The future of mobile data management

By Will Kelly as written on gcn.com

Many government agencies have mastered the basics of mobile device management (MDM), but the growing number increasingly powerful devices is changing the mobile threat landscape, and bringing a whole new level of complexity as security concerns shift from apps to data.

GCN spoke with a range of experts about the evolving challenges. The following tools and tactics are worth watching as agencies seek better ways to secure their data:

Data loss prevention

Look for DLP solutions to become location- and destination-aware, said Brian Kenyon, chief strategy officer for cybersecurity firm Blue Coat Systems. “We're starting to realize that data is going to [mobile] devices, so rather than saying we need to prevent it, we need to move to a model [where] is this okay… so we know what data is going, what devices it's going to and if we're comfortable with that or not.”

The federal sector is increasingly interested in extending data loss prevention (DLP) capabilities -- beyond data center and PC controls -- to the mobile world, added Rob Potter, vice president, public sector, Symantec.

Because most agencies need some kind of hybrid cloud environment, he said, they must expect data to become portable from the cloud to an on-premise environment and then to a mobile device. Expecting to secure data through virtualization or having it never leave the data center is a false hope, considering the amount of information sharing that takes place in government and the intra-agency dependencies that go along with that sharing, he said.

Therefore, Potter recommended that government agencies move toward a comprehensive method of DLP, including:
•Know that agency data is going to move
•Put controls around agency data that identify who is try to access it
•Place protections around the data

Derived credentials: CAC and PIV for a mobile workforce

“The part I think that is starting to become more of a challenge these days is around the access control piece,” said Dan Quintas, solutions engineer, AirWatch. “We know that as of a few months ago, the concept of using a username and password to access resources is essentially off the table for any federal agency. What that means is we're looking at alternative forms of authentication.”

It can be expensive to deploy CAC and PIV readers to a mobile workforce, according to Quintas. Nor are they necessarily the right answer for mobile authentication.

“Where people are starting to look now is around the concept of derived credentials,” in which a soft certificate – derived from the user’s CAC or PIV certificate -- is installed on a mobile device, Quintas explained.

However, derived credentials and single sign on are independent of one another, Symantec’s Potter stressed. Having a derived credential infrastructure will simplify the sign-on process, but agencies must drive SSO across applications, multiple devices, and inside their infrastructure.

He acknowledged the hesitation among agency IT managers who say, "I'm never getting derived credentials so I have single sign on,” but pointed out that derived credentials are about trusting multiple components in an enterprise environment. Once you achieve that trust, Potter said, SSO becomes much easier for a federal agency.

Common criteria

Citrix's Rajiv Taori, who vice president for product management in that firm's mobile platforms group, echoed Quintas’s observations about derived credentials and sees Common Criteria security standards as another option for agencies to protect their data on mobile devices. With every agency doing something different for security, he said, standardization is an important next step for improving data security.

Windows 10

Sean Ginevan, MobileIron's senior director for strategy, predicted Windows 10 will change how federal agencies manage their mobile devices. He sees federal customers asking whether to treat Windows 10 devices like desktops, “where the security model is, I'm inside the network, and I join the Windows domain, and I get my security policies and update that way,’ or do I treat them more like mobile devices?"

Ginevan wasn’t the only expert to mention Windows 10's place in the agency toolbox. Chuck Brown, a product manager for FiberLink, an IBM company, said his company is also getting inquiries from some federal customers about the new operating system. Windows apps are in place, and users would require little to no retraining.

Windows 10 could enter the “side door” to mobile device management as agencies change out Windows laptops for Windows 10-based tablets like the Microsoft Surface, according to Brown and others.

Mobile app vetting

Mobilegov President Tom Suder said app vetting will become increasingly important. Mobile app developers don’t necessarily think about how an app’s security affects backend systems, he said, which can open data centers to potential attack. Agencies need to secure and authenticate both the app and the mobile device, he said, to ensure that it’s not doing anything you don’t want it to do.

Adam Salerno, Veris Group's manager for federal programs, agreed, and sees agencies adopting app vetting as another layer of security beyond MDM. He explained that the app vetting process runs mobile apps in a sandbox where security specialists look at the mobile app’s code -- and at the static and dynamic natures of the app.

“We can observe the [app] behavior and notice if contacts or data and other things are being exfiltrated in ways that are not obvious to a user,” Salerno said.

Cloud services

Cloud services are part of the evolving tactics that will take agencies beyond traditional MDM. As more cloud vendors achieve certification through the Federal Risk and Authorization Management Program, Salerno sees more questions for agencies to resolve around VPN access, data flow between the cloud and mobile devices, auditing tools on the cloud service side and the potential requirement for a hybrid cloud with data being synced to a virtual appliance residing behind an agency firewall.

Suder mentioned that mobile backend as a service (MBaaS) could help agencies link their mobile users to legacy backend databases and systems. Because MBaaS provides easy-to-use developer tools including user authentication, he said, it could prove to be an economical option for agencies mobilizing their data.

Containerization (or not)

Agencies' use of secure virtual container technologies beyond MDM seems uneven, based on the interviews conducted for this article. FiberLink’s Brown sees containerization alive and well with agencies making secure containers the next step beyond MDM along with implementing DLP. And Salerno added that agencies can use secure containers, because they apply an additional level of encryption security above and beyond what’s on the device. Containers can work on agency-owned and BYOD devices alike.

Quintas from AirWatch, however, sees containers differently. In his company’s conversations with federal agencies in particular, he said, IT managers report that while the concept of using the email container is a very strong security solution, end users are starting to revolt against it.

“Those mobile IT teams in federal are starting to wrap their arms around [the idea that] maybe the email container's not the answer for everything,” Quintas explained. "Maybe you can achieve security using the native protocols that are there today."

Source: Adam Salerno, Veris Group's manager for federal programs, agreed, and sees agencies adopting app vetting as another layer of security beyond MDM. He explained that the app vetting process runs mobile apps in a sandbox where security specialists look at the mobile app’s code -- and at the static and dynamic natures of the app.