Secure Use of Portable Devices
Portable devices such as laptops, Personal Digital Assistants (PDAs), Blackberries, iPhones, Droids, and other smart phones that now include functions such as Internet and email have become indispensable tools for conducting business in today's highly mobile society. However, they present significant challenges for the protection of classified and other sensitive information. This discussion of portable devices is in three parts:
Government Rules for Use of Wireless Devices
Security measures for portable devices depend, in part, on the classification or sensitivity of the information on these devices. Access via portable devices to classified information on classified networks such as DoD's SIPRNet (Secret Internet Protocol Router Network) and JWICS (Joint Worldwide Intelligence Communications System) or the Intelligence Community's Intellipedia is discouraged to the extent possible. It is required, however, for some senior military and civilian officials who have bona fide requirements for 24-hour access to secure electronic or voice communication or otherwise require the capability to process classified information in a mobile environment in order to accomplish their mission.
This requirement to access classified information through a portable device is met by a special type of smartphone, similar to a BlackBerry, that is certified for classified electronic or voice communications up to the TOP SECRET/SCI level. It is called a Secure Mobile Environment Portable Electronic Device, or a SME PED for short. Like any classified information, the SME PED must be kept under physical control or locked in a secure area at all times.
The Department of Defense has a separate sensitive but unclassified network called the NIPRNet, short for Non-classified Internet Protocol Router Network. It is used to support a wide range of sensitive but unclassified military activities. At military installations it also provides military users with a gateway to the public Internet.
Department of Defense policy dated July 2007 requires the encryption of all data that has not been officially approved for public release that "is stored on mobile computing devices such as laptops and personal digital assistants (PDAs), or removable storage media such as thumb drives and compact discs."1 This policy "applies to all DoD components and their supporting commercial contractors that process sensitive DoD information."1 A subsequent Defense Information Systems Agency paper clarified a number of questions about this policy.2
Virtual Private Network
Many people need a secure channel to their office network when working from home, out in the field on business, or traveling on temporary duty. Organizations that handle sensitive information often have what is called a virtual private network (VPN) that enables secure wireless communication to and from the office from anywhere in the world. A VPN works by using the shared public Internet while creating a secure "tunnel" that is comparable to a dedicated telephone land line. Data sent through this "tunnel" cannot be accessed or modified by anyone who doesn't possess the secret key. Additional common security measures include encrypting the data and multi-factor authentication of users of this system.
A VPN can be accessed remotely from one's home desktop computer or by laptop from a wireless connection. Government regulations require that anyone accessing a government VPN must use a government-owned computer that is used only for government business. The government can then ensure that the computer has the appropriate configuration with all the appropriate security settings.
Other Wireless Communications
Many airport waiting areas, hotels, coffee shops, restaurants, pubs, community centers, and other public locations provide wireless access points where it is convenient to send or receive email or surf the Internet. You need to know that providers of this service are not responsible for ensuring the security of this wireless network. Eavesdroppers and hackers hang out around these locations looking for access to any computer that is not protected with a firewall, strong passwords, and encryption.
The various mobile devices can, if so desired, be obtained with encryption capability, and this is recommended. Some publicly available email services support encryption if properly configured. Government organizations and many defense industry businesses require encryption for access to their network, and many security-conscious organizations provide their own communications devices to those personnel who need remote access. This ensures that the devices have appropriate encryption and security software with proper settings.
Many frequent users of portable devices set up a wireless home network. For information about such networks, see Secure Use of Personal Computer.
Related Topics: Risks During Foreign Travel