BYOD in secure environments: a defence perspective

Members of the UK Council for Electronic Business focus on Secure Collaboration and seek to understand and ‘position’ the evolution of Bring Your Own Device (BYOD) for their organisations. A Mobile Computing Vision paper from the MOD makes reference to BYOD, and here UKCeB members Jez Nash and Andrew Rix of HP present MOD DCB an overview with a defence focus.

Bring Your Own Device (BYOD) is the use of a personal device in the work environment, and particularly its use to access the enterprise. The concept becomes blurred when personal devices are used for work-related tasks but do not form part of the enterprise. Consumers of technology have become increasingly reliant on mobile devices to assist them in their daily lives and are seeking to introduce their ‘highly connected’ state into their working lives. The challenge of maintaining security when creating access for personal devices is now being addressed by commercial organisations as the consequence of not doing so is a dilution of a company’s ability to maintain control over its information.

The increasing level of personal interaction with ever-present mobile devices is only set to continue with the proliferation of context-aware applications and the expanding range of device types and form factors. The inconvenience of carrying and managing multiple devices of a similar type will enhance the desire of employees to converge work and personal devices. This is evidenced in the commercial world by more and more companies now choosing to support BYOD at some level. BYOD implementations within the commercial sector vary from the basic use of personal phones through to full integration of a suite of devices with wide-ranging access to the enterprise. The latter has been made possible through the evolving technologies of virtualisation and multi-tiered security, which enable personal and work activities to be compartmentalised on a single device. Such technologies, together with the development of Enterprise Mobile Management capabilities, enable appropriate levels of device governance, while affording access to enterprise commodities such as office automation tools, collaborative working environments and business applications.

So is it possible to introduce BYOD within defence? The answer is yes, but the route for doing so is likely to be progressive, starting with Choose Your Own Device (CYOD). This is where the enterprise supports a limited device selection (potentially on a single mobile operating system). This would enable a degree of convergence by offering controlled access to a range of enterprise services.

Both user experience and choice could be expanded over time by extending the operating systems and range of devices supported. The transition from CYOD to BYOD would probably depend upon a risk balance decision that weighs the business and operational drivers against the appetite to embrace advances in technology that could mitigate the perceived security risks of allowing a device of unknown provenance (and potentially limited endpoint security) to connect to the enterprise. The MOD also recognises there are non-technical considerations to factor in, such as Duty of Care and Health and Safety matters. The accompanying diagram presents an illustrative MOD perspective.

To participate in activities relating to Secure Collaboration across Team Defence, including BYOD, contact the UKCeB at www.ukceb.org

IdAM: Identity and Access Management in Team Defence

The UK Council for Electronic Business is actively pursuing joint work in federated Identity and Access Management across Team Defence. Here, Carl Billson of UKCeB explains the context, benefits and opportunities associated with IdAM.

‘On the Internet, nobody knows you’re a dog’ is the caption from an iconic magazine cartoon from 20 years ago, featuring a dog, seated at a computer, making this remark to his canine friend. We value the competitive advantage from working digitally. Realising that means we need to be confident that the online representation of a person is tied directly to their real-world identity.

A Ministry of Defence strategy paper from 2010 ‘Defence Identity and Access Management Strategy 2010 – A sub-strategy of the MOD Information Strategy’ (known as MODIS 2009) describes Identity and Access Management (IdAM) as an ‘integrated set of policies, processes, standards and technologies that creates and manages digital identities and associated access privileges’. It adds that credentials such as smart cards and security tokens are used as part of establishing identities for controlled access to resources.

The MOD vision in this paper is for a federated IdAM capability that provides trust in identity across the MOD and its partners throughout operational, support and business areas. An example of what this means in practice is Single Sign-On to IT systems both within an organisation and its partner organisations.

Within the MOD, the CIO takes a lead for IdAM and is a contributor to the pan-Government policies where IdAM is integral to achieving greater levels of ‘joined-up’ Citizen IT. There are equivalent programmes in other governments, such as FICAM (Federal Identity, Credential and Access Management) in the US.

One key part of all these programmes is creating a digital credential, the equivalent of the ID card we use for physical access. One technology that is used in this area is PKI. Digital PKI certificates provide a mechanism for an individual to authenticate in an assured manner. Trust in these certificates can be extended to other organisations through ‘trust hubs’ such as the US Federal Bridge and the Certipath commercial bridge.

Many governments and large corporations are investing in this technology. Some of them have joined together in the Transglobal Secure Collaboration Program (TSCP) to form a ‘government-industry partnership concerned with mitigating risks related to compliance, complexity, cost and IT inherent in large-scale and collaborative programmes that span national jurisdictions’. TSCP has published specifications and guidance that address a second challenge: providing information to a system so that it can control the scope of access that a user is permitted. This work addresses the complex requirements of export control and intellectual property protection through the exchange of identity assertions that describe user access privileges.
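The two mechanisms described above, extending trust to a partner's credentials through a bridge ('trust hub') and deciding access from the privileges carried in an identity assertion, can be seen together in the following added example. It is illustrative code written for this article, not code from UKCeB, the MOD, TSCP or any bridge operator. Every CA name, user, attribute and resource in it is constructed sample data; the bridge is modelled as a set of cross-certification links between CA names, and signature verification of the certificates and assertions is assumed to have already been performed by a PKI library, so the code shows only trust-path discovery and the deny-by-default attribute decision.

```python
"""Federated access decision: trust-path discovery through a bridge CA,
then attribute evaluation of an identity assertion (illustrative model)."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Each entry is (issuer, subject): "issuer has certified subject".
# The bridge CA sits in the middle so that no organisation has to
# cross-certify every partner directly. Constructed sample names.
CROSS_CERTS = {
    ("MOD Root CA", "Example Bridge CA"),
    ("Example Bridge CA", "MOD Root CA"),
    ("Example Bridge CA", "Partner Corp CA"),
    ("Partner Corp CA", "Example Bridge CA"),
    ("Partner Corp CA", "Partner Corp Issuing CA"),
    ("Unrelated CA", "Rogue Issuing CA"),   # never cross-certified by the bridge
}
LOCAL_TRUST_ANCHOR = "MOD Root CA"   # the only root this relying party trusts
MAX_PATH_LENGTH = 4                  # bridge paths are short; bound the search


def find_trust_path(anchor, target_ca, cross_certs=CROSS_CERTS, max_len=MAX_PATH_LENGTH):
    """Breadth-first search from the local anchor to the assertion's issuer.
    Returns the CA names on the shortest path, or None if unreachable."""
    edges = {}
    for issuer, subject in cross_certs:
        edges.setdefault(issuer, []).append(subject)
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ca:
            return path
        if len(path) > max_len:          # too many hops: stop extending this path
            continue
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def evaluate_assertion(assertion, resource, now, anchor=LOCAL_TRUST_ANCHOR):
    """Deny-by-default decision for one assertion against one resource.
    Returns (allowed, reason). Checks run in order: trusted issuer,
    validity window, then every attribute the resource requires."""
    path = find_trust_path(anchor, assertion["issuer"])
    if path is None:
        return False, "issuer not reachable from local trust anchor"
    if not assertion["not_before"] <= now < assertion["not_after"]:
        return False, "assertion outside its validity window"
    attrs = assertion["attributes"]
    for name, allowed in resource["required"].items():
        if attrs.get(name) not in allowed:   # missing attribute also denies
            return False, f"attribute {name!r} not acceptable for this resource"
    return True, "trust path: " + " -> ".join(path)


# Constructed sample data: a reference time, two assertions and one resource.
NOW = datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc)

PARTNER_ASSERTION = {
    "issuer": "Partner Corp Issuing CA",
    "subject": "jane.engineer@partner.example",
    "not_before": NOW - timedelta(hours=1),
    "not_after": NOW + timedelta(hours=7),
    "attributes": {"nationality": "GBR", "organisation": "Partner Corp", "clearance": "SC"},
}
ROGUE_ASSERTION = dict(PARTNER_ASSERTION, issuer="Rogue Issuing CA")
FOREIGN_ASSERTION = dict(PARTNER_ASSERTION,
                         attributes={"nationality": "USA", "clearance": "SC"})

EXPORT_CONTROLLED_DOC = {
    "name": "Programme design data (UK eyes only)",
    "required": {"nationality": {"GBR"}, "clearance": {"SC", "DV"}},
}

if __name__ == "__main__":
    for label, a in [("partner", PARTNER_ASSERTION), ("rogue", ROGUE_ASSERTION),
                     ("foreign", FOREIGN_ASSERTION)]:
        print(label, evaluate_assertion(a, EXPORT_CONTROLLED_DOC, NOW))
    print("expired", evaluate_assertion(PARTNER_ASSERTION, EXPORT_CONTROLLED_DOC,
                                        NOW + timedelta(days=1)))
```

The order of the checks matters: an assertion from an issuer that the local anchor cannot reach through the bridge is rejected before its attributes are even read, so a partner's own attribute claims only count once the partner itself has been admitted to the federation. In a real deployment the `CROSS_CERTS` graph is replaced by certificate path validation (including revocation and policy checks) in a PKI library, and the assertion would be a signed token such as a SAML assertion rather than a plain dictionary.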

UKCeB has an ongoing series of IdAM workshops where members are involved in issues such as scenarios, policies, architectures and engagement of Small and Medium-sized Enterprises. UKCeB and the MOD have joint work planned for 2013. If you wish to learn from, contribute to and benefit from these activities around IdAM, please contact the UKCeB via its website.