Mobile Application Security for Digital Government Services

Today federal agencies are required to adopt mobile technology to improve citizen service. The growing risks associated with delivering mobile enterprise services to consumers make it critical to address both mobile application management and mobile device management. These mobile enterprise services require a comprehensive mobile application and mobile device life cycle management framework consistent with industry standards and trends. Successful deployment of applications also requires revamping the identity and access management strategy to enhance security. This framework must address mobility, services, data, privacy, device sanitization, network modernization, and application deployment (NIST 2012-2015).

Three of the main considerations for CIOs are capabilities, cost, and security (CIO Council 2012). CIOs have a variety of decisions to make, as most of the risks associated with the adoption of mobile applications for digital government services fall within these considerations. When users access endpoint devices, networks, networked applications, or web applications that require some type of authentication, there must be a strategy in place to address which mechanism(s) will be employed for identity verification and access authorization. Mobile identity integrates identity and access management with enterprise mobility management. Mobile identity verification should answer three questions: who are you, where are you connecting from (location), and which device is connecting to the infrastructure.

Risks associated with mobile application deployment include (CIO Council 2012, 2013):

  1. Technical limitations of available products and solutions
  2. Lack of policies (privacy, breach, financial, personal devices, etc.)
  3. Network connectivity and availability
  4. Processes or lack thereof
  5. No Government-wide contract vehicle to purchase devices and data plans
  6. Justification of mobile technology investment
  7. Cost to support increasing number of devices and products
  8. Information sensitivity must be determined
  9. Limited authentication and encryption options
  10. Validation process speed
  11. PIV Authentication (NIST 2012-2015)
  12. No standard for derived credentials (FIPS 2013)
  13. Lack of consistent configuration guidance

These risk factors should be addressed during the planning phase of the mobile application life cycle. Additionally, the following recommended best practices for mobile application implementation will ensure a successful deployment. Listed below are a few recommended practices (Garcia 2012).

  • Build in protection and address risk at the beginning of the life cycle
  • Secure the infrastructure where mobile applications reside
  • Continually assess and identify potentially exploitable flaws
  • Implement policies (password, device such as lock, privacy, wireless, etc.)
  • Disable functionality (Wi-Fi, camera, Global Positioning System (GPS) to access location-based services (LBS), Bluetooth, Siri, App Store, etc.)
  • Utilize containers that are FIPS 140-2 compliant (isolates data from rest of the device)
  • Do not permit processing of classified information
  • Require authentication to the device and container
  • Establish best practices, training and risk awareness

In conclusion, a successful mobile application deployment framework will (Garcia 2012):

  1. Establish an agency-wide application development approach
  2. Take advantage of all the benefits of mobile devices
  3. Reinforce mobile security


References:

CIO Council (2012), Government Use of Mobile Technology: Barriers, Opportunities, and Gap Analysis, Retrieved from: https://cio.gov/wp-content/uploads/downloads/2012/12/Government_Mobile_Technology_Barriers_Opportunities_and_Gaps.pdf

CIO Council (2013), Adoption of Commercial Mobile Applications within the Federal Government: Digital Government Strategy Milestone 5.4, Retrieved from: https://cio.gov/wp-content/uploads/downloads/2013/05/Commercial-Mobile-Application-Adoption-DGS-Milestone-5.4.pdf

Garcia, Jorge (2016), Moving Beyond the Basics: Key Considerations for Successful Adoption of Mobile Platform, Retrieved from: http://www.vnsgmagazine.nl/ExecutiveDiner/7_SuccessfulAdoption.pdf

Souppaya, Murugiah and Scarfone, Karen (2012), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise (Draft), Retrieved from: http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

Ferraiolo, Hildegard, Feldman, Larry, and Witte, Greg (2014), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-157.pdf

Quirolgico, Steve, Voas, Jeffrey, and Karygiannis, Tom (2015), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-163 Revision 1 (Draft), Vetting the Security of Mobile Applications, Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163.pdf

Computer Security Division Information Technology Laboratory (2013), Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors. (Introduction of PIV-derived credential), Retrieved from: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf