Mobile Device Solution for the Department of Defense
On June 8th the DoD released their preliminary discussion of the complexities of mobile communications. It emphasizes the value of instantaneous secure transfers between critical individuals and secure information exchange, pushing for the adoption of secure mobile use techniques. The DoD’s standard often becomes a reference point for other industries. While a more comprehensive Mobile Device plan is in the works, we content ourselves with a discussion of these preliminary statements. Industries utilizing mobile devices in the private sector have lacked the regulatory consistency needed to drive mass adoption of new behavior.
The DoD is not the first institution to grapple with the difficulties of the ‘bring your own device’ (BYOD) to work culture. Many companies provide their employees work-specific devices in order to maintain compliance with industry-specific regulations, only to have those same employees circumvent security policies by using their personal device because it is easier and consolidated. The financial industry requires a paper trail for mobile interactions, yet requiring their employees to use e-mail or recorded phone conversations disrupts how they want to do business. Doctors, in the interest of efficient communication, will text unencrypted information, unaware that such behavior is considered a violation of healthcare information regulations despite the fact they may be saving lives. Industries have to be mindful of the friction between regulatory compliance and the function the device is designed to provide.
Mobile Device Solution for the Department of Defense: Two Requirements
Two requirements are made of the mobile device: first, that it perform a much-needed function (which it undoubtedly does) and, second, that it do so securely. Currently, mirroring their private sector counterparts, “unconstrained piloting” of devices and apps takes place by an increasing number of DoD employees, with uncoordinated successes and failures in both communication and security. Failures in security and function are numerous and generally untracked, differing greatly from carrier to carrier, phone to phone and app to app, an issue which the DoD succinctly sums up as “(a) lack of security and interoperability across products.”
The Mobile Device Strategy document outlines critical issues that will need to be overcome in the implementation of a department-wide solution. Similar to what many enterprises have realized, the DoD understands that Mobile Lifecycle Management (MLM) and Mobile Device Management (MDM) alone are not enough. While both solutions, provided by players such as Boxtone, Maas360, Good, Emptoris and Mobile Iron, are necessary components of an overall security strategy and architecture, attention has to be given to apps and the desired functionality of devices.
So far the DoD is focused on high-level descriptions of the areas that need to be addressed: wireless infrastructure, mobile applications and the mobile device itself, with a view of physical as well as data security.
- Wireless Infrastructure: The DoD has had a near 50% reduction in their allocated spectrum since the early 1990s, requiring a more effective and efficient use of the remaining spectrum[1]. They are interested in partnering with universities to research and develop solutions to these issues.
- Mobile Device: “Although the use of commercial mobile devices is more cost-effective than developing customized devices, most do not come equipped out-of-the-box with the security controls, access protocols, and necessary security features required by DoD.” The concern continues with the lack of product control and the proliferation of mobile devices that all pose different security threats and require different security architectures.
- Mobile Applications: “The chief appeal of DoD mobile apps is low-cost, often faster development and delivery of simple but useful function. The DoD must streamline the approval processes for commercial mobile devices to enable timely deployment and use of this constantly evolving technology.” The document expands on the mobile app solution, suggesting a “mobile application certification process”.
While the implementation plan is yet to come, it’s time to start asking a few questions. Will application solutions be single or multi-platform? Multi-platform device solutions, while convenient if properly executed, greatly multiply the complexities. Apple’s iOS has a particularly long app approval process, while Android operating system updates follow a circuitous route through device manufacturers, then carriers, and finally to the devices. Will these processes be fast enough to satisfy the security and time-sensitivity requirements for institutions such as the DoD? What about for other industries like healthcare, financial services, law enforcement, and others? As mentioned previously, a balance must be struck between mitigating security risks and providing the end user with a functional phone: users trend toward maximizing the utility of the device, at the cost of compliance.
Mobile Device Solution for the Department of Defense: Simple, Native and Great UI/UX
Solutions must be simple. App interfaces need to be as “native” as possible in look and feel and provide a comfortable user experience, while still providing consistent functionality across platforms. Before apps are made that provide redundant functions, options to provide both work- and play-appropriate capabilities in one app must be explored. The app update process must also be regulated in an efficient manner, avoiding the delays caused in the commercial realm by carriers’ review process of mobile operating system updates[2]. Given how similarly this document reads to some of the compliance documents, there probably needs to be a common regulatory framework.
By the way, if you are a patriotic mobile security startup, an individual champion of secure mobility, or an industry expert, we’d love to connect. Reach out, we should be talking and supporting each other.