Agencies seek to secure mobile access to government network resources
As mobile networks expand, security and reliability take center stage
In one corner are government executives who want more flexible, mobile computing options that allow access to the data and applications needed to perform their jobs and deliver government services.
In the other corner are government IT administrators, who are focused on meeting mission objectives while complying with multiple requirements, including mandates for improved security, protection of personally identifiable information, expanded telework, data center consolidation and cloud-first, among other initiatives.
Consumerism is driving users to bring personal mobile devices to work, which raises requirements for better security protections and upgrades to agency networks to adapt and securely embrace mobility. “The pressure is on for both users and IT administrators to come to some sort of agreement,” said James McCloskey, a senior research analyst at Info-Tech Research Group, London, Ontario.
The Federal Mobility Strategy, which launched early in 2012, is structured to help accelerate the government’s adoption of mobile technologies and services by:
* Improving delivery of government information, products and services.
* Engaging citizens more fully and meaningfully with government.
* Reducing the cost of government operations through technology-enabled efficiencies.
* Increasing productivity by freeing government employees and contractors from outdated work practices.
Greater acceptance of mobile technologies is needed. Current industry estimates indicate that the number of the smart phone users will reach 1 billion by 2016.
While agencies await further guidance on how to securely implement greater mobility for workers, some innovative use cases have emerged. The Veterans Affairs Department, in an effort to stay current with private-sector health care settings, has provided tablet PCs for VA physicians to use in tracking patient encounters. Meanwhile, the Air Force purchased a large number of iPads for training, maintenance and operations staff to use on flight decks. And the U.S. Census Bureau mobilized more than 140,000 devices in its latest census effort. “At this early stage, the primary government trend has been to focus primarily on field workers, not a government organization’s entire workforce,” said Lauren Jones, a senior principal analyst for Deltek's Federal Market Analysis program.
Info-Tech estimates that by 2013 nearly every user in public- and private-sector organizations will be bringing a personal mobile device into the workplace. Ignoring the use of mobile devices can add up to a costly mistake because as much as 24 percent of an agency’s operational budget is at risk in lost time and increased risk by ignoring the influx of mobile devices on government networks, according to Info-Tech’s research.
Instead, government organizations should consider infrastructure changes to cover the cost of mobile device management and enable greater operational flexibility and efficiency, McCloskey said. Most government organizations already restrict the use of mobile devices. A variety of security technologies can be used to address different security challenges related to a bring-your-own-device environment.
Some primary tools to consider include:
• Mobile device management, which offers greater control over smart phones and tablet PCs and reduces risks and support costs.
• Secure Sockets Layer virtual private network, which provides browser-based secure access to organizational resources and might offer an application virtualization portal, along with improved enforcement of mobile security policies.
• Network access control, which generates tight control over who can use personal mobile devices to access specific systems, beyond simply providing separate guest wireless access.
• Data leak prevention, which allows IT control over the movement of sensitive data from critical systems.
• Security information and event management, which increases the visibility of potential security disruptions with centralized logging for audit and incident management.
CDW Government security experts recommend that agencies strive to minimize the sensitive-data footprint on all mobile devices. High-risk users and highly regulated environments benefit from the adoption of virtualization (of both applications and/or desktops) to reduce risks associated with data leakage.
By dealing with mobility issues, organizations can turn the headache of securing mobile devices into a clear case for network transformation, according to Info-Tech’s McCloskey. “Understanding and articulating the mission-focused value of mobile devices can help shape agency budget requests for capital expenses, such as security and virtualization, and aid agencies in realizing important opportunities to maximize IT value while transforming network infrastructures,” he said.
The success of mobile computing security requires a networking environment that optimizes user connectivity. Agencies must also develop a unified strategy for embracing mobility. The highest level of success can only be achieved when connectivity is combined with unified communications (UC) collaboration solutions and implemented with client/desktop or application virtualization solutions that allow for consistent, device-independent access to the applications users need to complete their daily tasks, Deltek’s Jones said.
In an era of greater transparency and accountability, along with tight budgets, widespread use of mobility solutions makes good sense. “Increased federal reporting requirements will encourage agencies to think more strategically [and] keep track of devices for mobile expense management and for required reporting on energy use compliance,” Jones said.
Government organizations should look for new guidance on mobile device security from the National Institute of Standards and Technology this summer, with the fourth revision of NIST’s Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53). NIST currently recommends cryptography validated to meet Federal Information Processing Standard 140-2 to protect the confidentiality, availability and integrity of information on mobile devices.