Author: James Poole
In our increasingly digital world, our nation’s information security is just as important as its physical security. With President Obama declaring that cyber threats are “one of the most serious economic and national security challenges we face as a nation,” all areas of government are under increasing pressure to develop a proactive and comprehensive IT defense strategy.
IT security is a multifaceted issue that must be addressed at multiple levels, but one important component of any strategy is to make the right choices in computer hardware. Each device used by government officials, employees and contractors must be capable of protecting the sensitive information it contains. But with so many options on the market, it can be hard to know what to look for.
This becomes an especially important issue as federal buying season — the fourth quarter of the fiscal year, when government IT buyers traditionally make up to a third of their purchases for the entire year — kicks into high gear. This Buying Season, government IT buyers will be investing in next-generation mobile technology such as tablets. A recent TechAmerica survey of federal CIOs declared that mobility “has shifted from a nice-to-have to a stakeholder requirement,” with respondents ranking it as one of their top three priorities for the year.
While mobility can aid in improving efficiency and productivity for professionals throughout all levels of government, broad adoption of mobile devices also comes with inherently higher levels of data security risks as compared to traditional desktop computer environments. It’s no surprise, then, that ranked even higher on the list of federal CIO priorities is cybersecurity. These CIOs reported spending 13 percent of their budgets on security in fiscal 2014, and over the next year, plan to invest even further. Not only must the security measures they develop address a fast-evolving landscape — with new targeted, persistent threats popping up with increasing frequency — but they must also encompass the flood of new tablets and other mobile devices hitting the market each day.
This federal buying season, it’s incumbent upon all government technology purchasers to make security part of their mobility game plan. Here are a few best practices for agencies to keep in mind as they evaluate mobile solutions to be sure they offer the appropriate levels of security for government use.
Look for enterprise-grade devices. Mobile devices such as tablets can be divided into two broad categories — enterprise-grade and consumer-grade. Consumer-grade devices are the ones many of us use each day to play games, watch movies or surf social media. However, because they are designed only with personal use in mind, they generally provide only the most basic levels of data security and are often insufficient for sensitive government data. Enterprise-grade devices, on the other hand, are purpose-built for professional use and designed with security in mind. These tablets, handhelds, laptops and convertibles cannot be found in retail stores but can be easily found on many government contracts.
Trust in TPM. Last year, Debora Plunkett, director of the National Security Agency’s Information Assurance Directorate, announced she was recommending that all government national security IT systems make use of TPM (Trusted Platform Module), a hardware-based system security feature. TPM, which is widely available on enterprise-grade tablets and laptops, is a microcontroller that securely stores encryption keys, passwords or certificates, which are then used to authenticate the device and ensure that the platform remains trustworthy. Although not a silver bullet, TPM helps provide security that can be stronger than that contained in the system BIOS, operating system, or any non-TPM application.
Opt for hardware-based disk encryption. Hardware encryption offers added levels of security above software-based methods. One specification to look for is the Opal standard, developed by the Trusted Computing Group, a not-for-profit organization that also developed the TPM specification. Opal drives are self-contained, stand-alone solid-state drives (SSD) or hard disk drives (HDD) that are available for enterprise-grade mobile devices, and provide an extra layer of security to protect sensitive data and meet regulatory requirements. These drives can work with any operating system and will not have an impact on the performance of systems.
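The two recommendations above (TPM and hardware disk encryption) are features a buyer can verify on a delivered device rather than take on faith from a datasheet. The following acceptance check is an added example, not part of the original article or of any TCG material. It assumes a Windows device with PowerShell 5.1 or later run from an elevated session, and uses the built-in `Get-Tpm` cmdlet, the `Win32_Tpm` CIM class and `Get-BitLockerVolume`; the pass/fail baseline it applies (TPM 2.0 present and ready, OS volume protection on) is an assumption chosen for illustration, not a standard the article cites.

```powershell
# Added acceptance check (not part of the original article). Assumes a Windows
# device, PowerShell 5.1 or later and an elevated session; on other platforms
# the equivalent checks are vendor- or distribution-specific.
function Test-HardwareSecurityBaseline {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. TPM present and ready for use (Get-Tpm ships with Windows 8 / Server 2012 and later).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 2. TPM specification family. Win32_Tpm.SpecVersion is a string such as
    #    "2.0, 0, 1.38"; the first comma-separated field is the spec family.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $family = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $result.TpmSpecFamily = $family
    $result.TpmIs20 = ($family -eq '2.0')

    # 3. Encryption state of the OS volume. EncryptionMethod 'Hardware' means
    #    BitLocker has delegated encryption to a self-encrypting (Opal/eDrive) drive;
    #    a software method such as XtsAes256 still protects the data, just not in hardware.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.OsVolumeProtection        = $os.ProtectionStatus   # On / Off
    $result.OsVolumeEncryption        = $os.EncryptionMethod   # Hardware, XtsAes256, None, ...
    $result.OsVolumeHardwareEncrypted = ($os.EncryptionMethod -eq 'Hardware')

    # 4. Overall verdict against the assumed baseline: TPM 2.0 present and ready,
    #    and protection on for the OS volume. Hardware encryption is reported but
    #    not required, since a software-encrypted volume is still protected.
    $result.MeetsBaseline = (
        $result.TpmPresent -and
        $result.TpmReady -and
        $result.TpmIs20 -and
        ($os.ProtectionStatus -eq 'On')
    )

    [pscustomobject]$result
}

# Run the check and print each property on its own line.
Test-HardwareSecurityBaseline | Format-List
```

Run this on a sample unit before accepting a lot: a device that reports `TpmSpecFamily` of `1.2`, or `OsVolumeProtection` of `Off`, has the hardware the article recommends but not yet the protection it is meant to deliver, and should be provisioned before it carries sensitive data.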
Don’t forget wireless security. IT security strategies need to address not only data secured on the device, but data in motion as well. For WiFi-enabled devices, wireless authentication and encryption each play a role in preventing unauthorized access or damage to mobile devices. Look for devices utilizing the latest authentication and encryption standards. Similarly, if devices connecting over LTE mobile broadband networks are part of your game plan, look for enterprise-grade technology architected to provide a secure, reliable connection.
Remember — MDM matters. Mobile device management solutions are a critical part of any mobility security strategy. These solutions allow IT administrators to monitor and manage devices in real time, guard against unauthorized device access, remotely wipe or lock devices when lost or stolen, and perform other tasks such as updating applications or virus definitions. In the federal government, programs such as the GSA’s Managed Mobility Program streamline the procurement process for agencies to access these solutions through existing government-wide contracts and purchase agreements. Ensure that any new device you invest in is compatible with best-of-breed MDM solutions.
Provide security authentication with smart cards. Smart cards help to lock down computer networks and prevent hackers from accessing critical data. A smart card is a plastic card containing an embedded computer chip that stores data. They increase data storage capacity, provide encryption, and offer the flexibility to work with several devices so the user does not need to carry multiple cards. Contact smart cards are inserted into a reader on the user’s device, while contactless smart cards are able to communicate via radio waves. Consider incorporating smart cards into your security strategy, and look for mobile devices with smart card readers either integrated into the device or available as an attachment.
Reinforce with durable designs. All of the security features discussed above are available in rugged technology, but it’s important to keep in mind that choosing devices with rugged, durable designs is a security strategy in its own right. Rugged tablets and other devices not only are built to survive drops, impact and moisture, but can also be used in extreme heat or cold — all of which guards against critical data being lost due to damage to the device. Rugged devices also offer physical security features such as cable lock slots, which can be used to secure the device in a public area.
In almost any field, the rapidly evolving security environment is creating new sets of challenges and threats each day — and this is particularly true in government. Finding the right solutions starts with making the right choice in hardware. By keeping these tips in mind, government technology buyers can maintain vigilance and keep their workforces both productive and secure.