Thursday, May 23, 2013

Tips for moving BlackBerrys along with e-mail to the cloud



As government agencies move e-mail to cloud-based systems, one of the bigger challenges is linking mobile devices, especially BlackBerry smart phones.
The Environmental Protection Agency grappled with moving BlackBerry users to the cloud as the agency transitioned 25,000 employee mailboxes -- including about 4,500 BlackBerry phones -- to Microsoft Office 365 for Government, said Lynn Singleton, director of environment services for Lockheed Martin.
EPA officials brought in Lockheed Martin in September 2012 to assist in the migration of e-mail along with other mail-related components such as calendars, rooms and resources, groups, mail and databases. The move from a 15-year-old enterprise Lotus Notes e-mail system to Office 365 is expected to save the EPA approximately $12 million over the four-year contract period.
“The challenge with BlackBerrys is that [users] might be out in areas where there is no service,” Singleton said. To prepare for the transition, IT administrators have to remotely connect with the BlackBerry phones so the devices can be “wiped and cleaned.” Then the BlackBerry user gets new activation codes, which lets them download a new e-mail operating system. Sometimes this process can be interrupted if the cell phone signal is weak, causing a failure in the download, Singleton noted.
As with the transition of e-mail, Lockheed Martin performed a series of pilot tests with the BlackBerry users prior to the main migration over the Presidents’ Day weekend in February. “We migrated around 1,000 BlackBerry users through our series of pilots,” Singleton explained. During the migration weekend, the Lockheed Martin team moved the remaining 3,500.

Often, it is not a simple matter of replacing BlackBerry devices to work with a new e-mail system.  The goal of many agencies is to provide a platform for users to collaborate and share knowledge and documents, as the General Services Administration discovered in its transition of 17,000 employees to Google Apps for Government. GSA officials had to rethink their entire mobile strategy for how to connect people when they are on the go.  
Agency managers should view BlackBerry users as a unique case, Singleton advised. Often they are senior managers who are used to having connectivity. Some users might have more critical needs than others, such as emergency response personnel, he said. A transition team needs to have a plan to first move users whose connectivity to the organization’s messaging and collaboration system is critical.
Lockheed Martin incorporated these BlackBerry users into the help desk, Singleton said.  “So when we rolled out [the migration to the cloud] there was special treatment to bring them up to speed quickly or remediate [problems] quickly.”

A checklist for keeping mobile apps secure

There are more mobile applications on the market than ever due to the increased cellular network broadband speed and the processing power of Android, iOS and other mobile operating systems. And as the devices spread, so does government risk.
In fact, mobile apps rule the network in government, with 35 percent of new federal and state applications and 45 percent of new local applications expected to be mobile this year. As such, mobile application security will be where the rubber meets the road. 
Mobile applications enable new threats to both the enterprise and the device itself. For instance, mobile devices move data from safe networks to untrusted, dangerous ones – effortlessly. By constantly changing wireless networks, such as Wi-Fi, Bluetooth, Global System for Mobile Communications (GSM), and Code Division Multiple Access (CDMA) networks, a safe environment can easily become a danger zone.
Moreover, hackers can hijack sessions through sniffing and tampering, which enables an unauthorized person to access stored data, passwords, cookies and VPN credentials. It also gives the hacker the same full privileges as the device’s owner and, in some cases, can provide the keys to the enterprise. 
While most client-server applications run on a local-area network or a corporate wide-area network, mobile apps run outside the corporate network, accessing services across the public Internet. This broad range of access to mobile applications causes potential security vulnerabilities, especially if applications aren't architected properly.

One of the principal elements of secure design for mobile applications is making sure that the client, the actual device itself, or the browser application, does very little processing; in effect, making it a dumb device.
Another best practice for mobile applications involves encrypting traffic to the backend server by using Secure Sockets Layer encryption. But SSL alone isn't enough because of the nature of mobile device connections. Many smart phones will automatically connect to available, open Wi-Fi networks to which they have connected before. This makes it easy for the network to connect to a rogue device that is acting as an SSL proxy, decrypting and re-encrypting traffic and recording everything that passes through. Hence, the network falls prey to a “man in the middle” attack.
Application development should also be evaluated when securing mobile applications. All too often, the only thing identifying an incoming access request as a legitimate mobile application is a developer key. When the requests come in, there's no way to identify the user. Developer keys are often used by organizations that allow outside applications to access their data through a published Application Programming Interface (API). This is just one of many security elements that will need to be addressed when trying to secure mobile applications.
A partial list of necessary measures that an agency must take to make the mobile application more secure includes:


  • Ensure that the registration and activation process is robust.
  • Enable user authentication – use strong passcodes and implement account lockout.
  • Ensure that two-factor authentication is enabled.
  • Avoid storing sensitive data on the device.
  • Enable permanent deletion of user data.
  • Avoid insecurely transmitting sensitive user data over WiFi networks.
  • Ensure that the most robust version of SSL is correctly implemented and enforced.
  • Ensure that the application will be able to prevent Web framing, hijacking and related attacks.
  • Address platform security risks, including keychain on iPhone (option to store passwords).
  • Maintain security of the backend APIs (services) and the platform (server).
  • Ensure secure distribution and provisioning of mobile applications.
The bottom line is to be vigilant in all areas of mobile application security, including vulnerabilities, and to conduct the necessary research before outlining a mobile defense strategy. Seek professional help from certified vendors where needed. As government agencies advance in their use of information technology, they cannot expect their security departments to be full of experts in every area, especially in this new era of mobility.
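The developer-key weakness described above, shown from the backend's side as an added example (not code from the article or any vendor): the API accepts a request only when a known developer key is accompanied by a signed, expiring token issued to an authenticated user. The key value, secret, token layout and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example only.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
DEVELOPER_KEYS = {"devkey-demo-app-1": "demo-mobile-app"}  # developer key -> app
TOKEN_TTL = 900  # seconds a user token stays valid


def sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the token body, base64url-encoded."""
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def issue_user_token(user: str, dev_key: str, now: float) -> str:
    """Called only after the user has authenticated; binds user, app and expiry."""
    body = json.dumps({"sub": user, "app": DEVELOPER_KEYS[dev_key],
                       "exp": int(now) + TOKEN_TTL}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + sign(body).decode()


def authorize(dev_key, token, now):
    """Return (allowed, user_or_reason). A developer key alone is never enough."""
    app = DEVELOPER_KEYS.get(dev_key)
    if app is None:
        return False, "unknown developer key"
    if not token or "." not in token:
        return False, "no user token: app identified, user unknown"
    body_b64, sig = token.rsplit(".", 1)
    try:
        body = base64.urlsafe_b64decode(body_b64.encode())
    except ValueError:
        return False, "malformed token"
    # Constant-time comparison; claims are parsed only after the MAC checks out.
    if not hmac.compare_digest(sign(body), sig.encode()):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["app"] != app:
        return False, "token issued to a different app"
    if claims["exp"] < now:
        return False, "token expired"
    return True, claims["sub"]


if __name__ == "__main__":
    key = "devkey-demo-app-1"
    print(authorize(key, None, 1000))            # key only: rejected
    tok = issue_user_token("alice", key, 1000)
    print(authorize(key, tok, 1001))             # key + valid user token
    print(authorize(key, tok, 1000 + 901))       # same token after expiry
```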


6 steps to secure mobile access

The growing use of mobile devices creates new challenges in authenticating the identity of government workers accessing online resources. A new cloud-based offering is intended to provide multi-factor mobile authentication as a service (MAaaS) for agencies.


The heart of the solution is the IdentityX authentication platform from Daon Solutions, hosted on the cloud provided by CGI Federal Inc., which earlier this year received FedRAMP approval.
Because the remote device is an untrusted platform, it is used only for collection and delivery of data, and authentication takes place on the IdentityX server. Exchange of data between devices and the cloud is accelerated and secured by Akamai Technologies Inc.’s content delivery services. Agencies can customize access control policies to require up to six factors of user authentication, depending on the sensitivity of the resources being accessed.
The system also supports X.509 digital certificates derived from Common Access Cards or Personal Identity Verification cards to authenticate the mobile device. These secondary CAC or PIV certificates are bound to the device when it is enrolled in the service.
When accessing a government system, the user navigates to the system’s portal on the browser of the mobile device, which can be a smart phone, tablet or laptop. The steps to authentication:
1. The user begins the log-in process on the government site with a user name and password. At this point the hardware device can be authenticated using the X.509 certificate.
2. The request is passed to the IdentityX server in the CGI cloud, which contains agency access policies for the application. Based on these policies, the server sends a request to the device for the appropriate additional authentication factors. These factors can include:
  • PIN
  • Signature
  • GPS location
  • Fingerprint
  • Palm print
  • Facial image
  • Speech recognition
3. Using the camera, microphone or other features of the device, the user sends the factors to the IdentityX server.
4. To reduce latency, the Akamai content delivery service encrypts and transmits data and responses between its edge servers and the CGI cloud.
5. IdentityX authenticates the response against data stored in the system. If it matches, the device is redirected to the system portal to complete log-in.
6. Once identity is verified, authorization to access resources is granted by the agency based on local access policies.
Mobile authentication as a service, or MAaaS, is available now and CGI is in discussion with several agencies.
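A sketch of the server-side decision in steps 2 and 5, as an added example that is not IdentityX or CGI code: policy picks the factors from the resource's sensitivity, the device only submits data, and the server checks each factor against enrolled data, failing closed on anything it cannot verify. The policy table, function names, PIN hashing parameters and geofence radius are assumptions; only PIN and GPS verifiers are implemented.

```python
import hashlib
import hmac
import math

# Constructed agency policy: resource sensitivity -> factors the server demands.
POLICY = {
    "low": ["pin"],
    "moderate": ["pin", "gps"],
    "high": ["pin", "gps", "fingerprint"],
}


def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(pin, salt, site_lat, site_lon, radius_km):
    """Data stored on the server at enrolment (the PIN is kept only as a hash)."""
    return {"salt": salt, "pin": pin_hash(pin, salt),
            "site": (site_lat, site_lon), "radius_km": radius_km}


def distance_km(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def check_pin(record, value):
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(record["pin"], pin_hash(str(value), record["salt"]))


def check_gps(record, value):
    return distance_km(record["site"], tuple(value)) <= record["radius_km"]


VERIFIERS = {"pin": check_pin, "gps": check_gps}


def authenticate(record, sensitivity, submitted):
    """Return (ok, failed_factors); every factor the policy names must verify."""
    failed = []
    for factor in POLICY[sensitivity]:
        verifier = VERIFIERS.get(factor)
        # Fail closed: no verifier, no submission, or a mismatch all count as failure.
        if (verifier is None or factor not in submitted
                or not verifier(record, submitted[factor])):
            failed.append(factor)
    return (not failed, failed)


if __name__ == "__main__":
    # Constructed enrolment: PIN 4821, allowed within 5 km of a sample site.
    rec = enroll("4821", b"constructed-salt", 38.8977, -77.0365, 5.0)
    print(authenticate(rec, "moderate", {"pin": "4821", "gps": (38.90, -77.03)}))
    print(authenticate(rec, "moderate", {"pin": "4821", "gps": (40.7128, -74.0060)}))
    print(authenticate(rec, "high", {"pin": "4821", "gps": (38.90, -77.03)}))
```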

IEEE wants mobile devices to be more repairable

In the early days of computers, if systems engineers wanted to fix something, that’s exactly what they did. They looked through the manual of operating specifications, broke out the soldering iron and fixed a connection on a circuit board or other component — although they probably didn’t have to break it out, as it was probably still on the workbench from the last time.
With mobile devices, the commonly accepted way to “fix” them is to replace them. The market research firm IDC has predicted that vendors will ship more than 1.7 billion mobile phones in 2013, and that number will only grow. In fact, the number of mobile phones is expected to exceed the number of people in the world by next year.
Considering the disposal rate of old phones, the environmental impact is staggering, especially considering that used phones are not always recycled or donated.
The Institute of Electrical and Electronics Engineers wants to address this issue, effectively by adding “repair” to the environmental mantra, “Reduce, reuse, recycle.”
According to Kyle Wiens, IEEE member and CEO of iFixit, developers could make a huge difference with some basic changes. “Regardless of size, there are numerous design features that manufacturers can use to improve the repairability of their products,” Wiens said. “Simple things like utilizing [accessible] cases, using screws rather than adhesives, and providing easy access to parts that are most likely to break, like screens, greatly improve the repairability of cell phones and significantly extend their life.” He urged designers to build in sustainable features, “not only to make them last longer but to help promote a more sustainable and environmentally friendly future.”
By taking steps to make mobile devices more repairable, manufacturers could not only have a positive impact on the environment -- but also on their corporate images. But will they do it? My guess is probably not, since the upgrade cycle of mobile devices seems to be a big part of profits.
On the other hand, agency admins already worried about securely managing a growing number of mobile devices might find “disposable” phones a blessing. Devices that are easily taken apart and put back together with a screwdriver might make them easy for a hacker to modify, creating an entirely new front of cybersecurity worries. So manufacturers of mobile devices will have to keep this in mind when creating any user-serviceable areas. It shouldn't prevent the IEEE's dream from taking form entirely, but it will likely slow the pace of improvements.
And the idea of making phones that last longer is still a good one. The Federal Communications Commission recently proposed that users should be able to switch carriers without getting a new phone. That would save people money, but it would also help the environment, since it would prevent (or at least delay) a lot of phones from being thrown out.

How to use Excel for on-the-spot analytics

At Microsoft’s recent U.S. Public Sector Federal Executive Forum, Ted Malone, federal platform specialist for Microsoft, demonstrated how the Excel spreadsheet application along with add-ons such as PowerPivot and GeoFlow could be used to gather data from disparate sources and combine it with geo location and mapping capabilities to deliver timely information to emergency response teams.
Malone drew a scenario of how weather forecast information about potential rainfall in low-lying coastal areas during Hurricane Sandy — which affected the entire U.S. eastern seaboard in October 2012 — could be combined with demographic census data and used to evacuate elderly people (70 years and older) from those low-lying areas in the path of the storm.
The demonstration involved pulling U.S. Geological Survey flood information, Census Bureau text-based demographic information and weather forecasting data generated by the National Oceanic Atmospheric Administration. After pulling this information from disparate databases and visually displaying it, Malone overlaid mapping and geographical data to visually show a map of population density and identify people over 70 in at-risk areas.
“What we are trying to show is that big data analytics [requires] many steps,” pulling different types of data from multiple sources, Malone said. Microsoft’s view is that users need a familiar, ubiquitous tool that provides compelling visualization, he said.
The following slides provide an example of how Excel and its add-on components can aid users in deriving meaningful insight from their data.
Data mashups
Data is brought together from multiple sources in PowerPivot, a data mashup and exploration tool that comes packaged with Excel 2013 and is available as a free download for Excel 2010. The demographic data is from the Census Bureau, stored in a series of text files and processed by Apache Hadoop/Hive. The age group information is stored in Microsoft SQL Server in a relational table, and the relationships are drawn between the Hadoop data and SQL Server data in PowerPivot. The rainfall data is geocoded information from NOAA and is also stored in SQL Server. The state’s Federal Information Processing System code data lives in the Microsoft Azure Data Marketplace and is used to provide flood plain data and geolocate the Census data.
 
Visual view
This population density visualization of Census data uses Bing maps and GeoFlow, a free add-in for Excel 2013 that lets users plot geographic and temporal data visually, analyze that data in 3D and create interactive tours to share the data with others.

At risk areas
Age demographic data is overlaid on the population density data, focusing on the elderly population. Next, rainfall prediction data and  flood plain information (the blue circles) are added to the map to show the elderly population living in low-lying areas with high rainfall. This visualization represents the “at risk” areas where emergency management officials will likely need to deploy assistance for evacuations.

Educational games are getting contagious







Do you think you have what it takes to stop a plague in its tracks? The Centers for Disease Control and Prevention has released an iPad app called “Solve the Outbreak” that lets players take on the role of a disease detective sent by the CDC to take control of an outbreak scenario.
In real life, new outbreaks happen every day, and the CDC sends out its investigators to determine the causes, so treatment can be initiated. The game rates how well players handle the fictitious situation and is designed to help the public learn about what the CDC does on a daily basis.
The CDC’s interest in games doesn’t include just making its own. The agency has also taken an interest in Plague, Inc. -- a tablet game where players try to create and spread a deadly disease -- and has even asked the game’s creator to speak at the CDC offices.
Using games and mobile apps to help educate the public about government activities has become increasingly popular. One example is “America’s Army,” which has even been made into interactive books and comic books.
At the Massachusetts Institute of Technology, researchers are using a “Tron”-like game to find ways of improving network security. Muzzy Lane Software has a game designed to teach people how government works. And the European Space Agency is using a game to help improve its software for controlling robotic space flights.
Would-be disease detectives can download the app at the iTunes store and maybe save us from a plague or two.

Better than a password? Write with your finger.

A big part of any bring your own device strategy involves letting users access secure work data and apps from their personal mobile devices, something that often proves to be easier said than done.
As we have learned, over a third of mobile users don’t even use a simple password to protect their devices. They certainly wouldn’t want to have to memorize a long complex string of letters, numbers and special characters just to get access to it. Many network administrators have decided to use some sort of secure container for work-related activity, but users are still left with the hard-to-remember password. And passwords have the innate problem that someone looking over your shoulder can probably replicate them. Gaining access by “shoulder surfing” someone entering his password is an even greater potential problem on mobile devices, which are usually out in public where anyone can see what’s being typed.
At this point the IT department is looking for a compromise between increased security and usability. But why not have both? Secure Gesture from mobile security solutions firm Fixmo is not only easy to set up and use, but it is actually more secure than passwords.
Secure Gesture, which is powered by Lockheed Martin’s Mandrake Secure Gesture technology, replaces the password with a touch-screen gesture that the user creates, which could be signing their initials, drawing a symbol or anything the user can think of. It works with Apple iOS and Android devices.

A user can train the software in the unique gesture in under a minute. A series of tests ensures that the software recognizes the gesture and that the user performs the gesture consistently. For example, a gesture could consist of the user writing his initials and drawing a line under them from right to left. But if the line is drawn from left to right, the log-in fails. Once the gesture is set consistently, the user can use it to enter the Fixmo SafeZone or another third-party secure container.
This protection is more secure than a password because the gesture is nearly impossible for another user to duplicate. Fixmo keeps track of not only the position of the finger as it traces the path but also the speed at which it is done. According to the company it is seven times as secure as a random 14-character alphanumeric password. And of course, it completely nullifies the danger of shoulder surfing.
Secure Gesture's unique biometric authentication could be what government agencies need to keep their work data safe on user-supplied commercial devices. To see it in action, check out this video.
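To make the position-plus-speed idea concrete, here is an added example that is not Fixmo's or Lockheed Martin's algorithm: a minimal matcher that resamples a touch trace evenly in time, so stroke order and pacing both affect the comparison, and then checks path error and overall duration. The traces, thresholds and function names are constructed assumptions.

```python
import math

N = 32  # points per resampled trace

# Constructed traces of (seconds, x, y): a "V" followed by an underline.
TEMPLATE = [(0.00, 100, 100), (0.15, 130, 160), (0.30, 160, 100),
            (0.50, 180, 180), (0.80, 80, 180)]          # underline right-to-left
GOOD = [(0.00, 102, 101), (0.16, 131, 158), (0.31, 161, 102),
        (0.52, 179, 181), (0.82, 81, 179)]              # same user, small jitter
REVERSED = [(0.00, 100, 100), (0.15, 130, 160), (0.30, 160, 100),
            (0.50, 80, 180), (0.80, 180, 180)]          # underline left-to-right
SLOW = [(t * 3, x, y) for t, x, y in TEMPLATE]          # right shape, traced slowly


def resample(trace, n=N):
    """Linearly interpolate a trace at n evenly spaced times (needs >= 2 samples)."""
    t0, t1 = trace[0][0], trace[-1][0]
    out, j = [], 0
    for i in range(n):
        t = t0 + (t1 - t0) * i / (n - 1)
        while j < len(trace) - 2 and trace[j + 1][0] < t:
            j += 1
        (ta, xa, ya), (tb, xb, yb) = trace[j], trace[j + 1]
        f = 0.0 if tb == ta else (t - ta) / (tb - ta)
        out.append((xa + f * (xb - xa), ya + f * (yb - ya)))
    return out


def normalise(points):
    """Centre on the centroid and scale by the larger bounding-box side."""
    cx = sum(p[0] for p in points) / len(points)
    cy = sum(p[1] for p in points) / len(points)
    w = max(p[0] for p in points) - min(p[0] for p in points)
    h = max(p[1] for p in points) - min(p[1] for p in points)
    s = max(w, h) or 1.0
    return [((x - cx) / s, (y - cy) / s) for x, y in points]


def matches(template, attempt, max_path_err=0.12, max_speed_ratio=1.5):
    """Accept only if the time-aligned path and the overall speed both agree."""
    tp, ap = normalise(resample(template)), normalise(resample(attempt))
    path_err = sum(math.dist(a, b) for a, b in zip(tp, ap)) / N
    td = template[-1][0] - template[0][0]
    ad = attempt[-1][0] - attempt[0][0]
    ratio = max(td, ad) / max(min(td, ad), 1e-9)
    return path_err <= max_path_err and ratio <= max_speed_ratio


if __name__ == "__main__":
    for name, trace in (("good", GOOD), ("reversed", REVERSED), ("slow", SLOW)):
        print(name, matches(TEMPLATE, trace))
```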