Federal CIOs Face BYOD, Mobile App Security Challenges
- 28 August, 2013 14:12
As the federal government warms to the idea of allowing employees to use their own mobile devices for work and develops new device management policies, agency CIOs and others will still have to grapple with the challenges associated with application security, experts warn.
The initial challenge for federal IT managers evaluating BYOD policies was to ensure that their agency's infrastructure was secure enough for new devices to enter the network and provide for central management, according to Tom Suder, president of the mobile services provider Mobilegov.
With those policies in place, agencies have cleared the way for the development and adoption of innovative new applications that could boost productivity in a mobilized workforce. But those apps invite a host of new security challenges.
Mobile Device Management vs. Mobile Application Security
"I think we're definitely in exciting times here. We're actually talking about doing better work for the government. I think we've shifted the conversation from mobile device management (MDM) and getting people -- you know, authorizing devices on the network. Even the DoD has authorized iOS and Android devices on their network in conjunction with an MDM," Suder said during an online presentation yesterday.
"And I think we're really getting to the point now where we're going to have these real good mission apps, doing-your-job kind of apps, and I think it's going to, you know, increase efficiency and make people do their jobs better, but I do think that we need to balance that with security, and there haven't been too many enterprise mobility apps out there, so I think this is definitely an area we need to be paying attention to," Suder said.
"There has been a gap on mobile application security," he adds.
The government's cautious embrace of new mobile devices and applications comes amid a broader evolution in the government's $80 billion IT operation, and, like the move toward cloud computing, comes with a White House mandate.
Federal CIO Steve VanRoekel unveiled the federal government's mobile strategy last January at the annual Consumer Electronics Show in Las Vegas, directing departments and agencies to develop strategies for the adoption of new devices and applications.
Since then, the Obama administration has issued the more sweeping digital government strategy, which laid out a series of deliverables with due dates, including mile markers for mobile adoption.
Agencies, particularly those moving toward BYOD, have been developing device management policies with features like remote data wiping and device encryption. But those are device-level controls; left there, the policies fail to address the security concerns specific to the mobile apps themselves, according to Tom Voshell, senior director of solutions engineering at SAP's regulated industries division.
"There are multiple ways to secure an application. Now, a lot of folks would say, 'Well I have a secure device, so therefore my applications are secure.' Well, mobile device security only takes you to a certain level," Voshell says. "There are encryption methods for locking the data down on the devices. But that's not really protecting everything that happens in an application."
On the mobile-application security front, Suder sees a potential model in the FedRAMP program the government developed for cloud computing technologies.
To be authorized under FedRAMP, a cloud product must meet a baseline set of security controls common to all agencies and departments -- the idea being that a single authorization, reusable across government, would enable more rapid adoption by sparing each federal entity from having to conduct its own security evaluation.
The Department of Homeland Security 'Car Wash' Program
Suder points to the "car wash" program that the Department of Homeland Security is developing to evaluate mobile applications, so far limited to those developed in-house.
DHS envisions car wash as a one-stop testing environment for developers to screen their apps for security problems, such as coding flaws or the potential to access sensitive information without appropriate safeguards.
"Car wash is meant for government, [in this case] government-developed apps," Suder says. "They were talking about using it while you're developing your app, so you don't go down the road that's too far down your mobile development, and then next you know you gotta totally rewrite the code. So I think they're meaning it to be more of a collaborative type of thing and it's just a tool that you run your code through so you don't get stuck at the end and have to redo all your code. So I think car wash isn't meant to fix it. Car wash is meant to identify where the issues are and what you've got to fix."
As DHS polishes the program, car wash could become available to other agencies later this year, the department has signaled. That repeatable security test environment, which could grant a seal of approval recognized across the government, could emulate the FedRAMP cloud-computing framework for mobile applications.
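The article does not describe what checks the DHS car wash actually runs. As an added illustration of the kind of cheap, repeatable pre-screen such a vetting pipeline can apply to a government-built app before deeper testing, the Python below inspects an Android manifest for permissions that reach sensitive user data, for settings that weaken the app's own data and network protections, and for components exposed to other apps without a permission guard. This is example code written for this page, not DHS tooling; the sample manifest, the package name gov.example.fieldnotes and the list of "sensitive" permissions are constructed assumptions.

```python
"""Static pre-screen of an Android manifest (added example, not DHS code).

Flags the sort of issues an app-vetting pipeline wants to catch early:
  * permissions that grant access to sensitive user data,
  * debuggable builds, cleartext (non-TLS) traffic, adb backup of app data,
  * components exported to other apps without an android:permission guard.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Assumption for illustration: a subset of permissions that reach sensitive
# user data. A real policy would be agency-specific and more complete.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def is_launcher(component):
    """True if the component carries the LAUNCHER category (must be exported)."""
    for flt in component.iter("intent-filter"):
        for cat in flt.iter("category"):
            if attr(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def screen_manifest(manifest_xml: str) -> list:
    """Return a list of human-readable findings for the given manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    for perm in root.iter("uses-permission"):
        name = attr(perm, "name")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive permission requested: {name}")

    app = root.find("application")
    if app is None:
        return findings

    if attr(app, "debuggable") == "true":
        findings.append("application is debuggable")
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append("cleartext (non-TLS) network traffic allowed")
    if attr(app, "allowBackup") == "true":
        findings.append("adb backup of app data allowed")

    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            explicit = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Before API 31, a component with an intent-filter and no explicit
            # android:exported is exported by default; treat it as exported.
            exported = explicit == "true" or (explicit is None and has_filter)
            if exported and attr(comp, "permission") is None and not is_launcher(comp):
                findings.append(
                    f"{tag} {attr(comp, 'name')} exported without a permission guard"
                )
    return findings


# Constructed sample manifest for a hypothetical in-house app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="gov.example.fieldnotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Field Notes"
        android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <provider android:name=".NotesProvider"
            android:authorities="gov.example.fieldnotes.notes"
            android:exported="true"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in screen_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Run against the sample, the screen reports the READ_CONTACTS request, the debuggable build, the cleartext-traffic setting and the exported content provider, while correctly leaving the launcher activity alone. A check like this is deliberately shallow: it says where to look, not whether the code behind a finding is actually unsafe, which matches Suder's description of car wash as identifying issues rather than fixing them.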
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.