Samsung_FCW GameChanger
GameChanger
Game Changing Technology to Meet Agency Missions
Mobility Surge Raises Security Stakes
The conversation around mobility and mobile security has taken on a new sense of urgency in the federal IT
community.
Until recently, federal agencies saw mobile technology as a promising tool primarily for improving the
productivity of employees whose work often takes them on the road—the so-called mobile warriors. Today,
agencies recognize the federal workforce has become a mobile workforce, with employees expecting access to
information and services at any time, from anywhere, using any device.
Agencies are responding. For example, the demand for wireless technology is surging across government. Earlier
this year, the General Services Administration reported the federal government’s use of wireless blanket
purchase agreements increased by 500 percent in fiscal 2015.
In August, the Office of Management and Budget directed agencies to streamline mobile solution procurement
so they can realize better cost-savings and related efficiencies. OMB also told agencies to begin reporting data on
mobile service usage and pricing to a centrally managed system on a quarterly basis to help eliminate
unnecessary inventory and services.
Now the question is whether agencies are putting in place the appropriate security measures. The Department of
Homeland Security and GSA recently launched an initiative to scope out the mobile security threat landscape in
the federal government. The initiative, mandated by the Cybersecurity Act of 2015, includes a request for
information, published in July, and two industry days, which will involve subject matter experts from leading
mobile manufacturers and service providers.
“Mobile devices and the broader mobile ecosystem share many of the same security threats associated with
traditional desktop and laptop computers,” the RFI states. “Additionally, the impact of many of these threats can
be magnified—and new threats are introduced—by the unique attributes of mobile devices.”
One of the primary concerns is the continued presence of “shadow” mobile IT—that is, unauthorized mobile
solutions being used to access government networks. Industry surveys have confirmed what agencies have long
suspected: Employees are using their personal devices to access e-mail and other services. If these devices aren’t
equipped with adequate security measures, they’re putting government networks at risk.
Federal IT managers understand mobile devices, whether government- or employee-owned, are often used for
dual purposes, with authorization or without. The best course is to ensure the necessary safeguards are in place.
In short, agencies need to see mobile security not as something that inhibits productivity, but as a facilitator.
[[SIDEBAR]]
DEFINING THE MOBILE ECOSYSTEM
In its request for information, DHS and GSA ask mobility manufacturers and service-providers to identify how
their products/services/solutions address three primary mobile enterprise threats:
Exploitation of Enterprise Mobility Management/Mobile Device Management systems or obtaining administrator credentials
Exploitation of private enterprise mobile application stores by obtaining administrator credentials
Exploitation of private enterprise mobile application stores by subverting application security vetting procedures
The RFI also looks at threats to the larger mobile ecosystem. In addition to mobile enterprise threats, the
RFI looks at four other areas:
Application-based threats (e.g., apps that gather sensitive information)
Operating system/firmware/software threats (e.g., exploitation of the OS or lower-level device components)
Physical threats (e.g., lost or stolen devices)
Network-based threats (e.g., collection or manipulation of voice and data communications to and from a device)
DHS, NIST Lead Way on Mobile Security
The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) both
have multiple efforts underway to strengthen mobile security. Among other issues, DHS is focused on mobile
application security. As part of a five-year cybersecurity broad agency announcement, DHS is looking for industry
experts to develop new tools to assist mobile app developers, analysts and security or network operators.
One area of interest is continuous validation and threat protection for mobile applications. “This entails
developing the capability to anticipate and, if needed, react to future threats and vulnerabilities while
continuously monitoring a mobile device’s security posture,” the BAA states. Another focus area is integrating
security throughout the mobile application lifecycle, which includes developing a security framework for mobile
application development.
Separately, DHS is working with Northrop Grumman on a biometric solution intended to eliminate the need for
passwords on mobile devices. The project will combine behavioral sensing and modeling techniques to
authenticate user identities.
Meanwhile, NIST’s National Cybersecurity Center of Excellence is working on standards designed to streamline
mobile authentication for first responders. This effort is aimed at maintaining secure access to critical resources
without obstructing information-sharing among the various first responders on a scene.
Many public safety agencies are investing in multi-factor authentication systems as a way to control access to
sensitive information. However, this can be a problem if first-responders need to access multiple systems while
on the scene, with each requiring multi-factor authentication.
“When responding to an emergency, public safety personnel require on-demand access to data,” the NIST project
description states. “The ability to quickly and securely authenticate in order to access public safety data is critical
to ensuring that first responders can deliver proper care and support during an emergency.”
The goal is to make it possible for all applications in a given environment to recognize an identity accepted by one
of them, providing single sign-on functionality.
[[SIDEBAR]]
SIZE UP MOBILITY RISKS
People understand the security risks that come with mobility, according to a recent study conducted by the
Ponemon Institute. The survey, which covered nearly 600 IT and security executives in the private and public
sectors, found mobile users understand the risks and believe the risks are growing.
Here are some key data points:
83% say mobile devices are susceptible to hacking
70% believe poor mobile security has likely resulted in a data breach
33% say their organization is “vigilant” in protecting sensitive data from unauthorized access
30% say their organization specifies what data can be stored on a personal device
For more information,please visit: samsung.com/government
Mobile Devices Drive Productivity
In addressing the ongoing balance of access and security, mobile devices have found their place.
Federal agencies face a delicate balance when it comes to managing their network of mobile devices.
They must provide field workers and anyone using a mobile device with sufficient access in order to do
their jobs and meet mission requirements. They must also ensure the devices are sufficiently secure—
which is a significant challenge considering the potentially sensitive nature of data agency workers may
be accessing and the constantly evolving threat landscape.
Balancing the need for security while maintaining productivity is a challenge, but the tools are there to
help ease the process. “There are technologies that harden the device and provide the necessary
certifications all the way from the hardware to the application layer—the part of device the user sees—
while keeping simplicity of device use,” says Johnny Overcast, director of government sales for Samsung
Electronics America. “We provide defense grade security while at the same time maintaining usability.”
The impact of not equipping the workforce with mobile devices can almost outweigh the potential
security risks, depending on the use cases. Studies corroborate that equipping a workforce with mobile
devices increases productivity and worker satisfaction. A recent study conducted by the Mobile Work
Exchange surveyed 300 government employees from a number of different federal agencies. The survey
found 95 percent of the respondents believe using mobile devices has improved their work
performance. Some of the notable survey findings include:
76 percent indicate using mobile devices has increased their productivity
61 percent believe using mobile devices improves communication
47 percent believe using mobile devices improves collaboration
62 percent believe using mobile devices helps improve customer service
58 percent feel their agency could make better use of mobile devices
“Government agencies are taking advantage of these technologies,” says Overcast. “They can have
confidence in the level of security, but also execute their mission more efficiently with line of business
solutions.”
While deploying mobile devices for use in federal agency scenarios is always a balancing act, the current
level of security provided by commercial solutions like Samsung provides secure access, while continuing
to enable productivity improvements. “It doesn’t sacrifice usability, whether it’s tactical military or law
enforcement or mobilizing enterprise apps,” he says. “The workforce can use these devices to increase
productivity and efficiency.”
Studies have even shown that not providing access to mobile devices can have a negative effect on
worker productivity. According to a recent Gallup survey, each disengaged or disconnected employee
costs an organization about $3,400 for every $10,000 in annual salary.
Another study by the Economist Intelligence Unit (EIU) revealed a demonstrable connection between a
mobile enabled workforce and increased employee engagement. The EIU surveyed 1,865 workers from
across the globe and found organizations ranked as mobile “pioneers” saw a 16 percent boost in
productivity. That statistic has concrete impact. In a 40-hour work week, a 16 percent increase in
productivity translates to 6.4 hours per week. That’s 41 working days or effectively eight weeks of
increased productivity from every employee.
SECURITY FROM THE GROUND UP
Mobile security will always be an issue, but security technologies have kept pace with the evolving
landscape of cyberthreats. The Samsung Knox architecture is designed to provide security at all levels.
Security functions are built into the hardware and the device software.
“Samsung Knox secures all the way from the hardware or from when device turns on—the boot
process—all the way up through the application layer,” says Overcast. Boot Time Inspection ensures the
integrity of all booting components is tested every time someone activates the device. Run Time
Protection prevents malicious users from making any code changes to the kernel and ensures the
integrity of data stored on the device.
The security functions of the Samsung Knox architecture are built around five principles:
Software integrity
Least privilege
Data storage protection
Network protection
Data isolation
In fact, Samsung Knox was given the most “Strong” ratings of any mobile security platform in the April
2016 Gartner research report, “Mobile Device Security: A Comparison of Platforms.” Also Samsung’s
federal customer base includes the DoD, intelligence agencies, and all levels of law enforcement, from
federal to state and local. So in the balancing act of continuing to enable the federal workforce with
mobile devices, the security posture is solid and the productivity enhancements are proven.