As mobile devices proliferate, efficiency and employees are the winners. But security remains the top priority in the federal environment. Here’s how GovCon companies are bringing these sometimes competing needs together.
Listen to many of those who know the federal mobility environment, and the old expression “closing the barn door after the horse is gone” comes to mind: Mobility is off and running.
In this wide-open world, where’s the place for the kinds of security restrictions government work demands? Walking that border is the challenge for GovCon leaders.
It’s what Symantec’s John Bordwine, public sector chief technology officer, calls the “core mobility conundrum—how to protect sensitive information in a mobilized infrastructure, without impeding the cost and efficiency benefits of a mobilized population.”
In just a year, the questions around mobility in the federal environment have taken a dramatic turn—it’s no longer about what devices or networks to use. It’s about how to best use the proliferation of devices and applications that are already there.
“Security tops the list in mobile discussions within the federal technology community—and for good reason,” said Deloitte’s Tech Trends 2012 report, released in June and written by Brad Eskind, federal technology practice leader. “In the past, agencies largely addressed security by limiting functionality in voice, data, and applications.”
That’s no longer an option. On May 23rd, the Digital Government Strategy released by the White House and Steven VanRoekel, federal chief information officer, laid down a mobile approach whose guiding principal is openness and interoperability—an anywhere, anytime, any device philosophy and a shared, government-wide platform approach. Anything that slows down or restricts access, from non-searchable PDFs to device-dependent apps, gets the boot.
And agencies had to work fast—some benchmarks were within a month of the release of the policy.
“This market is changing so much faster than any market I think any of us have ever seen before,” said Ken Kartsen, vice president for federal sales at McAfee. “Think about virtualization—we’ve been talking about it for eight years maybe, and it’s just really hitting the pinnacle today. You can say the same for cloud—we’ve been talking about it for years, and it’s really only getting there now. With mobility, never have we seen the proliferation of the number of devices like we’re seeing now, into the billions.”
It’s the Drivers, Not the Devices
What powered this rapid mobile development and adoption? You did. Executives at the top, agency leaders, and employees at all levels like their phones and, increasingly, their tablets. With mobile devices, they work more, they work faster, and they work everywhere. Agencies got the message.
For instance, at the Transportation Security Administration, more than 50,000 of its 60,000 employees work outside of an office, making mobility a natural priority, its chief information officer, Emma Garrison-Alexander, said on Federal News Radio.
Citizens are also driving demand. Accenture’s Digital Citizen Pulse Survey and the Future of Government Operations report found that in the United States and six other countries more than 70 percent of people already interact with their government regularly online to submit and track forms—and half want more online channels.
“The business drivers were already out there pre-May 23rd, and they’ll be out there long after that,” said Ted Davies, president, federal systems, Unisys. In addition to improved productivity and better customer service, another driver is “business process improvement and the ability for mobile devices to streamline existing processes and really shorten cycles—and ultimately reduce costs for organizations.”
Another big shift from a year ago is that the matter of which device, which platform, which app, isn’t as pressing. Today’s answer is often “whatever works”—and this adds complexity to security considerations.
While in the commercial market a battle raged over devices and platforms, it became almost a running punch line that federal Washingtonians were “clinging to their BlackBerrys.” The fondness for BlackBerry wasn’t only because of technological conservatism—Research in Motion has been friendlier about allowing high-security measures on its devices, where Apple, for instance, blocks many modifications, and Android systems can be vulnerable to viruses.
But BlackBerry loyalty is waning, according to a report from the Government Business Council. Since 2009, it says, the 77 percent of federal managers that used BlackBerry phones has gone down by less than half, while iPhone use has nearly tripled, reaching 23 percent. Today, just as in the commercial sector, Android and iOS operating systems compete for the top, with Windows Phone also used, but less widely. The National Oceanic and Atmospheric Administration is switching its device use to Androids and iPhones as its Research in Motion contract runs out. The report also echoed a tendency observed in the commercial world: younger federal managers prefer Android; older managers like iOS.
One clear trend is the tablet is on top: Everyone wants one. In fact, these may replace laptops in the federal world. Microsoft’s new tablet, the Surface, may hasten that process. It is scheduled for release around publication time for this issue of GovConExec. It’s not seen as powerful competition to the iPad, but commenters and bloggers say it does present some differentiators: the iPad is more a “consumption device” and less of a worker bee; the Microsoft option is more like a notebook, with USB input and one version that will support legacy apps. It uses Windows 8, which should be available around the same time as the release of the device. And its security advantages and drawbacks alike should be at least familiar to agencies.
There’s a (Secure?) App for That
Shared platforms and apps for mobility open another door. The call for shared platforms means agencies still express preferences as they contract for platforms and apps, but they’re moving away from the “bespoke” systems that have characterized the field in the past. A recent RFI from the National Institute of Environmental Health Sciences, for instance, asked for apps for iPhone and iPad, but made clear it also wanted options for simple portability to Android and whatever else might emerge.
With agency after agency starting app stores and employee demand high for apps that help them work more quickly and easily, the opportunity is to start improving interoperability and quality over quantity. The National Weather Service, for instance, last year discontinued any in-house app production and is looking to all outside vendors.
“The last piece in this move toward mobilizing is, which applications do I mobilize?” Davies said. “And not only which ones, but how. You’ve got to be careful not to just take something from a desktop or laptop and try to put the same interface and same look and feel on a mobile device. How do you re-engineer the applications so they can take advantage of a different platform and provide better productivity in the workforce?”
Deloitte proposes a “shared-first security approach,” a la FedRAMP, in its Tech Trends 2012. “Agencies should consider adopting a ‘build once, use many times’ philosophy for internal deployments as well. If an app or program has been accepted for use, then it should be available to other federal agencies.”
Networks as a Vital Part of Mobility Security Picture
Another rapid change in the mobility environment: the wireless world upon which mobile devices depend has gotten crowded, fast. “I started working at AT&T in 1984—a time when mobile phones were rare and very expensive,” said Thomas Harvey, senior vice president, AT&T Government Solutions. “Mobility has changed dramatically. Now, our customers want to do everything in a mobile environment that they are used to doing from their desktops.”
AT&T is still well positioned here, with its mobile internet network covering more than 90 percent of the U.S. population, Harvey points out. “We believe mobile network performance will become an important component for federal agencies as they embrace and implement new mobile strategies.
“Federal agencies are exploring mobile device management (MDM) solutions that solve the challenges of managing devices on the agency’s network while ensuring secure use of mobilized information.”
“The biggest challenge posed by the rapid growth in mobility is the integration of real-time communications on mobile devices while enforcing an agency’s security policies,” said Chris Formant, president at Avaya Government Solutions. “This means that enterprises want to evolve to new mobile technologies in a secure fashion without losing the investment in their current platforms that still deliver value.”
For instance, Avaya’s recent acquisition of RADVISION expands its mobility and video capacity, which was already supportive of multiple platforms.
“Another challenge facing government agencies in the mobile environment is how to prioritize data over networks,” said Kevin Kelly, CEO, LGS Innovations, which specializes in mobile networks, particularly 4G networks, using wireless methodology and tools developed by Bell Labs.
“For example, how do commanders make sure they are receiving the information they need quickly when soldiers may be using those same networks for sending emails or downloading videos? LGS’s parent company Alcatel-Lucent has developed the High Leverage Network architecture concept, which enables continuously scalable bandwidth at the lowest cost while simultaneously building in the network intelligence to create and deliver new real-time multimedia services.”
Cisco and others in wireless have found opportunities in making the wired and wireless worlds as seamless and easy as possible to use—so the employee with the tablet needing the latest wireless technology and the one with the desktop using an older network access point don’t have any trouble getting their jobs done, together or separately, wherever they are.
“It doesn’t really matter what access methods you’re coming in on, you still have to follow the same access policy, you still have to be able to manage the policy easily, and you’ve got to be able to make changes fairly quickly,” said Kevin Manwiller, manager of federal security and mobility solutions, Cisco. “From our standpoint, we have to make the wireless component just as easy to manage and just as easy to secure as the wired.”
Previously, the top concern expressed was that “wireless is not secure, so I don’t want to use it,” Manwiller said. “The market and the customers are going to dictate what happens here. And the market and the customers are mandating the use of wireless, and they are demanding the use of tablets, and that’s what’s driving the data owners to put some focus on this.”
“Given the variance among mobile device types, vendors, and operating systems, our greater goal is to reduce cost and complexity through device-independent, information-centric protection,” Bordwine said.
Security Strategies for Multiple Scenarios
The DoD, which once looked askance at mobility out of security concerns, now has a user base of more than a quarter of a million commercial mobile devices and several thousand Apple and Android operating systems. It responded to the government’s call with release of its mobility strategy in June.
“The DoD Mobile Device Strategy takes advantage of existing technology, the ability to use or build custom apps, and a workforce increasingly comfortable with mobile devices,” said Teri Takai, Department of Defense chief information officer, in the introduction to the strategy. “This strategy is not simply about embracing the newest technology—it is about keeping the DoD workforce relevant in an era when information and cyberspace play a critical role in mission success.”
The strategy covers wireless infrastructure, devices, and apps, and it reflects the “anywhere, anytime” spirit that has become the new normal. For instance, a wireless infrastructure is defined as “simply an expansion of the DoD Information Enterprise in support of mobile devices.” A top concern is clearing out network space needed by bandwidth hogs like high-security, high-quality video. The need to “streamline the approval process for commercial mobile devices” is noted as well as the goal to develop secure apps that warfighters and support will want to use.
With the Air Force snapping up iPads (recently, $9 million worth from Executive Technology Inc.) and putting out a request for information on “handheld devices that support music, video, photo and E-books and can be accessed through removable memory cards,” the military is obviously comfortable with the security issues mobility raises.
And the Defense Information Systems Agency, which approved Dell’s version of Android 2.2, is developing a mobile strategy that includes provisions for personnel to use their own devices (but it’s not calling it a BYOD policy). It’s also testing products for a future app store.
Even in a tight budget situation, security isn’t seen as something that can be easily sliced away. The DoD mobility strategy instead keys security levels for mobility to user and uses, offering further flexibility.
Deloitte, in its Tech Trends 2012, cites the Air Force iPad adoption as another way to address security issues, namely through prioritizing use cases: “Rather than wait for security accreditation for a tablet’s functionality, the Air Force applied it to one specific use case—storing and displaying digital flight charts and manuals. Like commercial airlines, the Air Force recognized the potential savings in weight and portability for flight crews by reducing paper. The tablets will be preloaded with the required information, circumventing the requirement that the devices be fully accepted for network access before use. Agencies can better address security issues by knowing what is and is not required by the end user.”
Coming at Security from All Directions
The shaky sense of security in the mobile world has resulted in a proliferation of solutions. As the field settles out, the profound effect mobility is having on security overall gets clearer.
“Among other things, mobile computing has essentially upended the classic fixed-perimeter security model,” Bordwine said. “And without that perimeter, network-connected devices become susceptible to a host of threats, including malware, web- and network-based attacks, and data loss events. This means organizations should focus on protecting the information, as well as the infrastructure.”
“For mobile/wireless networks with their proliferation of end-user devices, it will be critically important to not only know ‘what’ is on the network, but also ‘who,’” Kelly said. “The proliferation of MDM as well as mobile application services (MAS) will help address the ‘what.’ This includes areas such as provisioning, software updates—including new apps—and data wipes if the device is lost or stolen.”
But what about the “who”? “Have they been authenticated? What access should they have to which apps and parts of the network?” Kelly said. That’s where biometrics, passcodes, and location-based (GPS) authentication come in.
The National Institute of Standards and Technology this spring released specifications—“device and system agnostic,” of course—that enable mobile devices to exchange biometric data. Biometric technology has largely and inconveniently been dependent on particular systems that don’t talk to each other, and this is a step toward changing that.
While the data can be protected at the source, a big area of concern is secure document sharing—once a document is downloaded, it can be accessed by anyone who can access the device. Unisys has developed at its center for excellence the U-Drop: Two pieces of the document are stored in two different places, so the complete file can’t be accessed. An authenticated user can pull the pieces back together so the document can be read.
Among Symantec’s recent suite of tools for mobile security is mobile application management (MAM)—“made possible by Symantec’s recent acquisition of Nukona,” Bordwine said. “It helps administrators solve security problems at the application level, when traditional mobile device management isn’t enough.”
BYOD Doesn’t Mean Open Season
One element to consider in mobility security is basic workplace management: “If you don’t know that a device exists, there’s really no way to protect it. At McAfee, we have a solution called enterprise mobility management, EMM, which comprises these capabilities or we partner with other solutions to provide these capabilities,” Kartsen said.
This would preclude the BYOD free-for-all that some worry about. The BYOD trend in the federal workplace might be countered by mobility that gives workers the devices they like, but protects the agency by incorporating security restrictions—such as rules for using Facebook.
The military is thinking along the same lines. General Dynamics, for instance, is creating cyber and information security technologies for Samsung smartphones and tablets that won’t be vulnerable in the same ways commercial devices are.
Kartsen also posits a future scenario similar to the “dumb terminals” of the past: certain mobile devices would need to have higher security and encryption while others might have abilities to view classified information but not allow users to pull down any data.
As security levels rise, so does the competition to meet the challenges. Boeing is just one GovCon firm working on a trusted mobile device for high-level users that can run on different platforms. Verizon is working with Cellcrypt to deliver voice-encrypted mobile calling capabilities to the government.
Managing these multiple security scenarios then becomes an area of opportunity.
“You have to be prepared to provide a security policy for each one of those scenarios,” Manwiller said. “The data owner is going to be responsible for setting that policy. It’s our job as the vendor community to give them a tool that allows them to make changes and control that policy quickly and easily.”
Quickly and easily is key, as threats proliferate as quickly as devices do. “Malicious actors will continue to exploit the vulnerabilities in mobile applications, while emerging technologies like near field communication and mobile commerce introduce additional threat vectors,” Bordwine said.
At Work, At Home, and in the Cloud
Without the push to the cloud, mobility would not have been able to grow so fast in the federal environment. The cloud itself—public, private, or hybrid—can have robust and flexible security capacity, so some are leveraging this, getting more security with less effort.
In addition to its security advantages, the cloud makes more mobility possible, as well as making mobility more productive. Moving email and other services to the cloud has become an opportunity, with the contract battles that go along with competition.
Computer Sciences Corp. recently got an FAA contract for about $90 million to move 80,000 employees’ email and other services to the cloud. It chose to use Microsoft Office 365 rather than the Microsoft Office 365 for Government option—the former allows for a private rather than a multi-tenant cloud. The software-as-a-service Microsoft application delivers on the “anytime, anywhere, any device” promise, but the privacy gives the FAA room for collaboration and the security to move forward on NextGen, an effort to improve air traffic management.
“Our cloud collaboration tools and the upcoming release of Office 15 as a subscription will drive down mobile collaboration costs dramatically,” said Greg Myers, vice president, Microsoft Federal, about what’s ahead at the company and the broader implications for federal employees with the release of Windows 8. After all, telework is something people have been discussing for years—and telework is, essentially, mobility by another name.
“Anyone with a Windows 8 to-go mobile USB image in their pocket can leverage their own home PC or Mac to securely boot and leverage the agency-managed Windows image with no additional desktop licensing costs,” Myers said. “Connect in an encrypted fashion, have full access to collaboration, save documents back to the cloud or to the USB device, and unplug when done: true mobility.”
Desktop virtualization can also hold security advantages: “Some organizations may opt for a data-centric approach to mobile enablement, choosing to limit the data actually resident on the mobile device,” said Deloitte’s Tech Trends 2012. “Relying on virtualized environments allows organizations to provide access without relinquishing control.”
No Slowdown in Sight
“The longer term and more compelling challenge will be the ability of the federal government to match its acquisition cycle with the rapidity of the commercial mobility/wireless marketplace,” Kelly said. “New user devices with ever-increasing capability have life cycles that are less than today’s federal acquisition cycle, which includes key areas such as certifications, contract award cycles, interoperability testing, and new product introduction processes.”
“You can see a day coming where the office worker won’t even need a desktop or a laptop anymore,” Davies says. “You can give them an ultrabook or tablet for a lot of their computing needs, or you can give them a hand-held mobile device. And they can plug in from anywhere because all their data is secure on hosted sites. You’ve got user identification authentication. You’ve got policies in place, and you’ve got a mobile workforce that doesn’t even need a laptop anymore. You can see a day where that’s going to come—not this year. But in the next few years.”
The pace shows no sign of slacking toward that day. In fact, mobility has become a foundational capacity, no longer addressed separately but essential to the enterprise.
“For our industry, it’s almost going to be table stakes, right?” Davies said. “I don’t think you’re going to be a credible systems integrator in any marketplace if you don’t know how to help an agency develop a mobile strategy, enable their organization for mobility, and then take advantage of that investment and capitalize on that. It’s just embedded in everything we’re doing right now.” GCE
Major Players in Mobility
In one way or another, every GovCon company is a mobility player; it’s becoming that ubiquitous. However, those in specific areas in the field today include:
- Security: McAfee, Symantec, Unisys
- Network/Wireless: Cisco, Avaya, HP
- Carriers/Service Providers: ATT, Verizon
- Systems Management: HP, IBM, VMWare
- Platform Vendors: Google, Apple, Microsoft
- Device Manufacturers: Apple, Motorola, Samsung
- Solutions Providers: CACI, CSC, DRC, GDIT, Harris, L-3 Stratis, Lockheed Martin, ManTech, Northrop Grumman, Oceus Networks
- Strategy: Accenture, Booz Allen Hamilton, Deloitte
Stats and Facts
From Accenture’s survey, key findings among U.S. citizens:
- 75 percent routinely use websites and portals to access government services.
- Only 40 percent said they currently use government websites that are available on mobile devices or mobile apps.
- 65 percent would be willing to have emergency broadcast alerts sent electronically or digitally.
In a forecast of mobile data traffic growth in the United States between 2011 and 2016, Cisco reported:
Overall compound annual growth rate: 74 percent
- Smartphones: 110 percent
- Tablets: 91 percent
- Laptops: 34 percent
A December 2011 survey of federal agencies by MeriTalk, sponsored by VMWare and Carahsoft, found:
- 35 percent of federal employees currently use smartphones in their work. The 2013 forecast: 43 percent.
- 7 percent now use tablets. The 2013 forecast: 19 percent.
- 46 percent now use laptops. The 2013 forecast: level at 47 percent.
According to CDW-G’s 2012 Federal Mobility Report:
- 99 percent of federal IT professionals report they have deployed mobile devices to agency workforces.
- 89 percent of federal employees say their mobile devices make them more productive.
- 69 percent of federal employees say mobility will improve service to citizens.
- 62 percent of agencies allow employees to BYOD—and more than 40 percent do.
Boots on the Ground, Mobile Devices in Hand
The greatest need, the highest consequences, the biggest IT hurdles—where mobility faces its biggest challenges—is with the “pointy end of the spear,” on the battlefield. Most devices can’t stand up to the conditions, so ruggedization remains a major concern.
According to VDC Research in its military trends report, top concerns in military mobility present areas of opportunity to serve critical needs:
- Specialized apps, particularly in areas of UV control and fire control, but also in logistics and mobile medics
- Situational awareness applications and integrated GPS
- Expanding wireless networks and building security architecture
- Developing mobile device management systems
- Ruggedized tablets, especially leveraging Android OS