
13 votes

Rank 20

Idea #48

This idea is active.

Must include Security at the Core of this Dialogue

Even in early draft form, a document like this that has the power to transform Government must address security at a fundamental level. If security is left to be bolted on by individual agency procurements, we'll end up increasing risks and costs.

There should be some high-level direction that the introduction of mobile must not increase the risks, and that a common set of standards (not products) across broad groups must be used. This direction would be used to provide for security depth (e.g. encryption, MDM, MEAP, TCB) at the core of the dialogue.

That would be in line with the CloudFirst and BYOD efforts underway in agencies across the board, and make it easier to implement agency procurements in a safe and efficient manner.

Submitted by Tom 2 years ago

Comments (6)

  1. Agreed. Standards must also be clear. For example, is FIPS 140-2 compliance required? If so, does it mean the algorithm itself (AES-256), or the specific implementation by the vendor on a specific device? Does the specific implementation need to be VALIDATED, or just the algorithm itself?

    2 years ago
    1 Agreed
    0 Disagreed
  2. While I think it's easy to 'agree' with this in premise, I can't disagree with it strongly enough.

    I'll give you two examples of why I think it's superfluous and a red herring:

    (1) Agencies don't truly care about security today, as evidenced by their continued use of outdated versions of IE. I don't just mean they're "behind on cool features"; I mean they're actively using platforms that Microsoft has stated it will start automatically upgrading for the average citizen because they're so bad.

    (2) I've also been told that FIPS 140-2 requires things like an 8-character passcode, yet I know agencies that only require 4 digits.

    Requiring security in this fashion is doomed to get ignored or lock the Gov into the stone ages.

    However, I'm not completely against the theory, and what I would propose are principles such as:

    (1) Mobile devices must be 'trackable' and support 'remote wipe' (two things I'd bet aren't in FIPS or FISMA).

    (2) Any user planning on taking a mobile device out of the country is required to register the duration; otherwise an instant wipe will occur.

    (3) ...

    2 years ago
    0 Agreed
    1 Disagreed
  3. Plenty of Govt computer security standards exist, the biggest FISMA-derived ones being NIST's and the (mostly the same) DoD IA Controls. These are well tested, used often, within the system (itself a decade-long process to obtain), and pretty much required. The DoD mandates these be used on their devices... problem is the popular devices of today cannot be (easily) secured. They are weak in so many fundamental ways.

    (I work in the cyber-defense arena, have achieved certification for many systems, and am quite afraid of the huge risks today's security-deficient consumer computers/smartphones/tablets/iPads bring to our now-pretty-secure networks. There are solutions (just wiki Secure End Nodes) but not much in the mainstream today.)

    2 years ago
    0 Agreed
    0 Disagreed
  4. Mobile devices create additional security risks. Some consumer-focused device platforms may not have the security and management capabilities for all applications.

    2 years ago
    0 Agreed
    0 Disagreed
  5. Mobile services: develop a device-agnostic secure mobile platform. Integrate security requirements and capabilities (sandbox, virtualization, TPM, strong auth, etc.) from the beginning, so the mobile service you consume will safeguard data regardless of the access platform (BYOD, GFE, CFE, etc.).

    2 years ago
    0 Agreed
    0 Disagreed
  6. Regarding security, although the discussion tends to be around device management, and while this is certainly a top priority, I would like to elevate the discussion to encompass a Mobile Security Services Management framework and architecture. Device management is a critical component but only a subset to end-to-end mobility security management. Device management is important as it will hopefully start to shed light on the true scope of the mobility management and security issues – it is not just about turning on and turning off bits on a mobile device, but it is about vpn, email, security, document sharing, identity management, virtualization of commercial OS platforms, locked down app stores, etc…

    2 years ago
    0 Agreed
    0 Disagreed
