Surprise: Security not BYOD's biggest hurdle

Security usually tops the list of barriers that is so often cited as impediments to government employees using personal devices in their official capacities. But as it turns out, that is not what is stopping many federal workers from doing business via their iPhones.

The real problem is legal -- at least in the Defense Department, where officials say they continue to grapple most with matters of privacy and the separation of personal and work identities on a single device. Bring-your-own-device "sounds good and you can actually make a business case that you can cut costs of managing your own [devices] by wide adoption with the carriers," Kenneth Bible, Marine Corps CTO, said June 20 at an AFCEA DC event in Washington. "The challenge is not on the technology side, but on the legal side, [in] the privacy issues that are associated with that split-persona device, bringing a personal device and using it with an official persona."

The threat of "spillage," or information making it out of the secure confines it is legally supposed to reside within, means that managers need to have the option to wipe or even totally destroy a device if something goes wrong. If that involves a personal device, many employees are hesitant to hand over such control. Coupled with security concerns that do still exist, it complicates the push toward mobility.

"If we're going to do BYOD, we're going to change your device to the point where we're able to [completely wipe or destroy] it at any time," said Frank Konieczny, Air Force CTO and CIO/A6. "That usually deters most people. Between legal and security, it's really difficult to get to solution space that is acceptable for everybody."

Officials hope that by getting the word out to industry, a meeting of the minds can help produce solutions for affordable, commercially supported BYOD use that meets the multitude of security, privacy, legal and policy requirements. With options arriving on the market that offer more flexible security and policy options, some believe that point is not too far off.

"For a long time the government has been 'special,' and the classified, multi-level security thing has been a 'special problem,' but in a lot of ways the multiple personas and multi-level security is the exact same thing as BYOD," said Patricia Muoio, chief of the National Security Agency's trusted systems research group. "So we're trying to find ways to use technologies originally developed with government issues in mind and demonstrate them in ways to get them to a broader user base, so they become truly commercial."

The officials noted that the more commercially available those options are, the better government agencies are able to take advantage of them with procurements – and the faster they can move and get closer to, if not ahead of, the curve.

That way, "we can actually work in the cycles industry is working in to deliver technologies that are useful," Muoio said. "Fortunately I think technology's pace has moved to a place where it's very reasonable to expect vendors to accommodate assurance technology."