Secure The Data, Not The Device

Secure The Data, Not The DeviceThe phones are coming, the tablets are coming! What can we do? Our network is being overrun and there’s nothing we can do about it.  When will the insanity stop?????

You may be getting this feeling as more people bring smart phones and tablets to work.  What was once a citadel of security and order has now become a free for all as new devices emerge everyday and threaten the nice controlled world of IT.  What has become a nightmare for some companies has become an opportunity to quickly innovate for others.

The movement of BYOD (bring your own device) to work has now reached the US Federal Government. In January 2012, Federal CIO Steven VanRoekel announced the launch of a mobile road map for the federal government. “We have a real opportunity to bring to bear mobile technology in federal government that changes the paradigm,” VanRoekel said. “The mobile strategy is a multipronged approach that is aimed at driving efficiency across the federal government, enhancing citizen-government interactions, and untethering federal employees from their desks.”

In years past, the federal government only purchased certain devices or customized hardware that met very strict criteria; Blackberries are commonly the device of choice.  This was fine when technology changed slowly, but today no one can afford to stick with the same things for 5 years – not even 3 years. The issue with the government was always security and the secure access of government data.  When it comes to security, what works for desktops and laptops doesn’t necessarily apply to smart phones and tablets. There are simply too many types of devices, and they’re more easily stolen or misplaced.

Rather than worrying about securing the device, federal CIOs are worrying about securing the data.  This is a good strategy for any CIO.  The federal CIOs plan to use a combination of thin-clients, virtualization on devices to separate business data from personal data, and data encryption.  They will also use mobile device management to wipe the data from a device if needed.

The key to all of this is to protect the data and not the device.  Smart phones, tablets and even laptops are commodities today.  The devices are easily replaceable, but what they contain is not.  Since so many employees operate outside an office, one goal of the US national mobility strategy is to make sure this mobile workforce is productive.  The fastest and cheapest way to do that is to let government employees BYOD.  As long as the devices meet certain standards for security and the information they access can be secured, this makes sense. 

The mobility road map also relies heavily on cloud computing.  VanRoekel said that going forward everything must be done with an eye to the cloud. “We have a Cloud First policy, so when agencies are building solutions, they need to consider cloud first,” he said.  The new Federal Risk and Authorization Management Program (FedRAMP) program is designed to provide agencies “a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”

The US federal government is on the right path.  Using commercially available products and services makes it easier and less costly to meet the government’s goals.  Governments everywhere are trying to provide better services to its citizens at a lower cost.  That also includes its own workforce.  Having fast access to information is what makes any business go and governments are no different.  Taking advantage of the latest in technology to do this doesn’t mean that everything is like the wild west.  Giving people choice of how they consume information and on what device can still be done safely.

The key is the data.  When government employees and citizens access sensitive information, it must be encrypted and available only to those people who should have access to it.  When information sits in a database, the database should encrypt it.  When someone accesses information on a website, the browser must use HTTPS at a minimum and some form of authentication to ensure privacy of communication.  When someone accesses a document, it should have a persistent security policy on it that guarantees that only authorized parties can access the information inside.

The US government is looking at ways to cut costs, make its employees more productive through newer technologies and provide better services to its citizens.  Cloud computing and mobility are two key pieces of that strategy.  Locking down the data that is on those devices completes the puzzle.  Worry about who has access to the data, not the device.

 

Photo credit Iman

Comments 1

Leave a Reply

Your email address will not be published. Required fields are marked *