"We're thankful that we were able to get out a little bit in front of it," Elayne Starkey, Delaware's chief security officer, says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
In allowing employees to use their own devices, Starkey's department set up seven controls so users can access state computers securely, including requirements for strong passwords, inactivity timeouts and, if necessary, remote wiping for lost and stolen devices [see 7 Steps to Secure Mobile Devices].
Starkey also has seen an upswing in the move to cloud solutions over the last 12 months. Delaware has an architecture review board that looks at every new IT initiative, and Starkey's department was able to get contractual language included in front of all cloud initiative contracts. Her office also reviews the solutions.
With this paradigm shift in technology well on its way, organizations can no longer wait. "For the folks in the security world, it's really easy to stay secure in this space by not allowing the personal devices," Starkey says. "I'm afraid that's not a real practical decision now."
As organizations set up their BYOD [bring-your-own-device] policies, they must ensure that parameters are spelled out, expectations are set and that employees and IT understand what they're getting into. "At this point, the time to sit back and see what's going to happen is over," Starkey says.
In the interview, Starkey discusses the:
- Seven controls Delaware places on employees' mobile devices so they can access state computers with their own smartphones and e-tablets;
- BYOD phenomena that's sweeping business;
- Expected increase in demand by employees to use their own devices at work because of the introduction of the iPad3 [see iPad3 4G Nudges BYOD].
- Urgency for businesses and governments to implement BYOD policies without further delay.
Starkey has been Delaware's state CSO for more than six years. She earned two computer science degrees, a master of science from Rochester Institute of Technology and a bachelor of science from James Madison University.
Delaware's Mobile Device Policy
ERIC CHABROW: I'd like to discuss the way the mobile marketplace is evolving and how that has an impact on IT and IT security. But first, let's remind our listeners about Delaware's nearly year-and-a-half old policy of placing controls on mobile devices that can access the state network. Please take a few moments to remind us of that policy.
ELAYNE STARKEY: About 18 months ago we deployed a BYOD [bring-your-own-device] policy, which allowed our employees the flexibility and convenience of using their personally owned smart phone, rather than carrying around multiple devices on their hips, with the state BlackBerry. Their personal device gave them the option to consolidate to a single device, but along that came some important security controls and their willingness to abide by a minimum of seven security controls, things like strong passwords on the device, password history and inactivity timeouts, and if necessary, remote wiping for lost and stolen devices, encryption and lockout after seven failed attempts. Those are some of the same controls we have enjoyed for years on the state-owned BlackBerries and we wanted to extend those same important security controls to the new BYOD policy. It's been very successful. We've rolled it out almost without incident. Of course, in the beginning, we had a few challenges to get through, but we have a lot of folks giving up the state-owned BlackBerry for the personally owned device option.
Tablet Use Increases
CHABROW: What I find most intriguing about the new Apple iPad isn't the latest bells and whistles, but the rapid evolution of the e-tablet as a replacement for traditional clients, such as laptops and desktops. On my iPad, I've downloaded an app that converts my tablet into a Windows desktop with a full suite of Windows productivity tools when I'm connected to the cloud. Doesn't this potentially present a fundamental change in the way that IT organizations manage and secure their information resources? And this isn't just about BYOD; it could be cheaper to provide employees with iPads than laptops.
STARKEY: Yes to all of those - lots of opportunities for change, lots of challenges that go along with it, especially when you have the security hat on; lots of potential financial savings if you have the controller's hat on. We're watching it very closely. The iPad 3 was exciting to watch the launch. We definitely have a lot of interest. Just in general - the whole tablet space from our customers - the demand is increasing. I read something about the statistics. One prediction came in that by 2016, we're looking at possibly over 235 million mobile Internet devices out there. That's just an incredible number. It's interesting to watch the space as [it] changes. I think that it's very possible that the tablets could eventually displace the traditional desktop PC.
CHABROW: Would that mean more cloud services or that the state itself would take on more responsibilities of having more apps on its servers?
STARKEY: I think so. I think the cloud option, at least looking at what we're seeing right now, we have what we call an architecture review board that reviews every single new IT initiative, and there's been an incredible upswing in the move to cloud solutions just in the last 12 months. We were able to get out in front of that with some contractual language that needs to be a part of that, of all of those contracts, and it also requires a review from my office and from the department in general. We're definitely seeing an increase in interest of sending not only data to the cloud, [but] along with that comes, as you know, a lot of security challenges. ...
CHABROW: You would use more of the cloud services than Delaware's systems itself hosting different applications?
STARKEY: Absolutely - the ones that we consider mission critical. There are many applications that are not suitable for the cloud today, and may not ever be suitable for the cloud. We would continue to host those internally and protect them the way that we do today. But there are many that fall into the category certainly worth considering moving to the cloud.
Mobility and Cloud: Connected Challenges
CHABROW: Among the two biggest challenges IT security experts face today are mobility and the cloud, as we were just discussing. Employing e-tablets as clients is reminiscent of the old computing paradigm where data and processing reside on the servers, drops in the cloud and the client, with the front end to the system, with lower processing power. What goes around comes around. These are sort of connected challenges aren't they - mobility and the cloud?
STARKEY: Oh, without a doubt. They go hand-in-hand, and in fact, the review board that I mentioned earlier, it's interesting to see the applications that are coming in. They're coming in as a single application. I just reviewed one earlier this week that involves the purchase of a number of iPad devices, along with the procurement of a cloud service provider as well. So they're very tightly connected in my opinion.
CHABROW: I guess it goes back to something you mentioned a few moments ago - architecture. The approach to providing services, computing services, to employees and other stake holders, as well as the security of these has to be addressed as one entity.
STARKEY: I agree absolutely. It's no longer kind of a single-threaded vetting process. They've all got to be vetted together.
CHABROW: Do you see the organization itself - when I say the organization, perhaps in your case, the state government - evolving where the idea of the real services that are being provided to citizens and to employees really can't be divorced from the IT services being provided to them?
STARKEY: That's an interesting question. Our vetting process here is called a business case process. A business case summary is what our agencies submit, and it's called that by design. We're looking to understand the business and how IT comes behind it and supports the business requirements. That's something that many of us have been working on for a long time, finding the convergence between business requirements and technology requirements. We're not out there chasing technology for technology's sake - as fun as that can be. But we're here to advance and further the business, and in this case, the business of government. That's kind of what I see as IT's role, to determine and, first of all, seek to understand first what the business requirements are, and then come behind it with the appropriate technology.
Setting up a BYOD Policy
CHABROW: Let's just go back to the beginning of our conversation with BYOD. For organizations looking to set up a BYOD policy, what would you recommend?
STARKEY: I recommend not waiting. At this point, the time to sit back and see what's going to happen is over. I know that it's more secure and for the folks in the security world, it's really easy to stay secure in this space by not allowing the personal devices. I'm afraid that's not a real practical decision now, and we're thankful that we were able to get out a little bit in front of it, in front of the big wave of demand at least. It's important, as BYOD policies are being set up, that the parameters are spelled out, that the expectations are set so that your employees understand what they're getting into and, quite frankly, IT understands what they're getting into as well.