The future of mobile data management


Just managing the device is no longer an option. Here's where the experts see mobile-security strategies heading in 2016 and beyond.

Many government agencies have mastered the basics of mobile device management (MDM), but the growing number of increasingly powerful devices is changing the mobile threat landscape and bringing a whole new level of complexity as security concerns shift from apps to data.

GCN spoke with a range of experts about the evolving challenges.  The following tools and tactics are worth watching as agencies seek better ways to secure their data:

Data loss prevention

Look for DLP solutions to become location- and destination-aware, said Brian Kenyon, chief strategy officer for cybersecurity firm Blue Coat Systems.  “We're starting to realize that data is going to [mobile] devices, so rather than saying we need to prevent it, we need to move to a model [where] is this okay… so we know what data is going, what devices it's going to and if we're comfortable with that or not.”

The federal sector is increasingly interested in extending data loss prevention (DLP) capabilities -- beyond data center and PC controls -- to the mobile world, added Rob Potter, vice president, public sector, Symantec.

Because most agencies need some kind of hybrid cloud environment, he said, they must expect data to become portable from the cloud to an on-premise environment and then to a mobile device. Expecting to secure data through virtualization or having it never leave the data center is a false hope, considering the amount of information sharing that takes place in government and the intra-agency dependencies that go along with that sharing, he said.

Therefore, Potter recommended that government agencies move toward a comprehensive method of DLP, including:

  • Know that agency data is going to move
  • Put controls around agency data that identify who is trying to access it
  • Place protections around the data

Derived credentials: CAC and PIV for a mobile workforce

“The part I think that is starting to become more of a challenge these days is around the access control piece,” said Dan Quintas, solutions engineer, AirWatch. “We know that as of a few months ago, the concept of using a username and password to access resources is essentially off the table for any federal agency. What that means is we're looking at alternative forms of authentication.”

It can be expensive to deploy CAC and PIV readers to a mobile workforce, according to Quintas. Nor are they necessarily the right answer for mobile authentication.

“Where people are starting to look now is around the concept of derived credentials,” in which a soft certificate – derived from the user’s CAC or PIV certificate --  is installed on a mobile device, Quintas explained.

However, derived credentials and single sign on are independent of one another, Symantec’s Potter stressed. Having a derived credential infrastructure will simplify the sign-on process, but agencies must drive SSO across applications, multiple devices, and inside their infrastructure.

He acknowledged the hesitation among agency IT managers who say, "I'm never getting derived credentials so I have single sign on,” but pointed out that derived credentials are about trusting multiple components in an enterprise environment. Once you achieve that trust, Potter said, SSO becomes much easier for a federal agency.

Common criteria

Citrix's Rajiv Taori, who is vice president for product management in that firm's mobile platforms group, echoed Quintas’s observations about derived credentials and sees Common Criteria security standards as another option for agencies to protect their data on mobile devices. With every agency doing something different for security, he said, standardization is an important next step for improving data security.

Windows 10

Sean Ginevan, MobileIron's senior director for strategy, predicted Windows 10 will change how federal agencies manage their mobile devices. He sees federal customers asking whether to treat Windows 10 devices like desktops, “where the security model is, ‘I'm inside the network, and I join the Windows domain, and I get my security policies and update that way,’ or do I treat them more like mobile devices?”

Ginevan wasn’t the only expert to mention Windows 10's place in the agency toolbox. Chuck Brown, a product manager for FiberLink, an IBM company, said his company is also getting inquiries from some federal customers about the new operating system. Windows apps are in place, and users would require little to no retraining.

Windows 10 could enter the “side door” to mobile device management as agencies change out Windows laptops for Windows 10-based tablets like the Microsoft Surface, according to Brown and others.

Mobile app vetting

Mobilegov President Tom Suder said app vetting will become increasingly important. Mobile app developers don’t necessarily think about how an app’s security affects backend systems, he said, which can open data centers to potential attack. Agencies need to secure and authenticate both the app and the mobile device, he said, to ensure that it’s not doing anything you don’t want it to do.

Adam Salerno, Veris Group's manager for federal programs, agreed, and sees agencies adopting app vetting as another layer of security beyond MDM. He explained that the app vetting process runs mobile apps in a sandbox where security specialists look at the mobile app’s code -- and at the static and dynamic natures of the app.

 “We can observe the [app] behavior and notice if contacts or data and other things are being exfiltrated in ways that are not obvious to a user,” Salerno said.

Cloud services

Cloud services are part of the evolving tactics that will take agencies beyond traditional MDM. As more cloud vendors achieve certification through the Federal Risk and Authorization Management Program, Salerno sees more questions for agencies to resolve around VPN access, data flow between the cloud and mobile devices, auditing tools on the cloud service side and the potential requirement for a hybrid cloud with data being synced to a virtual appliance residing behind an agency firewall.

Suder mentioned that mobile backend as a service (MBaaS) could help agencies link their mobile users to legacy backend databases and systems. Because MBaaS provides easy-to-use developer tools including user authentication, he said, it could prove to be an economical option for agencies mobilizing their data.

Containerization (or not)

Agencies' use of secure virtual container technologies beyond MDM seems uneven, based on the interviews conducted for this article. FiberLink’s Brown sees containerization alive and well with agencies making secure containers the next step beyond MDM along with implementing DLP.  And Salerno added that agencies can use secure containers, because they apply an additional level of encryption security above and beyond what’s on the device. Containers can work on agency-owned and BYOD devices alike.

Quintas from AirWatch, however, sees containers differently.  In his company’s conversations with federal agencies in particular, he said, IT managers report that while the concept of using the email container is a very strong security solution, end users are starting to revolt against it.

“Those mobile IT teams in federal are starting to wrap their arms around [the idea that] maybe the email container's not the answer for everything,” Quintas explained. "Maybe you can achieve security using the native protocols that are there today."
