Three steps to secure BYOD for police departments
The New South Wales police department last year began a yearlong bring-your-own-device (BYOD) experiment for police officers. As part of a major IT modernization project, the department is permitting select mobile devices to access its central mainframe.
Is that safe?
Opinions vary. Some experts believe that organizations must have a holistic mobility policy that governs the use of mobile devices in the enterprise. Others state that encryption of mobile traffic is essential to protect sensitive data from interception. Both views are correct. Enterprises, especially law enforcement and public safety agencies, must have a policy governing the use of mobile devices. Police officers, inventive in their nature, will embrace BYOD if they believe that it will help them do their jobs and keep them safe.
The increased use of mobile devices with biometric capabilities presents advantages for officers and administrators alike. Mobile fingerprint, face or iris scanners can instantly identify a subject in the field, improving officer safety and police effectiveness. The same scanning capabilities can lock down a device until its owner and authorized user opens it with a biometric.
So, what must a CIO, police chief or sheriff do to be sure sensitive data doesn't end up in a precarious position if a device is lost, stolen or hacked? As table stakes, they should put in place a strong security policy that covers mobile devices, both issued by the agency and any that may be obtained by employees on their own. They must do that just to get in the game. Next, they should make sure that auto-protect and device-erase functionality are enabled on the mobile devices, at the very least. They should also consider using enterprise settings to control security on mobile devices, and encourage employees who may misplace mobile devices to immediately report the loss without fear of adverse action. The loss of a device is a minor inconvenience in comparison to a data breach that occurs because the phone was hacked before it could be wiped.
Many jurisdictions have already addressed these issues. The City of Albuquerque, for example, requires devices that access the city’s network to be password-protected, and include up-to-date anti-malware software and software patches. The city also “reserves the right” to enforce a mobile device management strategy to allow the IT department to configure, secure, monitor and wipe smartphones and tablets. Police department personnel must also be aware of the privacy implications involved in BYOD. A highly publicized court case in 2005 vividly illustrated this issue, when a police officer in Santa Fe, New Mexico, was required to provide the court with access to records of his personal cell phone activity during a DUI arrest. The prosecutor in the case declined to turn over those records, citing privacy concerns. The judge however ruled that the officer was acting as an “arm of the government” and was therefore not protected under the fourth amendment. Consequently the DUI case was dismissed. The lesson is obvious: Officers who bring their own devices to their jobs must give up some level of control and privacy.
But let’s think about the unthinkable: What if a breach takes place? If the agency had prepared for that, then data loss could be minimized, even if an Advanced Persistent Threat found a way in, or an insider decided to compromise a public safety computer system.
So the agency policy first has to focus on information security and not on the device that is used to access it. Most law enforcement agencies treat all information in their custody the same way, and apply security practices to the network using the “everything is critical information” model. I’d argue that if “everything is a priority, then really nothing is a priority.” Therefore, the goal should be to better identify what to protect and separate the most important information from any public network. This is already done in the federal system with classified information systems. In law enforcement, Communities of Interest (COIs) could be establish to segment data in ways that will protect it from unauthorized exposure.
Second, establish a security model and policy that addresses insider threats and not just the persistent attacks that hackers pose to the agency. To prevent data loss or breach, consider establishing Communities Of Interest (COIs) within a law enforcement or public safety agency. That solution means that information is only available to those employees with a need to access or review it as part of their official duties. Public safety agencies must consider adopting a corporate risk management approach that includes continuous diagnostics, monitoring and segmentation of law enforcement data that will prevent a “Snowden moment” involving a police agency.
Third, consider the use of cloud technology to shift the risk of protecting some public safety data to service providers that are well-equipped to protect it in accordance with federal information security policies and service levels written into the contract. Some vendors extend the same type of protection that exists within a private network to data in a public cloud.
The goal in information security in a BYOD environment is not focused on the devices that are used to access the network, but on the data security practices that the agency uses to classify and secure its data.
