By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering
Here’s an interesting article written by my colleague Jim Hansen. It seems that our BYO challenges are not over, and Jim offers some great steps agencies can take to help with these issues.
In 2017, the Department of Defense (DoD) released a policy memo stating that DoD personnel—as well as contractors and visitors to DoD facilities—may no longer carry mobile devices in areas specifically designated for “processing, handling, or discussion of classified information.”
For federal IT pros, managing and securing “allowable” personal and government devices is already a challenge. Factor in the additional restrictions and the real possibility that not everyone will follow the rules, mobile-device management and security can seem even more overwhelming.
Luckily, there are steps federal IT pros can take to help get a better handle on managing this seemingly unmanageable Bring Your Own Everything (BYOx) environment, starting with policy creation and implementation, and including software choices and strategic network segmentation.
Agency BYOx Challenges
Some agencies allow personnel to use their own devices, some do not. For those that do, the main challenges tend to be access issues: which devices are allowed to access the government network? Which devices are not?
For agencies that don’t, there’s the added challenge of preventing unauthorized use by devices that “sneak through” security checkpoints.
Implementing some of the below best practices to support your government cybersecurity solutions can help ensure complete protection against a BYOx threat.
Three-Step BYOx Security Plan
Step One: Train and Test
Most agencies have mobile device management policies, but not every agency requires personnel to take training and pass a policy-based exam. Training can be far more effective if agency personnel are tested on how they would respond in certain scenarios.
Effective training emphasizes the importance of policies and their consequences. What actions will personnel face if they don’t comply or blatantly break the rules? In the testing phase, be sure to include scenarios to help solidify personnel understanding of what to do when the solution may not be completely obvious.
Step Two: Access Control
Identity-based access management is used to ensure only authorized personnel are able to access the agency network using only authorized devices. Add a level of security to this by choosing a solution that requires two-factor authentication.
Additionally, be sure to create, maintain, and carefully monitor access-control lists to help ensure that users have access to only the networks and resources they need to do their jobs. When establishing these access control lists, include as much information as possible about the users and resources—systems and applications—they are allowed to access. A detailed list could aid in discovering and thwarting fraudulent access from a non-authorized device.
Step Three: Implement the Right Tools
Mobile phones are far and away today’s biggest BYOx issue for federal IT pros. As a result, access control (step two) is of critical importance. That said, ensuring the following basic security-focused tasks are being implemented is a critical piece of the larger security picture:
• Patch management – Patch management is a simple and effective security measure. Choose a product that provides automated patch management to make things even easier and keep your personnel’s devices patched, up to date, and free of vulnerabilities and misconfigurations.
• Threat detection – Users often have no idea their devices have been infected, so it’s up to the federal IT pro to be sure a threat detection system is in place to help ensure that compromised devices don’t gain access to agency networks.
• Device management – If a user tries to attach an unauthorized device to the network, the quicker the federal IT pro can detect and shut down access, the quicker a potential breach is mitigated.
• Access rights management – Provisioning personnel, deprovisioning personnel, and knowing and managing their access to the critical systems and applications across the agency is necessary to help ensure the right access to resources is granted to the right people.
Sticking to the basics and implementing a logical series of IT and end user-based solutions can help reduce the risk of mobile technologies.
Find the full article on our partner DLT’s blog Technically Speaking.
The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.