How HHS is Improving Mobile Security
Best practices include multi-factor authentication and a ‘least-privileged’ model of managing mobile functions and protecting data.

As federal agencies adopt more mobile devices and mobile ways of operating, government security officials are looking to least-privileged access models and multi-factor authentication to ensure data protection on mobile phones.
Health and Human Services Office of the Secretary CISO Kamran Khaliq spoke on the unique data protection challenges that come with mobile devices during an FCW virtual event Wednesday. One of these obstacles is the variety of sensors on mobile devices that collect information such as camera, motion, location, acoustic or mechanical data.
Because mobile devices collect all this sensor data that can be shared with different apps and other devices, Khaliq said approaching data security from a “least-privileged” model is critical.
“The intent of that app is to either publish or post or track or monitor something in a business function,” Khaliq said. “If you can minimize the access of that app to only address those particular areas, that would be really the path in terms of managing the least-privileged functions to securely use the apps at the enterprise.”
This model also provides guardrails for mobile device users amid potential dangers of downloading malicious apps or security threats in mobile software development.
“Understanding the purpose of [an] app and using the app, following the least-privileged model, is really going to be the path to ensure that we securely are able to do mobile processing, mobile computing in an enterprise or corporate environment,” Khaliq said.
While instituting least-privileged policies can be a challenge, Khaliq said that mobile device and phone manufacturers have started incorporating more granular limitations on data access to certain apps, enabling users to decide which types of data each app can access.
“This granularity, I think, was greatly needed to limit the function of what the app can access and, in turn, the mobile device management at the enterprise is also consumed and started leveraging a lot of these control functions to limit and protect these mobile devices at the enterprise,” Khaliq said.
As agencies embrace zero trust architecture and approaches to security, especially amid the spring executive order to strengthen federal cybersecurity, Khaliq is also looking to strong identity and authentication as part of mobile device security.
The strong identity component, Khaliq said, is based in the supply chain, in building an understanding of which devices in the supply chain can be trusted. From the identity and access management perspective, it is about ensuring that the enterprise has strong authentication, appropriate access controls and full and complete auditing to ensure security on devices.
Khaliq also advocated for multi-factor authentication adoption as a critical way to protect mobile data amid any security gaps that may come with any given device or app. Multi-factor authentication, Khaliq said, is especially helpful in this age of edge computing.
“Another big area that I think a lot of applications are starting to support, especially at the enterprise level, is really have multi-factor authentication, especially at the edge,” Khaliq said. “There are a plethora of different authenticators out there, different types of authentication mechanisms, but having that two-factor in place to protect the mobile apps is really, really needed to mitigate a lot of the security shortfalls on some of these apps.”