Mobile device management solutions have long been a staple of federal security efforts, but as mobile technology evolves, untethered users are doing more than just syncing calendars and reading email while on the road. They are also accessing sensitive agency data and interacting with proprietary applications, which opens the door to new security risks.
Agencies need MDM solutions that can do more than just carry out basic administrative tasks. Fortunately, MDM is keeping pace with these demands. "MDM is evolving in many interesting ways, and enhanced security capabilities are one of the most important examples," says Eric Klein, senior analyst at VDC Research.
Case in point: When healthcare providers at the Veterans Affairs Department meet with patients, many carry bureau-provisioned tablets that securely call up patient records. Although the underlying proprietary applications don't allow patient data to be downloaded onto the devices, the VA relies on the AirWatch MDM platform for other security controls, such as knowing the location of each device and who's using it.
"MDM is one of the cornerstones of a successful mobile program," says DJ Kachman, director of mobile technologies and client security for the VA's Enterprise Systems Engineering office. "We use MDM to see how each device is conforming to our policies, including if it's running approved applications and an approved version of the operating system."
An agency's MDM solution must be flexible enough to handle the different ways that users employ their devices, says ATF's Walter Bigelow.
Verifying the validity of applications is one aspect of mobile application management (MAM), which some vendors are combining with MDM to create enterprise mobility management (EMM) systems. These systems may also create secure workspaces that separate agency and personal data, verify that encryption has been enabled on the device, and give IT administrators a way to broadcast messages to mobile users. The VA, for example, vets each new version of an operating system and then needs to reach every device holder. "MDM gives us a consolidated method of communicating with all the users of mobile devices," Kachman says.
He sees bulked-up MDM programs as a positive trend for IT administrators. "It always makes more sense from an infrastructure perspective to have a solution that addresses a variety of capabilities rather than having to integrate a number of different components," Kachman says. "This gives us more control over how we expand going forward."
These new capabilities come on top of traditional MDM features, such as enforcing password policies, blocking jailbroken devices from logging on to agency networks and turning off device features that violate agency policies. MDM programs can also lock down lost or stolen devices and, when necessary, wipe the data that resides on them.
This feature came in handy for the Equal Employment Opportunity Commission when one of its executives reported losing a smartphone while on a Washington, D.C., Metro train during the morning commute. The agency used its MDM technology — the GO!Enterprise platform from Globo — to turn on the phone's geopositioning feature. The staff quickly determined that the phone was following the path of Metro's Red Line, indicating that it had probably dropped on the floor of a subway car rather than having been stolen. "This gave us insight into what had happened to the device so we could act accordingly," says CIO Kimberly Hancher. "We immediately followed our established procedures: We locked the device and did a full wipe of the data."
As a result, any sensitive government data or contact information that had been on the phone was protected from unauthorized disclosure.
Tailor MDM for Each Role
The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is also deploying flexible MDM systems that let managers easily enable or disable mobile device features. The bureau provides smartphones and tablets to a wide range of users, from senior executives to field agents, and uses these devices to give them access to investigative reports, videos, calendars and email, as well as public mapping applications. ATF uses a combination of MDM solutions from Good Technology and AirWatch to administer and secure the devices.
"It's important to understand the various use cases and how agents may use mobile devices differently than managers and administrators," says Walter Bigelow, chief of ATF's IT Services Management Division. For example, the bureau disables Bluetooth communications on many of the smartphones it provides to staff members to reduce security risks. Phones for some field agents are an exception. "Agents who spend a lot of time in the car need hands-free capabilities," Bigelow says. "Otherwise, if you're holding a phone in one hand and a gun in the other, there aren't any hands left for the steering wheel."
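The conformance checks the article describes (approved OS versions and apps, jailbreak detection, encryption and passcode enforcement, lock and wipe for a lost device, and a role-based exception such as Bluetooth for field agents) can be expressed as a small policy evaluator. This is an added illustration, not code from the VA, ATF or any MDM product, and the approved lists, roles and device records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy data; a real agency would load these from its MDM console.
APPROVED_OS = {"ios": {"17.4", "17.5"}, "android": {"14"}}
APPROVED_APPS = {"agency-records", "secure-mail", "public-maps"}
# Hands-free exception for agents who work from the car, as in the article.
BLUETOOTH_ALLOWED_ROLES = {"field-agent"}
# Findings severe enough to keep a device off the agency network.
BLOCKING_FINDINGS = {"jailbroken", "encryption-disabled", "no-passcode"}


@dataclass
class Device:
    device_id: str
    role: str
    os_name: str
    os_version: str
    jailbroken: bool
    encrypted: bool
    passcode_set: bool
    bluetooth_on: bool
    installed_apps: frozenset
    reported_lost: bool = False


def evaluate(device: Device) -> tuple[list[str], list[str]]:
    """Return (findings, actions) for one device record."""
    findings = []
    if device.jailbroken:
        findings.append("jailbroken")
    if not device.encrypted:
        findings.append("encryption-disabled")
    if not device.passcode_set:
        findings.append("no-passcode")
    if device.os_version not in APPROVED_OS.get(device.os_name, set()):
        findings.append("unapproved-os")
    unapproved = sorted(device.installed_apps - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved-apps:" + ",".join(unapproved))
    if device.bluetooth_on and device.role not in BLUETOOTH_ALLOWED_ROLES:
        findings.append("bluetooth-not-permitted-for-role")

    # A lost device is locked and wiped regardless of its other state.
    if device.reported_lost:
        actions = ["lock", "wipe"]
    elif BLOCKING_FINDINGS & set(findings):
        actions = ["block-network-access"]
    elif findings:
        actions = ["notify-user"]
    else:
        actions = []
    return findings, actions
```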
NIST's Mobile Security Guidelines
MDM is just one element of a defense-in-depth strategy for mobility. The National Institute of Standards and Technology's Guidelines for Managing the Security of Mobile Devices in the Enterprise updates NIST's mobile security recommendations, which were originally published in 2008.
Among the recommendations are that agencies institute a mobile device security policy and secure each agency-issued device before providing it to a user. The publication includes guidance on securing organization-provided devices as well as personal smartphones and tablets used for work purposes.