Going Mobile: Handling Devices in the Public Sector

Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK

Principal, nControl, LLC
Adjunct Professor

Upload: steve-markey

Post on 15-Aug-2015



• Presentation Overview
  – Mobile Computing Overview
    • Mobile Device Overview
    • Security Guidance
    • Bring Your Own Device (BYOD)
    • Mobile Applications (Social Media, etc.)
  – Case Studies
    • Fairfax County Public School (FCPS)

Going Mobile

• General Overview
  – Why should you care about mobile devices?


Source: thesocialskinny

• What is Mobile Computing?
  – (Relatively) New Business Model
    • Taking remote computing (laptops) to the next level
    • Includes Smartphones & Tablets
    • OEMs, Content & (Connectivity) Service Providers
  – Causing the Blur of Business & Personal Use
    • Personal content / access on business device
    • Business content / access on personal device
    • Personal use has driven business use


• Mobile Computing
  – Pros
    • Enhanced Productivity
    • Enables Remote Work
    • Potential Cost Savings
    • Enhanced Worker / Customer Satisfaction
  – Cons
    • Security, Legal & Privacy Issues Abound
    • Blurred Ownership for BYOD
    • Immature Technology
    • Lack of Strategy, Tactics & Policies


• Security Guidance
  – To Go or Not To Go Mobile
    • Go
      – Customers Are Asking / Begging for It!
      – Budget & Executive Support
    • Do Not Go
      – To Be Cool / Bleeding Edge
      – Save Money
        » Mobile technology is usually an enhancement/added functionality
      – Without a Strategy, Tactics & Policies


• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
    – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
    – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/


Source: Symantec


• Security Guidance
  – Mobile Device Digital Forensics
    • Policy
      – City of Ontario, CA v. Quon
    • Vendor / Counsel Due Diligence
  – Physical Security
    • Screen Filters


Outdated Thinking: 75% of companies have not addressed smartphone security* (60% cite security as biggest mobility obstacle*)

IT is Organizing: Ad hoc deployment giving way to centralized policies that include all endpoints (Server, PC, Laptop and Mobile)

Mobile/wireless IT spending likely to exceed IT budget growth in many organizations: 12.5% avg. growth rate (Source: Gartner)

Increasing Mobile Device Threats: Mobile virus variants have doubled every 6 months since 2004 (235 mobile virus variants in H1’06) (Source: Symantec Security Response)

Enterprise Faith: 80% of companies are allowing corporate data on devices, yet continue to not secure the data*

Fastest Growing Device Segment: Smartphone growth = 77%; Other mobiles = 27%; Mobiles outship PCs 5:1 in 2006 (Source: Canalys for H1’05 to H1’06, IDC & Gartner)

Source: Symantec

• BYOD
  – Affects all with devices and access to your network
    • Employees / Contractors / Vendors
  – Strategy First, Policy Second, Technology Third
    • Deployment
      – Who can and who cannot use BYOD?
      – Devices & applications supported?
      – Data wipes?
      – Replace procured devices (BlackBerries)?
      – Reimbursements?
      – Functionality?
    • Acceptable Use
      – Jailbreaking?
      – Back-ups?
      – Indemnity?


Source: Good Technologies

Source: Fiberlink


Source: Cisco

Source: Fiberlink

• BYOD
  – Strategy First, Policy Second, Technology Third
    • Technical Details
      – Mobile Device Management (MDM)
      – Mobile Application Management (MAM)
      – Enterprise App Stores
      – Data-boxing / Sandboxing


Source: CIO

Source: Dell

Source: Airwatch


Source: Nokia

• BYOD
  – Money
    • Additional Staff (IT Support, Accounting)
    • 100 Devices Cost $170,000 / Year
      – $172 / Month / User for VMware
    • What is reimbursable? What is not?
      – Batteries
      – Screen Covers
      – Docking Stations
      – Carrier Service Plans
      – Apps
      – Chargers


Source: CIO

• BYOD
  – Productivity
    • Mobile Device Users Work More Hours
      – 240+ Hours / Year
    • Classify Workers
      – Executives
      – (Non) Customer Facing
      – (Non) Exempt
      – FTEs / Contractors


Source: WatchGuard

Source: Fiberlink


• Mobile Applications
  – Strategy First, Technology Second
    • Strategy
      – Centralized / De-centralized Departmental Deployments
      – End-User: Internal, External or Both
      – Development: Internal, External or Both
      – Mobile Device Platform(s)
      – Administration & Management
    • Technologies
      – Social Media
      – Custom Apps
      – Commercial Off the Shelf (COTS) Apps
      – Modified Apps


Source: Mobile Enterprise


Seven Mobile App Development Tips

• Keep it simple — Don’t overdo it. The app should mean one thing when you publicize it. Multiple functions may require a separate app or system.

• Be open to ideas — Engage other departments in the design and functionality of the app.

• Know your audience — The Internet is accessed more frequently via mobile solutions by people below the poverty line (due to the low initial price point). You’re involving a new group and need to plan your outreach accordingly.

• Make it relevant — Know what functions and issues are of concern to the community and make your app more than just a problem reporting program.

• Location, location, location — If your app doesn’t have a spatial component to it and you don’t have an ability to extract GIS information from the app, you’re more than missing the boat — you don’t know where the water is.

• Data integration — Make sure the mobile app can feed into your existing work order or dispatch systems. You don’t want to waste staff time trying to bridge systems.

• Cross-platform support — Don’t leave two-thirds of your public unable to interact with their local government easily because you decide to only develop


Source: GovTech

• Mobile AppDev Vendor Due Diligence
  – Certifications, Attestations & Best Practices
    • SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
    • ISO 27001 / 2
    • ISO 27036
    • ISO 9000
    • Capability Maturity Model Integration, CMMi
    • Building Security In Maturity Model, BSIMM

• Case Study: FCPS
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps


• Case Study: FCPS
  – Background
    – Push BYOD to 180k Students, 23k Staff
  – Drivers
    – Cost
  – Technologies
    – iOS, Android, BlackBerry Devices
    – WiFi via WPA2-Enterprise
    – XpressConnect WLAN


• Case Study: FCPS
  – Limitations
    – COPPA-based Regulations
    – Limited Staff & Budget
  – Risks
    – Lost Devices
    – Malware Infestations
    – COPPA Violations


• Case Study: FCPS
  – Lessons Learned
    – (Assumed) Choose Your Battles
    – (Assumed) Policy First
  – Next Steps
    – (Assumed) Malware Detection
    – (Assumed) White Listing of Apps


• Presentation Take Aways
  – Mobile is here to stay.
    – With New Bells & Whistles (Big Data, etc.)
  – Paradigm Shift Towards Empowerment
  – Strategy & Due Diligence Are VERY Important
    – Must Consider the Ecosystem
    – Probably Not Cost Effective, Yet Productive

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey