Monday, September 26, 2011

What is that shiny new thing you've got there?

New tech gadgets are coming into the marketplace making many people drool.  The newest ones usually receive the most 'cool points' from friends and other employees.  These shiny new tech devices are working their way into the federal workspace with the belief that 'Johnny' will be more productive.  John Zyskowski of Federal Computer Week offers several suggestions to ease the secure introduction of these devices into the workplace in the article at:  http://fcw.com/Articles/2011/09/26/FEAT-mobile-consumerization-plans.aspx.

This article unfairly points at Information Technology folks as being a speed bump for hip users in their quest to become more productive with these new devices.  The first suggestion is for IT to "deal with it" and allow hip young users and the big bosses to start using these devices the same way these folks use the same devices at home.  Wow, kind of sets a negative tone...

The second suggestion is to "standardize, but not where you think" meaning that the centralized applications and security settings should be configured to work with any device.  The author mentions that using devices in 'the cloud' via a virtual connection results in simple screen scrapes where no data resides on the end user device.  Sounds pretty simple...

The third suggestion is to "let users break out the plastic" meaning users contribute to the costs of using the device in a "bring-your-own-device" to work program.  End users share the costs with the agency so the user and the agency both chip in.  Nice, but might bring on some issues with where data is stored and access issues.

The fourth suggestion is to "cover all the security bases" which would require that specific requirements are met on the user device including encryption, remote management to wipe the configuration of a lost device, user passwords, patch management, identity management and two-factor authentication.  This is smart and should be incorporated into the management of all devices.

The final suggestion is for IT workers to develop the applications to enable these cool folks to use the devices.  The author recognizes that most applications were developed for standard computers, so he suggests that the applications be converted to web-enabled applications compliant with the HTML5 standard, which is predicted to be ready in a couple of years.

The suggestions are good; however, many are not practical.  First, Vivek Kundra, the recently separated first federal CIO, started several initiatives last year including the effort to consolidate data centers.  This consolidation is smart, but it takes a great deal of work to ensure the consolidations do not halt the productivity of federal employees sitting at desks right now.  It's not simple to relocate circuits and servers and redirect clients.

Second, the federal budgets are not growing.  The public is led to believe that federal agencies are "fat" now with an abundance of equipment and services.  I'm afraid that isn't true at the agency where I work.  Devices get old and need to be replaced, maintenance contracts need to be renewed, backup devices need to be updated and documentation needs to be updated.  Turns into a lot of money going to these not-so-sexy or shiny purchases.  Furthermore, in order to implement applications and security settings with devices, additional equipment may need to be purchased, configured, tested and documented in federally mandated security documentation. 

Third, the federal government has an obligation to her citizens to prevent data loss.  Many devices rely on good faith with the user to establish a VPN connection (i.e. it's not automatic).  Some devices won't allow a VPN connection to run, some don't have sophisticated patch management or identity management and most do not allow two-factor authentication.  Furthermore, a Ponemon Institute study of cloud computing providers released in April 2011 found that providers "do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers".


It is critical that the federal government provide an environment where employees can be productive.  It also has an obligation to provide security of the data.  It's critical to balance the two even if that means Johnny has to wait to use his shiny new toy.
