Commentary
11/27/2013
11:30 AM
Ashok Sankar

Keep Data Off Mobile Devices & Away From Adversaries

Why we must focus on protecting the data rather than securing mobile devices.

Mobility is proving essential for warfighters, intelligence officers, and public-sector professionals who spend much of their day outside an office if not in unfriendly territory.

Combat troops in particular depend upon mobile devices and connectivity to get up-to-the minute information to stay aware of their situation. They can do their jobs much more efficiently using light, handheld smartphones and tablets as opposed to heavy, clunky computers.

On the civilian side, a US Forest Service official similarly can inspect remote radio communications towers more efficiently and, thanks to mobile technology, stay in touch with colleagues and write reports while he or she is out in the field.

Mobility – and the need to secure mobile communications – is growing more urgent as the number of federal employees expected to retire – and the surge of Millennials replacing them – continues to grow. Consider: 53% of full-time federal workers will be eligible for retirement by 2014 and nearly 61% will be eligible by 2016, according to a forecast from the US Office of Personnel Management (OPM). Most of these workers will be replaced by Millennials and younger generations -- professionals who tend to view mobility and the ability to bring your own device as a “right,” not a privilege.

Given that the momentum can’t realistically be halted, attention now turns to how to manage mobility and, in particular, mobile cybersecurity threats.


Predictably, the first wave of protection has taken hold in the form of encryption, containment, and mobile device management (MDM) solutions. These approaches focus on protecting the device.

Yet they are ill-equipped to adequately protect the wide range of highly classified and sensitive but non-classified data that exists across many federal agencies. That’s why the cybersecurity industry must shift its focus: protecting the data, as opposed to the device.

After all, devices are merely end points. Locking them down is complex and unmanageable – and fails to provide a real solution to the challenge of protecting the data mobile users still need to do their jobs.

Smartphones, tablets, and laptops may not be cheap, but you can replace them at a reasonable cost. The data, however, is often priceless and irreplaceable. Losing critical data could result in the complete disruption of critical operations for our Department of Defense (DoD), intelligence, and domestic agencies.

So why allow the data to remain so vulnerable by insisting that it reside on the device itself? Why not extend virtualization and secure redisplay concepts and technologies to ensure that data – and apps – can be safely accessed without compromising the user experience?

The day is coming soon when you’ll be able to keep all of your valuable data and apps running in the back-end IT systems of the enterprise, instead of on a smartphone or tablet, with the ability to replicate a mirror image of these key assets and tools onto the device itself.

Users won’t notice a difference, so they won’t complain about productivity interruptions. They will be able to securely access information to make confident decisions, especially under pressure during a time-sensitive mission.

With a virtual environment, IT system administrators will be able to limit user access to data within specific geographical endpoints (geofencing) – like near a Secure Compartmented Information Facility (SCIF). When they’re inside the SCIF, users can call up what they need to get the job done. When they leave, they no longer can do so and the data is no longer on the device, thus further protecting critical information.

Yes, the IT industry is developing these solutions now and some are already available. Bandwidth will no longer be a constraint. With increasing connectivity options, this virtualized environment is becoming very “real” to build, with desktop and remote-access paradigms for the mobile user. Industry is finally recognizing that any effort designed to protect the device will have limited impact. Again, it’s all about protecting the data, not the device.

In September 2012, the Defense Information Systems Agency (DISA) issued a Broad Agency Announcement (BAA) to equip its workforce with mobile devices that allow for Common Access Card (CAC)-enabled virtual thin client solutions. The pending virtual solutions will cover this requirement, in addition to all National Security Agency (NSA) mobile security standards.

This means that today’s mobile/BYOD generation government professionals – regardless of how old they are – can relax. No one needs to take their favorite devices away. Especially when we’re 100 percent confident that we’ll be better positioned than ever to protect what is in them.

Ashok Sankar leads market development and product strategy for Raytheon Trusted Computer Solutions. He specializes in cross-domain and multi-level security products for the Defense Department and the intelligence community.


Comments
asankar
User Rank: Apprentice
12/5/2013 | 11:39:25 AM
Re: VDI and data security
Actually, VMI - hosting the native mobile apps - offers a better experience than VDI on a mobile device given the relative 'weight' (less) of the mobile application. That is important since the primary driver behind device adoption is the user experience. People should be careful not to evaluate VDI on a mobile device and think that would be the same with VMI. Also, VDI is just Windows desktops, and organizations are slowly discovering that wrapping and other means to optimize them for mobile may not be the best approach compared to native mobile app development.
SaneIT
User Rank: Ninja
12/3/2013 | 7:18:50 AM
Re: VDI and data security
Actually I'm referring to both, but yes, virtualizing mobile apps in a safe sandboxed VDI solution would address a large number of the mobile security concerns out there. MDM solutions are still around but mobile devices are tough to manage in general. Moving those apps to an environment that you can work with and tighten controls on removes enough obstacles to security that it's worth a look for those who need to lock everything down.
Stratustician
User Rank: Ninja
12/2/2013 | 7:41:09 PM
Cloud access, not mobile storage
I absolutely agree that one of the easiest ways to help reduce this threat is to leverage virtual desktop technology.  The key is to keep data residing off the device, ideally in a cloud location, and accessed remotely, with no footprint left behind.  In addition, looking at strategies such as whitelisting files for how they can be accessed, used and stored, could go a long way to ensuring data is protected when accessed remotely, and eliminate a lot of the BYOD headaches that come from ensuring secured access to resources.
asankar
User Rank: Apprentice
12/2/2013 | 5:59:16 PM
Re: VDI and data security
SaneIT:

Your comment is very valid. As clarification, we are referring to virtualizing native mobile applications and not a desktop environment. We are already seeing solutions that are very close to local performance for email access, document review and video rendering. It is only a matter of time, and I don't believe it is too far off.
asankar
User Rank: Apprentice
12/2/2013 | 5:55:02 PM
Re: Data vs Devices
On J_Brandt's and David Carr's comments:

Yes, control is an issue - both from the user and corporate ends - and that is probably why BYOD is still having trouble taking off.  In this case we are talking about sensitive and classified data.  Many in the federal government, especially in DoD, are warming to the concept of mobile thin clients given the sensitive nature of data.  I guess for personal data, based on your risk tolerance, you may be comfortable with local data but do the same rules apply for PII or classified data that is mission critical?
asankar
User Rank: Apprentice
12/2/2013 | 5:45:44 PM
Re: Data vs Devices
We are seeing the same sentiments with a wider audience as MDM starts to get used more.  MDM does have its merits and is needed but the technology may have been oversold on its capabilities.
SaneIT
User Rank: Ninja
12/2/2013 | 10:00:42 AM
VDI and data security
VDI will go a long way to address most of the issues of mobile device data leaks but the problem is that a fast, reliable and trusted VDI solution has to be built first.  Right now the average office worker can sign up for Google Drive or Dropbox in under 2 minutes and start syncing data between a handful of devices keeping local copies where they want.  Anyone that I talk to about VDI is all for it and loves the concept but those who have implemented and are using it successfully are harder to find.  
shamika
User Rank: Apprentice
11/30/2013 | 10:29:12 AM
Re: Data vs Devices
Data must be protected in order to maintain the integrity and confidentiality of people; hence necessary control measures have to be taken to prevent any data loss.
Shepy
User Rank: Apprentice
11/28/2013 | 7:19:52 AM
Re: Data vs Devices
"I'll re-suggest an idea I've thrown out there before, but I really think at some point we're going to see virtualized cell phones and mobile devices, where there can be a corporate VM and a personal VM, with a hypervisor smart enough to allow phone calls etc to be routed through to appear on the active VM, and to provide notifications from either one. That way corporate can encrypt "their" VM and storage, it can require higher security, have remote wipe and all the things corporate likes. Meanwhile the personal VM is isolated from the work VM and can have pictures of cats on it, a shorter PIN, and so on."

There is kind of a hybrid of that happening already with the guest mode in Android multi-user devices, allowing a locked-down, more secure version for when you pass the device to a friend.
jgherbert
User Rank: Ninja
11/28/2013 | 12:51:51 AM
Re: Data vs Devices
Regardless, if data does need to be cached in any way on the device, we need encryption on the storage. The problem is that you really don't want to mix corporate and personal data.
I'll re-suggest an idea I've thrown out there before, but I really think at some point we're going to see virtualized cell phones and mobile devices, where there can be a corporate VM and a personal VM, with a hypervisor smart enough to allow phone calls etc to be routed through to appear on the active VM, and to provide notifications from either one. That way corporate can encrypt "their" VM and storage, it can require higher security, have remote wipe and all the things corporate likes. Meanwhile the personal VM is isolated from the work VM and can have pictures of cats on it, a shorter PIN, and so on.
Thin client is cute, and in some cases perhaps essential, but highly impractical in many instances when it's the only way to work.