Is Secure Mobility an Oxymoron?

Just two weeks ago the U.S. National Institute of Standards and Technology concluded that mobile devices – smartphones and tablets – commonly used to capture, share and access our most sensitive healthcare data are overall not secure enough to keep hackers at bay. They say the most private details of our lives are not safe from easy access by strangers’ eyes despite the security capabilities frequently touted on consumer and enterprise mobile devices: Two-factor authentication, fingerprint scanners, voice recognition, etc. However, this issue is far from exclusive to healthcare.

While privacy concerns in healthcare have been a big issue for a long time, in fact mandated by the HIPAA law in 1996, the service sector is now faced with similar concerns. Utilities, public safety, manufacturing, transportation and even government organizations have quickly moved from paper-and-pen to tablet-based workflows. As they’ve become more mobile in their daily operations, security concerns have quickly risen to the forefront.

Does that mean that secure mobility is an oxymoron? That there’s no real way to safeguard our confidentiality when we extend data access beyond wired desktops or fortified brick walls?

Here’s what I believe: There are indeed many mobile devices being used by field service professionals today that are not capable of meeting the highest security standards required because they are consumer-type tablets and true data security wasn’t considered during design. Some are just not able to accommodate certain security costs within target price points. Other devices simply weren’t intended for heavy data workflows in vertical sectors and they’re now trying to compensate for missing security elements, such as smart card readers. That could explain why NIST’s National Cybersecurity Center of Excellence also issued a separate building-block proposal last month that would more effectively secure mobile devices for all industries via Derived Personal Identity Verification (PIV) credentials.

However, while implementing a comprehensive set of procedures and policies will likely improve the security configurations for these devices, the better alternative for field service organizations is to buy mobile devices that already have security built in. Think about trying to use sedans to support an HVAC company. You could take out the back seat, leave the trunk partially open and strap supplies on the roof. Or you could buy a truck.

Mobility Information Security for Rugged Tablet PCs

The point is: Threats to data are widespread and non-discriminatory across all industries and all PC form factors. However, it would be irresponsible for anyone to say that no mobile device on the market today is properly equipped in its current state. It’s just easier and more cost-effective to defend your data by arming workers with fully secured devices from day one than to retrofit, over time, devices that are not really fit for this type of duty in the first place. Many rugged tablet PCs are in fact secured specifically with data protection as the priority and would likely satisfy – if not exceed – any standard set by NIST’s forthcoming mobile security guide for healthcare or any other sector.

So, no, secure mobility is not necessarily an oxymoron, as long as IT decision makers – whether selecting a mobile device for a law enforcement officer, a forklift operator, a doctor or a DOD employee – clearly understand the level of potential mobile data activity on each device, as well as the internal and external points of vulnerability not only for the device itself but also for their organization’s overall IT infrastructure and their industry as a whole.

That means identifying and assigning the most appropriate internal and external security methods for the mobile device, including the following:

  • Access security: Perhaps the most obvious security measure, access credentialing is most effective with a multi-faceted approach. For highly sensitive data, including any type of corporate data, require at minimum two-factor authentication using any or all of the following: fingerprint sensor, smart card reader, voice recognition, password, PIN, VPN with digital certificate or a USB hardware token.
  • Physical security: People often underestimate the importance of physical device security. Besides protecting an organization from high replacement costs, physical security methods ensure the device isn’t easily stolen. Eyes aren’t always on a mobile device and many field service technicians will leave their tablet in their truck while inside a home for a service call – with the truck unlocked. Make it more difficult for someone to literally walk off with data via lockable vehicle docks, built-in Kensington security lock slots and lockable overnight charging stations.
  • Physical security of the data: Even though the device is physically secure, you’ll want to ensure the data is just as secure with tools such as BitLocker.
  • Software security: Mobile device software is arguably more vulnerable to attack for the simple fact that many users unintentionally use unsecured wireless networks for connectivity. When workers are in the middle of nowhere, they don’t always pay attention to where their wireless signal is coming from; they just know they have one and they can access the data they need now. That means they could be oblivious to attacks too. All the more reason to ensure the following software defense features are built into any device deployed for business:
    • Trusted Platform Module (TPM): stores cryptographic info such as encryption keys. It doesn’t rely on the OS and isn’t exposed to external software vulnerabilities, making it that much more secure from external software attacks and physical theft.
    • Mobile Device Management (MDM): allows you to secure, monitor and support mobile devices remotely. If a device does go missing, MDM lets you remotely lock the device or completely erase sensitive data from a distance.
    • Anti-theft software
    • Pre-boot authentication: if the device falls into the wrong hands, they’ll have no way to get at your data.
    • Absolute Computrace® security: can help with recovery of a lost tablet, and can even be used to wipe data if necessary.
    • Data encryption
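
One way to spot-check a Windows tablet against the TPM, BitLocker and pre-boot authentication items above (an added example, not part of the original article). It relies on the built-in Get-Tpm and Get-BitLockerVolume cmdlets; the helper name Test-DeviceBaseline and the sample values are assumptions made for illustration.

```powershell
# Added example: check one Windows device against the list above.
# Test-DeviceBaseline is a hypothetical helper name, not a built-in cmdlet.
function Test-DeviceBaseline {
    param(
        [bool]$TpmPresent,
        [bool]$TpmReady,
        [string]$VolumeStatus,        # e.g. FullyEncrypted, EncryptionInProgress
        [string]$ProtectionStatus,    # On, Off or Unknown
        [string[]]$KeyProtectorTypes  # e.g. Tpm, TpmPin, RecoveryPassword
    )
    # BitLocker protectors that demand a PIN or startup key before the OS boots.
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    # ProtectionStatus Off on an encrypted volume means protection is suspended:
    # the volume key is readable from disk until protection is resumed.
    $checks = [ordered]@{
        'TPM present and ready'       = $TpmPresent -and $TpmReady
        'OS volume fully encrypted'   = $VolumeStatus -eq 'FullyEncrypted'
        'BitLocker protection active' = $ProtectionStatus -eq 'On'
        'Pre-boot authentication set' = @($KeyProtectorTypes |
            Where-Object { $_ -in $preBoot }).Count -gt 0
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

# Constructed sample: a tablet encrypted with a TPM-only protector, so it
# unlocks the disk at power-on without asking the user for anything.
Test-DeviceBaseline -TpmPresent $true -TpmReady $true `
    -VolumeStatus 'FullyEncrypted' -ProtectionStatus 'On' `
    -KeyProtectorTypes 'Tpm', 'RecoveryPassword'

# Live device: run from an elevated prompt, both cmdlets need admin rights.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Test-DeviceBaseline -TpmPresent $tpm.TpmPresent -TpmReady $tpm.TpmReady `
        -VolumeStatus $vol.VolumeStatus -ProtectionStatus $vol.ProtectionStatus `
        -KeyProtectorTypes $vol.KeyProtector.KeyProtectorType
}
```

The constructed sample passes every check except pre-boot authentication, which is the gap a TPM-only BitLocker configuration leaves on a device that is encrypted but still boots unattended.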

And remember: What typically works for a desktop may not be enough for a mobile computing device that is more exposed to easy access by multiple unintended users. Secure your mobile devices from the inside out and you can make even the most rugged mobile tablet PCs more impenetrable than they already appear.

Read NIST's National Cybersecurity Center's Proposal for Secure Mobile Devices