Article written by Jim Hansen, VP of Products, Security, SolarWinds
Earlier this year, the Department of Defense (DoD) released a policy memo stating that DoD personnel—as well as contractors and visitors to DoD facilities—may no longer carry mobile devices in areas specifically designated for “processing, handling, or discussion of classified information.”
For federal IT pros, managing and securing “allowable” personal and government devices is already a challenge. Factor in the additional restrictions and the real possibility that not everyone will follow the rules, and mobile-device management and security can seem even more overwhelming.
Luckily, there are steps federal IT pros can take to help get a better handle on managing this seemingly unmanageable Bring Your Own Everything (BYOx) environment, starting with policy creation and implementation, and including software choices and strategic network segmentation.
Agency BYOx Challenges
While there are overarching rules, each government agency has its own unique accompanying rules and regulations that help accomplish its mission.
Some agencies allow personnel to use their own devices; some do not. For those that do, the main challenges tend to be access issues: which devices are allowed to access the government network, and which are not?
For agencies that don’t, there is also the challenge of preventing unauthorized use by devices that “sneak through” security checkpoints.
The most effective solutions, therefore, are multi-faceted to ensure that agency networks and data are protected no matter where the threat is coming from. Implementing some of the best practices below to support your government cybersecurity solutions can help ensure complete protection against a BYOx threat.
Three-Step BYOx Security Plan
Step One: Train and Test
A vast majority of security breaches are born from user error. Successful phishing attacks, for example, can be widely prevented through end-user education and effective policy management.
Most agencies do have mobile device management policies, but not every agency requires personnel to take training and pass a policy-based exam. This is highly recommended. Training can be far more effective—and taken more seriously—if agency personnel are tested on how they would respond in certain scenarios. It shouldn’t be treated any differently than a harassment training or a workplace safety training class.
Effective training emphasizes the importance of these policies, as well as the consequences of violating them: what actions will personnel face if they don’t comply or blatantly break the rules? In the testing phase, be sure to include scenarios that help solidify personnel understanding of what to do (and not to do) in situations that may not be completely obvious.
The more training, and testing, the better.
Step Two: Access Control
Policies have been implemented; personnel have been trained; they’ve been tested. No matter how much the federal IT pro prepares, there is still the potential for unauthorized access. Hence the second step, Access Control, which helps ensure you have the right controls in place to manage BYOx in accordance with your agency policy.
Identity-based access management is used to ensure only authorized personnel are able to access the agency network using only authorized devices. Add a level of security to this by choosing a solution that requires two-factor authentication. I know, two-factor authentication (2FA) is a pain. But, if my grandmother’s email account can be better protected from unauthorized access, your agency can benefit as well. Consider the extra authentication step for an added layer of security.
Additionally, be sure to create, maintain, and carefully monitor access-control lists to help ensure that users have access to only the networks and resources that are needed for them to do their jobs. This principle of least privilege is a foundational security concept that can help ensure you’re more protected from fraudulent access by non-authorized devices and users who have been potentially compromised on those devices. When establishing these access control lists, include as much information as possible about the users and resources—systems and applications—they are allowed to access. A detailed list could aid in discovering and thwarting fraudulent access from a non-authorized device.
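One way to put such a detailed access-control list to work, as an added example that is not part of the original article: each entry binds a user to enrolled device IDs and permitted resources, and access events are checked against it with default deny. The user names, device IDs, resource names, and event format are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    devices: frozenset    # device IDs enrolled for this user
    resources: frozenset  # systems/applications the user needs for the job


# Constructed sample ACL (hypothetical users, devices and resources).
ACL = {
    "asmith": AclEntry(frozenset({"GOV-LT-0142"}), frozenset({"email", "hr-portal"})),
    "bjones": AclEntry(frozenset({"GOV-LT-0199", "BYOD-PH-0031"}), frozenset({"email"})),
}

# Constructed sample access events: (user, device_id, resource).
EVENTS = [
    ("asmith", "GOV-LT-0142", "email"),       # listed user, device and resource
    ("asmith", "PH-UNKNOWN-77", "email"),     # known user on an unenrolled device
    ("bjones", "BYOD-PH-0031", "hr-portal"),  # enrolled device, resource not granted
    ("cdoe", "GOV-LT-0142", "email"),         # user absent from the ACL
]


def evaluate(user, device, resource, acl=ACL):
    """Return (allowed, reason). Default deny: anything not listed is refused."""
    entry = acl.get(user)
    if entry is None:
        return False, "unknown-user"
    if device not in entry.devices:
        return False, "unauthorized-device"
    if resource not in entry.resources:
        return False, "resource-not-granted"
    return True, "ok"


def review(events, acl=ACL):
    """Return the denied events with their reasons, for alerting or follow-up."""
    findings = []
    for user, device, resource in events:
        allowed, reason = evaluate(user, device, resource, acl)
        if not allowed:
            findings.append({"user": user, "device": device,
                             "resource": resource, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

Because the list records devices as well as users, the second event is refused even though the user and the resource are both valid.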
Step Three: Implement the Right Tools
The final step is almost an add-on to Step Two, but worth highlighting from a security perspective.
Mobile phones are far and away today’s biggest BYOx issue for federal IT pros. As a result, access control (Step Two) is of critical importance. That said, ensuring the following basic security-focused tasks are being implemented is a critical piece of the larger security picture:
• Patch management – Countless breaches have occurred as a result of organizations not keeping up to date with the latest patches to their software. Patch management is a simple, and effective, security measure. Choose a product that provides automated patch management to make things even easier and keep your personnel’s devices patched, up to date, and free of vulnerabilities and misconfigurations.
• Threat detection – Users often have no idea their devices have been infected, so it’s up to the federal IT pro to be sure a threat detection system is in place to help ensure that compromised devices do not gain access to agency networks.
• Device management – Even after proper training, not every user will follow the rules. If a user tries to attach an unauthorized device to the network, the quicker the federal IT pro can detect and shut down access, the quicker a potential breach is mitigated.
• Anti-virus software – Every agency should have anti-virus software—it’s probably the most ubiquitous, easiest-to-implement form of security available today.
• Access rights management – Provisioning personnel, deprovisioning personnel, and knowing and managing their access to the critical systems and applications across the agency is necessary to help ensure the right access to resources is granted to the right people.
BYOx is one of the biggest challenges facing federal IT pros. Yet, as with any challenge, sticking to the basics and implementing a logical series of IT and end user-based solutions can help reduce risk. Follow the above three steps for a solid start to ensuring tight security in an increasingly BYOx world.