There is little indication that the bring-your-own-device (BYOD) trend at government agencies will abate anytime soon. This presents a challenge for agencies seeking to rapidly extend policy and security controls to smartphones and tablets. Consider a 2013 survey by Telework Exchange, which finds that nearly half (49%) of federal employees say they use their personal devices for work-related tasks. Of these, 64% indicated they use their own smartphones and 19% use a tablet for work.
The challenge for agencies is to simultaneously support and encourage BYOD for the convenience and productivity benefits it delivers, while also putting in place effective policies and procedures that prevent data leakage and mitigate operational costs that come along with mobile device management. The fact is that, however unwittingly, mobile end users may be accessing sensitive documents and files in a way that compromises IT security via “consumerized” cloud services that place agency data at risk.
Some of the security red flags occur when BYOD is extended to “bring data anywhere you want”. BYOD need not and should not be a data free-for-all. Just because workers can enter a government agency with their own device does not mean they need to leave with government data resident on it.
Agencies have options
The good news for agencies evaluating different paths toward further opening up BYOD to users is that there are options. Before choosing the best one, an agency must ask questions about its specific mobility and security needs. For example, to what extent should an agency open up its network, applications and data, and thereby expose itself to the risk of hacking and information leakage? Would clamping down on an employee’s access to mobile data overly inhibit productivity and usability, and layer in additional complexity?
In some cases, the added convenience of BYOD isn't worth the risk of opening up access, even if it is secured access. In other cases, for knowledge workers that may often need to work from anywhere on data that isn't so sensitive, the balance can easily tip towards more free access to data. And of course, other government workers spend their entire day in the field performing a function that requires (or is greatly facilitated by) always-on access to a government system via a mobile device.
As agencies explore these questions, they are better positioned to evaluate three primary options on how to secure access to government data on mobile devices:
1. Don't do BYOD
Agencies can opt to restrict use only to secured mobile devices provided by the agency that are not used for personal purposes. This is the device equivalent of an "air gapped" network, and allows the agency complete control. The downside is the reduction of employee convenience and potential dissatisfaction from having to carry multiple devices, along with the additional costs of managing multiple mobile devices per employee.
2. Secure the device itself
This approach acknowledges BYOD in the enterprise and focuses on securing the device. This can be done either by rigorously testing various mobile systems and accrediting them for use, or through innovative approaches like running a secured "virtual phone" within the personal phone.
3. Secure the data
If we assume the device is insecure, we can focus on securing the data instead of the device. This approach streams data to the mobile device as needed, using existing access controls. It is a path that is perhaps most intriguing for its potential to allow measured BYOD usage growth in the agency without compromising security.
Streaming data to the mobile device as it is needed can reduce potential risks as no government data gets stored locally, and thus is less subject to loss or compromise. With streamed data, government workers can view and annotate the documents, spreadsheets, and presentations they need in order to work, but they do not have to store those documents on a local untrusted device. Or they can stream access to, for example, an internal SharePoint site to gain access to necessary information without having to open the SharePoint site up to the world.
With a streaming solution, no documents actually leave government systems, and all access controls are enforced every time a document is accessed. In some cases, temporary offline access to documents can be provided, but only if allowed by access controls, not as a by-product of the technology itself. In general, the streaming solution means that only one application on the end device accesses the government network, via a secured connection, so no other apps on the mobile device get access – preventing intrusions by any other potential malware on the phone. It is much easier to secure and validate one known application than thousands of unknown applications on a BYOD device.
The data streaming solution has advantages over two other, more traditional solutions: opening VPN access and using a cloud syncing solution. While VPN access does allow documents to be downloaded and stored locally (depending on the application), it also gives any application on the mobile device access to the internal network. So all it takes is one piece of malware or a compromised phone, and you have an internal network intrusion via the VPN.
On the other hand, there is cloud syncing. This approach syncs copies of data across multiple devices (mobile and desktop/laptop). While this solution is often quite convenient and has the benefit of constant offline access, it tends to put data out on multiple unsecured devices and potentially on a public cloud infrastructure, which may or may not meet government security requirements.
In the previously referenced Telework Exchange survey, just 11% of federal employees said their agency has an official BYOD policy – indicating that agencies are still feeling their way through the proper balance between mobility and security. As the path towards BYOD evolves, understanding the options available for securing government data on mobile devices – and selecting the one that best meets their needs – can ensure that worker productivity increases without negatively impacting data and device security.