October is National Cyber Security Awareness month, which according to the National Cyber Security Alliance is the annual “collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.” Cybersecurity is a paramount concern for agencies at all levels of government due to the nature of the sensitive data and critical systems they manage.
CDW published Mobile Strategies for Government, a white paper outlining the challenges government agencies face in regards to cybersecurity and mobile devices: “Governments must ensure the security of sensitive data and personal information attached to applications, and mobility complicates this objective. Government data is a favorite target of cybercriminals. Without special attention, mobile devices can be particularly susceptible to being compromised, and the inevitable breaches would undermine citizen confidence in mobile applications.”
One aspect of cybersecurity that continues to invite complexity into secure operating environments is the growing government employee base that interacts with protected agency networks using remote workstations and mobile devices.
Mobile Work Exchange’s State and Local Mobility Map: Road to Mobile Readiness report surveyed 150 state and local government IT managers on what mobile security technologies they have implemented within their agencies. The survey identified several popular elements of mobile security in use by government agencies today including mobile device management (MDM) and multi-factor authentication.
We looked into Onvia’s large database of procurement activity and spending plans from more than 80,000 agencies in the U.S. to find out which mobile security practices are most often mentioned in procurement documents.
Mobile Device Management – A First Step in Mobile Security
Mobile device management, MDM for short, is the industry term for solutions that enable the secure administration of mobile devices that are linked to a single network. According to Onvia’s Project Center, which consists of government bids, RFPs and awards at the federal, state and local level, mobile device management is one of the key elements of mobile security procurement activity. Growth in MDM contracts are directly connected to the growing adoption of BYOD or “bring-your-own-device” policies in the public sector. With declining control over which mobile devices have access to their networks, government agencies are looking for mechanisms to manage those devices remotely so they can keep their data secure, even if they don’t have physical ownership or control of that device. The illustration below highlights which levels of government are most active in procuring MDM solutions – school districts stand out as a particularly noteworthy area in our findings.
The graph above focuses on MDM projects that were large enough to warrant publishing of their own bid or RFP. While our research looked at procurement documents mentioning mobile device management terms in their titles or descriptions, we found that many MDM solutions are listed as one component of larger security projects. Therefore, this graph underreports the total activity around MDM in the public sector and excludes most MDM solutions that are part of larger IT security projects.
Mobile Device Management for School Districts
School districts are the second most common level of government to procure mobile device management solutions, only surpassed by federal agencies. We found an excellent article written by Matt Zalaznick in District Administration, describing why MDM was such an important factor for the nation’s schools. One of the primary drivers of MDM in school districts is the movement toward 1-to-1 teaching programs for students. School districts across the country are using mobile devices as a tool for delivering custom curriculum to students. Some of those devices are owned by the district and some are owned by the students. Sal Constanzo, director of technology resources at the New Albany Floyd County Consolidated School Corporation in Indiana, explained the need for MDM succinctly in the article: “Without a mobile device manager, we’d have everybody doing their own thing.” While many schools have opted for district owned devices to roll out 1-to-1 teaching programs, some districts are embracing BYOD. One recommendation Zalaznick presented in the District Administration article was, “BYOD districts should look for mobile device management programs that establish virtual ‘containers’ to designate how devices are used. These containers, often located in a cloud-type environment, can protect district networks from viruses or other potentially harmful content that are already on the personal devices.”
A recent bid requesting an MDM solution for Orange County Public Schools in Florida helps illustrate the complexity of MDM solutions in school districts that have a mix of district-owned devices, BYOD and multiple school sites that may each be managing mobile differently:
Request for Mobile Device Management Solution With a Proven Track Record
Mobile device management in schools isn’t limited to districts managing their own applications and curriculum – they also need to ensure their software doesn’t negatively impact student-owned devices as well. “Districts have to make sure personal data isn’t damaged or erased, if for instance, the school is loading educational apps for classroom work onto a privately-owned tablet,” said Jonathan Foulkes, Vice President at Kaseya, a provider of mobile device management technology, in the article from District Administration.
Customized curriculum for students delivered via technology offers great promise to education effectiveness, but it continues to present challenges to technology leaders having to manage the rapid growth in district-owned and student-owned mobile devices to enable that change – MDM is one mechanism to help government IT professionals manage that challenge.
BYOD’s Emergence as a Mechanism for Multi-Factor Authentication
One other major element of mobile’s impact on cybersecurity is that of authentication. In order to keep sensitive agency data secure, many government workflows require some form of two-factor or multi-factor authentication before sensitive data can be accessed. Simply defined, multi-factor authentication is “an approach to authentication which requires the presentation of two or more of the three independent authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.”
Traditionally, multi-factor authentication has been comprised of such methods as typing in a passcode generated by a physical security token, entering a special key card or badge into your computer or verifying your identity with a fingerprint or other biometric method.
Mobile devices play an important role in the evolution of this market because they can satisfy the “possession” factor as they are generally only something the authenticated user has access to. Paired with a standard password, mobile devices can act as the second “factor” in verifying identity, reducing the need for other proprietary technology to satisfy the “possession” requirement of a multi-factor authentication scheme.
We looked in Onvia’s Project Center to find examples of how multi-factor authentication is showing up in government procurement documents in order to answer the question of how agencies are specifying, purchasing and implementing multi-factor authentication in association with mobile devices. In analyzing thousands of IT procurement documents, we found four key ways mobile devices are acting as the second “factor” in multi-factor authentication schemes:
- Text message verification: The end user is required to type in a one-time use code that is sent to them via text at the time of authentication.
- Smartphone push: Most modern mobile platforms allow for push notification capability. For example, when performing a sensitive transaction or login the end user instantly receives a prompt on their mobile phone which they must approve or accept.
- Phone token: Rather than purchasing and providing a physical security token, newer methods allow for personal devices to act as the token itself by providing the end user with a unique code that must be typed in at the point of authentication.
- Mobile signature: This method utilizes the single digital signature located on a SIM card. For example, if there is a document that needs to be signed it’s sent securely to the SIM card and the end user enters a pin code that is then verified by the provider.
Below is an example of a recent project from our database mentioning mobile’s impact on an agency’s multi-factor authentication plan; there were many other examples just like this in our data set that illustrate the connection between mobile and user authentication:
Request for Information: Two-Factor Authentication Solution
Training Your Way to Better Mobile Security
Our research on mobile security trends in the public sector also highlighted the importance of effective training in a mobile security strategy. If mobile users are accessing sensitive data on their devices and are not thoroughly trained on the risks and best practices of doing so, the mobile security plan will break down. Another look at Mobile Work Exchange’s State and Local Mobility Map: Road to Mobile Readiness indicates that mobile-ready agencies are at risk for a security breach due to lack of training:
- 31% of mobile ready agencies have never received general mobility training including how to securely access work email, services and other materials from a mobile device when while working remotely.
- 36% of mobile ready agencies received security-specific training only once a year.
- 18% of mobile ready agencies have never received security-specific training.
With the adoption of BYOD bringing more and more mobile devices into the workplace, some agencies focus on the technology around security management while overlooking the best defense against security breaches: educating employees and mobile users on how to benefit from mobility while still ensuring best practices around data and system security with those devices.
Onvia believes there are significant opportunities for IT vendors to offer mobile security training to government buyers or incorporate comprehensive training into their proposals around mobile security and cybersecurity as a whole.
Ensuring Success in the Mobile Government Security Market
In using the Onvia database and third party research to look into the government mobile security market, one theme stood out: mobile adoption and growth will not slow down anytime soon and having a mobile security strategy is a “can’t say no” situation for many public agencies. For example, via Onvia’s Spending Forecast Center, which looks at agency budgets and capital improvement plans, we were able to identify that beginning in the year 2016 the City of Clermont in Florida has plans to spend $50,000 on a server and mobile device management system as a component of a larger two-year technology improvement plan.
As we’ve illustrated, mobile presents new challenges to agencies in regards to mobile device management, but it also presents new efficiencies to those agencies as a means of adding a second layer of authentication to many existing systems. With a mobile device in nearly every employee’s pocket, embracing the technology, managing the risks and training staff become the requirements for technology departments in agencies across all level of government.
To learn more about mobile government check out our recent blog post Local Governments Going Mobile to Create a Dialog with Citizens and our infographic Your Local Government: There’s an App for That!
For more information on National Cyber Security Awareness Month visit the National Cyber Security Alliance.