7 Steps to Secure Mobile Devices
Initiative Shows Personal Devices Can Securely Connect to Network
"We had done all of our planning assuming that the majority of that population of identified users that we started out with would definitely want to continue over and continue their connection," Starkey says in an interview with GovInfoSecurity.com Executive Editor Eric Chabrow (transcript below). "I was surprised that we cut that number in half. We didn't really plan for the cases where people were just kind of dabbling around the edges and just kind of playing and trying to set up a connection, but really didn't have a sustainable need to keep it going into the future."
Starkey last fall spearheaded the effort to secure devices in order to prevent the government network from becoming compromised (see State Battles Data Leakage). "Only devices that have been pre-approved and where the owner of the device has agreed to seven different security controls would be allowed on the state network," she says.
Those seven security controls are:
- Strong password;
- Password history;
- Password that expires;
- Inactivity time out;
- Lock out after seven failed attempts to log on;
- Remote wipe if the device is compromised (lost or stolen), and an automatic wipe after the seventh failed log-on attempt; and
- Encryption, if the device is capable of employing it.
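The article does not say which management system pushed these controls to the devices. The following is an added example, not code from the article or from the State of Delaware, that expresses the same seven controls as an Exchange ActiveSync mobile device mailbox policy, on the assumption that the personally owned phones synchronise mail through ActiveSync. The policy name, the mailbox identity, the device identity and the notification address are hypothetical; the cmdlet names are those of Exchange 2013 and later and Exchange Online (Exchange 2010 uses New-ActiveSyncMailboxPolicy with "Device" in the parameter names, e.g. -DevicePasswordHistory).

```powershell
# Added example (not from the article). ASSUMPTION: devices connect via Exchange
# ActiveSync. Names marked "hypothetical" are placeholders for illustration.

$policyName = 'BYOD-SevenControls'   # hypothetical policy name

# Splatting keeps the per-control comments next to each setting; a backtick-
# continued command line cannot carry trailing comments.
$policy = @{
    Name                          = $policyName
    PasswordEnabled               = $true          # 1. strong password: required ...
    AlphanumericPasswordRequired  = $true          #    ... alphanumeric, not a 4-digit PIN
    AllowSimplePassword           = $false         #    ... no 1234 / 1111 style values
    MinPasswordLength             = 8
    MinPasswordComplexCharacters  = 2              #    at least two character classes
    PasswordHistory               = 5              # 2. history: the last 5 cannot be reused
    PasswordExpiration            = '90.00:00:00'  # 3. expires after 90 days (d.hh:mm:ss)
    MaxInactivityTimeLock         = '00:05:00'     # 4. inactivity time-out: lock after 5 min
    MaxPasswordFailedAttempts     = 7              # 5+6. seventh failed attempt wipes the device
    RequireDeviceEncryption       = $true          # 7. storage encryption must be on
    AllowNonProvisionableDevices  = $false         # devices that cannot enforce policy are refused
}
New-MobileDeviceMailboxPolicy @policy

# Assign the policy to one mailbox (hypothetical identity). The controls are
# pushed on the device's next ActiveSync provisioning exchange, which matches
# the "next time they connect" behaviour described later in the interview.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# Check that the device actually acknowledged the policy rather than merely
# continuing to sync. DevicePolicyApplicationStatus should read AppliedInFull.
Get-MobileDeviceStatistics -Mailbox 'jdoe' |
    Select-Object DeviceType, DeviceModel, LastPolicyUpdateTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# Control 6, remote wipe of a lost or stolen device (hypothetical device identity,
# taken from the Identity column of Get-MobileDevice -Mailbox 'jdoe').
$deviceId = 'jdoe\ExchangeActiveSyncDevices\iPhone§ABC123DEF456'
Clear-MobileDevice -Identity $deviceId -NotificationEmailAddresses 'jdoe@example.gov'

# Exchange 2016 and later / Exchange Online can restrict the wipe to the
# mailbox account's data, leaving personal photos and apps in place:
#   Clear-MobileDevice -Identity $deviceId -AccountOnly

# The wipe is only queued here; it is carried out when the device next syncs.
Get-MobileDeviceStatistics -Mailbox 'jdoe' |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Two caveats for anyone mapping the seven controls onto a policy like this. ActiveSync has no "encrypt if the device is capable" qualifier: with RequireDeviceEncryption set and AllowNonProvisionableDevices off, a device that cannot encrypt is refused rather than admitted without encryption, so a device class that cannot encrypt needs a deliberate decision (for instance a separate, weaker policy assigned to those mailboxes) rather than a silent exception. And MaxPasswordFailedAttempts is a local wipe performed by the device itself, so it works even when the device is offline, whereas Clear-MobileDevice is queued on the server and takes effect only when the device next connects; a thief who keeps the device off the network defeats the second but not the first.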
Starkey has been Delaware's state CSO for the past six years. She earned two computer science degrees, a master of science from Rochester Institute of Technology and a bachelor of science from James Madison University.
Mobile Device Initiative
ERIC CHABROW: For those who haven't heard our first conversation last December, please take a few moments to describe this initiative?
ELAYNE STARKEY: We have been taking a look at the whole issue of personally owned mobile devices attaching to the state network for some time now, and last fall we moved forward with an initiative to basically lock down that process so that only devices that had been pre-approved and where the owner of the device has agreed to seven different security controls would be allowed on the state network. We went from about 700 devices that had been previously connected with essentially unfettered access to the state network down to the mid-300s now in terms of those that have gone through the process. The users have acknowledged the responsibility they have that's tied to the connection to the state network, and agreed to and accepted our security controls.
CHABROW: What are those security controls?
STARKEY: The seven security controls are strong password, a password history or a remember feature, passwords that expire, inactivity time-out, a lock-out after seven failed attempts, the ability to remote wipe lost or stolen devices and encryption if the device is capable of encryption.
Employee Notification
CHABROW: Can you walk us through the process of how employees were notified about this program and the steps taken to secure these mobile devices, actually putting on these controls?
STARKEY: We basically alerted all of the users when we were able to. There were some devices, like personally owned BlackBerries, that the internal mechanisms and the logging mechanism is such we couldn't do targeted communication, but when we could we sent out targeted communication to all of those users that might be impacted by it. We let them know about the new policy, the reason behind the new policy, which is kind of an important part of the whole communication plan, and let them know that we're just not trying to be difficult, we're just not trying to impose rules but we're working to secure and to prevent data leakage and data loss out of the state network.
They were then given the opportunity to go to an online form and complete the form requesting access and get their manager's approval for that access so that we know that there is a true business need for that connection. Then they would digitally sign and acknowledge the agreement to those seven security controls that I just mentioned. If they didn't go through that process, then they were advised well in advance of the cut-off date when they would no longer be able to access the state network. Surprisingly, we had a number of folks that read through the communication, thought about the security and said, "I kind of did this as a convenience but I thought I'd try to just test it out, but I really don't have a sustainable business need to do this going forward." And as I said earlier, our numbers dropped in half in terms of the number of devices that are connecting.
CHABROW: To make it clear, there were personal devices that were accessing the state network before this program went into effect?
STARKEY: There were. Yes, that's the piece that was keeping me up at night basically. It was kind of an oversight on our part more or less. We had not locked that down as tightly as we should have. In the beginning, it was not such an issue, but as the smartphones and the smart devices became more and more popular, we found that in our log files a number of devices that were accessing the state network were continuing to grow.
State-issued Devices
CHABROW: How does this have an impact on state-issued devices?
STARKEY: That's a very interesting question and lots of conversations are going on about that. We have been a BlackBerry shop here for six or seven years. We very much enjoy the BlackBerry, the BES environment. The BlackBerry Enterprise System has served us very, very well. The devices have been great. The security controls are top of the line in my opinion. We've enjoyed that environment here for many years, but they're kind of falling out of favor with our customers. Those customers now prefer Droids and iPhones and other devices. We still have a fair number of BlackBerry users out there, both personally owned and state-owned, but our state-owned device count is pretty well stabilizing if not decreasing slightly. Users still have the option; our BlackBerries are still the state standard, so for state-purchased devices that's the device that we support across the enterprise. We still get a fair number of support issues and calls on that. If it's a personally owned device, that's kind of where we draw the line. We will certainly provide support to help them get connected to the state network, but we're not staffed properly. We're just not resourced to be able to support the myriad of different devices that are out there. Our support options are limited to just the BlackBerry.
CHABROW: The people who are taking advantage of this program, are they all kinds of workers or a specific class of workers?
STARKEY: I don't think there's a specific class. It's very popular across cabinet secretaries, in the governor's office, legislators, division directors, usually people with management responsibility or just a need for that 24/7 connectivity. It may not even be a manager. It may be someone in our health and social services or transportation departments that just literally needs to be connected and wired 24/7.
The Transition
CHABROW: Let's talk about that. Maybe you could use yourself as an example. I believe you gave up your state BlackBerry in favor of your iPhone.
STARKEY: I did. I'm about three months into it. I'm no longer carrying two devices on my hip. I'm just carrying the iPhone.
CHABROW: Talk about the mix between the work environment and the personal environment in a sense of using one device. Do you see what you're doing may be representative of what other people are doing?
STARKEY: It's been very convenient for me. It's real easy on the iPhone to pull in either your personal inbox mailbox as well as your work. Now I can keep them separate if I need to, or I can change the display so that they're coming in and it appears as if they're just kind of intertwined. It's similar to what's going on in our world anyway. Who goes home at five o'clock and doesn't think about work anymore? It's just a change in the workforce and the way we operate. We are 24/7 by nature and we have to find ways to balance the home life and work life, and this is one way that I think is effective in helping us do that.
CHABROW: You're finding it very useful?
STARKEY: Yes, very much so. I had a little trouble in the beginning. I've been a big fan of BlackBerries for a long time and there are just certain things about the BlackBerry that makes it better suited for enterprise work environment. There are a few things I had to give up but overall they have not been showstoppers.
CHABROW: What were the kinds of things you had to give up?
STARKEY: User-interface things more than anything, like some cut-and-paste features that I used to enjoy on the BlackBerry. I did have a little trouble getting used to the touch screen believe it or not. Some people either love or hate them it seems like. I did kind of like the keyboards, the little mini-keyboard, on the BlackBerry, but after a couple of weeks you get used to those things.
CHABROW: Are state employees limited to a number of devices? Could someone have an iPad, an iPhone or a Droid to participate in this program or are they limited to just one?
STARKEY: They aren't limited. We don't impose a limit. In fact, I think a number of our judges have both iPads and some type of mobile, so either a Droid or an iPhone.
CHABROW: Since you implemented this program, anything surprise you about it?
STARKEY: I guess probably the biggest surprise is what I mentioned earlier. We had done all of our planning assuming that the majority of that population of identified users that we started out with would definitely want to continue over and continue their connection. I was surprised that we cut that number in half. We didn't really plan for the cases where people were just kind of dabbling around the edges and just kind of playing and trying to set up a connection, but really didn't have a sustainable need to keep it going into the future.
Opting Out
CHABROW: What were some of the reasons you heard that they decided not to opt for this program?
STARKEY: Everything from ... just playing around with it and connected once and really didn't need the connections to significant privacy concerns about, "I've got my kid's pictures, I've got my private personal information on this. I really don't want the state to be able to remotely wipe this device if there's a problem. I really just want to keep my two worlds a little bit more separate than that." We've had lots of conversations about the acceptable use policy and where the governance starts and stops on our policy, lots of clarification. I have spent many, many hours on the phone and e-mail clarifying our state acceptable use policy is intended to cover the state data and state transactions only. It does not cover the personal use of the device.
CHABROW: Are there any, really legitimate, privacy concerns state employees should have about their own personal information on their devices?
STARKEY: No, we're not in the practice of monitoring or eavesdropping. That's just an area that we don't want to get into and technically we cannot get into. If they're concerned about other eyes seeing that data, then it's an unfounded concern.
CHABROW: If you fail the log-in seven consecutive times, does it wipe out the data?
STARKEY: It does.
CHABROW: I just know that so often I forget a password.
CHABROW: Was that another concern that people expressed?
STARKEY: It is, but it turned out to be not a big issue. I thought our numbers would be high and they're really not. They are very, very small, early in the deployment of course, but we have not had to remote wipe for any type of security violation at this point. The seven failed attempts, typically when they get to the third or fourth, they're stopping and taking a breath and they may even be getting on the phone with someone, either their provider or with us to make sure that they don't get to that seventh failed attempt.
State Subsidization
CHABROW: Is the state subsidizing at all employees who use their own device to access the state computer network?
STARKEY: We are. We're piloting a program in my department, the Department of Technology and Information, where employees will get reimbursed for their usage. If they give up their work device or work BlackBerry basically, and have a business need to continue the access to the state network, they could be reimbursed $30, up to $40 if they have a voice plan ... or their Internet usage for the device used. They still pay for the device itself; we simply reimburse for the ongoing monthly charges.
CHABROW: Which would be something you would normally pay if you were using a BlackBerry?
STARKEY: Correct, and it would be more than that. There's actually a net gain; those are the numbers that we're working on right now where there's interest from the governor's office, taking a look at the results of our pilot and possibly considering statewide.
CHABROW: You said there are fewer people accessing using their own devices, but will this perhaps change the way some employees look at their own jobs? Or maybe they will be a little more active because they can now use their own devices, or maybe qualify for a state BlackBerry?
STARKEY: I think so, but I think the flip side of that is it's possible too that there is a feeling that if I used to have unfettered access to the state network and now I have to jump through a couple hoops to continue that access, I'm just not going to go to the trouble. I'm just not going to continue to be maybe as diligent about keeping up with my e-mail in the evening hours. I'll wait until eight the next morning.
CHABROW: I guess for some people that may be a better thing to do anyway. Are you pleased that you went ahead with this initiative?
STARKEY: [I] couldn't be more pleased. I'm sleeping a little bit better at night. This isn't a perfect solution by any stretch, but it's a far better place than we were this time six months ago, before we began the lock-down process. I recognize that there are still some issues that need to be cleaned up, but we have closed a very significant vulnerability in my mind here in Delaware.
CHABROW: How does this work in a governance sense? Who is responsible for this program? Is this your office or do you have people assigned to it?
STARKEY: The whole initiative was sponsored from my office. We have worked closely with a number of our other internal teams [that] have been part of the roll-out process. Obviously, our telecommunications, the technical folks were very engaged and our change management team was responsible for all of the communications to the customers, so it's been a great team effort.
How the Process Works
CHABROW: Physically, what goes on when someone says, "Yes, I want my device to be secured?" Do you take the device or how does that work?
STARKEY: No, we don't need to physically touch the device. They simply go to the website where the form is, get the form [and] the approval process going. Once the form is approved then we can configure that device remotely, push the seven security controls out to their device and then the next time they connect, all of the new security controls are in place.
CHABROW: What did it take to develop this system which you just described?
STARKEY: Not much at all. It's part of our standard work-request system. We use it for all of our tickets, our service desk tickets. It's simply just another type of work request that we've added to that system.
Interest from Other States
CHABROW: Are other states, government agencies or any kind of organizations expressing interest in what you're doing there?
STARKEY: I received a lot of help before we embarked, before we made any final decisions on what we wanted to do. We did kind of an informal survey of the other states. I received a lot of good information on what other states were doing or not doing. The state of Montana was great help to us. In fact, we modeled our request form after the form that they were using in Montana. A number of states have been in touch with me since we deployed. [They] wanted to sit on the sidelines and see what we did and the problems we ran into so that they could move forward. In my meetings with the other state chief security officers I received a lot of questions and a lot of requests for the package that we've put together here in Delaware.
CHABROW: Are BlackBerries yet able to access this?
STARKEY: Personally-owned BlackBerries. We went live with that block about two weeks ago. That completes kind of our final phase of the lockdown. We had to deal with the BlackBerries a little differently because what was made of on the device is a little different from the other devices, and also as I mentioned earlier, we couldn't do a targeted communication plan to those users. We pulled them, did them separately and we actually ran into a small hiccup. It was more on our side on the documentation. We needed to be a little bit clearer on the documentation. We pulled it back for a few days and then went back with a block and it's been up for about a week and a half now with no issues.
CHABROW: Is there a cost associated with this?
STARKEY: No. I can't think of any direct cost, other than some of the reimbursement costs that we mentioned earlier. In the end, that's really a net savings if they're turning in a personally or state-owned BlackBerry.