Striking the Mobile Security Balance
When the FBI first launched its mobility program, the emphasis was on security above all else, but employees found the devices so secure that they were nearly impossible to use.
“We treated these devices like a desktop,” David Rubin, the bureau’s head of mobility, said Tuesday. “We have a picture of one of our agents sitting on the ground with their device plugged into a wall in the middle of a kidnapping investigation. Now how is that mobility?”
That was the first lesson the FBI had to learn as it ventured into the world of mobile device management (MDM). The agency has since learned that devices need to be controlled tightly — but not so tightly as to negate the benefits of the mobility program.
Rubin was one of three panelists at the “Enabling a Secure Mobile Workforce” event, held by the Bethesda chapter of AFCEA, an international information technology association. The other panelists were Joseph Ronzio, special assistant to the chief health technology officer at the Department of Veteran Affairs, and Walter Bigelow, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) chief of the IT Systems Management Division in the Office of Science and Technology.
The ATF’s goal is to be “reasonably liberal” with security of the devices it distributes, Bigelow said during the event. He said the agency has about 3,600 iPads and 3,000 iPhones distributed among approximately 6,500 employees and contractors.
“Security and mobility is all risk management,” Bigelow said. “You want to have a managed device and a managed environment, but you don’t want to have to lock that sucker down. One of the keys is getting feedback from the end users and seeing exactly what they use the device for and then make adjustments for that as you go along.”
One idea that is starting to gain traction in the federal MDM community is the creation of mobility security standards akin to the Federal Risk and Authorization Management Program’s standards established for cloud computing.
The three panelists were all in favor of such a measure, although Rubin and Bigelow said that both the FBI and ATF must meet similar requirements for providing technology for the Justice Department.
Ronzio said he wants the federal mobility community to break the silos that currently dictate much of the way that agencies, including the VA, buy mobile connectivity. He said his longer-term hope is that management of mobile devices will blend into the enterprise management practices that oversee all computing practices within a federal agency.
“I want to move to managing the entire computing infrastructure universally without four or five people needing to come to someone’s desk for different technology problems,” Ronzio said.
Along with overhauling how an agency manages mobile devices, Bigelow said he would like to see solutions for monitoring the different types of unified communications that are used on the devices. He said that ATF is looking into using SMS text messaging, which sounds easy enough, but has been a challenge to work with the carriers to capture the messages after they are sent.
Bigelow added that for other kinds of unified communications, such as Yahoo Messenger or Google Voice, where the messages are data instead of SMS, it is nearly impossible to capture the messages, a capability undercover agents need to communicate with targets during an investigation.
“No one has the solution that can lock this down that we’ve seen yet,” Bigelow said. “Our agents need to be able to use the technology that the bad guys use to communicate, and then we need to be able to recover it to put it in our case management system to be used as evidence.”