IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
April 13, 2011

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

CESG issues guidance on secure use of smartphones in Government

Today’s smartphones allow employees to connect back into their corporate networks and work remotely and efficiently, but companies always need to be aware of the security risks involved.

In a timely move, Government cyber security experts at CESG – the UK’s National Technical Authority for Information Assurance at GCHQ – have successfully worked with major smartphone platform providers on how best to secure their products.

The result comes in the form of new guidance for UK Government departments and the wider UK public sector on how best to secure smartphones for remote working.

The guidance applies to lower risk situations covering large tracts of the public sector, but is not applicable for classified data (ie Restricted or above).

Covering the majority of the smartphone market, this latest advice enables the UK public sector to use whichever platform best suits the business need, confident that they understand the security measures they need to employ and the risks associated with each option.

The advice is available for products from Apple, Microsoft, Nokia and Research In Motion (developer of the BlackBerry).

Government and industry working together

Commenting on the guidance notes a spokesperson for CESG explained: “This is a great example of Government and industry collaborating to ensure that all parts of Government have the tools and information we need to work more securely in cyber space. It will help many parts of the public sector work more efficiently and effectively, in turn saving money for the taxpayer.”

Ron Gula, the CEO at Tenable Network Security, has also commented on this latest development in the world of secure communications.

“When it comes to mobile security, all smartphones and tablets share a common set of challenges,” he told SMT Online. “They carry lots of data. They’re often riding around in someone’s pocket where they can be easily misplaced. They transfer data over a network that can be intercepted and they run applications that may or may not be well written.”

As far as Gula’s concerned, placing important data on a mobile device which is easy to lose or may be stolen presents the same security problems as those facing ‘uncontrolled’ laptops, only worse.

“This is the case regardless of the mobile platform,” asserted Gula. “There’s a common perception that BlackBerry is more secure than Android or Apple platforms. The reality is that BlackBerry does have more enterprise features and controls such as remote kill, e-mail retention, guaranteed message deliver with application and encryption controls. However, while this is important, a lot of it is just detail. We’ll probably see some leapfrogging between the various mobile vendors as they get bitten and react.”

Gula told SMT Online that with all mobile devices we have a situation where information is everywhere, getting auto-synched, distributed, cached and downloaded – along with applications being downloaded on to them by the metric ‘jillion’, written by who knows who.

“The technology is often new and rapidly changing,” he urged, “so the potential for spyware is huge. All smart devices will continue to be a constant security concern now and in the future.”

Smart devices entering the workplace represent a combination of opportunity and threat, so organisations must understand the bigger picture of where information rests and flows within the network.

“The IT network management environment is only going to become more complex and challenging both internally and externally,” said Gula, “so businesses must ensure that they can see what’s happening at every moment before something happens that they weren’t expecting.”

Formal evaluation courtesy of CESG

The BlackBerry Enterprise Solution is approved to protect material classified up to and including Restricted and remains the only smartphone system to have been formally evaluated by CESG.

BlackBerry smartphones have enabled public sector organisations including the MoD, much of central Government and more than half of the UK’s police forces, the NHS and local Government organisations to access the services they need (including mission-critical data like patient records, the Police National Computer and other Government databases as well as mobile e-mail and calendar applications).

Stephen Bates, the UK managing director of RIM, said: “BlackBerry is proud to remain the only smartphone solution approved for the communication of classified information in UK Government. Due to the security of our platform, BlackBerry smartphones have been deployed widely in the public sector and we have helped enable organisations in that realm to deliver more efficient and effective services. This is highlighted by our work with the UK’s police service, where we have helped forces save GB pound 112 million.”

Through 2010, BlackBerry was the number one selling smartphone in the UK both on contract and prepaid tariffs. For Bates, this underlines how individuals, not just businesses, are now buying smartphones.

“We commend CESG for taking proactive steps to promote a responsible way of enjoying the benefits smartphones can provide.”

Comments from the customer base

Several customers who benefit from the security credentials of the BlackBerry Enterprise Solution have also commented.

James Longmore (director of ICT with the Birmingham and Solihull Mental Health NHS Foundation Trust) said: “The security of patient identifiable information is of paramount importance to our Trust. Patients have a right to expect that their personal information and medical history will be treated with extremely high levels of security.”

He added: “The BlackBerry platform allows us to deliver information securely to our clinicians who are often highly mobile. It also allows us to deploy applications and documents to the handheld in a very efficient and scalable manner.”

Sergeant Simon Davies – programme manager at South Yorkshire Police – explained: “We carefully guard our information in secure premises. Moving that information to the front line brings its own challenges. Our BlackBerry solution solves our security issues, meaning we can get our data to where it’s needed: the front line.”

PC Marc Amphlett (operational officer for mobile data at Northamptonshire Police) told SMT Online: “We rely heavily on being able to trust the ‘out of the box’ security we receive via the BlackBerry framework. If a device is lost then RIM is able to disable that device quickly and efficiently ensuring that all data remains secure. Without this guarantee of secure information we would not be able to deliver mobile working to our operational staff where they work in the community.”

Maturity, reliability and security

Stephen Chilton, the director of IT services at University Hospitals Birmingham NHS Foundation Trust, commented: “The maturity, reliability and security of BlackBerry gives us the appropriate assurance with respect to our duty to protect patient data and our wider information assets, including those of a commercial and sensitive nature.”

Offering his views of the BlackBerry platform’s security credentials, Nick McQuire – director of enterprise mobility at analyst house IDC – stated: “The exponential growth in the market for mobile technology is expected to continue, so it makes huge sense for UK Government to facilitate the use of smartphones in public sector.”

McQuire continued: “This needs to be accompanied by an awareness among users of the importance of data privacy and secure communications. The BlackBerry platform remains, in my opinion, the leader in this respect, providing the highest levels of assurance without the added cost or complexity of needing to bring third-party software into the equation.”

Security credentials of the BlackBerry platform

  • the BlackBerry solution is the first mobile platform to achieve Common Criteria Certification, setting a benchmark for the market (this is an international certification recognised by 25 countries around the world)
  • the BlackBerry platform is approved by NATO
  • BlackBerry smartphones have been awarded multiple FIPS 140 validations (Federal Information Processing Standard) in the USA and Canada for their embedded encryption technology
  • the BlackBerry solution meets the US Department of Defence requirements for S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKI (Public Key Infrastructure)
  • the BlackBerry solution has been selected by organisations around the world for its robust security features (customers include the FBI, the MoD and over half of all UK police forces
  • the BlackBerry solution is currently used by over one million Government and public sector customers worldwide, including sectors where privacy and security concerns are paramount (such as policing, the military, healthcare and education)

Essential points to note

The risk management advice for each of the four smartphone platforms named above is available via CESG’s IA Policy Portfolio, a website for UK Government IA professionals.

The guidance is only accessible to those with Government Secure Intranet (GSI) accounts.

Note that the publication of this risk management guidance does not imply formal endorsement or certification by CESG of any of the other platforms.

For more information about CESG visit the website (a dedicated link is provided on the right hand panel of this page)

Further information concerning GCHQ is also available online (again, access the dedicated link we’ve provided)

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments