7 Controls for Mobile Devices Accessing NetworksDelaware CISO Gives Up State BlackBerry for Personal iPhone
Until last fall, Delaware had allowed state employees to use their own mobile devices to access government servers with few restrictions.
"That was the piece that was keeping me up at night," the Delaware state chief information security officer told me the other day. "It was kind of an oversight on our part, more or less. We had not locked that down as tightly as we should have. In the beginning, it was not such an issue, but as the smart phones, the smart devices became more and more popular, we found that in our log files, the number of devices accessing the state network were continuing to grow."
It's similar to what's going in our world anyway. Who goes home at 5 o'clock and doesn't think about work anymore?
Starkey sleeps more soundly these days, having the best of two, potentially conflicting situations: allowing use of personal devices to access state networks and safeguarding those networks.
Delaware, as we reported last fall (see Wipe Out: Data Vanish on Smart Phones), rolled out a program to place limits on smart phones accessing the state network, and nearly three quarters of a year later, Starkey deems the initiative a great success.
Simply, employees who want to use their own devices must agree to have seven controls placed on their mobile phones. Those controls are:
- Strong password.
- Password history.
- Password that expires.
- Inactivity time out.
- Lock out after seven failed attempts to log on.
- Remote wipe if device is compromised or failure to log on after seven failed tries.
- Encryption, if devices is capable of employing it.
I'd be kind of jittery using my personal Droid under those conditions. Between my clumsy fingers and bad memory, I figure I would be one of those users who would try, and fail, seven times to log on, resulting in all the data on my phone being wiped clean. But perhaps I worry too much. "We never had a remote wipe for a security violation," Starkey reports.
Still, a number of users opted not to accept the new controls for other reasons, and no longer can use their devices to access state networks. In many instances, Starkey said, those employees just didn't use their devices to access state networks often enough so placing limits on them didn't make sense.
Starkey, though, decided to forego her state-issued BlackBerry about three months ago and has since uses her new iPhone to gain entrÃ©e to the state system. Why carry two devices? she asks.
Sure, Starkey misses some features in her old BlackBerry - cut and paste and a mini-keyboard absent on her iPhone. But the iPhone allows her to either separate her work from personal data or combine them, if she chooses, in a single display, sort the way she functions anyway.
"It's similar to what's going in our world anyway. Who goes home at 5 o'clock (and) doesn't think about work anymore?" she rhetorically asks with a chuckle. "We are 24x7 by nature, and we have to find ways to balance the home life and work life. This is one way that's effective in helping us do that."
In a week or so, I'll post my conversation with Starkey, who speaks extensively about the state initiative allowing the use of personal mobile device at work.