The Census Bureau has deployed a virtual desktop infrastructure to support employees’ BYOD efforts, says CIO Brian McGrath. Now it’s considering BYOD approaches for 2020 census-takers.

How Agencies Approach BYOD

Bring-your-own-device programs are still scarce in the federal government, but several agencies are making the case and readying deployments.

The 2012 Digital Government Strategy called for accelerated adoption of mobile workforce solutions, and agencies have been looking for ways to ramp up mobile strategies ever since. Many have found the business case for bring-your-own-device (BYOD) programs compelling.

By allowing employees to access Windows desktops remotely from personal devices, the U.S. Census Bureau's virtual desktop infrastructure (VDI) implementation has helped the agency reduce the number of regional offices from 12 to six. For the 2020 census, the Bureau is considering a full-scale BYOD implementation that allows enumerators to interview the public using census applications installed on their personal smartphones and tablets.

The Marine Corps has started ­planning what it calls a personally owned, corporate-enabled mobile ­device strategy, and the National Oceanic and Atmospheric Admin­istration (NOAA) has switched from BlackBerry phones to agency-issued iPhones as a possible prelude to a full-scale BYOD implementation.

During the process, they're discovering both the benefits and management challenges of BYOD. "Public agencies face many of the same BYOD challenges as private firms, including maintaining employee privacy, securing data on lost and stolen devices, and devising clear and meaningful BYOD policies," says Rich Santalesa, founder of the Sm@rtEdgeLaw Group, a technology-focused law firm.

Low TCO

At the Census Bureau, low total cost of ownership is the driving force behind its developing BYOD strategy.

"For an agency this size, the cost of procuring thousands of corporate-issued laptops and providing all the required infrastructure and help desk support is formidable," says Brian McGrath, associate director for infor­mation technology and CIO for the Census Bureau. "Rather than purchasing 6,000 laptops, we can now have 6,000 people working remotely, either permanently or intermittently, using their own equipment."

Through a Citrix XenDesktop VDI implementation, all the data and applications reside in the data center's private cloud. Users connect securely with two-factor authentication, including RSA tokens.

McGrath sees a raft of advantages to the VDI approach. "The endpoint device has no data stored on it, so we don't have to get involved with device encryption," he says. "If a mobile device is stolen, there's no risk to any sensitive data."

Support costs are low because users are already comfortable with their own devices, and it's much easier to keep software up to date on a few data center VDI servers than across thousands of different devices.

The bureau's strategy for the 2020 Census may be different, however. Instead of hitting the streets with paper forms or Census-issued notebooks, enumerators may take their personal smartphones, tablets and notebooks along with them and use them to fill out digital forms. How they will access the forms is still being determined. One possibility is to give users VDI access to centralized forms over wireless ­connections. But the bureau is also considering installing Census applications directly on the enumerators' devices.

"We're investigating whether we can write one set of code and port it to Windows, Android and iOS, or whether we'll be forced to write applications for each environment separately," McGrath says.

There are obvious management, security and privacy challenges to mixing Census and personal applications and data on the same device. "Instead of securing the entire device, we're looking closely at ways to separate, protect and secure just the data and applications used to conduct Census Bureau business," McGrath says.

The bureau is working with the National Institute of Standards and Technology to analyze a number of approaches, including several mobile data management solutions, as well as methods of baking security directly into the applications and data.

Keeping Private Private

When it comes to the Marine Corps' BYOD plan, an overriding concern is user privacy. "It all boils down to the fourth and fifth amendments of the Constitution," says Robert Anderson, chief of the Marines' Vision and Strategy Division. "We must ensure that the Marine Corps cannot be held liable in regards to a user's personal information on the device."

90% of government employees use at least one mobile device for work purposes. Of these, 69% use an agency-provided device, 15% use a personal one, and 16% use both.

SOURCE: "2014 Mobilometer Tracker: Mobility, Security, and the Pressure in Between" (Mobile Work Exchange and Cisco Systems, January 2014)

The Marine Corps is looking at two strategies. One is to utilize a Type 1 hypervisor on the devices that separates the phone at the chipset layer into two virtual machines.

"When the device boots, it does multiple tests at the hardware layer to ensure there hasn't been any compromise of the chipset," says Anderson. "Then it boots two virtual operating systems simultaneously, one for personal use and one for work applications and data." To protect user privacy, IT management and monitoring would be limited to the work environment only, without touching or monitoring personal applications and data.

As an alternate course of action,in case the hypervisor strategy doesn't work, the Corps is also considering sandboxing services for iOS and Android. The sandboxing works at the operating system level to separate work from personal applications and data using a container approach that prevents interaction between the two environments.

"We're using DARPA [Defense Advanced Research Projects Agency] toolsets to run security analyses on the devices, operating systems and sandboxing technologies," says Anderson.

The business case for BYOD in the Marines? Aside from the hardware savings, the Corps believes it can forgo the cost of voice and data plans. Anderson estimates that by replacing half of its 11,000 enterprise-issued BlackBerry devices with personally owned, corporate-enabled devices, the Corps could empower 85,000 new devices and users, allowing faster collaboration and decision-making.

Initially, the Corps envisions using personal devices for email, calendars, tasks and notes. The next step will be providing users with access to SharePoint and other web portals.

Pursuit of Happiness

Shortly after NOAA started its transition from BlackBerrys to the iPhone 5 in 2011, IT realized it would need a robust mobile device management (MDM) solution to provision, manage and secure the agency-issued phones. After investigating several solutions, it signed on with Fiberlink's MaaS360 cloud-based management platform.

"MaaS360 let us put a lot of stand­ardization into security configuration, provisioning and management," says Daniel McCrae, director of NOAA's service delivery division. "It enforces all the federal security guidelines, including password lengths and complexity, encryption and user-application constraints. If we go BYOD, it will be a key component."

Meanwhile, NOAA has started surveying its user base to gauge the demand for BYOD and to determine the conditions that need to be put in place. The program would have to support a variety of devices in diverse environments, such as forecasting offices, storm damage assessment areas and ships at sea, McCrae says. Aside from cost savings and data access, McCrae appreciates the possibility that BYOD could boost user satisfaction. "It positions the agency as a good place to work with a lot of flexibility in technology and tools," he says.

To that end, NOAA is investigating MaaS360's application and data sandboxing capabilities. "If we want people to sign up, sandboxing will have to be done in a way that is nonintrusive and nondestructive to the user's personal ­applications and data," McCrae says.

NOAA is also learning from its MDM decisions. For example, the agency eventually embraced application blacklisting (specifying apps not allowed) for managing apps on mobile devices, a significant change from the whitelisting approach (specifying apps that are allowed) the agency took before implementing its MDM system.

"BYOD has us asking a lot of questions," says McCrae.

Khue Bui
Apr 29 2014