In our monthly series on mobility we are featuring best practices and expert opinion from our own Practice Directors and partner community on the issue of mobility and BYOD. Recently, we sat down with Scott Montgomery, VP of Public Sector Solutions at McAfee, to get his perspective. As we continue the final part of this series we’ll get his perspective on how the U.S. Army is handling managing numerous mobile devices and what lessons can be learned.
TechSource Editor: A recent survey conducted by a Pentagon Inspector General uncovered that the Army’s smartphones and tablets were not configured to remotely wipe and protect sensitive data. There is concern about how to secure and maintain data sent, received and stored on mobile devices in general and this study reveals that the concern is legitimate. What best practices must be put in place to address these concerns?
Scott Montgomery: Is this really any surprise? We continue to have ongoing security and misconfiguration issues with the legacy brick and mortar networks and tools despite decades of maturation, training and influx of practitioners. The problem is magnified with respect to mobility. There are no ‘experts’ with respect to DoD mobile security because the space is extremely nascent, the number of people who know anything beyond Blackberry is incredibly finite, and the OS, underlying gadgets and particularly the apps change at a blistering pace. There are however, a few things that we can do that will assist in getting our arms around the problem:
- It’s a computer. Treat it like a computer. Don’t segregate it because it’s unwired, don’t say, ‘it’s special’ and relegate it to different policies and tactics. Treat it like you would any other computer. I assure you, 5-8 Gb of the right mission data exfiltrated from your network on an Android tablet is just as lethal to your warfighting effort as it would have been on a laptop or DVD.
- Ensure that you have good visibility to the device when it’s attempting to get on your network.
- Make policies for what state it has to be in before you permit that connection – no jail broken or rooted devices, for example.
- Make policies for how the device gets onto your network – through an IPSec VPN only? Through an SSL VPN only? Through a thin or near-zero client only? You’ll find that different connection methods give you varying degrees of control, but your users will fight you tooth and nail if they perceive you are drawing boundaries against their productivity. Test drive your policies with users in limited pilots.
- Audit and report against your mobile devices using the same criteria you do for your desktops and laptops so you have complete visibility to the risks you are taking on.
- Consider using outsourcing, as there may be limited expertise available to you. The most critical part of the outsourcing effort is creating service level agreements with your outsourcing partner that can a) be measured cleanly, b) be audited independently and c) create accountability in your partner.
TechSource Editor: Anything else to add?
Scott Montgomery: People who are ‘standing their ground’ against mobile technology being employed universally by warfighters are on the wrong end of Custer’s Last Stand. The populace who wants mobility outnumbers you and will fight to your death to get what they want. Executed properly, mobility can not only add to the morale, welfare and recreation of our warfighters, but can also assist mission as well – in a growing number of ways that we haven’t even considered yet. Get on board; it’s going to be a hell of a ride.
COMMENTS