BYOD Security Demands Mobile Data Protection Strategy

WASHINGTON — As federal agencies slowly warm to the emergence of an increasingly mobile workforce, the traditional methods of securing a desktop environment will have to evolve to account for a vast new crop of wireless devices, a senior official with Symantec warned on Wednesday.

Federal CIOs, which have been developing mobility strategies for their agencies and departments at the direction of the White House, need to take an information-centric approach to securing the files and applications on mobile devices, rather than trying to lock down the device itself, Gigi Schumm, Symantec’s vice president and general manager for the public sector, said in a presentation here at the FedScoop government IT conference.

The security issues associated with an increasingly mobile workforce are amplified when CIOs consider adopting a “bring-your-own-device,” or BYOD, policy, allowing employees to access potentially sensitive work files and applications on their personal device. At the same time, just as in the private sector, federal workers are coming to expect that they should be able to work on their favorite devices, and adopting BYOD policies, as some agencies are considering, could help lower IT acquisition and management costs.

BYOD: What Can We Learn from China?

The Consumerization of IT and BYOD Guide

“If agencies allow their users to bring their own devices then they don’t have to buy those devices and maintain them for their life,” Schumm said, though she noted that “the more important gains are going to be the gains in productivity.”

“But there’s an elephant in the room, right? That is how are we going to manage and secure all the information across these mobile devices. Because the truth of the matter is despite all of the virtues, widespread mobility does create a larger threat environment for government employees, and for anybody really,” she said.

BYOD remains an unsettled area of federal IT policy. In January, Steven VanRoekel, the CIO of the federal government, offered a first glimpse at a comprehensive mobile strategy, and has since been working with the agencies to formulate specific policies on a number of areas, including rules of the road for working with developers, mobile security and BYOD policies.

Those last two, of course, are closely coupled. For starters, the greatest virtue of mobile device, they’re small and they travel with their users, also invites loss or theft. For that reason, Schumm urged a security strategy that focuses on access control and identity management, so that even if the device falls into the wrong hands, the risks would be minimized.

“Secondly, they’re typically personal devices, which means you’ve got this potentially hazardous intermingling of personal and public data and applications and policies,” she said.

Mobile devices, as a class, are generally more vulnerable to specific types of attacks by virtue of the way they operate, she added.

“Because they are portable, and they don’t have a great deal of processing power, they’re particularly reliant on network access and cloud services. And so because you don’t have a fixed perimeter,” Shumm said, “they are more susceptible to a host of threats, including network- based attacks and data-loss events.”

For Symantec, the risk profile of a BYOD workforce demands that agencies reorient their approach (often a cultural challenge in the federal government) and acknowledge that they cannot exercise complete control over the device, and focus on identity assurance and locking down access to sensitive files and applications.

Agency CIOs have been understandably reluctant to welcome in a mélange of new mobile devices into their IT portfolio, just as many of their counterparts in the private have raised similar objections. But Schumm argued that many of the concerns can be satisfactorily addressed if security personnel can implement adequate safeguards that protect the vital information, regardless of what device it lives on.

“Where you really need to go to get to — fulfill the promise of true bring-your-own-device is … where the agency doesn’t have control over the machine, they haven’t bought the machine, but they do have control over the relevant data and applications. So in other words you can manage and secure the applications that are critical to your agency, your mission, and those apps that are personal apps when they’re there — you know, Angry Birds or Words With Friends, you don’t need to worry about. But you can control the data flow to make sure that government data stays where it should be in government apps, and it’s not shared,” Schumm said.

“So this is where the train is heading — true, complete BYOD. And the new paradigm demands a new security posture which we call information-centric,” she added. “So it’s not that we’re going to move away from device-centric security, but we need to layer an information- centric approach on top of it, and that is security that focuses on protecting the data wherever it moves, and wherever it rests.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.

Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.