Enabling and securing mobile workers is top of mind for many federal agencies at present. From the Department of Defense (DoD), which has nearly 70 mobile pilot programs in place today, to civilian agencies like the Equal Employment Opportunity Commission, which has piloted a bring your own device (BYOD) program featured in the White House BYOD toolkit, mobility is reshaping the way agencies work. Scott Montgomery, Vice President of Public Sector Solutions at McAfee, recently shared his thoughts on securing the warfighter on Iron Bow’s TechSource blog. While Scott primarily talks about these issues through the lens of the warfighter, much of it is applicable across all agencies, as you’ll see from his best practices at the end of this piece.
Scott’s Thoughts on How BYOD is Impacting Federal Agencies:
There’s “A Tale of Two Mobiles” going on today. There is the government-issued BlackBerry, which is perceived as antiquated and a non-starter from the apps standpoint. However, it performs the mail and Personal Information Management (PIM) functions with a long history of security and extreme reliability.
Then there’s the ‘other’ gadget: a personally purchased smartphone or tablet which is almost universally either an Apple iOS or Google Android device, the latter from an increasing number of manufacturers. This is the true mobility tool for its holder because it gives them instant access to their electronic lives using a variety of personas: student, teacher, gamer, photographer, parent, traveler, music lover, consumer, child, community member, friend and so on.
The one persona that isn’t fulfilled by the ‘other’ gadget is as a warfighter, or someone who supports warfighters. The complex rules and policies for connecting devices to the Non-Classified IP Router Network (NIPRNet) are so onerous and the pace at which the devices, their OS, and their apps evolve is so fast that there are currently only a finite number of ways to do it – all with their own shortcomings.
Scott’s Thoughts on Mobility, BYOD, and the Warfighter:
The horse is already out of the barn as it relates to mobility supporting warfighters. There are a couple of really excellent examples that clearly demonstrate that regardless of 1990s dogma, mobile devices have to be on the network and we can never go back.
A few years ago, while LTG Michael Vane was running the U.S. Army’s TRADOC, he showed me an iOS app that demonstrated to a learning warfighter what to do with his hands while reloading a Patriot missile launcher. The team at TRADOC wasn’t doing overhead projectors, film strips, three-ring binders or whatever else they had done in 1960 any longer. They were going to train incoming warfighters in a hands-on manner using a tool that every single kid had seen, played with, or owned – an iPad. The positive impact upon learning was enormous – kids wanted to know more because they were learning in a way that stimulated them.
Today, TRADOC has an entire page of approved apps for Initial Military Training (IMT) for soldiers. These apps range from news of the day to Stars and Stripes, all the way to an app that trains soldiers on the proper way to call for a medical evacuation (MEDEVAC). Imagine going to a 19-year old kid considering a career in the military and telling him that the first thing he has to do is leave his smartphone or tablet at home in order to start his training. There’s no way to return to a pre-mobility state for training warfighters, nor should we consider one – the gains in efficiency and results are simply too great.
Scott’s Thoughts on Best Practices for Securing the Warfighter’s Mobile Technology:
We continue to have ongoing security and misconfiguration issues with the legacy brick-and-mortar networks and tools despite decades of maturation, training and influx of practitioners. The problem is magnified with respect to mobility. There are no ‘experts’ with respect to DoD mobile security because the space is extremely nascent, the number of people who know anything beyond BlackBerry is incredibly finite, and the OS, underlying gadgets and particularly the apps change at a blistering pace. There are, however, a few things that we can do that will assist in getting our arms around the problem:
- It’s a computer. Treat it like a computer. Don’t segregate it because it’s unwired, don’t say ‘it’s special’ and relegate it to different policies and tactics. Treat it like you would any other computer. I assure you, 5-8 Gb of the right mission data exfiltrated from your network on an Android tablet is just as lethal to your warfighting effort as it would have been on a laptop or DVD.
- Ensure that you have good visibility into the device when it’s attempting to get on your network.
- Make policies for what state it has to be in before you permit that connection – no jailbroken or rooted devices, for example.
- Make policies for how the device gets onto your network – through an IPSec VPN only? Through an SSL VPN only? Through a thin or near-zero client only? You’ll find that different connection methods give you varying degrees of control, but your users will fight you tooth and nail if they perceive you are drawing boundaries against their productivity. Test drive your policies with users in limited pilots.
- Audit and report against your mobile devices using the same criteria you do for your desktops and laptops so you have complete visibility to the risks you are taking on.
- Consider using outsourcing, as there may be limited expertise available to you. The most critical part of the outsourcing effort is creating service level agreements with your outsourcing partner that can a) be measured cleanly, b) be audited independently and c) create accountability in your partner.
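The visibility, device-state, connection-method and audit practices above can be expressed as one admission policy. The following is an added example (not code from the post, from McAfee or from Iron Bow) that evaluates constructed posture reports as an MDM or NAC agent might deliver them; the field names, the minimum OS versions and the permitted connection methods are assumptions chosen for illustration.

```python
"""Device-posture admission check with an audit roll-up (constructed example)."""
from dataclasses import dataclass, field

# Policy knobs (assumed values): which connection paths are permitted and the
# minimum OS version per platform, mirroring what you would enforce on laptops.
ALLOWED_CONNECTIONS = {"ipsec_vpn", "ssl_vpn", "thin_client"}
MIN_OS = {"ios": (15, 0), "android": (12, 0)}


@dataclass
class Decision:
    device_id: str
    allowed: bool
    reasons: list = field(default_factory=list)


def _version_tuple(version: str) -> tuple:
    """'13.0' -> (13, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(posture: dict) -> Decision:
    """Apply the admission policy to one posture report (hypothetical field names)."""
    d = Decision(posture["device_id"], True)
    if posture.get("is_rooted_or_jailbroken"):
        d.reasons.append("rooted/jailbroken device")
    os_name = posture.get("os", "").lower()
    if os_name not in MIN_OS:
        d.reasons.append(f"unsupported platform: {os_name or 'unknown'}")
    elif _version_tuple(posture.get("os_version", "0")) < MIN_OS[os_name]:
        d.reasons.append("os below minimum version")
    if posture.get("connection") not in ALLOWED_CONNECTIONS:
        d.reasons.append(f"connection method not permitted: {posture.get('connection')}")
    if not posture.get("mdm_enrolled"):
        d.reasons.append("not enrolled in MDM (no visibility)")
    d.allowed = not d.reasons  # deny on any finding, like a desktop NAC check
    return d


def audit_report(decisions: list) -> dict:
    """Roll up decisions the same way a desktop compliance report would."""
    denied = [d for d in decisions if not d.allowed]
    findings: dict = {}
    for d in denied:
        for reason in d.reasons:
            findings[reason] = findings.get(reason, 0) + 1
    return {"total": len(decisions), "denied": len(denied), "findings": findings}


# Constructed posture reports: one compliant tablet, one jailbroken phone, one
# unmanaged, out-of-date tablet arriving over an unapproved path.
SAMPLE_POSTURES = [
    {"device_id": "tab-001", "os": "Android", "os_version": "13.0",
     "is_rooted_or_jailbroken": False, "connection": "ipsec_vpn", "mdm_enrolled": True},
    {"device_id": "phone-002", "os": "iOS", "os_version": "16.2",
     "is_rooted_or_jailbroken": True, "connection": "ssl_vpn", "mdm_enrolled": True},
    {"device_id": "tab-003", "os": "Android", "os_version": "9.0",
     "is_rooted_or_jailbroken": False, "connection": "wifi_direct", "mdm_enrolled": False},
]
```

Running `audit_report([evaluate(p) for p in SAMPLE_POSTURES])` gives the per-finding counts an auditor would compare against the desktop fleet.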