Mobility Asset Management and BYOD Challenges

By Barb Rembiesa

Many users have incorporated smartphones and tablets into their daily lives, and are blending activities such as Web browsing, games and mobile payments with business uses such as corporate email. As a result, the federal government and the private sector are confronting how to fully embrace mobile devices in their environments.

IT asset management has now evolved to not only account for company-owned IT assets, but also to ensure that the proper security—both physical and cyber—is implemented and accounted for on all mobile devices entering and exiting the work environment, whether company-issued or employee-owned. Mobile asset management (MAM) is the key element in managing a mobile environment that must ensure the security of data and information in conjunction with physical security practices.

Enterprise mobility holds great promise for productivity, but at what price? The bring-your-own-device (BYOD) trend brings with it a variety of devices, operating systems, access points and applications that are forcing IT to re-examine the traditional defense-in-depth security model that served it well while managing PCs and laptops. MAM must be in step with IT security in defining this new mobile security model. It must take into consideration controls across iOS, Android, BlackBerry and Windows 8 devices, as well as strategies for securing devices and squashing threats.

Many variations of data retention and transmission coexist in today’s IT environment:

  • Direct in-house data access via a closed network using IT asset management (ITAM) practices, accounting for all endpoint devices that are connected to the network;
  • Remote access by company-provided endpoint devices that can access data only through preconfigured portals in the security framework, enabling the remote user to connect to the environment;
  • Remote access to the company’s environment with non-company-provided assets via the Internet, with separate access to select areas of the data environment;
  • Inside or remote access to company data via user-owned mobile devices, such as iPhones, iPads, tablets, other smartphones, memory sticks and external storage devices.

The U.S. government has implemented policy and standards that define the security and accountability of the IT environments for both the private and public sectors. The Office of Management and Budget has been charged with governing the guidelines.

The Federal Information Security Management Act of 2002 (FISMA) and the associated National Institute of Standards and Technology (NIST) standards are driving all federal agencies and government contractors to adopt a security risk-management approach for their IT environments. The specific IT controls in NIST Special Publication 800-53 have become the “holy grail” for federal agencies, and NIST Special Publication 800-37 drives a risk-based approach to prioritizing the work to be performed, modeled on the principles of confidentiality, integrity and availability.

FISMA compliance and the underlying NIST documentation require MAM to either lead or support the following:

  • Inventory the environment.
  • Categorize both fixed assets and mobile devices.
  • Define minimum security controls.
  • Establish an ongoing risk-assessment process.
  • Develop system security plans for fixed assets and mobile assets.
  • Conduct regular certification and accreditation of the systems.
  • Provide ongoing monitoring of the IT environment.

The goal of FISMA is to verify through an annual audit that agencies and contractors can respond to changes in the IT architecture—both foreseen and unforeseen—in an efficient, consistent and prioritized manner based on asset information and information risk.

To protect against malicious or accidental network intrusion, detection devices are required throughout the network. A multilayer security approach is recommended, with routers and firewalls protecting the perimeter of the corporate network. MAM must work in conjunction with the IT security group to maintain the firewall and router access lists that segment the network and permit only the specified traffic between segments.

The security group must perform content scanning of the various types of traffic in each segment and implement content filtering in accordance with the corporate internal network usage and security policies. Antivirus software is also deployed on the endpoint and server environments. These applications are managed by the ITAM organization and ensure that software security is maintained. FISMA standards will shift agencies to real-time threat monitoring of the IT infrastructure.