Going mobile: DOD needs to take the next steps on security

DOD is ahead of civilian agencies on security, a SolarWinds survey finds, but there is still a lot of work to be done.


Until recently, defense and civilian agencies have approached their mobile device strategy problems by taking an "all devices left behind" stance that has become woefully outdated. Indeed, the growing prevalence of personal device use is forcing agencies to consider how to allow these devices on the network while still keeping it secure.

The change in policy has been slow, but a recent survey of 200 respondents (75 defense and 125 civilian) conducted by SolarWinds and Market Connections illustrates that changes to mobile policy are happening to various degrees. According to the findings:

  • 37 percent of Defense Department respondents say their agency allows approved personal devices to access some agency systems.
  • 30 percent of DOD respondents say that they can use personal mobile devices to access work email, or will be able to within the next year.
  • 73 percent of the same respondents are currently able to access work email using agency-issued mobile devices.

All of this despite the fact that mobile device security remains a top concern. Ninety-six percent of DOD respondents indicated that cybersecurity and IT security are "very important" and a source of focus for leadership within the agency, while 85 percent of civilian respondents made a similar claim. And nearly half (46 percent) of all DOD respondents indicated unauthorized individuals accessing data via mobile devices is a particular challenge.

Interestingly, though, there appears to be a significant gulf between mobile device security in the military and civilian government spaces. While both understand the importance of securing mobile devices, DOD agencies tend to be more prepared for the potential risk. In fact, the survey found that DOD agencies are more likely than civilian agencies to have a formal security plan and training program in place. Similarly, 41 percent of DOD respondents indicated that they are very confident their agency’s security controls can protect agency data, while only 16 percent of civilian agency respondents indicated the same confidence level.

There could be many reasons for the disparity. Perhaps it’s simply the nature of the business: DOD has a lot more proprietary information it needs to protect in the name of national security. It’s also worth noting that DOD, under CIO Terry Halvorsen, has made cybersecurity a core focus of its mission, even as it attempts to get “mobile devices in the hands of the warfighter anywhere anytime.” Or maybe it’s simply that DOD has more resources available to apply to mobile device security.

Regardless, now that personal devices have made their way from the shadows to the light, it’s imperative that both DOD and civilian agencies take some simple steps to continue to up their mobile device security game. Recognizing the growing prevalence of mobile devices and taking steps to embrace, rather than fight, their usage is a huge first step. Developing a formal security plan and educating mobile users on how to use – and not to use – personal devices at work is also important.

Underlying all of this should be technology that allows agencies to monitor and respond to potential threats resulting from mobile device use. Integrating additional network tools, such as device trackers or security information and event management software, can give network administrators even more insight into and control over their networks and the devices (and users) accessing them.

These types of secure third-party tools protect secure data by locating connected devices, searching by IP or MAC address, user, host, node, port or vendor, and by detecting rogue devices. Administrators can track device connection and user logon histories, helping to trace problems back to specific devices or individuals. They can also set up watch lists that trigger alerts whenever an unauthorized device accesses the network.
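The watch-list and connection-history checks described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the log format, the approved-device inventory, the watch list and all addresses and user names are constructed assumptions.

```python
# Added illustration: device tracking with an approved list and a watch list.
from collections import defaultdict

# Constructed inventory of approved devices (MAC -> owner); hypothetical values.
APPROVED = {
    "00:11:22:aa:bb:01": "jsmith",
    "00:11:22:aa:bb:02": "mlee",
}
# Constructed watch list of MACs that must always raise an alert.
WATCH_LIST = {"de:ad:be:ef:00:99"}

# Constructed connection log: timestamp, MAC, IP, switch port, logged-on user.
SAMPLE_LOG = """\
2015-06-01T08:02:11 00:11:22:AA:BB:01 10.0.4.21 sw1/12 jsmith
2015-06-01T08:05:40 00-11-22-aa-bb-02 10.0.4.22 sw1/14 mlee
2015-06-01T09:17:03 DE:AD:BE:EF:00:99 10.0.4.57 sw2/03 -
2015-06-01T09:45:52 00:11:22:aa:bb:02 10.0.4.22 sw1/14 jsmith
2015-06-01T10:01:30 66:77:88:99:00:11 10.0.4.80 sw2/07 guest
"""

def normalize_mac(mac):
    """Lower-case and use ':' separators so log variants compare equal."""
    return mac.lower().replace("-", ":")

def review_connections(log_text):
    """Return (alerts, history): alerts as (reason, record), history per MAC."""
    alerts, history = [], defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at fields
        ts, mac, ip, port, user = fields
        mac = normalize_mac(mac)
        record = {"time": ts, "mac": mac, "ip": ip, "port": port, "user": user}
        history[mac].append(record)  # connection history, searchable by device
        if mac in WATCH_LIST:
            alerts.append(("watch-list device", record))
        elif mac not in APPROVED:
            alerts.append(("unapproved device", record))
        elif user != APPROVED[mac]:
            alerts.append(("user mismatch", record))
    return alerts, history

if __name__ == "__main__":
    for reason, rec in review_connections(SAMPLE_LOG)[0]:
        print(rec["time"], reason, rec["mac"], rec["ip"], rec["port"], rec["user"])
```

A device can change the MAC address it presents, so a match against the approved list is an inventory signal rather than proof of identity; the user-mismatch check is one way to catch an approved address showing up with an unexpected logon.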

Security information and event management software can work in tandem with user device trackers to help protect networks. This type of software can detect critical log and registry activity and provide automated network responses to perceived security threats.

Solutions such as these can prove instrumental in managing the government’s mobile reality, especially if they are deployed in conjunction with planning and training procedures. The fact is, whether we’re talking about DOD or civilian agencies, it’s no longer realistic or even reasonable to ask employees to keep their mobile devices turned off. Now, it’s about doing whatever can be done to embrace and accept those devices – while keeping them and the networks they run on secure.