Mobile security lessons from Treasury
- 27 May, 2014 09:26
The Treasury CIO Peter Alexander.
Managing a fleet of iPhones that used containerisation to separate The Treasury data from employees’ personal information has been a journey of mistakes and lessons for CIO Peter Alexander.
Speaking at Gartner’s IT infrastructure operations and data centre summit in Sydney recently, Alexander told delegates that the government organisation moved from an ageing fleet of BlackBerries after the Australian Signals Directorate (ASD) approved the iOS operating system for use by government departments that use protected networks in March 2013.
“We, like every other government agency, were on BlackBerries. BlackBerry had a really nice solution that was awesome for its time – unfortunately its time ended four years ago [in 2010] and we should have replaced it but we didn’t,” he said.
This was because in 2010 there was “nothing else at the time” and the only devices that were rated for protected content within federal government agencies were BlackBerries, Alexander said.
After the ASD approved mobile device management (MDM) vendor Good Technology to protect iPhones and iPads used by government employees, The Treasury was able to start providing government-issued iPhones to staff members.
“Good run a containerisation model that separates government data. We moved them [users] into the corporate owned personally enabled [COPE] model. Rather than bring your own device [BYOD], we gave people iPhones and allowed them to have their own iTunes account and iOS apps,” said Alexander.
The Treasury installed its own apps, including Good MDM, on the iPhones so that it could control sensitive data.
According to Alexander, the Good MDM was “working really well”, but it started running into some issues with ASD’s smartphone security requirements.
“ASD’s guidance said that we had to [securely] harden the iPhone to use protective content. We were running Good without hardening the iPhone because we felt that the container was good enough,” he said.
However, The Treasury ran into a smartphone security issue that Alexander referred to as the “onion theory”.
The theory likens a smartphone’s security to peeling back an onion. For example, if the phone’s hardware is weak, anything on it such as the operating system (OS) can be compromised.
“We had to harden the iPhones and once you do that, you don’t need an [MDM] container anymore,” Alexander said.
The Treasury moved from Good Technology to AirWatch’s MDM solution in May 2013.
According to Alexander, it chose AirWatch because the vendor could secure all of the iPhone’s data without using a container.
In addition, the IT department could use Apple’s native mail service to sync people’s email from their iPhone to an iPad.
“Imagine the use case if your senior executive has been using their iPhone all day and then switches to their iPad to sync mail. If they had 500 emails to sync, it almost invariably crashes. It’s not the end of the world as you can restart the phone. When you have intolerant executives, that doesn't work well.”
Alexander said The Treasury spent $50,000 on Good licences and software.
However, Alexander said it is not “wasting” the Good licences as it has offered them to a couple of smaller federal government agencies that run unclassified networks.
“We learnt a lot from the Good project. The mobile security guide we wrote for the ASD said that if you have an unclassified network – and a lot of agencies do – Good [Technology] is not a bad solution for you. If you are running a protected network you could use [Good] but you are taking on some additional risks,” he said.
However, Alexander said that AirWatch's MDM solution was not perfect as The Treasury has a “really painful issue with backups”.
He explained that this is because iPhones and iPads use a backup service called iCloud.
“iCloud is fantastic – unless you are running a government protected network where we don’t want staff to use iCloud,” he said.
“That is because iCloud backs up content from applications along with [security] certificates. For active sync to work, the certificate that we use in The Treasury has the user name and password on it so we don’t want that backed up in iCloud.”
Alexander added that he is working through the backup issue with AirWatch.
Turning to the Federal Budget 2014, Alexander said that even The Treasury was not immune to government agency cuts.
“We hit a funding peak in March 2011 when we had 1053 staff. We’re down to 890 staff and we have another 15 per cent [reduction] to go over the next two years,” he said.
“We have had a 30 per cent cut [in staff numbers] over the last four years. It makes you think a lot about the way you do things and how you operate. We have taken an alternative approach where people have said ‘How can we be innovative and spend our money better?’”
For example, Alexander recently told CIO Australia that The Treasury is planning to build virtual desktops for mobile staff and make that standard across the organisation.
A tender is being finalised at the moment, with Alexander also testing technology from Citrix and VMware.
The virtual desktops will first be rolled out to 50 mobile workers and then the whole organisation. Alexander will supply a mix of devices to staff and then allow for BYOD.
Follow Hamish Barwick on Twitter: @HamishBarwick