5 Mobile Security Lessons From the Department of Defense

Several years ago, the National Security Agency wasted millions on a circuit-switched approach to mobile security strategy. With help from the Department of Defense, the NSA is doing things differently now. Enterprise CIOs can learn a few things from the effort, too.

Try this thought experiment. You want to provide smartphones, iPads and other mobile technologies to your workforce, but you’re understandably concerned about security. For the sake of argument, let’s also say you have virtually unlimited resources. How would you go about implementing secure mobile technology for your people?

Given that money is no object—bear with me on this point—you’d probably develop a hardened security communications capability that will provide impenetrable voice and data communications for devices that support the technology. True, your people will only be able to use devices that contain this proprietary technology, but at least you’ll be able to sleep easy knowing that hackers can’t compromise your sensitive communications.

Seems like a no-brainer, but there are three deal-killing flaws with this approach.

  1. It will likely take years to develop the necessary security technology, by which time the underlying communications infrastructure will be obsolete.
  2. Your employees will find the devices clunky and limited, and they’ll do what they can to go behind your back and bring their own devices to work, thus bypassing your expensive security apparatus.
  3. You’ll no doubt use up the purported unlimited budget—which, in the real world, is never even close to unlimited.

Hypothetical MBA business case exercise? Unfortunately, no. This all-too-real scenario is an example of U.S. tax dollars at work. Several years ago, the National Security Agency (NSA) wished to develop secure mobile communications for intelligence and defense purposes, so it spent five years and millions of dollars developing the Secure Mobile Environment Portable Electronic Device. SME-PED took a hardware-centric, circuit-switched approach to security, which renders it obsolete in today’s 4G (and beyond) mobile-enabled world.

As a result, it’s now time to replace SME-PED. Back to the money trough for sufficient funds for another five-year development project, right? Not so fast. It appears that the NSA and, notably, the Department of Defense have learned several important mobile security lessons from SME-PED.

The newly released DoD Mobility Strategy Memo lays out an entirely different approach to enabling a mobile workforce. Instead of the traditional “dump money on the problem” route that SME-PED took, this memo details a mobility strategy that focuses more on empowering people than on restricting communications.

Turning to the DoD for Strategic Advice?

The DoD may seem like an unlikely source for strategic innovation, but its new strategy holds some important lessons for any organization looking to balance security concerns with the power of mobile communications. Here are five highlights.

1. Focus on software, not hardware.

Even though the DoD’s long-standing policy was to leverage hardware-based encryption technologies, the DoD Mobility Strategy centers entirely on software-based security. As a result, the devices themselves are purely commercial off the shelf (COTS). This fulfills the desires of DoD personnel and also helps future-proof the strategy, as the DoD must allow for the frenetic pace of technology development in the mobile space.

In fact, the DoD met with Apple in 2010 and, according to a conversation with an Army general, asked for a few hardware tweaks to the iPhone. Apple steadfastly declined. Why? Not because it’s an arrogant market leader, but because of the economic reality—even the largest order the DoD might place would only account for a day or two of iPhone production. It’s just not worth the trouble for Apple to customize its hardware for even the largest customer.

2. Encourage interoperability.

The DoD Mobility Strategy calls for “composable” solutions. In other words, the agency is expecting and encouraging interoperability across mobile apps, as well as among mobile, cloud and traditional on-premise apps.

While traditional thinking is that closed technology is inherently more secure, today’s approach is to embrace openness and develop secure approaches that work in open, dynamic environments. As a result, if the answer to the question “Is there an app for that?” is Yes, then there should be a way to securely use the new app within the appropriate security context.

3. Consider all end users.

The new strategy focuses on the needs of different constituencies. SME-PED, on the other hand, was essentially a one-size-fits-all solution. It may have been worth the trouble for certain command-and-control communications, but it was overkill for the everyday business of the DoD. In contrast, today’s mobility strategy expressly calls out the different needs of executive users (battlefield commanders), tactical users (warfighters) and enterprise users (everyone else). Clearly, someone whose job is to pay bills for the DoD has very different security concerns than a strike fighter pilot.

4. Think globally, act locally.

The new mobility strategy handles governance and management differently as well. Taking a page out of Service Oriented Architecture governance best practice, the DoD Mobility Strategy calls for centralized management of secure devices and distributed enforcement of security policies.

On the one hand, the DoD requires the ability to remotely wipe and disable lost devices, an example of a key centralized management capability. On the other hand, it’s also counting on its extensive user base to understand and implement mobile security policies in the field. As a result, training and human management are central elements of the new strategy.

5. Don’t treat everyone the same.

The DoD now requires “just enough” security. There’s no sense providing top secret-level security to users who only have secret clearances. DoD personnel without clearances at all still require a measure of security, but there’s no sense spending the same kind of money to secure routine, unclassified communications as the agency must spend securing classified communications.

Mobile Security Calls on People to Pitch In

Perhaps the most interesting aspect of the DoD Mobility Strategy is that it emphasizes both technology and people. Gone are the days when security depended on a single set of hardened technology solutions, with people simply expected to use the technology properly.

Today’s mobile environment is too diverse and dynamic to support such a black-and-white approach to security. Instead, it falls to the users of mobile technology to understand the role their gear plays in achieving the broad-based goals of the organization. As a result, the new mobility strategy represents a dramatic cultural shift for an organization used to relying on military precision and rigid technologies.

For private sector organizations struggling with their own mobility strategies, there are important lessons here. A militaristic approach to mobile security is impractical at best—and dangerously ineffective at worst. Instead, the only way to take advantage of increasingly flexible and dynamic technologies is to put in place equally flexible and dynamic security policies and infrastructure.

Security won’t be perfect. Then again, it never is perfect. The DoD Mobility Strategy illustrates how even the most security-conscious organization can balance security concerns with the agility requirements of an increasingly empowered workforce.

Jason Bloomberg is the president of ZapThink, a Dovel Technologies company. ZapThink is a service-oriented architecture (SOA) advisory and analysis firm. Bloomberg focuses on enterprise architecture, SOA and cloud computing.

Source: http://www.cio.com