The federal government knows that mobile devices are fundamental to how its agencies work. Mobility is a cornerstone of the May 2012 digital strategy for the federal government, titled “Digital Government: Building a 21st Century Platform to Better Serve the American People.” Among its goals is guidance on how federal agencies can efficiently and securely manage the devices that mobile employees use to access information.
The strategy directed the General Services Administration to set up a Digital Services Innovation Center and the Office of Management and Budget to create a Digital Services Advisory Group. Their purpose is to share lessons learned, identify best practices for federal use of mobile devices, and find ways to support mobile security, including oversight of emerging “Bring Your Own Device” (BYOD) programs.
Federal agencies with mobile security concerns have new resources at their disposal. The National Institute of Standards and Technology (NIST) released a draft publication on mobile risk management, “Special Publication 800-164: Guidelines on Hardware-Rooted Security in Mobile Devices.” It helps agencies address three key security capabilities for mobile devices: device integrity, isolation of processes, and protected storage. Here is what NIST says about each:
Device Integrity:
Device integrity is the absence of corruption in the hardware, firmware and software of a device. A mobile device can provide evidence that it has maintained its integrity if its software, firmware and hardware configurations can be shown to be in an acceptable state, as determined by a trusted third party. This approved state is communicated through notifications that device owners allow their device to send to the information owner. A device with integrity can report its configuration, health and operating status in a way that information owners can rely upon when deciding whether and how to interact with the device and its owner.
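An added illustration, not from the original page and not from NIST SP 800-164, of how an information owner might evaluate such evidence: a constructed attestation report from a device is checked for a valid signature and then compared against an allow-list of acceptable firmware and configuration measurements. The report format, the shared-key HMAC signature, the allow-list values and the sample reports are all assumptions made for this example; a real deployment would sign with a key held in device hardware, verify with the corresponding public key, and maintain the allow-list in a device management server.

```python
import hashlib
import hmac
import json

# Assumed shared verification key (example only). In practice the device signs
# with a hardware-protected private key and the verifier holds the public half.
VERIFIER_KEY = b"example-verifier-key-not-for-production"

# Assumed allow-list of acceptable measurements, as a trusted third party would
# publish it: approved firmware versions, approved configuration hashes, and
# flags that must be set for the device to be in an acceptable state.
APPROVED_STATE = {
    "firmware": {"2.4.1", "2.4.2"},
    "config_hash": {hashlib.sha256(b"mdm-profile-v7").hexdigest()},
    "required_flags": {"secure_boot": True, "storage_encrypted": True},
}


def canonical(report: dict) -> bytes:
    """Canonical encoding so that signer and verifier hash the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes) -> str:
    """Tag the device's report (the device side of the exchange)."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def verify_report(report: dict, tag: str, key: bytes) -> bool:
    """Constant-time check that the report has not been altered since signing."""
    return hmac.compare_digest(sign_report(report, key), tag)


def evaluate_integrity(report: dict, tag: str, key: bytes = VERIFIER_KEY,
                       approved: dict = APPROVED_STATE):
    """Information-owner decision: ('trusted' | 'untrusted', list of reasons).

    The signature is checked first; evidence that cannot be authenticated is
    rejected without looking at its contents.
    """
    if not verify_report(report, tag, key):
        return "untrusted", ["signature invalid: evidence cannot be relied upon"]

    reasons = []
    if report.get("firmware") not in approved["firmware"]:
        reasons.append(f"firmware {report.get('firmware')} not approved")
    if report.get("config_hash") not in approved["config_hash"]:
        reasons.append("configuration hash not approved")
    for flag, expected in approved["required_flags"].items():
        # Strict identity check: a missing flag or a non-boolean value fails.
        if report.get(flag) is not expected:
            reasons.append(f"{flag} is {report.get(flag)}, expected {expected}")
    return ("trusted" if not reasons else "untrusted"), reasons


# Constructed sample reports (not real device data).
GOOD_REPORT = {
    "device_id": "tablet-0042",
    "firmware": "2.4.2",
    "config_hash": hashlib.sha256(b"mdm-profile-v7").hexdigest(),
    "secure_boot": True,
    "storage_encrypted": True,
}
BAD_REPORT = {
    "device_id": "phone-0007",
    "firmware": "2.3.0",          # superseded firmware
    "config_hash": hashlib.sha256(b"mdm-profile-v7").hexdigest(),
    "secure_boot": True,
    "storage_encrypted": False,   # required protection disabled
}

if __name__ == "__main__":
    good_tag = sign_report(GOOD_REPORT, VERIFIER_KEY)
    print(evaluate_integrity(GOOD_REPORT, good_tag))
    print(evaluate_integrity(BAD_REPORT, sign_report(BAD_REPORT, VERIFIER_KEY)))
    # A report altered after signing fails before its contents are considered.
    tampered = dict(GOOD_REPORT, secure_boot=False)
    print(evaluate_integrity(tampered, good_tag))
```

The ordering matters: the verifier authenticates the evidence before interpreting it, so an attacker who can forge reports but not the key gains nothing by claiming an approved state, and a device that is honestly out of compliance is told exactly which measurement failed.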
Isolation of Processes:
Isolation prevents unintended interaction between applications and information contexts on the same device, so that data in one context (for example, enterprise applications) cannot be reached from another (for example, personal applications).
Protected Storage:
Protected storage preserves the confidentiality and integrity of data on the device while the device is at rest, while it is in use (in the event an unauthorized application tries to access an item in protected storage), and upon revocation of access.
NIST goes deeper into technology solutions for each of these three components. Commercial offerings exist that agencies can use to check that a device complies with policy (device management and compliance checking) and to run all enterprise applications in a separate, isolated zone on the device. Encryption of stored data also has several commercial options. By following this framework, organizations can choose the mix of devices that fits their workforce and the commercial solutions that provide NIST-recommended security for those devices.
Three additional things are recommended to enable an “end-to-end” mobile security solution:
Mobile Security Policy:
Government agencies need to develop policies that shape a wide range of activities. For mobile device security, most agencies will probably choose to update their existing policy with sections specific to mobile devices. Although that is the logical step, changing existing policy documents takes time. Agencies may want to issue interim guidance on mobile security so that they can implement security procedures immediately while the final policy update is pending.
What should a mobile security policy include? The key is concise direction on what individuals are and are not authorized to do. This is especially important for mobility, since enterprise data will reside on the devices. The policy should also spell out which controls will be applied to each user role, and should give guidance on topics such as training.
Training and Guidance for the Workforce:
Enterprise policy should apply to all employees and include specific training programs. These may take the form of online training with frequent, or at least annual, refreshers, since both the threats and the technology change quickly in this domain.
Visual Privacy Protection:
Mobile devices are used on planes and trains, in stores, restaurants and coffee shops, virtually everywhere. When a screen is unprotected, whether on a laptop, tablet or smartphone, a visual hacker can capture sensitive and confidential data simply by looking at it. Privacy screens, which narrow the angle from which a display is readable, belong on every device to better protect data from visual hacking.
Government agency employees are only going to become more mobile, making the need for a well-rounded security strategy that much greater. The sooner a strong “end-to-end” mobile security solution is established, the sooner mobile data security will improve.
3M is a trademark of 3M Company. ©2015, 3M. All rights reserved.