As smartphones, notebooks and ruggedized tablets become the mobile devices of choice for city workers, mobile security grows more complicated for the Philadelphia Office of Innovation and Technology. But CISO Jeffrey Gardosh worries less about multiplying endpoints than he does about the applications running on those devices.
“If we’ve vetted an app and feel confident it’s secure, we can be agnostic about what device it’s on,” he says.
Philadelphia’s focus on application security is right on target, says Patrick Hevesi, research director at Gartner. Applications are the most dangerous territory in the mobile threat landscape, he says, and not just because they could contain malicious code.
“The cases in which malware is built into the application are risks, but most won’t get by the IT team,” Hevesi says. “Potentially more dangerous are unauthorized applications that request permissions from the operating system that can open pathways for attacks and have unpredictable consequences.” Hevesi also warns that, because mobile applications work with segmented and containerized data, traditional security defenses such as anti-virus and anti-malware software may be ineffective.
Instead, he recommends implementing application risk scanning, protections against network-based attacks, enterprise mobility management (EMM), and application- and file-level encryption. Hevesi also encourages use of behavioral anomaly prevention, which detects changes in the ways an app runs, and vulnerability management, which patches flaws in mobile operating systems.
“Build your strategy for the kind of data on the device and then add multiple layers of security — the more the better,” Hevesi says.
As Philadelphia moves away from building its own applications toward customizing off-the-shelf software, security stands beside sustainability and value as a key consideration in any purchasing decision, Gardosh says.
“We make sure we have high confidence that any product we buy meets our security standards, and that we have the manpower and competence on our team to support it,” he says.
As part of that support, IT staff encrypt employee devices — all of which are issued by the city — and establish strong authentication controls to limit access to legitimate users. The team also relies on processes, technologies and user education to mitigate the impact of human error. Gardosh says prioritizing risks to critical systems and data represents another important aspect of Philadelphia’s mobile security strategy. The city blocks mobile access to applications that either process extremely critical data or need to operate behind perimeter firewalls.
Although that level of caution is important, Gardosh warns against taking a reactive approach to mobile security: “Solve the biggest problems, and solve them thoroughly,” he says. “It’s better to do a few critical security steps well than try to cover all the bases at once.”
For Justin Dietrich, CISO of Santa Clara County, Calif., thinking strategically about security starts with devising new safeguards for networks and data centers.
“With mobile devices, the concept of having a perimeter defended by firewalls and other technologies is gone,” he says. “You have to bring protection to the endpoints and to data. We have to understand where every bit and byte is going and why it’s going there.”
Santa Clara County uses VMware’s AirWatch EMM solution to manage both county-issued devices and its bring-your-own-device (BYOD) program.
Employees in the program download AirWatch to their own devices so it can monitor county applications and data on the hardware.
Especially for employees working at sensitive sites, such as hospitals and the courts, Dietrich’s team couples user education with technology to support county policies and mitigate user mistakes. One application scans emails and recognizes strings of digits that could be patient identification numbers; the application then alerts the user that the information may not be appropriate to send. Identifying critical data and systems — and understanding the protections they require — is the most fundamental and sometimes overlooked facet of security, Dietrich says. Much of the county’s information store is open to the public, but databases also house health and welfare records, data from the district attorney’s and sheriff’s offices and personal information for the county’s 18,000 employees.
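The outbound-email check described above, as an added illustration that is not the county's own tool or code: it scans a message body for bare digit runs that could be patient identifiers and builds the warning a sender would see. The identifier shape (8 to 10 digits, not part of a longer or hyphenated number) and the sample email are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed identifier shape (not stated in the article): a bare run of 8 to
# 10 digits that is not embedded in a longer number or in a hyphenated
# string such as a phone number or an ISO date.
ID_RUN = re.compile(r"(?<![\d-])\d{8,10}(?![\d-])")


@dataclass
class Finding:
    masked: str   # identifier with all but the last two digits hidden
    context: str  # surrounding text so the sender can see where it occurs


def find_candidate_patient_ids(body: str) -> List[Finding]:
    """Return each digit run in an outgoing email that could be a patient ID."""
    findings = []
    for m in ID_RUN.finditer(body):
        digits = m.group(0)
        start = max(0, m.start() - 20)
        end = min(len(body), m.end() + 20)
        context = body[start:end].replace("\n", " ")
        masked = "*" * (len(digits) - 2) + digits[-2:]
        findings.append(Finding(masked=masked, context=context))
    return findings


def warning_for(body: str) -> str:
    """Text shown to the sender before the message leaves; empty if nothing found."""
    findings = find_candidate_patient_ids(body)
    if not findings:
        return ""
    lines = [f"This email contains {len(findings)} number(s) that look like patient identifiers:"]
    for f in findings:
        lines.append(f"  {f.masked}  ...{f.context}...")
    lines.append("Confirm the recipient is authorised to receive this data before sending.")
    return "\n".join(lines)


# Constructed sample email for demonstration (not real data).
SAMPLE = (
    "Hi Dana,\n"
    "Please pull the chart for MRN 20481173 and 0007349921 before the 2016-11-03 clinic.\n"
    "Call me at 408-555-0199 if anything is unclear.\n"
)

if __name__ == "__main__":
    print(warning_for(SAMPLE))
```

The date and phone number in the sample are deliberately left unflagged, since a check that warns on every number would train users to click through the alert.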
“You can’t make a security plan and later ask where the data is that you need to protect, especially if it’s going over a telecommunications provider’s network to an employee’s smartphone,” he says. “You have to understand your critical assets and know how regulations govern the data from the start.”
Five years ago, officials in Mecklenburg County, N.C., rejected a proposed BYOD program. Clifford DuPuy, the county’s technical services director, says that even today, that decision helps keep security tight across all 3,000 mobile devices issued by the county.
“We use Office 365, which allows us to block employees from getting work emails on personal devices, giving us more control over our data and how we protect it,” DuPuy says.
Although Hurricane Matthew and a controversial police shooting in Charlotte (Mecklenburg’s county seat) have intensified the focus on security in recent months, DuPuy says the county long ago began bolstering mobile device protections with support from senior leadership.
The county uses an AirWatch EMM solution to customize credentials and permissions to each user as mobile devices are issued. Officials monitor applications and data on the mobile hardware, and encrypt or wipe data on lost or stolen machines. DuPuy says EMM is crucial to Mecklenburg County’s mobile security strategy, but only in conjunction with practices such as hardening devices, sticking to white lists of apps for individual users, and keeping up with emerging security threats and the technologies that can block them. User education also has its place.
Beyond offering basic security and compliance training, the county holds brief microburst sessions to target specific issues and provides short video tutorials and reference guides to employees.
The IT staff even stages mock phishing and social engineering drills to measure how well the training is working.
“Awareness is the first priority in mobile security, or any kind of security,” DuPuy says.