Universal Issues Around Mobile Security

By Dan Ford ·

It seems everywhere I go I’m having interesting conversations with senior level government officials regarding mobile security.  A lot of these conversations involve the use of smartphones, encrypting data on these devices, keeping government data separate from personal data, and allowing employees to purchase the phones of their choice and have the government manage them. These are the same exact types of conversations that are taking place in the private sector.

Every time I turn around, I hear another vendor telling me they have the best answer to mobile security. Quite frankly, few vendors I have spoken with have been able to answer all of the questions senior level government officials are asking. Let me tell it to you straight - if your mobile security technology is mainly dependent upon Microsoft ActiveSync for deploying mobile security policies, you might as well just hand over the secrets to your agency.  Why? Because the person who wants to bypass your weak security polices can simply remove a SIM card or put a smartphone into flight mode, then back-up the data to another device.  There goes the opportunity for you to do a remote wipe or a “locate me” and along with it, your organization’s intellectual property.

There is a trend within industry that I’m starting to see within the federal government as well.  When it comes to mobile devices, the expectation is that the individual employee will purchase their own device and the organization will put the employee on their group plan or reimburse them for monthly fees.  This raises an important question - who actually owns the device? The answer: the employee.

I have been searching through case law and I haven’t yet found a case within the United States where an employee has sued their former employer for wiping their personal phone. In Europe this practice is illegal and in certain European countries, the employee may take both criminal and civil action against the employer.  In my opinion, it will only be a matter of time until wiping a personal device without the owner’s permission is considered illegal in the U.S. as well.

Perhaps you are like me and you are struggling with what defines Mobile Device Management (MDM). MDM can be a really confusing term.  If you do a Google search, you will find many vendors in this space.  MDM can simply be defined as authorizing mobile devices to connect, send, and receive email, while enforcing some organizational policies (i.e. password lock on the mobile device, using SSL, whitelisting/blacklisting applications, etc…). But, MDM is not security, it’s a commodity-based product. Many MDM products rely upon Microsoft ActiveSync to push and enforce the mobile policies, but they aren’t adding a lot of benefit above and beyond what Microsoft adds out of the box.  If your organization is relying upon MDM as your security model for mobile devices, then it is accepting a security model of a consumer operating system (iOS or Android) which is inherently weak.  These consumer operating systems do not meet government requirements surrounding encryption standards.  MDM security is not about whitelisting/blacklisting applications; the mobile device may not be owned by the organization, but perhaps by the employee.  A lot of MDM product vendors will tout the MDM security feature that allows a remote wipe capability - doesn’t Microsoft ActiveSync provide this as well? As mentioned above, it’s very simple to get around this feature.

The good news is that there are some MDM vendors that take the following approach to mobile security: keep the organization’s data and the individual’s data distinctly separate, provide a means to overcome the weak security posture of the mobile device’s operating systems, prevent users from backing up the organization’s locally stored data to third party applications (i.e. iTunes), and encrypt the organization’s data to government standards on the device as well as in transit (i.e. FIPS 140-2).

When you’re out there looking for that MDM security vendors that meet the above-mentioned approach, drop me a line and I’ll share my thoughts.  Stay tuned for an upcoming whitepaper on the architectural model for providing mobile security within the federal government.