BYOD security demands mobile data protection strategy

WASHINGTON -- As federal agencies slowly warm to the emergence of an increasingly mobile workforce, the traditional methods of securing a desktop environment will have to evolve to account for a vast new crop of wireless devices, a senior official with Symantec warned on Wednesday.

Federal CIOs, who have been developing mobility strategies for their agencies and departments at the direction of the White House, need to take an information-centric approach to securing the files and applications on mobile devices, rather than trying to lock down the device itself, Gigi Schumm, Symantec's vice president and general manager for the public sector, said in a presentation here at the FedScoop government IT conference.

The security issues associated with an increasingly mobile workforce are amplified when CIOs consider adopting a "bring-your-own-device," or BYOD, policy, allowing employees to access potentially sensitive work files and applications on their personal devices. At the same time, just as in the private sector, federal workers are coming to expect that they should be able to work on their favorite devices, and adopting BYOD policies, as some agencies are considering, could help lower IT acquisition and management costs.


"If agencies allow their users to bring their own devices then they don't have to buy those devices and maintain them for their life," Schumm said, though she noted that "the more important gains are going to be the gains in productivity."

"But there's an elephant in the room, right? That is how are we going to manage and secure all the information across these mobile devices. Because the truth of the matter is despite all of the virtues, widespread mobility does create a larger threat environment for government employees, and for anybody really," she said.

BYOD remains an unsettled area of federal IT policy. In January, Steven VanRoekel, the CIO of the federal government, offered a first glimpse at a comprehensive mobile strategy, and has since been working with the agencies to formulate specific policies on a number of areas, including rules of the road for working with developers, mobile security and BYOD policies.

Those last two, of course, are closely coupled. For starters, the greatest virtue of mobile devices (they're small and they travel with their users) also invites loss or theft. For that reason, Schumm urged a security strategy that focuses on access control and identity management, so that even if the device falls into the wrong hands, the risks would be minimized.

"Secondly, they're typically personal devices, which means you've got this potentially hazardous intermingling of personal and public data and applications and policies," she said.

Mobile devices, as a class, are generally more vulnerable to specific types of attacks by virtue of the way they operate, she added.

"Because they are portable, and they don't have a great deal of processing power, they're particularly reliant on network access and cloud services. And so because you don't have a fixed perimeter," Schumm said, "they are more susceptible to a host of threats, including network-based attacks and data-loss events."

For Symantec, the risk profile of a BYOD workforce demands that agencies reorient their approach (often a cultural challenge in the federal government), acknowledge that they cannot exercise complete control over the device, and focus on identity assurance and locking down access to sensitive files and applications.

Agency CIOs have been understandably reluctant to welcome a mélange of new mobile devices into their IT portfolio, just as many of their counterparts in the private sector have raised similar objections. But Schumm argued that many of the concerns can be satisfactorily addressed if security personnel can implement adequate safeguards that protect the vital information, regardless of what device it lives on.

"Where you really need to go to get to -- fulfill the promise of true bring-your-own-device is ... where the agency doesn't have control over the machine, they haven't bought the machine, but they do have control over the relevant data and applications. So in other words you can manage and secure the applications that are critical to your agency, your mission, and those apps that are personal apps when they're there -- you know, Angry Birds or Words With Friends, you don't need to worry about. But you can control the data flow to make sure that government data stays where it should be in government apps, and it's not shared," Schumm said.

"So this is where the train is heading -- true, complete BYOD. And the new paradigm demands a new security posture which we call information-centric," she added. "So it's not that we're going to move away from device-centric security, but we need to layer an information-centric approach on top of it, and that is security that focuses on protecting the data wherever it moves, and wherever it rests."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
