When a government minister says to an incoming CIO, “I want to connect my iPad to the network”, the answer has to be yes, right?
That was the challenge facing Department of Sustainability, Environment, Water, Population and Communities (SEWPaC) CIO Al Blake, who was given just one week to fulfill the request.
“That was a big scary prospect because this was very very new, and anyone in government will know we’ve got a whole pile of security and other regulations and policies that we have to comply with,” Blake told the AusCERT information security conference yesterday.
The minister got his iPad, but only because it was owned, controlled and locked down by the government.
“It worked in that it locked down security … but the real concern was it worked when it was four or eight or 15 people. I was sitting there looking down the barrel of a gun saying, ‘We are never going to be able to contain this to eight or 10 or 15 people, at some point we’re going to have to make it available to everybody’, and we’ve got 2500 people.”
The concern became even more pressing, Blake said, when senior executives had been using their devices for some time.
“We gave out these carefully locked down devices to several senior managers with the normal instructions that these are departmental devices, are not to be used by other people, they’ve got to have password control and so on, and for one of them the screen broke because their daughter dropped it down the stairs watching a movie.
“Now why did we think that wouldn’t happen? Of course it’s going to happen,” Blake said.
“We had a BlackBerry option for the best part of six years and it worked well but my kids never wanted to borrow my BlackBerry.”
Realising the department’s desktop PC approach to testing, updating and patching every single device was soon going to become unsustainable, Blake set about looking for a solution.
“The elephant in the room was BYOD.”
Blake said the Department had a “radical rethink” of how to manage users and what it really wanted to protect.
“Do we care about your music collection? No we don’t.
“The thing we needed was that separation of the government data from the personal data. Once we had that separation a whole lot of things we were really worried about disappeared.”
The Department used an out-of-the-box option from secure mobility solutions vendor Good Technology to achieve the separation.
“Because we are using a secure container environment we’re not as bothered about what the device is because our security perimeter is no longer the device,” Blake said.
“This week we had the first person saying, ‘Can I connect my Windows Phone?’, and we thought about it for three minutes and said, ‘Yes’.”
The Department has also been able to cut back its user agreement from ten pages to one.
“We don’t allow jailbroken devices and we make it very very clear the only applications they can get support for are the ones in the sandbox. If you’re having problems with Angry Birds, talk to your mates.”
Good Technology CTO Nicko van Someren said there were many in the government sector who were still uncomfortable with government issues presented by BYOD, preferring to lock down devices and applications.
He said many early corporate BYOD policies were driven by the CEO being given an iPad for Christmas.
“Now of course everybody gets an iPad for Christmas … It’s hard to call something a proof of concept when you’re rolling it out to the CEO, the CFO, the COO, the CTO, the CMO. That’s not a proof of concept, that’s actually a full scale rollout.”
Van Someren said the challenge was to deliver executives an enterprise-secure user experience that mirrored that offered to consumer users of tablet devices.
“iOS makes it really easy to move data from one application to another, makes it really easy to replicate data or share data from one device user to another, and that’s all great from a consumer use point of view, but it’s a nightmare from a security point of view.
“But this is not a bug, this is a by-design feature … the user experience that that produces is actually a very nice one and users like it. What we want to do is be able to deliver that same user experience and have a seamless movement of information, but provide some controls around it.”
Blake said the Department, which now had 350 staff members using BYOD, was planning to add a number of third-party applications to the sandbox, and extend the functionality to file synchronisation.
Van Someren said the ability to allow BYOD users to not just open but also amend and share files and applications from third parties was becoming critical.