British Experts Evaluate Protection Needs for Public-Sector Mobility
BYOD security looms large for policy makers.
U.K. government entities at various levels are looking into bring-your-own-device policies for their purposes. And while their mandates differ, they all have one factor in common—a need for the right level of security. To help groups at the most open classification levels make the right choices, a U.K. security agency has released a series of guidance documents that outlines what decision makers should consider.
Bring-your-own-device (BYOD)/mobility guidance became a particular focus of attention over the past 12 to 18 months for the U.K. government security community. In October 2013, CESG released its End User Devices Security and Configuration Guidance, which contained overarching information to enable the U.K. public sector to better understand the factors involved in meeting their business requirements. The organization also put out guidance for 11 platforms last year and subsequently has updated the various documents in 2014. The guidance explains specific platforms’ strengths and limitations. For example, authors describe data-at-rest protection, outlining different considerations for laptops (for which encrypting data at rest probably is a good idea) versus desktops (for which it likely is less necessary). Experts update the guidance as necessary when new versions of operating systems, new systems and new features are released. Beyond configuration or per-device advice, the documents also explain broader considerations, such as how devices will interact with an enterprise network. The CESG’s points address the overall nature of security rather than individual settings alone.
Staff involved in the compilation and release of the guidance say it differs from suggestions released in the past in that it focuses on more than providing instructions on appropriate security and security settings. Rather, the documents aim to find the balance between usability and security to enable people to deliver the jobs assigned to them. Decision makers must find the minimum set of security rules for each device that will make it appropriate for use.
The CESG is a highly sensitive British organization serving as the National Technical Authority for advice and services to protect the U.K.’s information technology systems. It does not set, mandate or ban any particular approach to the use of technology or security. It tries to assist the public sector with working out its security needs and provides advice on security properties in given technologies as well as how to configure technologies to meet the needs. The CESG plays an advisory role to its partners in the U.K. government, working closely with those across the public sector who set strategy and policy around technology. In particular, the CESG works with the Government Digital Service, part of the cabinet office.
An official with the CESG says, “It’s important to be quite clear—the guidance we’re talking about is not an endorsement of or a ban around BYOD. It’s a separate angle on the discussion, if you will.” The question of management is a different matter. Names of technical CESG sources are withheld for sensitivity reasons. The role of the CESG is not to promote a policy nor a technology. The group helps organizations determine their security needs and whether they can be met by a BYOD strategy.
The U.K. government, as with the U.S. government, has no overarching BYOD or mobility policy. The technology and the idea in general still are emerging. Further complicating matters is the complexity of government itself. The United Kingdom’s central government has ministerial controls and large departments, but, again similar to the United States, local authorities run many government services. No central control operates over those more regionalized decisions, and various policies have to work together to deliver services.
Even figuring out exactly what constitutes BYOD can present a challenge. The term refers to an ownership model in which employees, in this case of the government, use their own technology to perform work functions. “The real security question we need to think about is one of control,” a CESG official says. “It doesn’t really matter who owns the device from a security perspective. It’s about who has responsibility for the device and makes sure it’s doing the right things with security.” Who has that responsibility can vary from an individual to many people within an enterprise. In the end, though, someone has to take the responsibility for keeping information safe and secure. CESG input aims to make sure those individuals have the resources they need to make the right decisions.
CESG officials have no preferences on what systems people choose to employ as long as they make wise selections for their security. The organization does not rank technologies, or put them into a league table, from most to least secure, not only because it does not advocate certain solutions, but also because the way in which groups approach security depends on their situations. They need to select the right implementation for their specific scenarios.
Having a broad view over many technological options should remain important for the foreseeable future, as many experts agree that an overarching mobility regulation is unlikely to emerge in the United Kingdom soon. Choices will be led by the individual organizations. What they need is information that allows them to understand risks so they choose wisely. That means taking into account more than simply security when considering a wide-scale adoption of a policy such as BYOD. Other factors such as how to perform effective discovery of information if a Freedom of Information Act request is received or how to support an enterprise also play a role in determining the right approach to an organization’s mobility. So, many issues, including some that can be tricky according to CESG, must be addressed before widespread adoption.
Though the considerations in the mobility debate are numerous, the discussion is necessary for the almost inevitable way business will be conducted moving forward. “I think BYOD is really important not just for what it is itself,” a CESG official explains. “This isn’t just a technology problem. I see BYOD as people really telling us their user needs are not being met through traditional government approaches to information technology.” The issue goes beyond devices to employees demanding more capability. “To some point, BYOD is a bit of an emotional issue,” the official continues. “To me, the real power of BYOD is helping us to address, even really making us think of, those factors of usability. That’s one of the most important things as I see it.”
Instead of a focus on which devices people can use for what, the solution to the mobility debate lies in putting the right overall technologies and policies into the hands of workers, the official says. People want technology at least as good as they have at home. BYOD is one way to achieve that, but others also exist. “We’re not ruling out any approach really,” the official states.
The CESG has no aspirations for its guidance achieving widespread implementation of BYOD. Particularly as a security organization, it only wants to ensure the transparency of information for proper decision making.
A CESG official says that the agency and the U.K. government are driven by wanting people to use “great technology” that meets their needs. The official emphasizes the importance of use and viability, because “It’s no good being secure if it doesn’t work. I wouldn’t want to see everyone use the same device policy because it means we’re creating a one-size-fits-all solution. If we’re going to support government to work effectively, we’re going to support a diversity of platforms … some of those will possibly be BYOD for some functions.”
However, because various levels of government must collaborate to deliver public services, they must share information. “We need to be able to share information securely and be able to look over that information securely,” an official explains. “We need to have confidence in how our partners will look after information. So that’s an additional complexity.”
In April 2014, the U.K. government released a new classification scheme of official, secret and top secret. Official information is a broad category applicable across the nations that fall under the United Kingdom. It basically denotes that information belongs to the government, not to individuals, and as such it requires appropriate security around it. The CESG’s platforms discussion focuses on the official realm and not on classifications intended more for national security purposes.
Within the designation of official, a diversity of information sensitivity exists. Security principles are integral to ensuring the right implementation of storing and sharing in this space. Some pieces of information have almost no sensitivity, such as statements to the press. In other cases, personal details about private citizens may need to be exchanged, requiring certain protections. A CESG official expects BYOD to become viable in areas that require minimal security but not adopted around more secure information.
Organizations will determine what level of protection is appropriate for their requirements. While the CESG guidance is not intended for the secret and top secret levels, leaders might find that risks at other levels make their data inappropriate for BYOD scenarios.
CESG experts try to use commercial best practices for security. Through the private sector’s efforts, government can find the strengths and limitations of technologies. Many platforms have multiple configuration options to consider before deployment. Some have acceptable levels of risk while others do not. The CESG guidance assists with navigating through the choices to help the public sector achieve the full value of commercial offerings.
All of the CESG’s guidance is available online, meaning that people interested in researching mobility security inside or outside of the United Kingdom can access the information, understand what CESG experts have released, then agree or disagree with the platform recommendations. “That can lead to useful discussions,” an official says. “I think the principles that underpin this are very useful. We’ve had discussion with peers in other countries.”
In the end, CESG officials want organizations to work through the recommended security principles, determine their own needs and understand whether BYOD or other solutions meet those security requirements. That way, people make an informed decision based on solid analysis rather than an emotional decision about whether BYOD is a good or bad idea.