security-based decisions early on that set the tone and prepared the agency’s network to deal with the risks involved.

“We needed to ensure that the corporate data was separate from the personal data, and that the corporate data was only available to those who should have access to it,” Pittman explains.

The agency accomplished this by first putting technology in place that allows employees to access corporate data and e-mail applications on their own mobile devices but that does not let them download or save it on the devices. This is accomplished by using a secure, browser-based gateway along with a mobile virtualization platform that isolates the personal and corporate environments.

As BYOD takes off, Pittman is considering letting users store some corporate information on their personal devices. If that occurs, the organization will add a secure containerization technology that will encrypt data at rest and allow the secure container to be remotely wiped if necessary.

BYOD gives agencies valuable flexibility, but accepting users’ personal mobile devices on agency networks requires that IT shops shore up network security. Without that, IT departments can quickly lose control of who has access to data and applications and whether users’ devices are fully secure, leaving agencies vulnerable to unauthorized access to sensitive information.

For organizations that allow users to save or download data to their mobile devices, the first step is to implement a mobile-device management (MDM) solution. MDM monitors devices that are connected to the network and can remotely lock or wipe these devices.

Even if an agency doesn’t let users download or save data on their personal devices, security is still a priority, says Andrew Braunberg, research director for enterprise networks and security at Current Analysis in Herndon, Va. Many solutions can bolster network security for BYOD. The goal of mobile application management (MAM) products is to make apps more manageable and secure. Some solutions accomplish this with “wrappers” that control the use of the application. Others use containerization, which creates private “sandboxes” for sensitive apps.

Hypervisors, which create virtualized platforms that ride on top of the operating system, and data loss prevention technology also help protect the network against the risks associated with personal devices.

At the U.S. Equal Employment Opportunity Commission, CIO Kimberly Hancher  is in the midst of an ambitious project to let all of the organization’s employees use their own devices to download and synchronize their e-mail, calendars, contacts and tasks between the network and their personal devices.

The project is partially cost-driven — Hancher has had to find ways to make significant budget cuts, including the amount she spends on agency-provided RIM BlackBerry devices — and partially an effort to remain on the cutting edge.

The percentage of organizations that allow users to access network resources via personal devices.

SOURCE: SANS Mobility/BYOD Security Survey, March 2012

“As we went into the 2012 fiscal year, we had such severe budget cuts that I had to think of another way to reduce costs,” she says. “I wanted to use this to spur action on BYOD. ‘Bring your own device’ means that employees turn in their EEOC BlackBerry and use their own device, thereby lowering the EEOC’s annual operational cost of mobile-device data and voice services.”

For this project to work, Hancher first had to find a way for the mobile devices and network to operate with the agency’s Novell GroupWise e-mail system. The agency deployed a cloud-based MDM system that lets the agency set policies while providing over-the-air synchronization of e-mail and personal information management. Data is stored behind EEOC’s firewall, and all data to and from devices is fully encrypted. EEOC e-mail stored on a device can be wiped if the device is lost, stolen or otherwise compromised. 

The pilot started in December 2011, and a second phase is under way to fine-tune policies. Hancher hopes to have the entire program available for employee use this summer. Eventually, she says, the system also will include a “privileged interface,” which will allow employees with appropriate credentials to access more information via their personal devices.

aaa 1