Alabama State Agency Enforces BYOD Security

The Retirement Systems of Alabama is working to balance security and usability when it comes to mobile devices.

by / June 27, 2013

Many state and local government IT departments are embracing BYOD policies to help cut costs and eliminate expensive smartphone contracts. But while saving money is important in maintaining a healthy bottom line, some organizations are finding that allowing employees to bring their own devices to the workplace is also helping to improve data security.

At the Retirement Systems of Alabama (RSA), Systems Administrator Chris Betzler said the agency started retiring its smartphones a few years ago as employees retired or moved on. In addition, many employees began asking to use their own phones instead of carrying two devices.

Currently a mixture of employee- and agency-owned devices access the network. Those who bring in their own device must meet and adhere to the same security requirements as devices owned by the RSA, and must also agree to the RSA End User Acceptance Policy for mobile users, according to IT Security and Infrastructure Manager Jessica Jones. Those who are allowed BYOD access must also have a business case and a need for such access, as well as supervisor approval.

“If we can properly secure the device in addition to meeting compliance initiatives, IT can now offer the ability to those employees who have an approved business need to access their email on their phone,” she said.

To enhance security on personally owned devices, RSA, which manages public pension funds for state and local employees, implemented a security tool called MobileIron about two months ago. The tool allows IT staff to pinpoint the location of any device on the system that is reported lost or stolen, as long as it is connecting to a data network.

IT staff previously used an app called ActiveSync to transfer and monitor content on state-owned phones. The organization still uses ActiveSync on some devices, but plans on disabling it in the future, requiring the use of MobileIron if employees want email access on their personal smartphones.

Other features of the MobileIron tool include the ability to wipe just the business data off a personal phone and an option for IT to manage the mobile applications that are allowed on a device.

“Because we’re able to enforce multiple security policies on the phone including a password, in the event the phone is lost or stolen, we can try to recover the device, remotely wipe our data, and/or make the phone unusable the next time it polls in,” Jones said. “From a central point of management, we can complete these functions, which protects the best interest of the user and the agency.”

The Retirement Systems of Alabama has a support contract for the MobileIron application, which is installed in a virtualized environment.

The agency’s short-term goal is to move a majority of its mobile device users to the MobileIron tool, including those employees using tablets.

“Our biggest goal is to keep our member and agency data secure while staying current with technology,” Jones said. “It’s a balance of security and usability by allowing users to bring their own devices. However, it’s our job to always measure the risk and make sure it’s the right decision for the agency.”

Editor's note: This story has been revised to include an interview with IT Security and Infrastructure Manager Jessica Jones that correctly reflects the Retirement Systems of Alabama BYOD environment. Web Editor Jessica Mulholland contributed to this story.