Keep Data Off Mobile Devices & Away From Adversaries
Why we must focus on protecting the data rather than securing mobile devices.
Mobility is proving essential for warfighters, intelligence officers, and public-sector professionals who spend much of their day outside an office if not in unfriendly territory.
Combat troops in particular depend upon mobile devices and connectivity to get up-to-the minute information to stay aware of their situation. They can do their jobs much more efficiently using light, handheld smartphones and tablets as opposed to heavy, clunky computers.
On the civilian side, a US Forest Service official similarly can inspect remote radio communications towers more efficiently and, thanks to mobile technology, stay in touch with colleagues and write reports while he or she is out in the field.
Mobility – and the need to secure mobile communications – is growing more urgent as the number of federal employees expected to retire – and the surge of your Millennials replacing them – continues to grow. Consider: 53% of full-time federal workers will be eligible for retirement by 2014 and nearly 61% will be eligible by 2016, according to a forecast from the US Office of Personnel Management (OPM). Most of these workers will be replaced by Millennials and younger generations -- professionals who tend to view mobility and the ability to bring your own device as a “right,” not a privilege.
Given that the momentum can’t realistically be halted, attention now turns to how to manage mobility and, in particular, mobile cybersecurity threats.
Predictably, the first wave of protection has taken hold in the form of encryption, containment, and mobile device management (MDM) solutions. These approaches focus on protecting the device.
Yet, they are ill equipped to adequately protect the wide range of highly-classified and sensitive-but-non-classified data that exists across many federal agencies. That’s why the cybersecurity industry must shift its focus: Protecting the data, as opposed to the device.
After all, devices are merely end points. Locking them down is complex and unmanageable – and fails to provide a real solution to the challenge of protecting the data mobile users still need to do their jobs.
Smartphones, tablets, and laptops may not be cheap, but you can replace them at a reasonable cost. The data, however, is often priceless and irreplaceable. Losing critical data could result in the complete disruption of critical operations for our Department of Defense (DoD), intelligence, and domestic agencies.
So why allow the data to remain so vulnerable by insisting that it reside on the device itself? Why not extend virtualization and secure redisplay concepts and technologies to ensure that data – and apps – can be safely accessed without compromising the user experience?
This day is coming soon when you’ll be able keep all of your valuable data and apps running in the back end IT systems of the enterprise, instead of on a smartphone or tablet, with the ability to replicate a mirror image of these key assets/tools onto the device itself.
Users won’t notice a difference, so they won’t complain about productivity interruptions. They will be able to securely access information to make confident decisions, especially under pressure during a time-sensitive mission.
With a virtual environment, IT system administrators will be able to limit user access to data within specific geographical endpoints (geofencing) – like near a Secure Compartmented Information Facility (SCIF). When they’re inside the SCIF, users can call up what they need to get the job done. When they leave, they no longer can do so and the data is no longer on the device, thus further protecting critical information.
Yes, the IT industry is developing these solutions now and some are already available. Bandwidth will no longer be a constraint. With increasing connectivity options, this virtualized environment is becoming very “real” to create, with desktop and remote-access paradigms for the mobile user. Industry is finally recognizing that any effort designed to protect the device will have limited impact. Again, it’s all about protecting the data, not the device.
In September 2012, the Defense Information Systems Agency (DISA) issued a Broad Agency Announcement (BAA) to equip its workforce with mobile devices that allow for Common Access Card (CAC)-enabled virtual thin client solutions. The pending virtual solutions will cover this requirement, in addition to all National Security Agency (NSA) mobile security standards.
This means that today’s mobile/BYOD generation government professionals – regardless of how old they are – can relax. No one needs to take their favorite devices away. Especially when we’re 100 percent confident that we’ll be better positioned than ever to protect what is in them.
Ashok Sankar leads market development and product strategy for Raytheon Trusted Computer Solutions. He specializes in cross-domain and multi-level security products for the Defense Department and the intelligence community.
Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters in “The Great Email Migration” report. (Free registration required.)
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.