Mobile data management offers serious challenges for federal IT
The rise of mobile technology has had a transformative effect on countless industries. From the bring-your-own-device trend to more flexible work hours and beyond, mobile devices have made it possible for organizations to enjoy greater efficiency, effectiveness and productivity, all while increasing employee job satisfaction. At the same time, though, mobile IT presents a number of serious challenges. Among the most severe: the risks associated with mobile data. Mobile IT can only prove beneficial if organizations can ensure the cybersecurity of data shared through this medium.
All of this certainly applies to the federal government. Virtually every agency has, by this point, embraced mobile IT to some degree, with many utilizing mobile software development to create customized apps, both internal and consumer-facing. However, the fact remains that cybersecurity in the realm of mobile data is a serious challenge. Recently, GCN contributor Will Kelly spoke to a number of industry experts to examine how the federal government is currently tackling these issues, and how agencies can potentially improve their performance in this area.
One of the biggest concerns that federal agencies must confront in light of the growing popularity and importance of mobile IT solutions is the need to prevent data loss regardless of where the data in question is being accessed or stored. While in the past cybersecurity efforts focused primarily on securing the actual computers and networks on which information was housed, this is not long effective as users turn to mobile devices which will extend beyond the organization's networks.
"Agencies need comprehensive data loss prevention strategies."
In this sense, mobile IT security is essentially following in the footsteps of cloud security efforts. Rob Potter, vice president of the public sector for Symantec, told Kelly that the growing prevalence of both hybrid cloud environments and mobile IT suggests the need for comprehensive data loss prevention strategies. He further explained that such tactics should recognize that agency data cannot be safeguarded entirely within the organization's networks, and therefore cybersecurity efforts should center around the data itself. This approach should include controls that identify anyone who attempts to access agency data, via mobile device or otherwise.
Cloud-based services are also playing a role in mobile device management on the federal level. Tom Suder, president of Mobilegov, told Kelly that agencies can turn to Mobile-Backend-as-a-Service as a means of uniting mobile users with legacy systems, including backend databases. He noted that these resources offer a variety of tools, including user authentication capabilities, which federal agencies can utilize to mobilize their data while continuing to ensure that that information remains protected.
The importance of authentication was a recurring refrain among the industry experts Kelly spoke to. More specifically, a number of IT professionals emphasized that earlier methods of user verification are no longer viable for secure mobile device management.
"The part I think that is starting to become more of a challenge these days is around the access control piece," Dan Quintas, solutions engineer for AirWatch, told Kelly. "We know that as of a few months ago, the concept of using a username and password to access resources is essentially off the table for any federal agency. What that means is we're looking at alternative forms of authentication."
"Only half of agencies have strong authentication across 95% of privileged users."
These alternative forms Common Access Cards or Personal Identity Verification cards. Several agencies have already made progress in this capacity. Notably, a recent report from Govtech Works found that the Department of Defense has achieved universal compliance with CAC and that 5.3 million PIV cards are now in circulation throughout the federal government. However, the report ultimately concluded that these efforts are not nearly enough to fully protect agencies' data and personnel. The latest White House report to Congress on the Federal Information Security Management Act revealed that only half of federal agencies were rated to have strong authentication across 95 percent of privileged users.
Speaking of the adoption of PIV authentication, Hildegard Ferraiolo, PIV program lead and a computer scientist at NIST, said, "Acceptance has been gradual [and] not as we would have hoped," Govtech Works reported.
Part of the problem, according to Quintas, is that PIV and CAC deployments can be costly, Kelly reported. However, one potential solution to this predicament may be the adoption of soft certificates, which can be derived from PIV or CAC. Quintas told Kelly that these soft certificates can be installed on the mobile device itself, simplifying the sign-on process for users without compromising security.
Ultimately, whatever approach federal agencies embrace, the fact remains that superior mobile device management and data cybersecurity must remain top-level priorities as they move forward with mobile adoption and software development efforts. Only by taking these issues seriously can the federal government continue to expand and improve its performance without compromising its data security capabilities.