Obama administration aims for bottom-up approach to creating global standards for protection of IT and critical infrastructure.
When Apple iPads first came out in 2010, members of the Suquamish Tribe in Washington state were eager to get their hands on them. The tribe has a state-of-the-art casino and more than 800 computing devices distributed among its 300 government employees, but at the time of the iPad’s debut, it had no way to track tablets that were lost or stolen. A few months after distributing iPads to the Tribal Council and other Suquamish executives, the inevitable happened: Someone left one of the devices in an unlocked car, and returned to find that it had vanished.
Fortunately, the iPad was protected by a passcode, so the odds of a thief getting any valuable information off it were minimal, says Tom Bettenhausen, IT director for the Suquamish Tribe. But the incident was a wake-up call that the tribe needed to get a handle on mobile device management.
The Suquamish had been using Absolute Software’s Computrace to track its notebook computers for years. So when Absolute released its mobile device management solution, Absolute Manage for Mobile Devices, the tribe was among the first to implement it.
“The geolocation service built into Absolute Manage comes in very handy for tracking lost and stolen devices,” Bettenhausen says. “It also allows us to remotely manage the devices, deploy apps or content to them, or wipe them clean if necessary.”
As mobile devices proliferate, government organizations — from the Suquamish Tribe to the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and massive operations such as the Veterans Affairs Department (VA) — are finding that mobile device management solutions are critical to securing and managing them. Being able to track down missing devices is a feature that many agencies find indispensible.
The ATF has deployed nearly 4,000 mobile devices to the field — roughly 2,400 iPhones, 1,400 RIM BlackBerrys and a few hundred iPads, says CIO Rick Holgate. Eventually, though, they’ll all be government-issued iPhones or iPads, he says, and the agency will use AirWatch to remotely manage them.
Holgate says the ATF looked at several MDM products when it conducted an iPad pilot program in 2011, but decided to go with AirWatch because it came closest to replicating the enterprise-level management capabilities of the BlackBerry.
Those capabilities proved particularly useful after an ATF agent accidentally left his iPad in the seat pocket of a flight to Minneapolis in 2012. The agency tracked the device to the home of an airline employee, then used AirWatch’s remote-wipe capabilities to clean the tablet of any potentially sensitive data, Holgate says. The agency worked with local police to obtain a warrant to search the employee’s home, where they found the tablet as well as numerous other mobile devices the woman had collected.
“We’re able to manage the configurations of each device, apply security policies, and remotely wipe a device if we lose physical control over it,” he says. “We’ve come to use some of AirWatch’s other capabilities as well, such as its secure email gateway and its mobile application store. We can deliver messages, calendars and contacts to our users securely, and standardize on the apps they can use.”
Current smartphones and tablets present different challenges from the notebooks and BlackBerry devices agencies have used for years, says Donald J. Kachman, director of mobile security assurance for the VA’s Office of Enterprise Systems.
The VA’s Office of Information and Technology oversees more than 20,000 smartphones and tablets using several mobile operating systems — BlackBerry, iOS, Android and Windows. Some are government furnished and carry persistent data, which is wrapped in encryption and kept separate from the operating system, in compliance with the guidelines of the Federal Information Processing Standards (FIPS), Kachman says. Other devices may be owned by department users and employ a VPN connection and virtual desktop software to access office applications and data stored in VA’s private cloud.
For BlackBerrys, the VA uses RIM’s BlackBerry Enterprise Server application. For other devices, it uses AirWatch. But even the best MDM solution can’t do everything the VA needs on every device, such as automatically pushing out OS updates, Kachman says.
“We’d love to be able to push a button in the MDM to activate and update devices on their own,” he says. “But some mobile OSs won’t let us do that at present. There’s still a lot of work to do before we can make mobile devices as fully manageable and secure as desktops or notebooks. That’s why we need to educate the leadership, management, end users and IT staff about what MDM can and cannot do.”
Holgate says that tools for encrypting data at rest, scanning for malware, or managing configurations for mobile devices just aren’t as mature as they are for desktops and notebooks. And with new versions of mobile operating systems introduced at a rapid pace, it’s difficult for the government to keep up. While some versions of Android have been validated as meeting the FIPS 140-2 standard, iOS 6 is still under review.
Another challenge is supporting devices in the field, Bettenhausen says. “Even though the reservation is relatively small, managing incidents becomes more difficult,” he says. “If people are nearby, we ask them to bring the device in so we can get our hands on it.”
While mobile device management solutions are still maturing, they’ve advanced far enough so that organizations now feel comfortable deploying them.
For the Suquamish, it’s full steam ahead. Since its initial foray into iPads, the tribe has deployed about 70 of the devices (most to the reservation’s high school as part of a program to replace textbooks)and no more tablets have gone missing, Bettenhausen says.
But if they do, he’ll know where to look first.