Mobile devices increase productivity, allowing employees to access enterprise resources while traveling and at home, speeding decision making and allowing mobile identity management. Federal agencies face a dilemma: how can they support these productivity-enhancing tools while protecting proprietary information and sensitive personal data?
The LMI Research Institute funded a 10-month project assessing mobile security requirements, policies, privacy issues, devices, carriers, and management software.
During the project, LMI:
- analyzed 300 LMI employee surveys regarding workplace smartphone use;
- interviewed senior leaders at intelligence agencies, Google, and the White House;
- reviewed more than 100 mobile device management (MDM) tools, validating six;
- selected, acquired, and validated mobile devices, and tested eight devices with the selected MDM solution; and
- developed a Bring Your Own Device (BYOD) policy.
Mobile Security Challenges
Lack of security: The challenges facing agencies seeking secure mobile communications are daunting. “If you use a phone or tablet out of the box you are going to regret it. The devices aren’t secure,” said David Shepherd, Senior Security Engineer with LMI. Shepherd noted that of 11 evaluated smartphones and tablets, even with on-device configuration, only nine met half of the agency’s security requirements.
Limited software updates: Mobile carriers are also inconsistent regarding operating system support, as some stop updating the operating system before the two-year contract is up.
Data destruction difficult: It’s hard to remove proprietary data from a tablet or smartphone because mobile devices store data in many locations, and default wiping software may not sufficiently clear all data in all locations. Agencies also don’t always own the device, limiting what they can do with it, physically or otherwise.
Fast market pace: There are myriad market players, an avalanche of new apps (some malicious), and uncertainty regarding the long-term viability of vendors.
The Solution: Mobile Device Management
LMI discovered that MDM software can solve many of these challenges by creating a “virtual container” on a smartphone. The phone stores enterprise data and email in this virtual container, while private email and other content are kept separate, which makes proprietary content easier to secure, find, and later remove.
Effective MDM solutions also simplify security configuration. Agencies can configure the MDM software to disconnect a noncompliant device from the network and delete enterprise data and applications.
Plan for Mobile Security Today
In spite of the rapid market pace, it’s essential to develop a mobile device policy. As part of its research, LMI developed a draft BYOD policy balancing enterprise security with employee privacy (see sidebar).
BYOD Policy Recommendations
The BYOD policy drafted by LMI includes these and other recommendations:
- Implement a mobile device management (MDM) solution
- Identify supported smartphones, tablets, and operating systems/versions
- Establish virtual container approach for enterprise content
- Prohibit forwarding of work email to personal email addresses
- Specify user roles and responsibilities
- Prohibit use of jailbroken phones
- Notify user that at the end of employment, enterprise content will be remotely wiped from the phone.