Bill Harrod, Federal CTO at mobility management software maker MobileIron, is looking for changes in Federal bring-your-own-device (BYOD) policies – along with continued drives toward digital transformation – to help sustain and make more secure the turn to widespread telework by government and industry in the COVID-19 pandemic, and beyond.
Harrod – who has led cyber security operations for more than 30 years in the government and private sector, including long stints at the Federal Bureau of Investigation and CA Technologies – spoke with MeriTalk several weeks into the pandemic about those policy requirements, and their potential payoffs now and down the road into whatever the new normal brings.
MeriTalk: How is the COVID-19 pandemic different than other scenarios in the continuity of operations playbook, and what has the Federal government done so far to meet it?
Harrod: Unlike natural disasters that we’ve experienced before – such as Hurricane Katrina – the current situation is nationwide and global, rather than regional. And it happened so quickly that Federal agencies had limited time to prepare and to react. Now that it’s lasted this long, it’s become different than hurricanes or tornadoes that are regional, and whose impact can be measured in days or weeks.
What we saw in government was an almost overnight and total shift to telework and work-from-home mandates. Policy memos from the Office of Management and Budget (OMB M20-15 and OMB M20-18) have enabled telework for employees and contractors, many of whom were not authorized to work from home before that.
But the practical result now is that many employees and contractors are working from personal devices. They’re not working from agency-issued laptops or desktops, or even smart devices in many cases. The government’s facing significant issues around access control and traditional network-based virtual private networks (VPN). And we are seeing a big increase in personally owned mobile devices, smartphones, tablets, and Mac OS devices connecting to Federal agencies. Many agencies initially experienced such a flood of network connection requests that their VPNs and endpoint security solutions could not scale to accommodate it, and they did not have the capacity to manage it. While most agencies have since resolved the capacity issue, it is not clear they have resolved the security and access management concerns.
MeriTalk: What can Federal agencies do now to address the security aspects of that?
Harrod: I think it comes down to three things. The first is to accelerate digital transformation, and this is something that can be done even while we’re in the midst of the pandemic. Second, adopt policies around a freedom to choose your device. There are already a number of policies that are sitting out there waiting for approval. And then the third thing is to enhance enterprise and application resilience and stronger authentication.
We’ve talked a long time in cybersecurity about improving authentication – killing the password – and we need to make that change. We need to move to stronger and yet more user-friendly authentication, including behavioral attributes, and we need to look at conditional authorization. We need to leverage derived credentials – we’ve had derived credential policies in place for a long time – but often we are not leveraging those credentials from the modern endpoint.
We really need to finalize and adopt BYOD policies. The technology is in place, and there are lots of commercial best practices about how to manage and use those modern endpoints. Agencies just need to solidify their BYOD policies to enable the remote workforce, and to be able to make good decisions about how they manage and protect them. We need to provide policy-enforced secure access from any device, anytime, with the device itself being a policy enforcement point to ensure compliance.
Then make that endpoint a part of the zero trust architecture. That’s a part of the digital transformation as well – really moving to adopt that zero trust architecture, and tying together the identity of that device with the identity of the user and their derived credential, and binding all of that together to be a part of the authorization and access control decisions.
MeriTalk: What are some of the pending policy pieces on BYOD?
Harrod: One is ACD 470.6 from the Energy Department, and it talks about how to use mobile devices in classified environments. There’s a similar parallel policy on the Defense Department side that I’m not sure has been released yet.
And there are agency-by-agency or department-by-department policies that need to be finalized around how we leverage BYOD. The pandemic has relaxed or unfettered a lot of things that were just bound up before, either because of internal constraints or budgetary constraints.
There was a lot of disagreement about mobile devices and government furnished devices versus BYOD. There are ways to secure and manage personally owned devices, and I think we’re now seeing that some of those restraints have come off. People are using them because they need to in order to be able to work from home. And so we need to help government catch up with how to manage and control the device, the network the device is connected to, and the app that is being used to access government data and resources.
MeriTalk: What do you think the Federal government should be doing now to prepare for a return to more normal conditions several months from now? And how does zero trust figure into it?
Harrod: Some people I talk to are saying they can’t wait for things to return to normal, the way they were before the pandemic. But in many ways, I don’t think we’re going to return to the way things were before the crisis started, at least not for a long time.
The percentage of government employees and contractors who were allowed to telework at the end of February was somewhere below 50 percent for many agencies, and for some closer to 10-20 percent. Now many are at 80 or 90 percent or higher.
So we’re not going to put that toothpaste back in the tube. I don’t think you’re ever going to revert to having as small a number of people able to telework, at least for things like weather-related crises and special events. So we need to get some of the policies in place to reflect that – the BYOD policy, and policies about how people securely authenticate and access the Federal government.
The to-do list for agencies over the next several months? I think policy is one, and digital transformation is another, along with putting a plan in place to adopt a zero trust architecture. Everything from micro-segmentation and management of the new modern endpoint, to assured identity and attribute-based access and controls. I think for the first time we’re really in a place where we can leverage attribute-based access control, which is something we’ve talked about in government for a long, long time.
And then the other thing is to prepare and defend that expanded threat surface. Mobile threats are something that we’re seeing a lot of right now. We’ve seen attacks on some of the operating systems and email systems. And there are a lot more phishing attempts targeting mobile devices either through email or through web links. It’s often harder for the user to detect or to see the things that might be an indicator when they’re working on a traditional desktop or laptop. So mobile threat defense detection and remediation is a big piece of what agencies and the government can do in the next several months.
MeriTalk: What can MobileIron do for the Federal government to help them get to that better state?
Harrod: The catalyst that the COVID-19 crisis has brought about is that agencies need to support a broader set of devices. They need to increase security and protection as they go through digital transformation, and even as they connect to more cloud-based resources and applications. They need to enhance multi-factor authentication and provide a more robust encrypted tunnel for apps and for the device. And then they need to detect and remediate attacks and phishing attempts on the mobile device with a mobile threat defense solution.
The National Institute of Standards and Technology (NIST) in the draft 800-124 policy talks about having a unified platform for unified endpoint management, for application management and vetting, and for mobile threat defense.
At MobileIron, we’ve been doing a few different things.
For example, we’ve been working with a West Coast health care provider that needs to expand the number of devices for their staff to be able to connect to their healthcare systems. But there was no budget, they didn’t have the procurements in place, and there was no paperwork. So we made an offer to allow people to leverage our solutions for a limited time without paying for them upfront. It’s essentially a free implementation to deploy the needed capabilities, to be able to control and manage the device, and control the apps and content on the device so that they can trust the data. We’ll deal with the paperwork and the procurements as we begin to return to a sense of normalcy.
Another example is a big school system in the southwestern U.S. They had to go to a distance learning model, but there was a real gap for underprivileged families to be able to access the internet. So we worked with one of our partners, and have taken a number of Android devices and put some security controls around them so that they can essentially only operate as a hotspot in a tethered mode, so that the students can connect their laptops to those tethered hotspots and be able to leverage them to be able to get access to the distance learning.
It’s all about helping agencies be able to manage in what will be the new normal. It really comes down to managing all sorts of devices, protecting them, providing better security, and leveraging the mobile threat defense piece.