Mobile security is crucial in a workforce where more and more employees communicate and transmit data with handheld devices. Technology research firm Gartner predicts that mobile endpoints will eclipse PCs as the most common Web access tools in 2013, and the worth of the federal cybersecurity market will grow to $65.5 billion between now and 2018.
Soumya Das, the chief marketing officer for security provider SecureAuth, feels that government agencies should adjust their mobile security techniques to match society’s changing Web consumption habits. According to Das, network administrators shouldn’t focus so heavily on locking down mobile endpoints; they should focus on managing the central access control technology efficiently, which would make the mobile devices themselves less important.
“You would think that, ‘Oh, the government would like to tighten the devices and bring in mobile device management to lock down the devices,’” he said. “That’s not what the public sector wants. The public sector really wants to have a platform upon which they can have a secure transaction between the user and the government.”
SecureAuth advocates strong mobile access management as the core of an internal security policy. In this environment, government agencies serve as identity providers who create sign-on IDs for employees. They recommend managing multiple authentication methods over the cloud for better security. That way, if a criminal compromises one method of security authentication, like the X.509 method of certifying an ID’s access, the administrator can shut that method down remotely. He or she can then rely on other authentication methods instead.
Mobile access management doesn’t negate locking down a device that’s obviously compromised, but the two approaches can work together.
“You need to be able to cut off the problem area really quickly,” Das said. “If you, for example, see a device that’s coming in with malware, you need to mix that device out of the system right away or take [out] that protocol cancer that is starting to spread out of that workflow.”
Cloud technology offers the flexibility to manage sophisticated authentication environments, in his opinion, and his colleague Garret Grajek, SecureAuth’s CTO and co-founder, feels that government is well prepared to use cloud technology for this purpose because the federal government’s ex-CIO Vivek Kundra championed its adoption in the past.
“This is one of the cases where the public sector is actually more knowledgeable on this space than the private sector, and especially in the federal sector,” Grajek said.
Grajek and Das offer three steps for governments to take to get a handle on their mobile access environment, but these recommendations apply to network security in general:
- Quantify the enterprise’s resources. An organization’s IT leaders should categorize the types of endpoints employees use to access the network. These categories will include Web servers, cloud resources, mobile and desktop access devices, online and mobile apps, and platforms.
- Classify the access privileges of employees and contractors. Identify the groups that work on the network and what each person is and isn’t allowed to access.
- Research the effects of cybersecurity regulation on the enterprise. Government data sets are subject to various privacy and protection regulations depending on the type, and these still apply when information goes mobile.