Governments Face Data Security Risks With Smartphones

As state and local governments deploy smartphones and other mobile devices
to improve responsiveness and boost productivity, they introduce new points
of data security risk beyond the traditional network perimeter.

Though viruses and other malicious code targeting mobile devices are not
as prevalent as malware aimed at desktop environments, most organizations
consider mobile malware to be a high threat. Mobile security products such
as ESET Mobile Antivirus, McAfee Mobile Security for Enterprise, PGP Mobile,
Symantec Mobile Security Suite and Trend Micro Mobile Security guard against
viruses, worms, Trojans and other threats through data encryption, user authentication,
malware scanning, feature lock, remote data wipe and firewalling.

The Walled Garden

With users often relying on their own personal devices to access government
resources, organizations are drafting or amending policies to address the
use of personally owned and government-owned smartphones.

"Make sure any policy regarding personal phones being used for government
purposes reflects overall information security policies and that no classified
data is transferred to these phones without proper technology controls,"
recommends Alan Goode, founder and managing director of Goode Intelligence.
He adds that there are control mechanisms that protect sensitive data when
users synchronize their mobile devices.

The state of Delaware is revising its security policy to allow workers who
follow very specific guidelines to use their personally owned devices for
work purposes, says Elayne Starkey, the state's chief security officer.
Workers who want to merge their work and personal worlds on a single device
are driving the change.

While device consolidation is convenient for users, it presents distinct
challenges for securing citizen data, Starkey notes. "That is the bad
news," she says. "However, there are technical ways around the
problem."

For Delaware, this starts with specifying the type of personal device that
users can employ (a BlackBerry) and exactly what communications they can use
their personal device to support (synchronizing work e-mail and calendars
to their personal phone). Delaware currently has about 150 workers who access
state e-mail and schedules from their personal phones.

Starkey takes a comprehensive approach to securing the data, wherever it
resides. Measures to protect mobile data include strong passwords, password
expiration, lockout after a predetermined number of failed login attempts,
encryption, inactivity time-out and remote wiping.

In Nebraska, a state law bans the use of state equipment for personal business,
but broad adoption of mobile technology prompted lawmakers to re-examine the
law to determine if anything in it might forbid the use of personally owned
devices for state business.

The answer was no, so the state has begun a small pilot that allows a handful
of state workers to use their personal devices to access e-mail and sync calendars
and contact lists, says CIO Brenda Decker.

Users sign a contract agreeing that if the device is lost or stolen, the
handheld is erased. The signed agreement is essential because it gives the
state the authority to request that the carrier remotely erase data.

"These are the rules of the road, and everyone has to agree to follow
them," says Decker, adding that it's the user who owns the contract
with the carrier. That presents some interesting questions about the carrier's
ability to tap into data that might include state information. "We are
stepping into this slowly, and putting in as many safeguards as you can imagine,"
she says.