As the federal government warms to the idea of allowing employees to use their own mobile devices for work and develops new device management policies, agency CIOs and others will still have to grapple with the challenges associated with application security, experts warn.
The initial challenge for federal IT managers evaluating BYOD policies was to ensure that their agency's infrastructure was secure enough for new devices to enter the network and provide for central management, according to Tom Suder, president of the mobile services provider Mobilegov.
With those policies in place, agencies have cleared the way for the development and adoption of innovative new applications that could boost productivity in a mobilized workforce. But those apps invite a host of new security challenges.
Mobile Device Management vs. Mobile Application Security
"I think we're definitely in exciting times here. We're actually talking about doing better work for the government. I think we've shifted the conversation from mobile device management (MDM) and getting people -- you know, authorizing devices on the network. Even the DoD has authorized iOS and Android devices on their network in conjunction with an MDM," Suder said during an online presentation yesterday.
"And I think we're really getting to the point now where we're going to have these real good mission apps, doing-your-job kind of apps, and I think it's going to, you know, increase efficiency and make people do their jobs better, but I do think that we need to balance that with security, and there hasn't been too many enterprise mobility apps out there, so I think this is definitely an area we need to be paying attention to," Suder said.
"There has been a gap on mobile application security," he adds.
The government's cautious embrace of new mobile devices and applications comes amid a broader evolution in its $80 billion IT operation and, like the move toward cloud computing, carries a White House mandate.
Federal CIO Steve VanRoekel unveiled the federal government's mobile strategy last January at the annual Consumer Electronics Show in Las Vegas, directing departments and agencies to develop strategies for the adoption of new devices and applications.
Since then, the Obama administration has issued the more sweeping digital government strategy, which laid out a series of deliverables with due dates, including mile markers for mobile adoption.
Agencies, particularly those moving toward BYOD, have been developing device management policies with features like remote data wiping and encryption. But policies that stop at the device level fail to address the unique security concerns associated with mobile apps, according to Tom Voshell, senior director of solutions engineering at SAP's regulated industries division.
"There are multiple ways to secure an application. Now, a lot of folks would say, 'Well I have a secure device, so therefore my applications are secure.' Well, mobile device security only takes you to a certain level," Voshell says. "There are encryption methods for locking the data down on the devices. But that's not really protecting everything that happens in an application."
On the mobile-application security front, Suder sees a potential model in the FedRAMP program the government developed for cloud computing technologies.
To win FedRAMP certification, a cloud product must meet a set of baseline security standards that are common to all agencies and departments -- the idea being that a single certification would enable more rapid adoption by sparing each federal entity from having to conduct its own security evaluation.
The Department of Homeland Security 'Car Wash' Program
Suder points to the "car wash" program that the Department of Homeland Security is developing to evaluate mobile applications, so far limited to those developed in-house.
DHS envisions car wash as a one-stop testing environment for developers to screen their apps for security problems, such as coding flaws or the potential to access sensitive information without appropriate safeguards.
"Car wash is meant for government, [in this case] government-developed apps," Suder says. "They were talking about using it while you're developing your app, so you don't go down the road that's too far down your mobile development, and then next you know you gotta totally rewrite the code. So I think they're meaning it to be more of a collaborative type of thing and it's just a tool that you run your code through so you don't get stuck at the end and have to redo all your code. So I think car wash isn't meant to fix it. Car wash is meant to identify where the issues are and what you've got to fix."
As DHS polishes the program, car wash could become available to other agencies later this year, the department has signaled. That repeatable security test environment, which could grant a seal of approval recognized across the government, could emulate the FedRAMP cloud-computing framework for mobile applications.
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.