5 Mobile Security Lessons From the Department of Defense
Given that money is no object (bear with me on this point), you'd probably develop a hardened secure communications capability that provides impenetrable voice and data communications for devices that support the technology. True, your people will only be able to use devices that contain this proprietary technology, but at least you'll be able to sleep easy knowing that hackers can't compromise your sensitive communications.
Seems like a no-brainer, but there are three deal-killing flaws with this approach.
Hypothetical MBA business case exercise? Unfortunately, no. This all-too-real scenario is an example of U.S. tax dollars at work. Several years ago, the National Security Agency (NSA) wished to develop secure mobile communications for intelligence and defense purposes, so it spent five years and millions of dollars developing the Secure Mobile Environment Portable Electronic Device. SME-PED took a hardware-centric, circuit-switched approach to security, which renders it obsolete in today's 4G (and beyond) mobile-enabled world.
As a result, it's now time to replace SME-PED. Back to the money trough for sufficient funds for another five-year development project, right? Not so fast. It appears that the NSA and, notably, the Department of Defense have learned several important mobile security lessons from SME-PED.
The newly released DoD Mobility Strategy Memo lays out an entirely different approach to enabling a mobile workforce. Instead of the traditional "dump money on the problem" route that SME-PED took, this memo details a mobility strategy that focuses more on empowering people than on restricting communications.
Turning to the DoD for Strategic Advice?
The DoD may seem like an unlikely source of strategic innovation, but its strategy holds some important lessons for any organization looking to balance security concerns with the power of mobile communications. Here are five highlights.
1. Focus on software, not hardware. Even though the DoD's long-standing policy was to rely on hardware-based encryption technologies, the DoD Mobility Strategy centers entirely on software-based security. As a result, the devices themselves are purely commercial off-the-shelf (COTS). This fulfills the desires of DoD personnel and also helps future-proof the strategy, since the DoD must keep pace with the frenetic rate of technology development in the mobile space.
In fact, the DoD met with Apple in 2010 and, according to a conversation with an Army general, asked for a few hardware tweaks to the iPhone. Apple steadfastly declined. Why? Not because it's an arrogant market leader, but because of economic reality: even the largest order the DoD might place would account for only a day or two of iPhone production. It's simply not worth the trouble for Apple to customize its hardware, even for its largest customer.
2. Encourage interoperability. The DoD Mobility Strategy calls for "composable" solutions. In other words, the agency expects and encourages interoperability across mobile apps, as well as among mobile, cloud and traditional on-premises apps.
While traditional thinking holds that closed technology is inherently more secure, today's approach is to embrace openness and develop secure approaches that work in open, dynamic environments. As a result, if the answer to the question "Is there an app for that?" is yes, then there should be a way to use the new app securely within the appropriate security context.
3. Consider all end users. The new strategy focuses on the needs of different constituencies. SME-PED, on the other hand, was essentially a one-size-fits-all solution. It may have been worth the trouble for certain command-and-control communications, but it was overkill for the everyday business of the DoD. In contrast, today's mobility strategy expressly calls out the different needs of executive users (battlefield commanders), tactical users (warfighters) and enterprise users (everyone else). Clearly, someone whose job is to pay the DoD's bills has very different security concerns than a strike fighter pilot.
4. Think globally, act locally. The new mobility strategy handles governance and management differently as well. Taking a page from service-oriented architecture (SOA) governance best practice, the DoD Mobility Strategy calls for centralized management of secure devices and distributed enforcement of security policies.
On the one hand, the DoD requires the ability to remotely wipe and disable lost devices, an example of a key centralized management capability. On the other hand, it's also counting on its extensive user base to understand and implement mobile security policies in the field. As a result, training and human management are central elements of the new strategy.
5. Don't treat everyone the same. The DoD now requires "just enough" security. There's no sense providing top secret-level security to users who only have secret clearances. DoD personnel without clearances at all still require a measure of security, but there's no sense spending the same kind of money to secure routine, unclassified communications as the agency must spend securing classified communications.
Mobile Security Calls on People to Pitch In
Perhaps the most interesting aspect of the DoD Mobility Strategy is that it emphasizes both technology and people. Gone are the days when security depended on a single set of hardened technology solutions, with people simply expected to use the technology properly.
Today's mobile environment is too diverse and dynamic to support such a black-and-white approach to security. Instead, it falls to the users of mobile technology to understand the role their gear plays in achieving the broad-based goals of the organization. As a result, the new mobility strategy represents a dramatic cultural shift for an organization used to relying on military precision and rigid technologies.
For private-sector organizations struggling with their own mobility strategies, there are important lessons here. A militaristic approach to mobile security is impractical at best and dangerously ineffective at worst. Instead, the only way to take advantage of increasingly flexible and dynamic technologies is to put in place equally flexible and dynamic security policies and infrastructure.
Security won't be perfect. Then again, it never is. The DoD Mobility Strategy illustrates how even the most security-conscious organization can balance security concerns with the agility requirements of an increasingly empowered workforce.
Jason Bloomberg is the president of ZapThink, a Dovel Technologies company. ZapThink is a service-oriented architecture (SOA) advisory and analysis firm. Bloomberg focuses on enterprise architecture, SOA and cloud computing.