Recently, when I was watching ESPN, it played a humorous bit involving NFL insider Adam Schefter’s kitchen shaking as if experiencing an earthquake, only instead it was just the cumulative rattling and vibrating from his 5 or 6 cell phones on the table. Of course the engineer in me immediately noted the impracticality of someone needing so many smart phones; however, this was not always the case in the early days of mobile computing. I met plenty of IT folks during the late 90’s who carried multiple cell phones and multiple pagers, since this was before true “smart” technology put a miniature computer in people’s pockets. Fast forward to today’s world of ubiquitous smart phones, and one would think the need for carrying more than one mobile phone would be very limited, but that’s not always the case, especially within the federal government. Many folks still have both a personal and a work phone for various reasons, not the least of which is the separation of confidential work data from your Candy Crush high score. However, mobile security has come a long way these past few years, and various technologies like containerization allow a personal phone to be securely used for work purposes. As a result, many enterprises are saving money by implementing BYOD policies.
Bring Your Own Device (BYOD) allows employees to use their personal smart phones for work purposes, thus saving the cost of purchasing and maintaining a separate work phone for each mobile worker. Hardware and software have progressed to the point where IT can set policies to secure the data on mobile devices by controlling where it resides and how it can be used. However, a major sticking point is the authentication of a user’s identity, that is, verifying that the user is who they say they are. Establishing true identity verification from mobile devices has always been a challenge. However, the federal government already has a solution for other devices, as PIV and CAC smart cards work great for traditional physical and logical access points across the federal network. The problem with using these smart cards on phones is the form factor: using some type of sled or other physical card reader on a mobile device is so physically restrictive as to render it useless, and workers simply reject these solutions. So how can federal agencies securely implement user authentication on mobile devices in order to finally realize the benefits of BYOD? The answer can be found within a new standard called derived credentials.
In his February 23 blog, “What is a Derived Credential Anyway?,” Jonathan Benson provides a great explanation of how derived credentials work, as well as how Centrify’s Enterprise Mobile Management (EMM) implements them. In short, a digital credential is derived from a valid smart card and placed onto a mobile phone, essentially creating a virtual smart card on that device. Derived credentials allow applications that require smart card authentication to be accessed from mobile devices, including both internal and external SaaS applications. This allows user authentication on mobile devices to adhere to federal HSPD-12 standards, and solves a major roadblock to the implementation of BYOD within the federal government.
Mainly due to the aforementioned security concerns, federal agencies have been very slow to adopt BYOD policies, and instead are spending lots of money each month on government furnished equipment (GFE), on which often the only applications available are e-mail and instant messaging. These GFE phones generally cost somewhere between $40 and $60 a month per user. Centrify’s EMM can be implemented for a fraction of this cost, thus saving even a small organization thousands of dollars per month, while additionally providing secure access to corporate applications so that users become more productive on their mobile devices. As the 2012 Whitehouse.gov document “Bring Your Own Device” stated, “The business case for implementing BYOD programs vary from agency to agency, but often involve the following drivers: to reduce costs, increase program productivity and effectiveness, adapt to a changing workforce, and improve user experience.” Federal CISOs and security managers have wanted to implement BYOD for these same reasons, but historically have been hindered by their inability to comply with HSPD-12 and other security regulations, and therefore have not been able to do so. However, with derived credentials and Centrify’s Enterprise Mobile Management, BYOD has finally become a viable option for the federal government.
Learn more about how to secure BYOD within your enterprise here.