The US Department of Defense (DoD) will begin implementing its future enterprise-wide model for securing mobile devices, applications and networks among “small populations”.
The DoD has given a rough outline of how it may eventually secure desirable commercial mobile devices and provide a template for controlling the “unconstrained” mobile piloting already occurring in pockets.
The pilots that have occurred have shown some success, DoD’s CIO, Teri Takai, outlined in a new strategy document, but they have “also resulted in the lack of security and interoperability across products”.
The document canvasses the mismatch between DoD processes and requirements and those that make commercial practices more desirable.
While commercial devices and application development processes hold promise for the DoD, the organisation is, in many ways, not equipped to adopt them, Takai notes.
Today, for example, the DoD’s certification process for new apps does not support the timely release of new apps, constraining the device’s effectiveness. On the other hand, none of the commercial devices meet DoD standards 'out of the box'.
The DoD is looking to implement application signing to ensure the integrity of apps loaded on to devices while supporting faster development cycles with a “common mobile application development framework”, aimed at secure development and testing for a multi-platform environment.
The framework may offer guidance on how to use commercial SDKs, testing criteria, how to port applications to supported platforms, and how to sign apps with the right key.
The overall aim is to prepare the DoD’s network and information infrastructure, policies and web application processes in such a way that they enable mobile devices to “untether” its forces while keeping their data, connections and devices secure.
Other mismatches between deploying mobile at an enterprise-wide level and the pilots that have occurred include “bandwidth limitations” caused by current methods of securing tactical communications. Takai notes the DoD will need to invest in its networks consistently with existing commercial networks that comply with the IEEE’s 802.11 WLAN standards and 3GPP LTE-based 4G. Continued investment in VPN technologies will also be critical.
Another mismatch occurs around how DoD should enable apps and devices to securely interface between its own networks and commercial ones, as well as communicate over short range networks like Bluetooth. PKI and mobile device management (MDM) services are considered essential to ramping up mobility.
The DoD is looking at over-the-air patching and device configuration, federated identity/device management, and enterprise essentials such as device access control, encryption, remote wiping, routine backups, regular device scans and malware detection.
Results from the targeted trials will be used to build a business case that may support scaling out mobile devices to the wider enterprise, according to the report.