Facilitating secure mobile working
eolas discusses the security solutions that support the growing prevalence of mobile working and the impending implementation of GDPR with Vodafone’s John Clancy and Dr Csaba Kiss Kalló.
The growth of remote and mobile working has brought undoubted benefits to the public sector both in terms of increased productivity and reduced costs. This has been enabled by access to smart mobile devices as well as the development of cloud computing. This in turn has brought about a heightened focus on security.
A further issue driving the security agenda among public sector organisations, according to Vodafone Head of Government Sales, John Clancy, is the advent of the EU General Data Protection Regulation (GDPR), which comes into force next spring.
GDPR requires public sector bodies to appoint data protection officers. “All agencies have to appoint a data protection officer”, says Clancy. “There is a common myth that public bodies are exempt but Article 37 specifically covers them and states that they are covered unless otherwise exempted. The data protection officer and the business must ensure all necessary controls, policies and protocols are in place to protect data.”
That means ensuring mobile devices are secured as well.
“Most agencies should have their data protection officers appointed by now”, Clancy adds. “That person will be looking to see what infrastructure they have in place. In relation to mobility they need to look at mobile devices from end-to-end. What happens when someone gets a phone, are they issued with the policy for its use and so on, are they asked to sign the policy? It’s up to them to ensure that the policy remains up to date and GDPR compliant. They can go to the Office of Government CIO for support with this and private sector organisations like Samsung, Apple or Vodafone are ready to help as well.”
The fact that mobile devices can move out of the safe corporate area and connect from anywhere makes them vulnerable, according to Vodafone’s Head of Product Portfolio – Connectivity, Mobility and Security – Dr Csaba Kiss Kalló. “They are very often used for private as well as corporate purposes by employees so there are all sorts of applications installed on mobile devices that IT departments often don’t know about. This is actually a major issue because many IT departments hugely underestimate the number of IT applications that are being used by their staff. It means they’re more exposed to vulnerabilities,” he says.
One of the most important steps in putting a mobile security plan or strategy in place is identifying what it is you want to protect. “Organisations have to understand what their most critical assets are and devise a plan to protect them”, says Dr Kiss Kalló. “They also have to know where they are; are they on mobile devices, on the network, or in the cloud? That’s the starting point.”
He stresses that it is not just about technology. “It starts with the people in the organisation and they have to be educated about mobile security risks. The top management also has to acknowledge the importance of having a security strategy. There must be proper interworking between departments where each one has its own security plan in place but they work together cohesively to implement the overall strategy. The final part is technology. Organisations have to work with their technology partners to look at all layers of technology and put in place a protective shield to cover them. Data has to be protected wherever it is stored – on the network, in a datacentre or in the cloud.”
John Clancy points to a number of different technology elements which can make up a protective shield. The first is what is known as containerisation. This involves the creation of a partition in the device’s memory allowing personal and sensitive corporate data to be stored in different places. “If the device is lost or compromised the encrypted corporate data can be wiped preventing it from getting out to the public realm.”
The second element is a service like Vodafone’s Secure Device Manager which allows for multiple devices to be managed remotely. “It’s an over the air app which can lock down the device and wipe it if necessary. You can also use it to do things like turn off the camera in certain geographic areas.”
The third is the use of virtual private networks to create secure data paths between the mobile devices in the field and the organisation. “A lot of public service bodies now only send data over encrypted data paths”, Clancy notes.
The implementation of such a plan can be made much easier by working with service providers, says Dr Kiss Kalló. “We can configure multiple devices for groups of employees with the same profiles. We can set data usage limits and rules, traffic limits, countries where the device can and can’t be used, and prevent them from being used to access malicious sites. We take away the complexity for customers. When a customer employee gets a new device, they don’t have to enter their Gmail address or any other information or load any apps to configure the device; it works straight out of the box.”
This is particularly useful for organisations without dedicated IT departments. “Organisations don’t have the knowledge and capability to configure and manage multiple devices”, Dr Kiss Kalló adds. “This is effectively an injection of knowledge and expertise from Vodafone that we offer to our customers.”
Clancy points to the wider benefits of having robust mobile security strategies in place. “Citizens want to know that the data they share with public bodies for any reason will be safe and secure”, he says. “They need to be confident that their data is protected and won’t get into the public domain. There are also benefits for public sector workers. It will enable them to work remotely by making sure the data on the device is protected and still allowing them to use WiFi and broadband at home and so on. This is a big advantage and it will help drive productivity and cost savings for the public service.”
Looking to the future, Clancy says that public bodies need to be aware of emerging technologies like the Internet of Things (IoT) and the new risks they can represent. IoT networks can be made up of hundreds or thousands of small sensors or other devices which use SIM cards to connect to the internet. If these devices are not properly secured, they can represent a very attractive back-door route for hackers.
“IoT is an immature technology at the moment but it is evolving rapidly”, Clancy concludes. “Vodafone is about to launch its NB-IoT (narrow band internet of things) network which will enable customers to connect low power, very long battery life devices, over licensed spectrum which offers superior security levels to existing proprietary networks. This will be very important to public bodies in future as they embrace this new technology in areas such as smart cities and so on.”
For further information or to arrange an enterprise mobility and security consultation with a member of John’s team, please contact john.clancy@vodafone.com