How HHS is Improving Mobile Security
Best practices include multi-factor authentication and a ‘least-privileged’ model of managing mobile functions and protecting data.

As federal agencies adopt more mobile devices and ways of operating, government security officials are looking to least-privileged and multi-factor authentication methods of cybersecurity to ensure data protection on mobile phones.
Health and Human Services Office of the Secretary CISO Kamran Khaliq spoke on the unique data protection challenges that come with mobile devices during an FCW virtual event Wednesday. One of these challenges is the variety of sensors on mobile devices, which collect information such as camera, motion, location, acoustic or mechanical data.
Because mobile devices collect all this sensor data that can be shared with different apps and other devices, Khaliq said approaching data security from a “least-privileged” model is critical.
“The intent of that app is to either publish or post or track or monitor something in a business function,” Khaliq said. “If you can minimize the access of that app to only address those particular areas, that would be really the path in terms of managing the least-privileged functions to securely use the apps at the enterprise.”
This model also provides guardrails for mobile device users amid potential dangers of downloading malicious apps or security threats in mobile software development.
“Understanding the purpose of [an] app and using the app, following the least-privileged model, is really going to be the path to ensure that we securely are able to do mobile processing, mobile computing in an enterprise or corporate environment,” Khaliq said.
While instituting least-privileged policies can be a challenge, Khaliq said that mobile device and phone manufacturers have started incorporating more granular limitations on data access to certain apps, enabling users to decide which types of data each app can access.
“This granularity, I think, was greatly needed to limit the function of what the app can access and, in turn, the mobile device management at the enterprise is also consumed and started leveraging a lot of these control functions to limit and protect these mobile devices at the enterprise,” Khaliq said.
As agencies embrace zero trust architecture and approaches to security, especially amid the spring executive order to strengthen federal cybersecurity, Khaliq is also looking to strong identity and authentication as part of mobile device security.
The strong identity component, Khaliq said, is based in the supply chain: building an understanding of which devices in the supply chain can be trusted. From the identity and access management perspective, it's about ensuring that the enterprise has strong authentication, appropriate access controls and full and complete auditing to ensure security on devices.
Khaliq also advocated for multi-factor authentication adoption as a critical way to protect mobile data amid any security gaps that may come with any given device or app. Multi-factor authentication, Khaliq said, is helpful especially in this age of edge computing.
“Another big area that I think a lot of applications are starting to support, especially at the enterprise level, is really to have multi-factor authentication, especially at the edge,” Khaliq said. “There are a plethora of different authenticators out there, different types of authentication mechanisms, but having that two-factor in place to protect the mobile apps is really, really needed to mitigate a lot of the security shortfalls on some of these apps.”