5 Mobile Security Lessons From the Department of Defense
Several years ago, the National Security Agency wasted millions on a circuit-switched approach to mobile security strategy. With help from the Department of Defense, the NSA is doing things differently now. Enterprise CIOs can learn a few things from the effort, too.
Wed, September 26, 2012
CIO — Try this thought experiment. You want to provide smartphones, iPads and other mobile technologies to your workforce, but you're understandably concerned about security. For the sake of argument, let's also say you have virtually unlimited resources. How would you go about implementing secure mobile technology for your people?
Given that money is no object—bear with me on this point—you'd probably develop a hardened security communications capability that will provide impenetrable voice and data communications for devices that support the technology. True, your people will only be able to use devices that contain this proprietary technology, but at least you'll be able to sleep easy knowing that hackers can't compromise your sensitive communications.
Seems like a no-brainer, but there are three deal-killing flaws with this approach.
- It will likely take years to develop the necessary security technology, by which time the underlying communications infrastructure will be obsolete.
- Your employees will find the devices clunky and limited, and they'll do what they can to go behind your back and bring their own devices to work, thus bypassing your expensive security apparatus.
- You'll no doubt use up the purportedly unlimited budget—which, in the real world, is never even close to unlimited.
Hypothetical MBA business case exercise? Unfortunately, no. This all-too-real scenario is an example of U.S. tax dollars at work. Several years ago, the National Security Agency (NSA) wished to develop secure mobile communications for intelligence and defense purposes, so it spent five years and millions of dollars developing the Secure Mobile Environment Portable Electronic Device. SME-PED took a hardware-centric, circuit-switched approach to security, which renders it obsolete in today's 4G (and beyond) mobile-enabled world.
As a result, it's now time to replace SME-PED. Back to the money trough for sufficient funds for another five-year development project, right? Not so fast. It appears that the NSA and, notably, the Department of Defense have learned several important mobile security lessons from SME-PED.
The newly released DoD Mobility Strategy Memo lays out an entirely different approach to enabling a mobile workforce. Instead of the traditional "dump money on the problem" route that SME-PED took, this memo details a mobility strategy that focuses more on empowering people than on restricting communications.