Mobiles attack! The mobile invasion is underway


By GovTechReview Staff
Wednesday, 12 March, 2014



There is no one-size-fits-all mobility solution – especially since devices, resources and policies vary so widely. The push for Bring Your Own Device (BYOD) programs can further complicate the issue. But one thing holds true for every government organisation: mobility has become impossible to ignore. The technological gatekeepers can no longer rule as the "Department of No" – especially when the mobility push within government is coming from the very top as well as from staff on the front line.

Frustrated staff are already bringing their own devices to work, while remote access tools such as Dropbox are a "weed" creeping into Australian offices, warns Rhys Evans, enterprise information systems national practice manager with IT infrastructure consultancy Thomas Duryea.

"Users will inevitably bring their own devices and services into the office, trying to work around security restrictions using whatever mechanism they can," Evans says.

"It's not nefarious. They do it because they want to use a device that enables them to best do their job. Despite this, some government departments still see devices such as iPads as simply a way for people to slack off."

"To be honest," he continues, "unlike in enterprise, we haven't seen a big Bring Your Own Device push from government yet. At the moment, government mobility seems more focused on enabling staff to work offsite and at home. Government employers are recognising that flexible work arrangements can boost productivity and help retain talent. Implementing a wider mobility strategy also lays a solid foundation for a BYOD policy."

Device knowledge. As with most IT projects, Evans says the key to a successful mobility strategy is to begin by focusing on requirements rather than specific devices and technologies. Once they assess their requirements, some government agencies may find their existing technology infrastructure is capable of supporting the new wave of handheld devices – whether they be work-issued or BYOD.

Smartphones and tablets running the latest versions of Apple’s iOS and Google’s Android offer support for Microsoft Exchange and the remote management tools incorporated into ActiveSync. It’s worth noting that some ActiveSync features require an Exchange Server Enterprise Client Access License.

At the same time, Research In Motion’s (RIM’s) BlackBerry PlayBook OS 2.0 update supports ActiveSync, as does the upcoming BlackBerry OS 10. While these BlackBerry devices can now work with Microsoft infrastructure, the introduction of BlackBerry Mobile Fusion allows BlackBerry Enterprise Server to support the influx of devices running iOS and Android.

RIM’s move to embrace ActiveSync within the secure BlackBerry environment grants government organisations the ability to support a wider range of devices while still addressing security requirements, says RIM senior director for enterprise Jeff Holleran.

“As organisations look to leverage a range of devices they need to determine how they’re going to establish common policies across different devices,” Holleran says.

“What we’re doing, in a nutshell, is providing security for ActiveSync. This enables organisations to leverage their existing BlackBerry investment – in devices, infrastructure and expertise – whilst bringing BlackBerry security to other devices.”

Managing the influx. The growing reach of BlackBerry and ActiveSync makes it possible to enforce policies on a range of consumer-grade devices. These policies include mandatory password protection as well as the ability to remotely lock and wipe lost devices.
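As an added illustration (not from the article or any vendor), here is how the ActiveSync controls just described are expressed in the Exchange 2010 Management Shell: a deliberately weak policy beside a hardened one, the assignment to a mailbox, and the remote wipe of a lost device. The policy names, the mailbox address and the device ID are placeholders.

```powershell
# Added example, not from the article. Exchange 2010 ActiveSync mailbox policies
# carrying the controls the article lists: mandatory password, auto-lock, remote wipe.
# Policy names, mailbox address and device ID below are placeholders.

# Weak policy for comparison: no password required, and devices that cannot
# enforce policy ("non-provisionable") are still allowed to sync mail.
New-ActiveSyncMailboxPolicy -Name "Example-Weak" `
    -DevicePasswordEnabled $false `
    -AllowNonProvisionableDevices $true

# Hardened policy: alphanumeric password, inactivity lock, local wipe after
# repeated failed unlocks, storage encryption, and refuse devices that
# cannot honour the policy at all.
New-ActiveSyncMailboxPolicy -Name "Example-Hardened" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Feature restrictions (the settings that need an Enterprise CAL, as the article
# notes). Which of these a given handset actually honours depends on the platform.
Set-ActiveSyncMailboxPolicy -Identity "Example-Hardened" `
    -AllowStorageCard $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# Attach the hardened policy to a user's mailbox (placeholder address).
Set-CASMailbox -Identity "user@agency.example" -ActiveSyncMailboxPolicy "Example-Hardened"

# Lost device: list the mailbox's device partnerships, pick the lost one by its
# DeviceId (placeholder), and issue a remote wipe. The wipe is queued server-side
# and executes on the device's next sync; DeviceWipeAckTime confirms completion.
Get-ActiveSyncDeviceStatistics -Mailbox "user@agency.example" |
    Select-Object DeviceId, DeviceType, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime

$lost = Get-ActiveSyncDeviceStatistics -Mailbox "user@agency.example" |
    Where-Object { $_.DeviceId -eq "<lost-device-id>" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Note that Clear-ActiveSyncDevice is the all-or-nothing wipe the article later contrasts with container-based selective wipe; it removes personal content along with agency data.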


The push to do more with mobile devices has sparked the rise of specialist third-party mobile device management (MDM) providers. Key players include the likes of Good Technology, LRW’s Pinecone, Sybase, AirWatch and MobileIron. A wide range of existing technology players are also targeting the MDM space, from virtualisation specialists Citrix and VMware and networking players Cisco and Juniper to security vendors such as Symantec, Sophos and AVG.

Basic MDM features are rapidly becoming commoditised and advances in Microsoft’s ActiveSync may eventually kill off basic MDM offerings. Advanced MDM tools often distinguish themselves with extra features such as antivirus, device tracking and selective wipe options that can leave personal data intact.

Mobile device management features and security options are often restricted by the limitations of the device. When assessing the security capabilities of devices, government organisations should utilise references such as the Evaluated Products List, maintained by Australia’s Defence Signals Directorate (DSD) intelligence agency.

“Hardening” mobile devices to address security requirements can involve restricting the ability to install third-party applications. Other limitations may include disabling access to cloud-based data sync and backup services.

Imposing and enforcing such restrictions naturally becomes more complicated when running a BYOD program, where end users value such functionality on their devices. Meanwhile, Microsoft and RIM’s all-or-nothing remote wipe options may also not be a good fit with some BYOD policies, as they entail wiping personal data such as family photographs.

Users’ concerns about these capabilities are so strong that 86 per cent of respondents in a recent survey by MDM vendor Fiberlink said they were concerned or extremely concerned that their employers would delete personal pictures, music and email profiles.

A new paradigm. While MDM and usage policies are important, the trend is to move away from managing end devices and instead focus on managing secure access to resources. Vendors such as Good Technology, Pinecone, Citrix, Symantec and VMware achieve this by creating secure encrypted containers that can be remotely wiped whilst leaving the rest of the device’s contents intact. They provide apps that run on a range of mobile platforms including iOS and Android.

Different services utilise this secure area in different ways. Good Technology’s apps are designed around the idea of running applications inside the secure container, which is isolated or “sandboxed” from the rest of the device. Citrix’s Receiver offers secure remote access to applications running on a server, with the ability to optimise the interface of desktop applications for small-screened mobile devices.


For its part, Symantec’s Endpoint Management Suite lets IT managers set up corporate ‘app stores’ offering limited access to apps that it encapsulates inside a wrapper that enables password-protected access, encryption of data and the ability to stop employees copying data out of the app. Both Good Technology and Citrix Receiver offer the ability to support third-party applications and services within their secure environment.

This secure container approach to mobility gives government agencies greater control without simply relying on the security capabilities of the end device, says Jim Watson, APAC vice president and corporate general manager with Good Technology.

“To address today’s security risks, agencies need to go beyond basic MDM and adopt solutions that allow IT departments to set policies, control access and prevent data loss at an application and data level,” Watson says.

“By focusing first on security and control at the application level, government agencies can more readily embrace mobility and even BYOD without compromising policies or the user’s experience.”

Focusing on managing access rather than managing devices can be particularly important when it comes to BYOD programs, adds Nabeel Youakim, APAC vice president of products and the Microsoft Alliance with Citrix.

“The ability to remotely manage access to secure resources, while limiting the amount of data stored on the device, creates a better foundation for BYOD policies than all-or-nothing remote wipe features,” Youakim says. “You don’t own the device, so you can’t just remotely blow the device away in terms of user content such as photos if the device is lost.”

Virtualisation is seen by some as the long-term future of mobile security, although there are hurdles to overcome.

One approach is to run a virtual device within an app that mimics separate hardware. Known as a Type 2 hypervisor, this approach is commonly used by desktop software such as Parallels or VMware Fusion to run Microsoft Windows within a window on a Mac desktop. VMware’s Horizon mobility platform deploys a Type 2 hypervisor on Android devices, but it’s still in the pilot phase and can’t be downloaded from the public app store.


Another approach to virtualisation is to run two virtual devices side-by-side on the same handset using a 'bare metal' Type 1 hypervisor which mimics two physical devices. This approach is already common on servers using tools such as Microsoft’s Hyper-V, VMware ESX Server and Citrix’s XenServer. Bare metal hypervisors offer greater security and separation between devices but require hardware support, which limits their deployment on handheld devices.

The people factor. While mobility strategies present technological challenges, it’s important to keep in mind that you’re also dealing with people. Disabling key features in the name of security and the management of personal data are two issues that Evans says highlight the importance of detailed Acceptable Usage Policies (AUPs) to accompany technological security measures.

A mobility AUP must spell out exactly where jurisdiction over work-issued and BYOD devices starts and ends. This includes hardware, as well as voice and mobile data costs, particularly when it comes to excess data charges incurred for work or personal purposes.

Keep in mind that allowing staff to make hardware purchases can mean losing out on the benefits of volume pricing and the flexibility of business telecommunications plans. A BYOD program also should consider whether consumer-grade warranties, service and support are appropriate. Devices in need of repair or replacement could see staff left in the lurch for days or weeks. It may also be necessary to return devices to the manufacturer even if they contain sensitive data.

While security concerns are obviously an important aspect of any government agency’s mobility plans, Rhys Evans says it’s important to make a realistic assessment of their security requirements so as not to unnecessarily limit devices or hinder their usefulness.

“One of the key issues I’ve encountered with mobility projects is that there’s always one overzealous person who wants to lock these devices down so hard that it defeats the purpose of having them,” Evans says. “Mobility is about flexibility and convenience – so you need to keep an open mind." – Adam Turner

This feature initially ran in the November-December 2012 issue of Government Technology Review.
