Margaret Salter, technical director of the NSA's Information Assurance Directorate (IAD), spoke at RSA on Wednesday about the NSA's mobile computing pilot and the need for industry to come up with solutions that are more "plug and play." The message I took from this session is that industry needs to develop technologies based on a few very basic ground rules:
- Consider security;
- Ensure the user interface is easy to use;
- Solutions should support commercial functionality;
- Solutions must be cost effective; and
- Solutions must be easy to develop and should be interoperable.
While these ground rules seem to be basic common sense, they still appear to present a challenge to the industry. She encouraged vendors to "work together" and come up with collaborative solutions rather than stovepiped ones that lock customers into specific technologies. Part of the NSA's requirement is to integrate products from multiple vendors so that it is not dependent on a single vendor for everything, for obvious reasons. Margaret also mentioned that the NSA is revamping the NIAP (National Information Assurance Partnership) policy and procedures, producing a more streamlined checklist and test procedures for product certification and acceptance. This is necessary if the program is to keep pace with the rapid evolution of existing and emerging technologies.
As for the details of the NSA's mobile pilot, the technology selected was Android. It ranked highest when compared with the other technologies under evaluation, including iOS, against the requirements available at the time. This meant that it was the "best" solution for those requirements, not that it was the most secure.
While Android is in its early stages of development and is currently subject to some security flaws, the NSA's team was able to mitigate the risks to an acceptable level without impeding the mission. Other technologies were more secure, but they were sometimes difficult to use, configure, integrate and/or manage. It was refreshing to see that government is relying more heavily on commercial networks and industry to develop a solution for securing voice and data communication services in support of classified processing. In today's environment, mobile computing is becoming a requirement rather than merely a convenience, especially when you consider that the mission being supported often involves agents deployed in the field. The ability to share classified information from anywhere, at any time, is essential to protecting our critical assets and sensitive information.
UPDATE: Here is the presentation on NSA's mobile security roadmap.