Risk
10/26/2011
04:20 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stolen iPads A Special Problem For Fed Agencies

Mobile devices will inevitably go missing, as a recent theft at the VA shows. So security and device management work continues.

14 Most Popular Government Mobile Apps
Slideshow: 14 Most Popular Government Mobile Apps
(click image for larger view and for slideshow)
No sooner than a few weeks after the Department of Veterans Affairs opened up its networks to iPads, the agency reports the first stolen iPad. Not that VA CIO Roger Baker wasn't expecting this to happen.

According to a report first released as part of a monthly cybersecurity report posted on the VA's website, an iPad2 was likely stolen out of one of the VA's IT offices in Washington, D.C., in early September, before the agency ever authorized iPads for broader use. The iPad hadn't been configured for employee use, wasn't storing personally identifiable information, and had its data service canceled as soon as the agency discovered it was missing. However, the device's theft speaks to larger security concerns as iPads become more prevalent on federal agencies' networks.

That day is rapidly approaching. The VA became one of the first agencies to authorize iPads on its networks earlier this month. While Baker estimated on a call with reporters Wednesday that fewer than 500 iOS devices (including iPads and iPhones) currently have access to VA networks, he expects the number of iPads to quickly grow to a thousand and eventually tens of thousands. Other agencies, including the Department of Transportation and the Department of Homeland Security, are also piloting the devices.

"It's very clear from the public demand and the clinician demand that there's a real use for them in areas that would make a clear business case," Baker said.

[Learn about the government's new "future-ready" approach to IT in U.S. CIO VanRoekel Outlines What's Next For Fed Tech.]

While Apple devices aren't currently compliant with the key federal encryption standard, Federal Information Processing Standard 140-2, the VA will require encrypted applications, including email, which is one of the first applications supported on iOS devices inside VA. The agency is also developing an iPad version of the VA's Computerized Patient Record application that will support encryption. "Since the device doesn't support encryption, we are enforcing encryption at the application level," Baker said.

The VA is also piloting mobile device management software to manage mobile device security by locking down configuration settings, controlling what apps can be installed on devices, and by remotely wiping devices if they go missing or stolen.

In a request for information issued October 20, the VA indicated that it was looking for mobile device management software that could control up to 100,000 tablets, including iPads, Androids, and Windows devices. The VA is looking for a suite of features, including reporting, automated enforcement of enterprise rules via actions like device locking or wiping, ability to offer an enterprise application store, ability to view a device's GPS history, and white and blacklisting of apps.

Finally, VA will track instances of iTunes installed on laptops and desktops inside VA. "We're going to watch every [computer] where iTunes is loaded and make sure it's specifically approved for an iPad user," he said. In other words, he said, security with tablets isn't just about the tablet itself, but also about the devices that support that tablet, such as a PC loaded with iTunes.

The VA's monthly security report indicated that police are combing through camera footage at the scene of the crime for any clues on the iPad2's theft. The iPad was one of 21 desktops and laptops that went missing or were stolen in September. All of those computers were either encrypted or stored no sensitive or personally identifiable information.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FlavoredAir
50%
50%
FlavoredAir,
User Rank: Apprentice
11/1/2011 | 9:04:21 AM
re: Stolen iPads A Special Problem For Fed Agencies
You must not have been a math major in college. The iPads that the government are buying are not top-of-the-line 64gig 3G units. They're buying 16gig units, some of which have 3G and some of which have just wifi. The base price of an iPad 16gig with wifi only is $499 - and that's NOT including the federal discount that they get (~10% off, sometimes more if bought in higher numbers).

The cost of securing these devices - on a per device basis - is far cheaper than securing any Windows computer. The sheer amount of money spent on software and hardware to protect a desktop or laptop within the government is astronomical in comparison to what's spent on a similar level of securing an iPad.

And how do I know this? I'm someone who has overseen a federal deployment of iPads just a few months ago at another HHS agency.

If you're going to bloviate, at least do it with facts, not speculation posing as fact.
Bprince
50%
50%
Bprince,
User Rank: Ninja
10/31/2011 | 6:10:57 PM
re: Stolen iPads A Special Problem For Fed Agencies
As someone whose phone slipped out of his pocket in a cab once (I was able to get it back thankfully) I feel like I can relate somewhat to someone losing a device or having it stolen. I think rather than trying to stop people from using popular devices, it may be a better strategy to focus on device management and protecting the data on the device itself through encryption, data masking, etc if it is sensitive.
Brian Prince, InformationWeek contributor
ajones320
50%
50%
ajones320,
User Rank: Apprentice
10/28/2011 | 1:07:04 AM
re: Stolen iPads A Special Problem For Fed Agencies
Why do the feds use excessively overpriced hardware in the first place? I know that it doesn't matter if a 2000$ or 500$ laptop gets lost with sensitive data on it, but how about buying a cheap 500$ Windows laptop and spending 1000$ on securing it...still cheaper than a friggin iPad.
John Douglas
50%
50%
John Douglas,
User Rank: Apprentice
10/27/2011 | 9:28:50 PM
re: Stolen iPads A Special Problem For Fed Agencies
At some public restrooms where anyone, including government employees, are allowed to use the keys, they chain them to big boards. Or spoons to the pen at the front desk. Maybe if we encase the iPad in an PC terminal, no one will walk off with it.
Bob Forsberg
50%
50%
Bob Forsberg,
User Rank: Apprentice
10/27/2011 | 8:05:12 PM
re: Stolen iPads A Special Problem For Fed Agencies
Anyone who has worked for or used Government facilities and services realizes the rank and file employees are not the sharpest tacks in the box or the most honest.

Placing large ID/serial numbers or a persons name and phone number on these items would keep theft of iPads at a minimum. Apple provides that service for free. You just need to ask when purchased.

Using readily available consumers products is a great idea for government agencies. It minimizes $20 pencils, $400 hammers and $2,800 toilets.
Tom LaSusa
50%
50%
Tom LaSusa,
User Rank: Apprentice
10/27/2011 | 4:26:50 PM
re: Stolen iPads A Special Problem For Fed Agencies
Maybe the issue here is that there are just some Tech sectors -- Gov't for instance -- that should not be allowed to embrace consumerization.

Tom LaSusa
InformationWeek
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.