Unfortunately, with the significant increase in mobile devices, they have become the target of the largest number of threats. However, the reality is that mobile devices are really just another end-point – another point of access to data and applications. Therefore, IT departments should not worry about the security of the device, but focus on protecting the data.
Although device security should be considered, the mobile phenomenon has largely been driven by the user experience, so we need to make sure we do not over-engineer device-centric security in ways that could compromise its benefits.
These are some of the key takeaways from a recent FedPulse interview with Ashok Sankar, Sr. Director – Product Strategy and Management at Raytheon, who shared several insights on extending virtualization to secure data. Below is the full interview.
FedPulse: Tell us about Raytheon Cyber Products.
Sankar: Raytheon Cyber Products is a wholly owned subsidiary of Raytheon Company, which focuses on delivering Commercial-Off-The-Shelf (COTS) solutions that solve cyber security challenges in the government and commercial markets.
The uniqueness of Raytheon Cyber Products is its pedigree of information assurance in the Defense and Intelligence communities, which enabled the company to understand and solve complex challenges in cyberspace from a unique perspective. Currently the pillars of the organization include cross-domain information assurance, insider threat protection, visual analytics and mobile security.
FedPulse: You recently authored an article for InformationWeek Government that highlighted the importance of protecting the data, rather than the mobile devices themselves. Tell us a bit more about this?
Sankar: Everyone knows that mobile devices have taken the professional world by storm – the disruption has been quick across commercial and government entities alike, and corporate and agency IT departments are trying to keep pace with the demand. Now, with the introduction of any new technology come concerns of security; in the case of mobile devices it is all the more a concern since they have become the target of the largest number of threats.
What is interesting is that technologies have been proposed and adopted with these devices in mind – Mobile Data Management (MDM), Data Loss Protection (DLP), encryption, secure containers, hypervisors, and what not – all aimed at protecting the data and apps on the devices. So all attempts are mostly device-centric. Maybe it is the allure of these new devices. But if you step back and look at it, it is really just another end-point – another point of access to data and applications. So our thought is that instead of worrying about the security of the device, why not focus on protecting the data, which is the issue in the first place.
We are not saying that device security is not needed, but given that the mobile phenomenon has largely been because of the user experience, we need to make sure we do not over-engineer the device-centric security aspects that can potentially compromise its benefits. So why not secure the data and apps in the enterprise or in the cloud instead of insisting that they reside locally on the device? Virtualization and secure redisplay technologies can do that and yet deliver an uncompromising user experience. This is the basic postulation in the article, which has received a lot of positive comments.
FedPulse: What more can federal agencies be doing to protect their data – especially as they embark on BYOD initiatives?
Sankar: We think federal agencies are already taking a hard look at this. Protection profiles for mobile, the NSA Mobility Capability Package, efforts by the Mobile Technology Tiger Team and other initiatives are all commendable progress in the right direction.
Agencies have a vast amount of data and this collection is only going to increase – and not all data is created equal. So it is important, we believe, to classify data and have a strategy around its purpose, who needs it and where. This is not an easy task but critical nevertheless, as part of their overall data management initiatives.
Pragmatically, we think mobile virtualization is an enabler of BYOD initiatives and can make it real. While technology can solve the security and data assurance issues, agencies will have to overcome policy and legal hurdles – this seems the biggest challenge right now. With our approach, the native mobile apps are virtualized in the back-end; we call this Virtual Mobile Infrastructure (VMI). Redisplaying the apps does not compromise the user experience but ensures that data does not physically reside on the device – so the policy issues around device-centric data security and management become much easier to deal with. Since the legal and policy issues are about the management of corporate information on a personal device anyway, the discussion and implementation now get much more realistic and easier to manage.
Today, solutions such as secure containers are being employed at agencies but many feel that they are not enough to secure sensitive or classified data – agencies really do not want data on a mobile device. That is where a solution such as our VMI comes in since it provides the additional level of assurance that data is secure and will not be lost or stolen from an end-point.
FedPulse: With the rise of mobility happening, it seems that hackers are getting more sophisticated. Is it possible for agencies to stay one step ahead of the bad guys?
Sankar: Staying a step ahead of the bad guys is what the whole security industry has always been trying to do! There is no question that threats are becoming more sophisticated and it is fair to say that with more technologies, there are more attack avenues and vectors.
Security is a process and not a one-time fix. When new technologies such as mobile devices are brought in, agencies need to understand what that means to their security posture and how it affects their risk management initiatives. As end points start to proliferate, it is important to ask what types of data need to be accessed, why, where and by whom.
There are many usage scenarios where agencies see the need for access to sensitive and classified data from mobile devices but they need to ensure the additional levels of protection against leakage, loss and theft. To start with, a good rule of thumb would be if you don’t want data lost or stolen from an end-point, could you stay away from placing it there in the first place?
A holistic approach to network security, employee training, adopting the risk management framework, and constant monitoring are some of the best practices that have been recommended by security experts and are very relevant.
FedPulse: Anything else to add?
Sankar: We think these are unprecedented times in government when it comes to IT – the convergence of different technology paradigms is providing opportunities for fresh thinking and innovative ways to make employees more productive and extend services. While the mobility paradigm has improved agency employee productivity significantly, with 90 percent or more of them going mobile, it can be a disaster if proper measures are not adopted quickly. But the trick here is to get the right solution based on the usage scenario.
We have spoken with key mobility leaders in government and we are excited to hear that the VMI approach is along the same lines as their thinking. We are in the process of discussing pilot deployments with a couple of them and look forward to successfully demonstrating the solution’s value in real-world deployments.
Additionally, given our pedigree in information assurance in the cross-domain/multi-level security space, we will be extending this to that environment very soon.
We would like to thank Ashok Sankar for taking the time to speak with us.