The gateway to DoD applications on personal mobile devices could be a "container"

The ultimate goal of using personal mobile devices to secure access to DoD applications begins with keeping the two interests completely separate, according to a major network provider.

“There is the school of thought that the only way to deal with mobile devices is mobile device management (MDM), in the sense that there is an IT department somewhere taking control of a device and taking it under management,” said Jon Green, director of government solutions for Aruba Networks.

As the military looks to extend access to mobile platforms, the bring-your-own-device (BYOD) strategy stands to help stretch thinning defense acquisition dollars. Military personnel are no different from corporate workers – they want to access their email but don’t want IT being able to see what they’re doing on that phone, he said. “There’s a balance between security and privacy, and I don’t think the traditional MDM solves that very well,” Green said.

One solution, he says, comes through containment. Aruba has proposed a container solution called WorkSpace, which is installed as a single application that becomes the gateway to enterprise applications, he explained.

“Within that container, all of the approved apps that your IT department wants you to run get installed automatically,” he said. “Within that workspace, everything is encrypted, data is protected so that you can’t copy and paste it out of the container. IT can exercise all the control that they want inside the container, but they have no visibility about what’s happening on the rest of the device.”

Users, for example, could run Facebook on their device and it wouldn’t have access to secure data, and vice versa, he explained.

The issue of controlling mobile devices has surged to the forefront in the wake of a blistering review by the Defense Department’s Inspector General of the Army Chief Information Office’s tracking strategy over commercial mobile devices (CMDs) within the service. The Army CIO, according to the report released in late March, failed to implement an effective cybersecurity program for CMDs. The service lost control of more than 14,000 smartphones and tablets, which were largely left untracked, the IG said.

The report underscores the fear of compromising secured defense networks and the need to be able to protect these devices that are out there, Green said. “That becomes really important in a BYOD scenario, as well. If I’m providing a Wi-Fi network, or some kind of gateway on the cellular network for these mobile devices to come in, I need to know they’re there to understand what their posture is so that I can control them.”

In an interesting twist, however, the IG report may actually help DISA attract the funding they’re looking for, Green said. “Somebody needs to be in charge here, and DISA is probably the natural agency to do that,” Green said. “I think having a report like that highlights the need for someone to be in charge.”

According to Terry Sherald, chief of Information Assurance Standards Branch, DISA Field Security Operation, DISA’s role extends past MDM procurement. “DISA will issue Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) that will define IA controls for mobility systems throughout DoD,” he said.