In the rush to use mobile devices, agencies continue to struggle with how best to secure these smartphones and tablet computers. But should agencies look at these popular devices any differently than more traditional desktop or laptop computers?
Ron Ross, a senior security specialist at the National Institute of Standards and Technology, said tablets and smartphones really are powerful computers and agencies should apply a risk-based security approach to them like any other system.
“That’s a challenge. Today we are not doing it to the fullest extent. You have to ask the basic question, and this is where NIST is doing some work with the Homeland Security Department in exploring some of these new technologies, what kind of controls can an Android operating system or Apple operating system support?” Ross said Wednesday during a panel discussion on the Digital Government Strategy sponsored by AFCEA-Bethesda, Md. “What kinds of basic things that we would expect from any device or system, identity management, identification, authentication, access control and encryption, all of those core fundamental things that we do in cyber, how are those applied in these new technologies? We have to do more work in understanding the technologies and how those fundamentals are applied.”
Similar to PCs, smartphones and tablets provide a direct path for attack against agency networks, and that is why the security and risk management basics remain the same.
Ross said the new security control guidance would address mobile threats. He said 800-53 will have “250 new controls in it based upon the new threats we see today. The customers don’t implement all of those controls. But the important thing from our perspective is to give senior leaders the appropriate choices to make those risk-based choices.”
Ross and others said the decision-making process based on acceptable risk is just another example of how mobile devices are similar to traditional computers.
But agencies are not consistently applying this approach. For instance, the Office of Management and Budget and DHS required employees to log on to their agency’s network using secure identity cards under Homeland Security Presidential Directive-12 starting in fiscal 2012. But there is no mention in the Digital Government Strategy of how HSPD-12 fits in with smartphones or tablet computers.
Ross said it all comes back to risk tolerance. If an agency deploys a device and decides not to require employees to use their HSPD-12 card to log on, then that’s a risk they can live with. But agencies must understand all the risks to a system and how to mitigate them, and then explain it to the agency’s business leaders in a way they can understand.
NIST is also updating the HSPD-12 guidance, FIPS 201, to address mobile computing.
Mobile security reference architecture
DHS is developing a second document to help agencies protect mobile devices.
Sean Donelan, the program manager for the National Cybersecurity Division at DHS, said the agency is leading an interagency effort to create a mobile security reference architecture. It’s one of several reference architectures the government is creating to help implement mobile and shared services.
“Rather than every single agency having to go out and develop their own way of doing things, we get 30-40 agencies together and they develop a reference architecture, which is a halfway architecture that is about 60 percent done,” Donelan said. “Each agency will go on and customize it to their own needs, but it gets the common things out there.”
Donelan said DHS will release the draft mobile security reference architecture this summer for public comment.
The document also will help move agencies away from securing the device and more toward securing the data.
“Protecting information is even harder than protecting systems. We don’t really understand what the issues are,” he said. “Encryption is given as one of those things that will solve the problem. But encryption is really hard to do right as we’ve seen over and over again. The concept of mobile, desktop, laptop or mainframe will go away and it’s going to be more about mission and information. We are not there yet. It’s going to be a culture evolution.”