Guide to Mobile Security in Government

AGENCY OF THE FUTURE: MOBILE SECURITY

TABLE OF CONTENTS

Executive Summary
Revealing the Current Reality: GovLoop Survey Results
Facing an Uncertain Future: Perspectives on Policy, Personnel & Training
    Begin with the End User in Mind (Interview with Rick Holgate, Assistant Director for Science & Technology and the Chief Information Officer for the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF))
    Sample User “Rules of Behavior” from ATF
    Get Your Enterprise and Employees Ready (Interview with Bradley Nix, CISO at the Agriculture Department’s Food & Nutrition Service)
    6 Steps for Securing a Mobile Enterprise
    Partnering to Protect America’s Data (Interview with Jeff Ait, Director, Public Sector – Americas, Good Technology)
Conclusion
Mobile Security Cheat Sheet
Acknowledgements


FOREWORD

By the end of 2014, Gartner predicts that there will be 2.5 million mobile devices worldwide, with tablet shipments growing by 68 percent year over year. The Pew Internet and American Life Project reports that six out of ten Americans own a smartphone and two out of three check their phones incessantly. The same research reveals that mobile device owners most often use them to coordinate meetings, solve unexpected problems, find quick answers to questions or get up-to-the-minute information. In short, we can’t live without our mobile devices – and our reliance on them is only growing by the day.

So what does the future look like when it comes to mobile devices in the workplace? Based on the research cited above as well as the survey results featured in this guide, it’s clear that employees are increasingly using mobile devices, both personally owned and agency-issued, to complete mission-critical functions in their organizations.

Our goal is to enable government’s transition to a mobile future safely and securely. Agencies shouldn’t have to inhibit access to data and hamper productivity in the process. They should be able to trust that their technology can handle an anytime, anywhere workforce without compromising the mission. We believe that’s not just possible; it’s imperative. And we’re committed to helping government agencies approach that future with bold confidence.

CRAIG ABOD President, Carahsoft Technology Corp.



EXECUTIVE SUMMARY

One thing is certain: Government employees are using mobile devices to access agency data, and that reality raises significant risks. However, the question is not: How can we prevent them from doing so? The key query must be: How do we leverage that flexibility and mobility to achieve optimal productivity while still securing the mission?

Before many of you are able to answer that question, you might wonder if government employees are using tablets and smart phones to complete work activities. According to a recent report from market intelligence firm IDC, by 2017 more than 87 percent of all devices purchased in the market will be smart phones and tablets. That evidence corroborates the results of a GovLoop survey completed for this guide, which shows significant use of both agency-issued and personally owned mobile devices by government employees right now. The use of mobile devices is a trend that will increase quickly in the coming years and has implications for agency employees and the ways in which government will interact with citizens.

In light of these trends, GovLoop is pleased to produce this most recent guide in its “Agency of the Future” series, this time turning our attention to the important matter of mobile security. Specifically, this guide contains the following valuable information:


• Results from a survey of 255 government employees.
• Expert insights from three of the most respected leaders in mobile security:
  • Rick Holgate, chief information officer at the Bureau of Alcohol, Tobacco, Firearms and Explosives.
  • Bradley Nix, chief information security officer at the Department of Agriculture’s Food and Nutrition Service.
  • Jeff Ait, director, Public Sector – Americas at Good Technology.
• Sample User ‘Rules of Behavior’ from ATF.
• 6 Steps for Securing a Mobile Enterprise from NIST.
• Mobile Security Cheat Sheet, a summary of the guide’s core contents.

This guide should be required reading for CIOs, CISOs and other senior-level stakeholders who wish to understand the current practices and perspectives of frontline employees using mobile devices in government today. Moreover, the guide will be a valuable resource for any government employee hoping to better understand the nuances and critical issues surrounding the secure use of mobile devices to perform their vital, mission-advancing functions.


“Trying to achieve the same level of control and predictability in the mobile environment that we’ve enjoyed with the desktop model over the last 15 years is not a sustainable position. We need to shift our thinking so that there is less emphasis on controlling the devices themselves and become more comfortable with allowing personally owned devices.”

- Rick Holgate, Chief Information Officer, Bureau of Alcohol, Tobacco, Firearms and Explosives

“We will be in a place with mobile devices in the future and we will need to make decisions on what types of data those devices can access. We need to do a better job of identifying what it is so that when we get to a place with the technology, we can better segment the different types of data that we are allowing for different devices.”

- Bradley Nix, Chief Information Security Officer, Department of Agriculture’s Food and Nutrition Service

“I don’t think you should restrict access to a phone when the purpose is to help you function when you are away from your laptop. Restricted access would lower productivity and prevent me from being able to do my job properly.”

- GovLoop survey respondent


REVEALING THE CURRENT REALITY: GOVLOOP SURVEY RESULTS

Government employees want mobile security policies that protect agency data while giving them flexibility to download apps and use personal devices that lead to higher levels of productivity. That’s the primary finding of a recent GovLoop survey of 255 public-sector professionals regarding mobile security in government. In our survey, we asked:

• Do you use mobile devices to complete your primary work activities?
• How much time do you use each device (e.g., laptop computer, smart phone, tablet) per week?
• Does your agency have a mobile device security policy?
• How much control do you have in downloading applications to your device?
• Have you attended mobile security training in the past year?

These questions, their answers and more are explored in this section.

USE OF MOBILE DEVICES IS UBIQUITOUS

According to our survey, nine out of 10 government employees indicated that they use a mobile device to complete their primary work functions, which points to the relative ubiquity of these tools in the public sector. (See Figure 1.)

FIGURE 1: Do you use a mobile device to complete your primary work functions? Yes 86%, No 14%.


Of the respondents who use a mobile device, our survey found that:

• 22 percent use mobile devices more than 40 hours per week to complete their primary work functions.
• 48 percent use them for work between 10 to 40 hours per week.
• 30 percent of government employees leverage mobile devices less than 10 hours per week.

Note also that 46 percent of government employees are using mobile devices for at least half of their functional hours. That’s a significant amount of time, and a clear sign that mobile tools are gaining traction. See Figure 2 for full results and usage breakdowns.

AGENCY-ISSUED LAPTOPS AND PERSONAL SMART PHONES ARE MOBILE DEVICE LEADERS

As shown in Figure 3, a finding that likely comes as no surprise is that 75 percent of respondents indicated that their agency-issued laptop computers were the device they use most to get work done. However, in a result that should command attention, the second most-used device was employees’ personal smart phones. Specifically, agency employees use personal smart phones 60 percent of the time to complete work activities. Another 53 percent perform work duties with agency-issued smart phones. Personal laptops and tablets were used by just less than half of respondents and roughly one-third use agency-issued tablets.

Our survey discovered the following proportion of personnel who spend more than 20 hours per week on a given device:

• 53 percent use agency-issued laptops.
• 17 percent use agency-issued smart phones.
• 14 percent use personal smart phones.
• 10 percent use personally owned laptops.

Note that personal smart phones are used more than personal laptops for work, which is an early sign of the growing importance of smaller mobile devices. Although tablets were not used more than 20 hours per week, they are becoming an increasingly important productivity tool. Roughly 22 percent of survey respondents said they use agency-issued tablets and another 21 percent said they use their personal tablets for work 10 to 20 hours each week. Three out of four respondents use their personal laptops and another 69 percent use their personal tablets less than 10 hours per week. Please see Figure 3 for the full breakdown.

FIGURE 2: How much do you use mobile devices to complete work activities? 0-10 hours/week 30%; 10-20 hours/week 24%; 20-30 and 30-40 hours/week 13% and 11% (order as extracted); 40+ hours/week 22%. (Per-device breakdown for agency-issued laptop, personally owned smartphone, personally owned laptop, agency-issued tablet, agency-issued smartphone and personally owned tablet: values not recoverable.)

FIGURE 3: How much do you use each device for work-related activities? Laptop, agency-issued 76%; Smartphone, personally owned 60%; Smartphone, agency-issued 53%; Laptop, personally owned 48%; Tablet, personally owned 47%; Tablet, agency-issued 35%.

APPLICATION ACCESS AND DOWNLOAD DYNAMICS

Having established that government employees are using mobile devices for work-related activities, we also wanted to learn what freedom and flexibility they have in modifying agency-issued devices, especially their ability to download mobile applications.

Seventy-five percent of respondents said that they can download or use mobile applications. One out of four said they do not enjoy that kind of freedom. (See Figure 4.)

We drilled down a bit further to ask about the degree to which agencies are controlling their devices and learned that:

• 28 percent of survey takers said that their agencies gave them a pre-loaded device with no ability for them to load more apps.
• 26 percent have an unfettered ability to download more applications.
• 19 percent said their agency had given them an approved list of apps that they could download.
• 27 percent responded “other” or were unsure of their ability to download applications.

For those who answered “other,” their primary reason was that they don’t use agency devices and instead opt for using their own personal device. (See Figure 5.)

We also asked, “How much control do you think an employee should have for any device (agency-issued or personally owned) that is used for work-related activities?” Here’s what respondents told us:

• 49 percent felt that there should be significant user control with some agency restrictions.
• 32 percent of employees were in favor of limited user control and significant agency restrictions.
• 7 percent said there should be no user control and full device management by an agency.

Perhaps the most surprising response to this question was that only 8 percent of respondents thought that they and their colleagues should have full user control over their mobile devices. Figure 6 visually outlines the distribution of responses. When given an opportunity to offer commentary, government employees said:

“If it is my personal device, I control it. If it is not, then the agency controls it.”

“You need to differentiate between devices. Desktops/laptops are ‘very controlled.’ Smart phones and iPads are wide open.”

“It depends on who owns it, and if it is subject to public records.”

Lastly, one survey taker opted not to use an agency-issued device in order to preserve a higher level of personal control and avoid overly intrusive agency-device management.

FIGURE 4: Do you download mobile applications on these devices? Yes 75%, No 22%, Other 3%.

FIGURE 5: What control do you have in downloading mobile applications to your agency-issued mobile device? My agency gave me a pre-loaded device with no ability to load more apps 28%; I can download whatever apps I want 26%; My agency has an approved list of apps that I can download 19%; Unsure/Other 27%.

FIGURE 6: How much control should an employee have with a mobile device used for work? Significant user control, some agency restrictions 48%; Limited user control, significant agency restrictions 32%; Full user control over the device 8%; No user control, full management by an agency 5%; Other 6%.

PROTECTING DATA WHEN THINGS GET PERSONAL

In a previous report titled “Exploring Bring Your Own Device in the Public Sector,” GovLoop addressed the precarious circumstance in which employees are increasingly accessing agency data from personal devices. In that report, we wrote:

The lines between professional and private lives have progressively blurred as technology has evolved. Work information accessed and stored on a personal device clearly still belongs to the organization, not the individual. Personal devices are used, however, to store music, photos and other personal data that is created or stored by employees. This combination of personal and professional data can create issues in the event that a device is lost or stolen, if there is a security concern, or when an employee exits the organization. To avoid potential ownership issues, it is important to make sure that there is a clear process for removing agency data from the device. One approach to dealing with the blurring of personal and professional data is containerization. This approach to data management would enable users to compartmentalize personal and work data, utilizing virtual desktop infrastructure and cloud computing.

To read the full report and review our additional recommendations for a BYOD environment, please visit: http://www.govloop.com/profiles/blogs/new-govloop-report-exploring-bring-your-own-device-in-the-public-.


MOBILE SECURITY POLICIES ARE IN PLACE BUT POTENTIALLY HINDER PRODUCTIVITY

When asked if their agencies had a mobile security policy in place, 77 percent said yes and 10 percent said no. Another 13 percent were uncertain. The good news is that the vast majority of agencies appear to be on top of their game when it comes to mobile security. The bad news is that up to a quarter of agencies may be operating without one. (See Figure 7.)

We also wanted to understand the impact of these policies on employee productivity, asking, “Does the mobile security policy in effect at your agency hinder you from doing your job effectively?” The verdict was split, with 38 percent saying yes and 46 percent no. Almost one in five (17 percent) weren’t sure. (See Figure 8.)

Going a step further, we asked, “Have you, in using your personal mobile device, ever circumvented your agency’s security policy?” To the relief of information technology security professionals everywhere, 66 percent responded no. But about one-quarter (26 percent) said yes, which is a significant enough representation to encourage security personnel to explore the implications of personal device use for work-related activities. (See Figure 9.) Consider also the following respondent comments:

“I use my own mobile devices -- smart phone, tablet and laptop -- so I can work more effectively at remote locations.”

“When teleworking, if I cannot access a webcast due to security, I will simply access the webcast using my home PC. So I do not have to circumvent nor would I want to circumvent, but it is somewhat annoying.”

“Goodness! The idea! I’m shocked, shocked to find that I have to go off the reservation to get work done!”

Several others said that they weren’t intentionally circumventing policy for any reason other than accomplishing specific work tasks, such as training and research, through their mobile devices.

FIGURE 7: Does your agency have a mobile device security policy? Yes 77%, No 10%, Unsure 13%.

FIGURE 8: Does the mobile security policy at your agency ever hinder you from doing your job effectively? Yes 38%, No 46%, Unsure 17%.

FIGURE 9: Have you circumvented your agency’s security policies to be more productive? No 67%, Yes 25%, Other/Explain 8%.

AGENCY EMPLOYEES ARE WILLING TO SIGN USER AGREEMENTS…TO A POINT

With this context in mind, we wondered if respondents thought it would be fair for agencies to ask them to sign a user agreement for any device -- agency-issued or personal -- that they used for work-related purposes. As shown in Figure 10, 72 percent said yes and 19 percent said no. Comments shed a bit more light on these responses, with one individual saying:

“If it is a personal device, then no. If the employer pays for or issues a device, then the employer should have some agency restrictions.”

Special circumstances might also precipitate the need for an agreement. For instance, another government employee suggested that: “There should be an agreement when sensitive information may be collected/transmitted/stored.” Another said that agreements ensure that “employees know security limitations when using a device for government work-related tasks.” Ultimately, however, most respondents said it depends on the device, the level of staff usage and who owns it.

FIGURE 10: Should employees be required to sign a user agreement for *any device* used for work-related activities? Yes 72%, No 19%, Unsure 9%.

REMOTE ACCESS FROM PERSONAL DEVICES IS RELATIVELY STANDARD AND SECURE

When asked if a respondent’s agency permits remote access to work-related resources on personal devices, 63 percent said yes and 37 percent said no. (See Figure 11.) In order to gain remote access, 62 percent of respondents said their agencies require just a username and password. Six percent require a smart card and 26 percent must use all three. A common written response was the need for an RSA SecurID token, a mechanism used to assign a unique authentication code for a device user, in addition to more than one username and password combination. (See Figure 12.)

FIGURE 11: Does your agency permit remote access to work-related resources on devices that are not agency-issued? Yes 63%, No 37%.

FIGURE 12: Which credentials do you use when accessing work-related resources via mobile devices? Username and password 62%; Smart card 6%; Both 26%; Other 7%.

THE BIGGEST CHALLENGES TO MOBILE SECURITY AND APPROACHES TO MITIGATE THEM

Finally, we wanted to understand respondents’ perceptions when it came to the biggest challenges to implementing mobile device security. Figure 13 reveals the breakdown of responses:

• 26 percent of respondents say employees ignore policy and training in their mobile device usage.
• 23 percent of employees lack an adequate understanding of mobile security threats.
• 16 percent of respondents say agencies are not prioritizing mobile security in comparison with other strategic needs.
• 16 percent of respondents say the costs associated with implementing secure, mobile device management approaches are too high.
• 11 percent of respondents say agencies are not offering adequate mobile security policy or training.

FIGURE 13: What do you think is the biggest challenge to implementing mobile device security in an agency? Employees ignoring policy and training 26%; employees lacking an understanding of mobile security threats 23%; agencies not prioritizing mobile security 16%; costs of secure mobile device management too high 16%; agencies not offering adequate policy or training 11%; other 8%.

To some degree, there appears to be a disconnect between employees’ reported responsiveness to mobile security policy and their perceptions of the biggest challenge. Remember that two out of three respondents said they do not circumvent policy, yet the top answer here suggests that agency personnel think their colleagues are not abiding by established policy. This disparity might be an area ripe for further exploration.

Another incongruity in the responses comes from the fact that 62 percent reported attending mobile security training in the past year, yet it seems that a top challenge is employees’ continued lack of an adequate understanding of mobile security threats. So, is training the answer, or should agencies get more creative in delivering important mobile security awareness information? (See Figure 14.)

FIGURE 14: Have you attended agency-initiated cybersecurity awareness training in the past year? Yes 64%, No 36%.

In light of these challenges, we also asked respondents to rank risk-mitigation methods. Figure 15 illustrates the following order:

• 72 percent cited establishing clear mobile security policy for all employees.
• 58 percent cited providing regular training on mobile security for employees.
• 49 percent cited deploying security software on mobile devices.
• 42 percent cited assisting employees in securing their personal device(s).
• 23 percent cited requiring agency IT/cybersecurity personnel to conduct periodic assessments of mobile devices.
• 18 percent cited ensuring that an employee is using agency-issued technology.
• 17 percent cited restricting access to certain websites from mobile devices.
• 6 percent cited restricting access to mobile devices.
• 1 percent cited restricting employees from working outside of their primary duty location.

From these responses, it’s clear that employees see the need for policy and training. They are also open to having security software on their agency-issued devices and/or assistance with securing their personal tools. In light of these findings, government employees have made three bold statements regarding mobile security:

• They don’t want to be required to use only agency-issued technology.
• They don’t want to be restricted in accessing mobile data and applications from any device.
• They don’t want to be anchored to their primary duty location to get work done.

The bottom line regarding mobile security challenges is that the government workforce wants to use mobile devices – and they want to use them securely and to achieve optimal levels of productivity.

TOP 12 TAKEAWAYS FROM THE SURVEY

Here’s a recap of notable survey responses:

• 86 percent use a mobile device to complete their primary work functions.
• 46 percent use them more than 20 hours per week.
• 75 percent said that their agency-issued laptop was the device they use most to get work done.
• 60 percent use their personal smart phones and 53 percent use agency-issued smart phones to complete work functions.
• 75 percent download or use mobile applications on these devices.
• 77 percent reported that their agency had a mobile device security policy in place.
• 38 percent believed these policies hinder their productivity.
• 26 percent have circumvented these policies to be more productive.
• 72 percent are willing to sign user agreements for their devices.
• 72 percent think sound policy is the top risk-mitigation approach.
• 27 percent suggested that policy and training are ignored and that agency employees still lack a solid grasp of the risks surrounding mobile devices.
• 58 percent say training is the answer, but 11 percent say that agency training is adequate.

These results paint a fascinating picture and offer several important insights that assist senior leaders and other key stakeholders in establishing policy and protections for an increasingly mobile workforce. Mobile devices are here to stay and agencies ought to continue to evolve their strategies to address the changing technology landscape in their organizations.

FIGURE 15: What are the most effective methods for mitigating mobile security risks while maintaining employee productivity? Establishing clear mobile security policy for all employees 72%; providing regular training on mobile security 58%; deploying security software on mobile devices 49%; assisting employees in securing their personal devices 42%; requiring agency IT/cybersecurity personnel to conduct periodic assessments of mobile devices 23%; ensuring employees use agency-issued technology 18%; restricting access to certain websites from mobile devices 17%; restricting access to mobile devices 6%; other 4%; restricting employees from working outside their primary duty location 1%.


The Mobility/Telework portfolio at Carahsoft includes industry-leading and emerging technology solutions to enable government agencies to support a changing workplace. Organizations need to adapt rapidly to shifting user needs while maintaining data privacy and compliance requirements.

Mobile Security, Development & Infrastructure

Deliver Optimized Experiences Across Mobile Device Types

Software-Defined Switching Platform

Secure Mobile Collaboration

Identity Assurance for iOS

Single Sign-On

Secure Mobile Storage & Device Management

iOS Security Training

Identity Access

Application Security Testing

Mobile Data Encryption Software

Integrated Mobile Workforce Platform

Development & Provisioning Tools for Mobile Apps

Secure Mobile File Sharing

Secure Enterprise File Sharing & Synchronization

Web Conferencing, Training, Collaboration

Enterprise Mobility Management

Document Collaboration

Mobile Printing and Faxing

Cloud Based Electronic Signature Platform

Secure Identity & Credential Management

Capture-Enabled Mobile BPM Platform

Mobile Enterprise Application Platform

End-to-End Business Process Management

Enterprise Access for Mobility/Telework

Enterprise Apple Integration, Management & Security

Push-to-Talk Voice Messaging System

Secure File Sharing & Mobile Productivity

Content Delivery Platform

Enterprise Mobility Management

Mobile Application Tools and Software

Applications

Mobile Device Management

Enterprise Data Protection & Software Rights Mgmt Solutions

For government pricing and more information, contact Carahsoft at 888.662.2724. GSA Schedule GS-35F-0119Y



Mobility without vulnerability.

Enable productivity by protecting devices, apps, and data. BYOD is here, but so are the risks. Fortunately, Symantec, the world leader in protection, offers you the most comprehensive solution to manage, protect, and monitor your business information and apps across mobile devices, in or out of your office. Learn more at go.symantec.com/mobility

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.


FEDERAL IT TRANSFORMED

Enable data mobility and drive down costs. Transform IT with EMC.


FACING AN UNCERTAIN FUTURE: PERSPECTIVES ON POLICY, PERSONNEL AND TRAINING

In many ways, our survey results reveal the perspectives of public-sector employees who are using technology to perform their jobs effectively, providing an understanding of the reality of the average worker on the ground.

We also wanted to gain the high-level insights of senior leaders who are responsible for ensuring the security of agency resources from an enterprise perspective. Although everyone in an organization bears responsibility for protecting infrastructure and information, the buck often stops in the C suite.

That’s why we interviewed two agency chiefs who have been grappling with mobile security issues.

First, we spoke with Rick Holgate, assistant director for science and technology and CIO at the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Holgate is responsible for strategy, planning, management and delivery of IT and information services; financial investigative services; and laboratory services, in support of ATF’s mission.

Second, we interviewed Bradley Nix, CISO at the Agriculture Department’s Food and Nutrition Service. In this role, Nix is responsible for leading the organization’s information security program, with a focus on mitigating risk to acceptable levels and demonstrating information assurance as a mission enabler.

From them, you gain a sense of the challenges they are facing and the solutions they are developing to address them head on. From policy to personnel and training, Holgate and Nix shed light on what agencies must do to stay secure in a mobile world.


BEGIN WITH THE END USER IN MIND: 6 SUGGESTIONS FOR AGILE SECURITY Interview with Rick Holgate, Assistant Director for Science & Technology and the Chief Information Officer for the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)

In Stephen Covey’s seminal work, The Seven Habits of Highly Effective People, habit no. 2 is “Begin with the end in mind.” Based on our interview with Holgate, this same principle could be applied to an organization’s mobile security posture with one twist: Begin with the end user in mind. “Trying to achieve the same level of control and predictability in the mobile environment that we’ve enjoyed with the desktop model over the last 15 years is not a sustainable position,” said Holgate. “We need to shift our thinking so that there is less emphasis on controlling the devices themselves, and become more comfortable with allowing personally owned devices,” he said. “We might not control the same aspects of accessing agency information in that mode, but we need to overcome some of the institutional inertia that makes it harder for us to con-

19.

AGENCY OF THE FUTURE

ceive of different models that are a bit more flexible and adaptable in light of rapidly changing technology.” He suggested that there are six ways to accomplish a shift in thinking and the adoption of fresh approaches without compromising agency security:

1. Deploy Flexible Models: First, agencies should consider having greater flexibility in their approach to mobile security. For instance, “rather than exert control over everything and lock it down,” Holgate said, “we need to get more comfortable with things like relying on proper user behavior, but also monitoring for deviations from proper user behavior on devices. We need to look for opportunities to monitor if something problematic is happening or not.”

2. Leverage Existing Controls: Holgate also said that agencies may look at the ways information is accessed on the device using current control methods in the enterprise. For example, “if someone is doing something on email that looks unusual, most of these enterprise tools have the capability of identifying spam or problematic content. For the most part, we now have inherent continuous monitoring built into our enterprise services.”

3. Develop Sound Policy: ATF has had a mobile security policy called “Rules of User Behavior” in place for a couple of years. All users are required to sign an agreement acknowledging that they understand the rules, and to go through training and refresher courses so that they are aware of the risks associated with accessing agency information. “We have two flavors of it,” Holgate said. “One is standard for anyone using an enterprise device, including laptops, but we also have one for BYOD (Bring Your Own Device) for people who may not be using an agency-issued device to access agency information.”


4. Engage Your End Users: When it comes to identifying promising applications for mobile devices, ATF has a users group that governs the adoption of mobile applications. “The users group will help us to identify particularly attractive applications that are truly productivity enhancers,” Holgate said. “Particularly if the applications cost money, the users group helps prioritize the most useful ones, and we will fund those and adopt them as an enterprise application that we will deploy to all devices. Today there is a small number of those, probably 20-30, that are core productivity applications.”

5. Take a User-Centric Approach: Government could pull a page from the private sector, which “takes a more user-behavior-centric approach to mobile security,” Holgate said. Through that approach, government could rely more on appropriate user behavior and allow more latitude in device usage while monitoring problematic behavior and responding quickly. “That is a very different model than we are used to, which is more device control-oriented and control-centric,” he said.

6. Think Outside the Box: In a world where the enterprise is managing multiple points of access to information, agencies need to start thinking in ways that do not require the management of every aspect of every device. Holgate recommended several solutions, including virtual private networks “on demand or using 2-factor authentication or something that delivers the same level of security.” He also said that agencies could explore derived credentials or certificates or “publishing some of these services that we’ve traditionally kept internally, but make them available in a way that’s secure yet accessible from outside the enterprise.”

If agencies are to begin with the end user in mind, Holgate advocated for “a complementary solution that takes into account what I can control technically while also incorporating user behavior aspects.” He said agencies should ask, “Are we in a position to know when users are deviating from what is expected and able to respond accordingly? That is the nirvana of mobile security.”

For instance, he suggested that mobile security baselines created by the departments of Homeland Security and Defense provide a level of confidence that an agency has controlled a device to some level of configuration, but they do not necessarily address any of the user behavior aspects.

Ultimately, Holgate said, “It’s thinking differently about how do I expose services to my end users, my customers. Does the boundary of what I’ve thought about as the enterprise need to change to accommodate that?”



SAMPLE USER “RULES OF BEHAVIOR”

GovLoop asked Holgate if he would be willing to share the ATF’s Rules of Behavior in order to provide a template for agencies that are looking to incorporate language that covers smartphones and tablets in their information security end user agreements. Holgate agreed, and excerpts from the “ATF Handheld Device Users Rules of Behavior” are shown below.

GENERAL LIMITATIONS

Employees must:

a. Follow all directions, alerts and broadcasts from the mobility program that require end user action. For instance, if users are advised not to install the latest operating system update, do not do so until the upgrade is approved. Once approved, install the update in a timely fashion. Failure to implement required end user directed changes or configurations after 3 notification attempts will result in your SAC/AD/DAD being notified of your non-compliance. Continued failure to implement after 2 additional notifications to both the SAC/AD/DAD and end user will result in the mobile service being disabled and the device returned to the mobility program.

b. Never use an app that will store any sensitive data on a non-ATF system such as “the cloud”. Never store any information on the device outside the Good encrypted container if AirWatch is not installed. Although apps may be installed, the device is for official use only unless the non-work activity has been authorized. Only install apps from the following approved app stores: the ATF App Catalog, the Apple App Store, the Google Play Store and iTunes.

c. Only utilize your official government email account for conducting government business. Security concerns mandate that work related material should not be stored or communicated through personal email accounts.

d. Lock the screen when leaving your device unattended.

e. Turn off a device’s Bluetooth capability when the device is not actively being used for authorized activities.

f. Be aware that connecting to untrusted, public Wi-Fi networks presents risks that your connection may be monitored or intercepted and may be redirected to impostor websites which contain malicious code. Consider utilizing the device cellular service (3G or 4G/LTE), secure (password protected) Wi-Fi networks, or ATF-provided personal Wi-Fi hotspots (MiFis).

g. If a device is lost or stolen, the user must report the loss or theft to the ATF JSOC and their supervisor within one hour of discovery. The JSOC will then notify the ESA Helpdesk in accordance with ATF Incident Response Standard Operating Procedures (SOP). See ATF F 1851.11 Initial Reporting of Lost or Stolen Sensitive Property.

Employees may not:

a. Use these devices for unauthorized non-work purposes.

b. Install alternative web browsers as they may not be maintained as regularly as the native web browser.

c. Store sensitive information on non-ATF servers or services.

d. Store any classified or National Security Information (NSI) on any handheld device. Mobile devices are not currently authorized to connect to classified systems.

e. Take your handheld device into any area where classified information is stored, processed, or transmitted.

f. Take your handheld device outside of the United States or United States territories without prior approval of the ATF Chief Information Officer (CIO).

g. Circumvent security safeguards or reconfigure initial system settings, except as authorized and directed.

h. Alter the operating system of the device to allow pirated or unauthorized applications. Tampering with the operating system in this way (commonly called unlocking, jailbreaking, or rooting) will cause the device to be immediately wiped, recalled, and the incident reported to the ATF Information Systems Security Office (ISSO) and the chief, Resource Management Section.

i. Copy or distribute intellectual property — including music, software, documentation, and other copyrighted materials — without permission or license from the copyright owner.

j. Create, download, view, store, copy, or transmit sexually explicit or sexually oriented materials. Users are also prohibited from sending or exchanging electronic mail and/or messages that contain harassing, offensive, abusive, intimidating or defamatory materials to fellow employees or the public.

k. Post agency information to external newsgroups, bulletin boards or other public forums (message boards, personal web sites, social networking sites and blogs) without prior approval. This includes any use that indicates an affiliation with ATF or could create the perception that the communication was made in one’s official capacity as an ATF employee without prior approval from the Office of Public and Governmental Affairs. DOJ Order 2740.1A, Change 1; ATF O 9000.1A and ATF P 7500.1.

l. Disclose official information regarding the Bureau, its mission, functions and/or specific activities, which is obtained as a result of the employee’s official duties, except as authorized by law, regulations or Department of Justice or Bureau directive. Any questions regarding the propriety of a disclosure shall be directed to the Disclosure Division and Associate Chief Counsel (Field Operations and Information) or applicable field counsel. ATF O 9000.1A, Change 1.





GET YOUR ENTERPRISE AND EMPLOYEES READY: 6 LEADING PRACTICES

Interview with Bradley Nix, CISO at the Agriculture Department’s Food & Nutrition Service

Like Holgate, Nix stressed the importance of engaging the end user as a first step toward more flexible models of device governance. What has happened over the last couple years is that “all of a sudden you have brand new technologies that you have to secure with minimal impact to the technologies’ productive and attractive features,” said Nix. With that backdrop in mind, below are six practices that Nix is putting in place at USDA’s Food & Nutrition Service for mobile security:

1. Know Your Data: First, Nix noted that an agency should spend some time “securing and knowing their data.” He explained that “We have reached a future that allows us to make decisions on what types of data devices can access contingent on who is accessing the data, what they are using to access the data, and where that person is located. However, none of that is possible without a better understanding of our data’s sensitivity and where the data is located.” Nix said that having the right tools to secure devices is important, “but we need to understand the data better first.”

2. Think Enterprise vs. Device: When agencies do arrive at a future where key data decisions have been made and the use of personal devices for work becomes more ubiquitous, mobile security “becomes more about controlling the virtualized environment of the devices rather than controlling the devices themselves,” Nix said. Agencies will want to “apply certain rules around that virtual environment with regards to encryption and what types of authentication are required to access that environment and even so far as where, from a location perspective, a person can be when they are accessing that data,” he said.

3. Assess Your ‘Risk Bubble’: Many of the adjustments in mobile security will “have to be done with a very specific understanding of the risk bubble that surrounds that business implementation. There is risk that I can recommend my business owners and agency customers accept that may not be acceptable in another agency,” said Nix. “You can say the same thing across the government. If we take a data-centric approach to security, risk acceptance is going to be a very specific exercise – agency to agency, program to program – to say here is where I am going to require all data access to require a government furnished device, but allowing personally owned devices in some other part of the government is completely acceptable because there is no significant risk to the program’s mission.”

4. Provide Practical Training: “Training often gets overlooked, but this is very important not only for mobile security, but also for security in general,” Nix said. “Sometimes people look at training and don’t have faith in its return on investment, but I disagree.” He has set up, and is in the process of developing, several training initiatives designed to help users “become savvier about what information security actions they can be taking to better secure the mission.” For instance, Nix has been developing the implementation of a controlled phishing exercise. As described by Nix, “our goal is to implement a controlled phishing attack within our agency that duplicates attacks typically seen in the wild, where we would send our users an unsolicited email to see if they click on provided links in the email.” While Nix admits it’s a bit of a ‘gotcha’ exercise, when handled correctly it can improve lines of communication with end users. Nix recommended reaching out to employees after the exercise to say, “‘the link you just clicked could have been malicious and here are some of the things you need to remember whenever you get an unsolicited email.’ It’s a way to educate your customers and arm them with the knowledge that these things do exist and this is what will ultimately happen if you take certain actions.”

5. Context is Critical: Another facet of training that Nix addressed is the importance of helping end users “respect the data and make sure they are taking care of the data.” He said that context is critical. For instance, when an employee is “sitting on the beach reading email, they are not likely to be as cautious with the communications they receive on their mobile device.” It’s a much different scenario, Nix said, “when you are sitting behind your desk and you’ve got your tie on, sitting up straight in your chair.” Ultimately, agencies need to help people to “understand that they have to maintain that same level of vigilance when they are in these different capacities.”

6. Create Feedback Mechanisms: Nix recommended providing a place where employees can send their suspicious email, such as “a designated email to which users can send their spam.” Nix explained that his team responds to FNS employees who share information with them by telling them what type of spam was received: generic, or a targeted phishing attack. This real-time exchange offers Nix and his team “an opportunity to interact with end users on a one-on-one basis to give them a better idea of what they are looking at and what they should be considering when they get those communications.” Ultimately, Nix said he’s in favor of providing users with their own technology, but security will remain the overarching priority. “As much as I want to be innovative and support the ability for users to bring their own device – and I think there will be a place for that in the future – right now we are still challenged to meet mandated standards and control our data access.” He emphasized how the ever-changing landscape is creating challenges that precipitate the need for a bit more control right now, but through training and education, both the enterprise and its employees will be ready when that future mobile environment arrives at scale.



6 STEPS FOR SECURING A MOBILE ENTERPRISE

In June 2013, the National Institute of Standards and Technology released its “Guidelines for Managing the Security of Mobile Devices in the Enterprise” to offer specific recommendations for securing mobile devices, such as smart phones and tablets. We have summarized those six recommendations below.

1. Have a mobile device security policy. Define which types of the organization’s resources may be accessed via mobile devices, which types of mobile devices are permitted to access the organization’s resources, and the degree of access that various classes of mobile devices may have—for example, organization-issued devices versus personally owned (bring your own device) devices. Address how the organization’s centralized mobile device management servers are administered, how policies in those servers are updated, and any other requirements for mobile device management technologies. Document the policy in the agency’s system security plan and ensure that it is consistent with, and complements, the security policy for non-mobile systems.

2. Develop system threat models for mobile devices and the resources that are accessed through the mobile devices. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices. Threat modeling helps organizations with:

• Identifying security requirements.
• Designing a mobile device solution to incorporate the controls needed to meet the security requirements.
• Identifying resources of interest and the feasible threats, vulnerabilities and security controls related to these resources.
• Quantifying the likelihood of successful attacks and their impact.
• Analyzing this information to determine where security controls need to be improved or added.

3. Consider the merits of each provided security service, determine which services are needed for an environment, and then design and acquire one or more solutions that collectively provide the necessary services. Categories of service to be considered:

• General policy -- enforcing enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting, and reporting when policy violations occur.
• Data communication and storage -- supporting strongly encrypted data communications and data storage, wiping the device before reissuing it, and remotely wiping the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.
• User and device authentication -- requiring device authentication and/or other authentication before accessing organization resources, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.
• Applications -- restricting which app stores may be used and which applications may be installed, restricting the permissions assigned to each application, installing and updating applications, restricting the use of synchronization services, verifying digital signatures on applications, and distributing the organization’s applications from a dedicated mobile application store.

4. Implement and test a pilot of the mobile device solution before putting the solution into production. Aspects of the solution that should be evaluated for each type of mobile device include:

• Connectivity.
• Protection.
• Authentication.
• Application functionality.
• Solution management.
• Logging.
• Performance.

Ensure that the mobile device solution does not unexpectedly “fall back” to default settings for interoperability or other reasons.

5. Secure each organization-issued mobile device before allowing a user to access it. Ensure a basic level of trust in the device before it is exposed to threats. For any already-deployed organization-issued mobile device with an unknown security profile (e.g., an unmanaged device), organizations should fully secure it to a known good state (for example, through deployment and use of enterprise mobile device management technologies). Supplemental security controls should be deployed as risk merits, such as antivirus software and data loss prevention technologies.

6. Maintain mobile device security. Check for upgrades and patches, and acquire, test, and deploy them. Ensure that each mobile device infrastructure component has its clock synced to a common time source. Reconfigure access control features as needed. Detect and document anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices. All components should be updated with the latest patches and configured following sound security practices. Use of jailbroken or rooted mobile devices should be automatically detected when feasible. Keep an active inventory of each mobile device, its user and its applications. Revoke access to or delete an application that has already been installed but has subsequently been assessed as too risky to use. Scrub sensitive data from mobile devices before reissuing them to other users. Perform periodic assessments to confirm that mobile device policies, processes and procedures are being followed properly.
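NIST step 6 (inventory, jailbreak detection, configuration drift), the ATF rules quoted earlier (the update-notification escalation in rule a and the wipe-and-recall response to a tampered OS in rule h) and Nix’s “who, what and where” point all reduce to the same mechanical task: evaluating one device inventory record against written policy and producing a response. The following is an added example written for this guide and is not code from NIST, ATF, GovLoop or any vendor named here. The approved OS builds, store names, data-sensitivity tiers, network labels and inventory records are constructed assumptions; a real deployment would read them from its MDM and security baseline.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy values for this example. A real deployment would load them
# from the agency's MDM and security baseline rather than hard-coding them.
APPROVED_OS = {"ios": {"7.1", "7.1.1"}, "android": {"4.4.2", "4.4.3"}}
APPROVED_STORES = {"agency_catalog", "apple_app_store", "google_play"}
MAX_CLOCK_SKEW_SEC = 300
# Escalation thresholds modelled on the ATF rules quoted earlier: after three ignored
# update notices the supervisor is told; after two more the mobile service is disabled.
NOTICES_BEFORE_SUPERVISOR = 3
NOTICES_BEFORE_DISABLE = NOTICES_BEFORE_SUPERVISOR + 2
# Constructed data-sensitivity tiers: 0 public, 1 internal, 2 sensitive (e.g. PII).
MAX_TIER_FOR_BYOD = 1          # personally owned devices stop at "internal"
MAX_TIER_FOR_PUBLIC_WIFI = 1   # untrusted networks stop at "internal"


@dataclass
class Device:
    """One record from the device inventory (NIST step 6: keep an active inventory)."""
    device_id: str
    agency_issued: bool
    platform: str
    os_version: str
    tampered_os: bool                      # jailbroken or rooted
    storage_encrypted: bool
    installed_apps: List[Tuple[str, str]]  # (app name, store it came from)
    ignored_update_notices: int
    clock_skew_sec: int


@dataclass
class Finding:
    severity: str   # "info", "warn" or "critical"
    code: str
    detail: str


def evaluate_posture(d: Device) -> List[Finding]:
    """Run the checks NIST step 6 calls for over one inventory record."""
    found: List[Finding] = []
    if d.tampered_os:
        found.append(Finding("critical", "TAMPERED_OS", "device is jailbroken or rooted"))
    if not d.storage_encrypted:
        found.append(Finding("critical", "NO_ENCRYPTION", "data at rest is not encrypted"))
    if d.os_version not in APPROVED_OS.get(d.platform, set()):
        found.append(Finding("warn", "OS_NOT_APPROVED",
                             f"{d.platform} {d.os_version} is not an approved build"))
    for name, store in d.installed_apps:
        if store not in APPROVED_STORES:
            found.append(Finding("warn", "UNAPPROVED_STORE", f"{name} came from {store}"))
    if abs(d.clock_skew_sec) > MAX_CLOCK_SKEW_SEC:
        found.append(Finding("warn", "CLOCK_SKEW",
                             f"clock is {d.clock_skew_sec}s off the common time source"))
    n = d.ignored_update_notices
    if n >= NOTICES_BEFORE_DISABLE:
        found.append(Finding("critical", "UPDATE_IGNORED_DISABLE", f"{n} notices ignored"))
    elif n >= NOTICES_BEFORE_SUPERVISOR:
        found.append(Finding("warn", "UPDATE_IGNORED_ESCALATE", f"{n} notices ignored"))
    elif n > 0:
        found.append(Finding("info", "UPDATE_PENDING", f"{n} notice(s) ignored"))
    return found


def required_action(findings: List[Finding]) -> str:
    """Collapse the findings into the single most severe response, checked most severe first."""
    codes = {f.code for f in findings}
    if "TAMPERED_OS" in codes:
        return "wipe_recall_and_report"      # ATF rule h: wipe, recall, report to the ISSO
    if "UPDATE_IGNORED_DISABLE" in codes:
        return "disable_mobile_service"      # ATF rule a, second escalation step
    if "NO_ENCRYPTION" in codes:
        return "quarantine_until_remediated"
    if "UPDATE_IGNORED_ESCALATE" in codes:
        return "notify_supervisor"           # ATF rule a, first escalation step
    if any(f.severity == "warn" for f in findings):
        return "remind_user"
    return "none"


def decide_access(d: Device, data_tier: int, network: str) -> Tuple[bool, str]:
    """Who/what/where decision in the spirit of Nix's 'know your data' point.

    network is one of the constructed labels "agency", "cellular" or "public_wifi".
    """
    if any(f.severity == "critical" for f in evaluate_posture(d)):
        return False, "device posture is non-compliant"
    if not d.agency_issued and data_tier > MAX_TIER_FOR_BYOD:
        return False, "personally owned device may not reach this data tier"
    if network == "public_wifi" and data_tier > MAX_TIER_FOR_PUBLIC_WIFI:
        return False, "data tier too sensitive for an untrusted network"
    return True, "allowed"


# Constructed inventory records; the IDs and app names are made up for the example.
COMPLIANT = Device("GFE-0001", True, "ios", "7.1.1", False, True,
                   [("Good for Enterprise", "apple_app_store")], 0, 12)
ROOTED = Device("GFE-0002", True, "android", "4.4.2", True, True, [], 0, 0)
BYOD_LAGGING = Device("BYOD-0003", False, "ios", "7.0.6", False, True,
                      [("pdf-editor", "sideload")], 3, 900)

if __name__ == "__main__":
    for dev in (COMPLIANT, ROOTED, BYOD_LAGGING):
        print(dev.device_id, required_action(evaluate_posture(dev)),
              decide_access(dev, 2, "public_wifi"))
```

The point of separating `evaluate_posture`, `required_action` and `decide_access` is that the same inventory record feeds three different consumers: the compliance report, the escalation workflow the ATF rules describe, and the per-request access decision Nix describes. Keeping the thresholds as named constants also makes the “risk bubble” explicit: another agency can accept a different BYOD tier without touching the logic.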



INDUSTRY PERSPECTIVE: PARTNERING TO PROTECT AMERICA’S DATA

Interview with Jeff Ait, Director, Public Sector – Americas, Good Technology

Why are we operating in such a complicated environment when it comes to mobile devices? Is it using the devices themselves, accessing data or downloading applications that is most problematic? The truth is that all of those factors are shaping agency mobile device deliberations in agencies today. To learn more, we spoke to Jeff Ait, Director of Public Sector Americas at Good Technology, to gain a private sector perspective on leveraging mobile for productivity while ensuring data security. Read our exchange with him below.

Q: Can you tell me about the evolution of mobility?

A: We have been talking about mobility for the last three to four years. The main driver to the explosion in mobility really came on the scene with the introduction of the iPhone. Prior to that, it was basically a BlackBerry world and there wasn’t a huge conversation about mobility because you had government-furnished, locked down devices.

Starting around the 2009-2010 timeframe, we saw major changes. We saw a couple of agencies begin adopting mobile technology that was non-BlackBerry. So, iOS and Android, predominantly iOS, has been the main driver to the non-BlackBerry environments. Then the question became: how do I actually use these non-BlackBerry devices to run my organization – a calendar, contacts – you know, the types of things you would do on a BlackBerry, but do that on an iOS, Android or Windows phone?

Q: What’s the biggest challenge today?

A: The biggest challenge today is getting through all the policies and procurement methodologies that actually allow people to utilize the information. We have to figure out: how do I get the same level of security on those consumer grade devices that I had on these locked down devices? Agencies are finding that if they lock these devices down the same way they did the BlackBerry, people will stick their government devices in the console of the car or they will still carry their own iOS device and access agency data from them, because they are trying to take advantage of social media and other parts of the smartphone.

Q: What has been the impact of the Digital Government Strategy?

A: The Digital Government Strategy includes a huge portion of mobility as part of it. This is really the first time we have seen formalization around mobility, including what it means to implement this and talking more than just Mobile Device Management (MDM). Obviously, you have configuration, but they are also talking about mobile application management, the data management side of it. And then there’s the identity and access management, too, to make sure you are who you say you are. From the overarching government view of this, those are the four key components that they look at as the mobile strategy today: Manage the Device, Manage the Application, Manage the Data, and Manage the Identities.

Q: So how can agencies secure these devices effectively?

A: From Good’s perspective, we introduced containerization. We have an end to end strategy that includes servers that sit behind your firewall that bolt into your data sources, either your Microsoft Exchange messaging environment or Lync or SharePoint. Whatever your backend web service application environment is, we transport that data through our secure environment on an end-to-end basis to a container that sits on the smartphone. Then the information is stored in that container on a FIPS 140-2 validated encryption file system.

All of the applications that are supported by Good and its ecosystem of partners take advantage of that secure data in transit and data at rest. We also do data in use, so we keep the data actually encrypted while the files are being used. We provide full application management controls, things like data loss prevention and blocking cut, copy and paste out of the container. For instance, one of the issues is that an employee might get a government email and it has an attachment. They want to edit it, but the government hasn’t given them the editing tools to edit the file, so they copy and paste it into their personal email system, which has an editing tool. What they don’t realize is a lot of those commercial editing tools make snapshots to iCloud, share with Twitter and Facebook, etc. They are designed to be social applications and sharing environments. So we have paid a lot of attention to that through our partners to make sure we are not sharing data to places that the enterprise wouldn’t want it to be automatically copied to.

Q: What’s next for mobile security?

A: I think you are going to see a combined application environment that has more usability in a more secure fashion, which will facilitate this transition away from traditional desktop/laptop computing environments. The evolution of applications and the interoperability of the apps in a secure nature will empower enterprises to start building business application environments, specifically around tablets. So I really see that application environment being the driving factor for people making business decisions.



CONCLUSION

When it comes to mobile devices, the agency of the future has already arrived in government. With 90 percent of the public-sector workforce reporting use of them for an increasing proportion of their work, according to our survey, now is the time for agencies to establish policies, practices and technology that protect agency data. The importance of mobile security is stated clearly in the CIO Council’s “Government Mobile and Wireless Security Baseline”:

Mobile devices face some of the same threats as desktop computers. However, these devices are subject to additional unique threats because of their size, portability, always-on wireless connections, physical sensors and location services. The diversity of available devices, operating systems, carrier-provided services and mobile applications presents additional security challenges to the confidentiality, integrity and availability of department and agency information. Agencies should follow NIST guidance and implement a risk-based approach to identify, assess and prioritize risk associated with mobile computing.

As we learned from GovLoop survey respondents and experts such as Holgate and Nix, agency officials should keep the following factors in mind when completing their risk assessment and developing employee guidance:

• Take into account the increasing use of personal devices to complete mission-critical functions.
• Deploy flexible models that allow for adaptation in a quickly changing technology landscape.
• Expand current policies and training to include more specific, practical guidance on the risks and responsibilities associated with mobile devices.
• Invite employees to share feedback on how current policies promote or prevent efficient workflow and completion.
• Think data first, device second, such that secure access is the primary aim regardless of the tool an employee uses to initiate access.

By addressing mobile security based on this balanced approach, agencies will find themselves ready for a future in which mobile devices are ubiquitous and employees are optimally productive wherever they happen to be accessing agency data.




MOBILE SECURITY CHEAT SHEET

With every guide, GovLoop likes to provide you with a summary of what you just learned in the form of a “cheat sheet.” Consider what follows to be the print-out-and-post-near-your-desk version of this guide.

12 TAKEAWAYS FROM GOVLOOP SURVEY

1. 86 percent use a mobile device to complete their primary work functions.
2. 46 percent use them more than 20 hours per week.
3. 75 percent said that their agency-issued laptop was the device they use most to get work done.
4. 60 percent use their personal smart phones and 53 percent use agency-issued smart phones to complete work functions.
5. 75 percent download or use mobile applications on these devices.
6. 77 percent reported that their agency had a mobile device security policy in place.
7. 38 percent believed these policies hinder their productivity.
8. 26 percent have circumvented these policies to be more productive.
9. 72 percent are willing to sign user agreements for their devices.
10. 72 percent think sound policy is the top risk-mitigation approach.
11. 27 percent suggested that policy and training are ignored and that agency employees still lack a solid grasp of the risks surrounding mobile devices.
12. 58 percent say training is the answer, but 11 percent say that agency training is adequate.



12 TIPS FROM SENIOR GOVERNMENT LEADERS

CIO Rick Holgate’s Recommendations

1. Deploy flexible models. “We need to get more comfortable with things like relying on proper user behavior, but also monitoring user behavior on devices.”
2. Leverage existing controls. “If someone is doing something on e-mail that looks unusual, most enterprise tools have inherent monitoring built into the enterprise services.”
3. Develop sound policy. “We have one for anyone using an enterprise device [and] one for people who are not using an agency-issued device to access agency information.”
4. Engage your end users. “The users group will help us to identify particularly attractive applications that are truly productivity enhancers.”
5. Take a user-centric approach. “Take a more user behavior-centric approach to mobile security, allowing more latitude, which is a very different model than we are used to, which is more control-oriented and control-centric.”
6. Think outside the box. “Consider publishing some of these services that we’ve initially kept internally, but make them available in a way that’s secure yet accessible from outside the enterprise.”

CISO Bradley Nix's Recommendations

1. Provide practical training. "Sometimes people look at training and think it won't give enough bang for what you are paying, but this is very important not only for mobile security, but also for security in general."
2. Context is critical. "We need to help users respect the data and make sure they are taking care of the data through the same level of vigilance when they are operating in different capacities."
3. Create feedback mechanisms. "Create an opportunity to interact with end users on a one-on-one basis to give them a better idea of what they are looking at and what they should be considering when they get [spam] communications."
4. Know your data. "We need to do a better job of identifying types of data so that when we get to a place with the technology, we can better segment the different types of data that we are allowing for different devices."
5. Think enterprise vs. device. "Be concerned more about controlling the virtualized environment of the devices rather than controlling the devices themselves."
6. Assess your 'risk bubble.' "Understand the risk bubble that surrounds a business implementation and the degree of risk you can accept within your agency."

RECOMMENDED READING

CIO.gov's "Adoption of Commercial Mobile Applications within the Federal Government"
CIO.gov's "Creating a Foundation for Mobile Security"
CIO.gov on Mobile Security
CIO.gov's "Government Mobile and Wireless Security Baseline"
The Government Accountability Office's "Better Implementation of Controls for Mobile Devices Should Be Encouraged"
NIST's "Guidelines for Managing the Security of Mobile Devices in the Enterprise"
NIST's "A Role-Based Model for Federal Information Technology/Cyber Security Training"



ACKNOWLEDGEMENTS

GovLoop appreciates the many individuals who shared their experience and expertise with us for this guide through a series of surveys and interviews. We especially want to thank Rick Holgate and Bradley Nix for providing their critical insight into the achievement and maintenance of effective government mobile security programs. We also thank Carahsoft and their partners, Symantec, EMC, Adobe, IronKey, BoxTone, Good Technology and VMware, for serving as the exclusive sponsors of this guide, underwriting the research and interviews that led to this report. In addition, GovLoop would like to acknowledge the members of its internal team who conducted the survey analysis and interviews, coalesced the information, and contributed to the creation of this guide:

WRITER: Andrew Krzmarzick, GovLoop director of community engagement.
EDITORS: Steve Ressler, GovLoop founder, and Pat Fiorenza, GovLoop senior research analyst.
DESIGNER: Jeff Ribeira, GovLoop senior interactive designer.

If you have any questions or feedback pertaining to this guide, please contact andrew@govloop.com.

ABOUT GOVLOOP

GovLoop's mission is to connect government to improve government. We aim to inspire public sector professionals by acting as the knowledge network for government. The GovLoop community has over 100,000 members working to foster collaboration, solve problems and share resources across government. The GovLoop community has been widely recognized across multiple sectors. GovLoop members come from across the public sector: our membership includes federal, state and local public servants, industry experts and professionals grounded in academic research. Today, GovLoop is the leading site for addressing public sector issues. GovLoop works with top industry partners to provide resources and tools to the government community. GovLoop has developed a variety of guides, infographics, online training and educational events, all to help public sector professionals become more efficient civil servants.

LOCATION

GovLoop is headquartered in Washington, D.C., where a team of dedicated professionals shares a common commitment to connect and improve government.

1101 15th St NW, Suite 900
Washington, DC 20005
Phone: (202) 407-7421
Fax: (202) 407-7501
