March 28, 2011 By Hilton Collins
Elayne Starkey, Delaware’s chief security officer, was worried. In 2010, she was concerned about state employees accessing the government network with personal smartphones despite the availability of state-issued BlackBerrys. The Department of Technology and Information gave employees BlackBerrys that were secured to the government’s liking. Employees’ personal smartphones, however, were a different story. Owners may have had security controls on them; they may not have.
The idea of employees using unsecured devices to access the state network didn’t make the state’s security chief happy. And employees voiced concerns of their own: The current standardization model wasn’t working.
“They were carrying around their personally owned smartphone anyway, thinking, ‘Why can’t we just combine all this access into a single device? Why do I have a BlackBerry on one hip and my personal smartphone on the other?’” Starkey said.
So on Nov. 15, 2010, Delaware state employees no longer had wholesale access to the state network on personal devices. If someone wanted to use a personal device for government business, he or she needed a manager’s approval. And the phone in question had to meet specific security standards to get the green light.
“I’m sleeping easier at night because I know that, as of Nov. 15, we have closed a significant vulnerability,” Starkey said. “Before Nov. 15, there was unfettered access to state data.”
Mobile security in general has caused quite a few headaches. The National Association of State Chief Information Officers (NASCIO) cited numerous laptop breaches in a two-part report, Security at the Edge — Protecting Mobile Computing Devices, including 2007 Ponemon Institute data claiming that more than 42 percent of all U. S. data breaches — public and private — came from lost or stolen laptops. The estimated average cost of each breach was nearly $50,000.
With smartphones entering the picture, the possibilities for data loss and corruption dramatically increase. Kevin Murray, vice president of product marketing at iPass, a network and mobility services company, said mobile devices — and their dangers — are here to stay. “In 2010 and before, mobile workers were essentially the exception, not the rule, and what we’re seeing in IT in general is that the mobile worker is really setting the rules now.”
The iPass Mobile Workforce Report, released in November 2010, found that 22 percent of employees surveyed breached corporate policy by using an unauthorized smartphone for work even when their companies had a strict policy against it.
Delaware changed its mobile device strategy to meet employee demands, but not without setting rules. If employees want to use their personal mobile phones for work, their managers must agree that there’s a need for it. And even after approval, some smartphones may not make the cut.
Delaware still distributes state-issued BlackBerrys, but non-state-issued mobile devices must meet seven controls that include strong passwords that expire, inactivity time-outs, encryption, lockouts after seven failed password attempts and remote wiping capabilities in case of loss or theft.
The Department of Technology and Information also created a list of devices that support the security controls, and supplied information to employees on what to tell their providers if they need assistance.
Starkey would like her department to be even more helpful, but that’s not feasible. “As much as I’d love to be an expert on every single mobile device out there and every single operating system version that’s available on those devices, we just can’t do it,” she said. “It’s really impractical for them to look at the state help desk as their hotline for their personally owned smartphone questions.”
Many would likely agree that it’s unwise to lay security responsibilities mainly in the hands of the employee. Murray is one of them. “It can’t be, ‘Here’s your phone,’ or, ‘Here’s the instructions on what phone to buy. Good luck,’” he said. “The critical thing is, IT still has to be involved with enforcing the policy on that device, even if it’s user liable.”
Charles Robb, a NASCIO senior policy analyst, wrote in part two of the Security at the Edge series that of 36 surveyed states, 14 had policies allowing the use of personally owned smartphones for work, 10 prohibited their use, six were reviewing state policy on the matter, and six left the decision to individual state agencies rather than central IT.
Theresa A. Masse, Oregon’s chief information security officer, agrees with others about the impending threats smartphones pose, especially when government IT doesn’t own or control them. “Now you potentially have state information on a personally owned device, so we don’t know what’s on it,” she said. “We don’t know who else is using it. We don’t know how it’s stored. It’s a huge issue. Are people patching it? Where are they wandering around on their own personal device? What are they looking at?”
Masse’s department, the Enterprise Information Strategy and Policy Division, doesn’t issue government mobile devices en masse. The state leaves it up to individual agencies to decide how they’ll approach smartphone use on the job.
“We ask them to make it as a business decision and to consider the risk,” Masse said. If agencies decide to go mobile, they must develop internal policy on network access and information storage. Oregon’s policies on acceptable use and controlling portable and removable storage devices were implemented in 2007.
Nebraska’s stance is tougher: Employees aren’t allowed to use personal devices if they can access confidential information. The risks are too great. “If they have information that could walk away from state government, we have no ability to make sure that we are protecting the state against what that personal device could introduce to our networks,” said Nebraska CIO Brenda Decker.
The Mobile Lockdown
The first Security at the Edge paper cites 2008 National Institute of Standards and Technology (NIST) recommendations on cell phone and PDA security, which may not be as up-to-date as some might like, but it’s certain that people from the organization have some insight on the issue.
For starters, anyone assuming that federal information would be more attractive to cyber-criminals than state or local information should think again. “It depends,” said Tom Karygiannis, a senior researcher at NIST. “Los Angeles, how big is that economy, right? Or California, for example — the state of California is huge.”
Government users can download unsafe apps onto their smartphones just as they can with laptops or PCs. And losing a smartphone could be a recipe for disaster even if it has nothing to do with a traditional hacker-victim breach. “Let’s say you’re drafting some memo in the public sector and it’s just a draft,” Karygiannis said. “It’s meant for internal use and just discussion. This thing gets out and then people start writing articles on it. It’s not even true.”
He said users could compromise security out of device confusion. If a lab employee has a personal phone and a corporate one, it’s possible he may accidentally take a top-secret photo with a personal device instead of with the corporate phone. It’s an honest mistake, but now a top-secret image is on a personal network. “That’s just a goofy example, but you could be in an area where there are privacy issues and people shouldn’t be taking pictures,” Karygiannis said. NIST publishes guidelines and recommendations for various technologies at http://csrc.nist.gov.
The iPass report recommends that enterprise IT look beyond the laptop when it comes to IT security — rising smartphone and tablet adoption demand a more holistic approach. And managers should ensure that employee devices meet established security criteria before they’re approved.