Federal CIOs Face BYOD, Mobile App Security Challenges
- 28 August, 2013 14:12
As the federal government warms to the idea of allowing employees to use their own mobile devices for work and develops new device management policies, agency CIOs and others will still have to grapple with the challenges associated with application security, experts warn.
The initial challenge for federal IT managers evaluating BYOD policies was to ensure that their agency's infrastructure was secure enough for new devices to enter the network and provide for central management, according to Tom Suder, president of the mobile services provider Mobilegov.
With those policies in place, agencies have cleared the way for the development and adoption of innovative new applications that could boost productivity in a mobilized workforce. But those apps invite a host of new security challenges.
Mobile Device Management vs. Mobile Application Security
"I think we're definitely in exciting times here. We're actually talking about doing better work for the government. I think we've shifted the conversation from mobile device management (MDM) and getting people -- you know, authorizing devices on the network. Even the DoD has authorized iOS and Android devices on their network in conjunction with an MDM," Suder said during an online presentation yesterday.
"And I think we're really getting to the point now where we're going to have these real good mission apps, doing-your-job kind of apps, and I think it's going to, you know, increase efficiency and make people do their jobs better, but I do think that we need to balance that with security, and there haven't been too many enterprise mobility apps out there, so I think this is definitely an area we need to be paying attention to," Suder said.
"There has been a gap on mobile application security," he adds.
The government's cautious embrace of new mobile devices and applications comes amid a broader evolution in the government's $80 billion IT operation, and, like the move toward cloud computing, comes with a White House mandate.
Federal CIO Steve VanRoekel unveiled the federal government's mobile strategy last January at the annual Consumer Electronics Show in Las Vegas, directing departments and agencies to develop strategies for the adoption of new devices and applications.
Since then, the Obama administration has issued the more sweeping digital government strategy, which laid out a series of deliverables with due dates, including mile markers for mobile adoption.
Agencies, particularly those moving toward BYOD, have been developing device management policies with features like remote data wiping and encryption, but those policies, if left at the device level, fail to address the unique security concerns associated with mobile apps, according to Tom Voshell, senior director of solutions engineering at SAP's regulated industries division.
"There are multiple ways to secure an application. Now, a lot of folks would say, 'Well I have a secure device, so therefore my applications are secure.' Well, mobile device security only takes you to a certain level," Voshell says. "There are encryption methods for locking the data down on the devices. But that's not really protecting everything that happens in an application."
On the mobile-application security front, Suder sees a potential model in the FedRAMP program the government developed for cloud computing technologies.
To win FedRAMP certification, a cloud product must meet a set of baseline security standards that are common to all agencies and departments -- the idea being that a single certification would enable more rapid adoption by sparing each federal entity from having to conduct its own security evaluation.
The Department of Homeland Security 'Car Wash' Program
Suder points to the "car wash" program that the Department of Homeland Security is developing to evaluate mobile applications, so far limited to those developed in-house.
DHS envisions car wash as a one-stop testing environment for developers to screen their apps for security problems, such as coding flaws or the potential to access sensitive information without appropriate safeguards.
"Car wash is meant for government, [in this case] government-developed apps," Suder says. "They were talking about using it while you're developing your app, so you don't go down the road that's too far down your mobile development, and then next you know you gotta totally rewrite the code. So I think they're meaning it to be more of a collaborative type of thing and it's just a tool that you run your code through so you don't get stuck at the end and have to redo all your code. So I think car wash isn't meant to fix it. Car wash is meant to identify where the issues are and what you've got to fix."
As DHS polishes the program, car wash could become available to other agencies later this year, the department has signaled. That repeatable security test environment, which could grant a seal of approval recognized across the government, could emulate the FedRAMP cloud-computing framework for mobile applications.
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.