IT news: CESG publishes guidance on smartphone security
The healthcare IT industry has welcomed the publication of new guidance on the handling of sensitive government data by public sector organisations such as the NHS.
Produced by the CESG, the information assurance arm of government communications agency, GCHQ, the guidance covers the use of smartphones by workers including district nurses, GPs and community health workers.
Only accessible to those with government secure intranet accounts, the document applies to lower-risk situations rather than classified or restricted data and covers systems management and maintenance, configuration settings, architectural advice, user education and awareness training, and information on common risks to mobile working. It also highlights where a significant risk exists, either where there are no technical or procedural controls to reduce it, or an extensive reliance on procedural mitigation.
A spokesman for CESG said: “This is a great example of government and industry collaborating to ensure that all parts of government have the tools and information we need to work more securely in cyber space. It will help many parts of the public sector work more efficiently and effectively - saving money for the taxpayer.”
The guidance is available for products from Apple, Microsoft, Nokia and Research In Motion (RIM), covering the majority of the smartphone market. The CESG spokesman said this does not imply formal endorsement or certification of any of these platforms, but gives organisations the option to choose whichever platform best suits their business needs.
In the publication, the CESG also points out that the BlackBerry Enterprise Solution from RIM is currently the only smartphone system to have been formally evaluated and approved to protect material classified up to and including ‘restricted’ data.
Welcoming the guidance, Stephen Bates of RIM said: “BlackBerry is proud to remain the only smartphone solution approved for the communication of classified information in UK government.
“Because of the security of our platform, BlackBerry smartphones have been deployed widely in the public sector and we have helped enable public sector organisations to deliver more efficient and effective services.
“We commend CESG for taking pro-active steps to promote a responsible way to enjoy the benefits smartphones can provide.”
One NHS organisation to have rolled out smartphones to its staff is Birmingham and Solihull Mental Health Foundation Trust. Its director of ICT, James Longmore, said: “Patients have a right to expect that their personal information and medical history will be treated with extremely high levels of security. The BlackBerry platform allows us to deliver information securely to our clinicians who are often highly mobile. It also allows us to deploy applications and documents to the hand-held in a very efficient and scalable manner.”
But industry experts at Tenable Network Security say that, while BlackBerry currently has the lion’s share of the market, competition will soon increase.
Chief executive, Ron Gula, told HES: “When it comes to mobile security, all smartphones and tablets share a common set of challenges: they carry lots of data, they are often riding around in someone’s pocket where they can be easily misplaced, they transfer data over a network that can be intercepted, and they run applications that may or may not be well written. Placing important data on a mobile device where it’s easy to lose or steal offers the same problem as uncontrolled laptops - only worse.
“This is the case regardless of the mobile platform. There is a common perception that BlackBerry is more secure than Android or Apple platforms. The reality is that BlackBerry does have more enterprise features and controls such as remote kill, email retention, guaranteed message delivery with application and encryption controls. However, while this is important, a lot of it is just details, and we’ll probably see some leapfrogging between the various vendors as they get bitten and react.
“With all mobile devices we have a situation where information is everywhere, getting auto-synched, distributed, cached, and downloaded – along with applications being downloaded on to them by the metric jillion, written by who knows whom? The technology is often new and rapidly changing, so the potential for spyware is huge and all smart devices will continue to be a constant security concern now and in the future.
“Smart devices entering the workplace represent a combination of opportunity and threat, so organisations must understand the bigger picture of where information rests and flows within the network. The IT network management environment is only going to become more complex and challenging, both internally and externally – so businesses must ensure they can see what’s happening at every moment before something happens that they weren’t expecting.”