Securing the Line When Cutting the Cord

Security for mobile devices in the federal space is improving, but there’s still a lot of ground to cover

In June, we partnered with Market Connections to survey decision makers and influencers within the US federal IT space. While the report covers several areas, and I strongly recommend having a look at the whole survey, the section on mobile device usage caught my attention.

Observations

What is clear from the report is that mobile devices and the security issues that come with them are being taken seriously in federal IT—or at least some sectors. The problem is that “some sectors” is not nearly enough.

Let’s take one of the first statistics on the survey—permitting personal devices to access internal systems.

[Chart: survey results on permitting personal devices to access internal systems]

The good news is that 88% of the respondents said that some form of restriction is in place. But that leaves 11% with more or less unfettered access from their personal mobile devices. Eleven percent of the federal government is a huge number, and there is almost no way to look at that 11% and call the resulting risk acceptable. And that’s just the first chart. Other areas of the survey show splits that are closer to 50-50.

For example, 65% of the respondents say that data encryption is in place. That means 35% of the mobile devices in the field right now have no encryption. Honestly, for almost all of the points on the survey, nothing less than a number very close to 100% is acceptable.

Recommendations

What can be done about this? Obviously this one essay won’t untie the Gordian Knot in one fell swoop, but I am not comfortable throwing my hands up and saying “yes, this is a very bad problem.” There are solutions and I want to at least make a start at presenting some of them.

Let’s start with some of the easy solutions:

Standard Phones

Whether or not phones are agency-provided, there should be a standard setup for each of them. Employees can provide their own phone as long as it is on a short list of approved devices and they allow it to be provisioned. This helps agencies avoid having devices with known security gaps on the network, and it allows certain other features to be implemented, like:

Remote Wipe

Any phone that connects to government assets should be subject to remote-wipe capability by the agency. This is a no-brainer, but 23% of respondents don’t have it or don’t know if it is in place (trust me, if it were there you’d know!).

VPN

Every mobile device that connects to federal systems should be set up with a VPN client, and that client set to activate automatically whenever a network is connected—whether Wi-Fi or cellular. Not only would this help keep the actual traffic secure, it would also force all federal network traffic through a common point of access, which would allow for comprehensive monitoring of bandwidth usage, traffic patterns, user access, and more.

Security Training

The number one vector for hacking is still, after all these years, the user. Social engineering remains the biggest risk to the security of any infrastructure. Therefore before a device (and the owner) is permitted onto federal systems, the feds should require a training class on security practices—including password usage, two-factor authentication, safe and unsafe networks to connect on (airports, café hotspots, etc.), and even how to keep track of the device to avoid theft or tampering.

All of those options, while significant, don’t require massive changes in technology. It’s more a matter of standardization and enforcement within an organization. Let’s move on to a few suggestions which are a little more challenging technically.

Bandwidth monitoring

Note that this becomes much easier if the VPN idea mentioned earlier is in place. All mobile devices need to have their data usage monitored. When a device suddenly shows a spike in bandwidth, it could indicate that someone is siphoning data off the device on a regular basis.

Of course, it could also mean the owner discovered Netflix and is binge-watching “The Walking Dead.” Which is why you also need…

Traffic Monitoring

Quantity of bytes only tells half the story. Where those bytes are going is the other half. Using a technique such as NetFlow makes it possible to tell which systems each mobile device is engaged in conversations with—whether it’s 1 packet or 1 million. Unexpected connection to China? That would show up on a report. Ongoing outbound connections of the same amount of data to an out-of-state (or offshore) server? You can catch those as well.

The key is understanding what “normal” is—both from an organizational perspective and for each individual device. Ongoing monitoring provides the baseline and highlights the outliers that rise up out of those baseline data sets.
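As an added illustration of the bandwidth- and traffic-monitoring ideas above (this is example code, not part of the original post or of any SolarWinds product), the script below builds a per-device baseline from constructed flow records and flags three kinds of outlier: a volume spike against the device’s own median, a conversation with a country the device has never talked to, and a fixed-size transfer to the same destination repeated across many days. The record layout, hostnames and addresses are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (device, day, destination, country, bytes). Hosts and
# addresses are documentation/example values, not real systems.
FLOWS = [
    ("phone-A", 2, "mail.agency.example", "US", 21_000_000),
    ("phone-A", 2, "203.0.113.5", "US", 4096),
    ("phone-A", 3, "mail.agency.example", "US", 19_500_000),
    ("phone-A", 3, "203.0.113.5", "US", 4096),
    ("phone-A", 4, "mail.agency.example", "US", 20_000_000),
    ("phone-A", 4, "203.0.113.5", "US", 4096),
    ("phone-A", 5, "mail.agency.example", "US", 20_000_000),
    ("phone-A", 5, "203.0.113.5", "US", 4096),
    ("phone-A", 5, "198.51.100.77", "CN", 70_000_000),
]

def build_baseline(flows, device, before_day):
    """Per-device baseline: median daily bytes plus destinations/countries already seen."""
    daily, dests, countries = defaultdict(int), set(), set()
    for dev, day, dst, country, nbytes in flows:
        if dev == device and day < before_day:
            daily[day] += nbytes
            dests.add(dst)
            countries.add(country)
    return {"median_bytes": median(daily.values()) if daily else 0,
            "dests": dests, "countries": countries}

def find_outliers(flows, device, day, spike_factor=3.0, min_repeats=3):
    """Compare one day's traffic with the device's own baseline and return
    (kind, detail) tuples for anything that rises out of it."""
    base = build_baseline(flows, device, day)
    findings, total = [], 0
    for dev, d, dst, country, nbytes in flows:
        if dev != device or d != day:
            continue
        total += nbytes
        if country not in base["countries"]:
            findings.append(("new_country", f"{dst} ({country})"))
        elif dst not in base["dests"]:
            findings.append(("new_destination", dst))
    if base["median_bytes"] and total > spike_factor * base["median_bytes"]:
        findings.append(("bandwidth_spike", f"{total} bytes vs median {base['median_bytes']:.0f}"))
    seen_days = defaultdict(set)  # (destination, byte count) -> days observed, up to 'day'
    for dev, d, dst, _, nbytes in flows:
        if dev == device and d <= day:
            seen_days[(dst, nbytes)].add(d)
    for (dst, nbytes), days in seen_days.items():
        if len(days) >= min_repeats:  # same size to the same host on many days: scheduled transfer?
            findings.append(("repeated_fixed_size", f"{nbytes} bytes to {dst} on {len(days)} days"))
    return findings
```

Running `find_outliers(FLOWS, "phone-A", 5)` on the constructed data reports the new country, the volume spike and the repeated 4096-byte transfer; the same logic applied to real NetFlow exports only needs a different record loader.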

User Device Tracking

User Device Tracking correlates where a device logs on (which office, floor, switch port, etc.) with the user who logs in on that device, to build a picture of how a mobile device moves through the environment, who is accessing it (and accessing resources through it), and when it is on or off the network. Having a UDT solution in place is for more than just finding a rogue device in real time. As with traffic monitoring, a steady and ongoing collection of data allows administrators to map out where a device has been in the past.

In Closing

The mobile device section of the federal survey has much more useful information, but these recommendations I’ve raised—along with the reasons for why it is so desperately important to implement them—would, if executed, provide a higher level of security and stability. I hope you’ll take a moment to consider them for your organization.

Full survey results: http://www.solarwinds.com/assets/industry/surveys/solarwinds-state-of-government-it-management-and-m.aspx

Anonymous
  • No PEDs allowed and quite frankly, love it.  I do not have to hear every coworker's device within 50 feet of my desk making sounds when someone posts something to their Facebook account. 

    More work getting done and people actually talking. 

  • Still happy to be in an organization that doesn't allow any wireless devices.

  • Agreed, that is where software like Good Technology and MobileIron come into it. They let you monitor and control devices that are connected to your network, or even if they are not. They help secure these devices where internal email, websites, and documents are being viewed on these devices. The Executive Office of the President uses Good Technology; I regularly talked to their administrators when I was supporting the software. We were the reason that Mr. Obama had to give up his Blackberry. So this technology is definitely becoming more and more mainstream in enterprise businesses and needs to be addressed by the Administrator in order to keep some sort of security. Just my opinion and I am sticking to it. Lol

  • Thanks for sharing. This is something that many organizations need to look at. They willingly allow people to put devices on the networks. Possibly have to go through some kind of training to get access to the capabilities. However, they don't monitor those devices, secure those devices, or put standards in place....

  • This is where tools like MobileIron, and solid policy, both written and network security, save the day.