A More Mobile State and Local Government Workforce Means Mastering Device Security

Nestled on the edge of Lake Erie, the city of Toledo, Ohio, is famous for its museums, its glassmaking prowess and its minor league baseball team. But it’s not famous for data breaches or malware attacks — and the city’s director of information communication technology, David Scherting, would like to keep it that way.

Using mobile technology carries extra risks: Smartphones can be easily lost or stolen, potentially allowing sensitive information about Toledo and its citizens to fall into the wrong hands, or a rogue app could find its way onto a phone and wreak havoc. To address these concerns, the city has deployed mobile device management software from MobileIron on all 620 of its Samsung Galaxy handsets, as well as a few dozen Android tablets.

“Our biggest fears are ransomware and viruses,” Scherting says. “We’re also worried about someone losing a phone. When that happens, we ask employees to tell us right away, so we can use MobileIron to either shut it down or wipe it.”

Like many other local and state ­governments seeking the benefits of increased collaboration and productivity, Toledo is empowering an ever-increasing mobile workforce.

In a 2016 survey of 160 government IT decision-makers by research firm Frost & Sullivan, almost two-thirds said that they allow staff to use smartphones for work purposes, and about half allow tablets. More than 13 percent of the ­surveyed agencies’ users are mobile workers.

But the advantages must be balanced with the need to protect information. A 2017 Ponemon Institute survey of public and private organizations found that, for 51 percent of IT leaders, mobile devices are the primary challenge to effective IT security. As Toledo and other cities prove, IT departments can tackle that obstacle with a combination of technology deployments and well-planned security policies and strategies.

SIGN UP: Get more news from the StateTech newsletter in your inbox every two weeks!

City Users Tend to Play by the Rules with City Devices

Although Toledo limits the types of apps workers can put on their phones, Scherting says it has not yet used MobileIron to automatically block unauthorized apps, mostly because its users tend to abide by the city’s policies.

“Sometimes people call us up and say, ‘I’d like to add a parking app or Waze,’ which is fine,” he says. “But everyone is really good about the fact that this is a city phone. They know what they can and can’t put on it.”

The city currently audits its phones every few months — in part to make sure users are actually utilizing them — but Scherting says he plans to implement a more formal monthly audit soon.

And while Toledo has joined the mobile revolution, it has not embraced a BYOD policy. In fact, the city actively discourages users from employing personal devices on the job for privacy reasons, says Scherting.

“We’re concerned about the Freedom of Information Act,” he explains. “If you use your personal phone for city business, we have the right to take your phone and look at the data.”

While software such as MobileIron makes it easier to manage a mobile fleet, government IT leaders should also establish clear rules for how those devices are used.

“My advice for anyone doing this is to start out with solid policies and procedures,” Scherting says. “Tracking 600 or 700 mobile devices and managing their passwords can easily turn into a full-time job, and we do not have a full-time person doing this.”

Missouri Seeks Synergies Through Device Standardization

For the state of Missouri, using mobile technology is not merely convenient; a key goal of its September 2015 IT strategy is “empowering the state’s mobile workforce by giving them high-value mobile devices and applications that make them more effective and efficient.”

But for the strategy to work, those devices need to be secure. That’s why Missouri uses VMware’s AirWatch to manage its mobile units, which number around 5,000, says CISO Michael Roling. The state also derives security benefits by deploying only Apple iOS devices.

“By standardizing on iOS, we’ve been able to leverage economies of scale by having just one mobile platform and app store to secure and manage, instead of dozens of different Android platforms and various app stores.”

Roling’s biggest worry is that rogue apps may make their way past Apple’s security vetting and onto a phone. To avoid that, Missouri uses application whitelisting: Workers can download only a limited selection of approved apps from the state’s own app store. And while a handful of users employ their own devices at work, their access is limited to email and calendaring. Everyone else carries a state phone and, sometimes, a personal one as well.

Roling advises other state CISOs to standardize and use mobile device management. “That’s the best way to ensure security and compliance on state-managed devices and mitigate the risk of applications going rogue.”

Indiana Goes BYOD or Bust

Like Toledo, the state of Indiana uses MobileIron to manage its fleet of smartphones. But unlike its Midwestern neighbor, Indiana has embraced BYOD. Approximately 1,500 of the state’s 10,300 phones are personal devices.

The reason? Cost savings, says John Stipe, Indiana’s deputy ­director of IT. “Several years ago, management made a decision that it’s really cheaper for us to allow BYOD than to purchase every device and pay for the services,” he explains. It’s up to each state agency to decide whether it will reimburse employees for the use of their phones.

A key feature of MobileIron is flexibility, Stipe says. IT teams can fine-tune the settings for each agency; if one department needs a more stringent password management policy, it can do that without affecting others.

The state provides ­authorized apps via its own MobileIron app store, but doesn’t prevent users from installing applications through Apple’s App Store. Stipe says he’s not worried about malware because of the App Store’s vetting process. And though users can theoretically bypass Apple’s restrictions and install rogue apps by jailbreaking their phones, MobileIron ensures they can’t get back on the state network.

“One of our policies is that the device OS can’t be compromised in any way, and if it is, we prevent the device from accessing state data,” Stipe says.

But when each user has the freedom to customize settings and install apps, every phone becomes slightly different, making support more challenging. While the state has the ability to lock down each phone and limit what the user can do with it, that’s not a path Indiana has chosen to take.

“A phone is a very personal thing, even if it is owned by the state,” Stipe says. “We want employees to be productive and enjoy carrying their devices and use them for all the things they’re good for. We don’t want them to hate it.”