The bring-your-own-device (BYOD) trend has become so pervasive that it's almost shocking to consider that just a couple of years ago, the idea of employees using their personal smartphones or other devices for work was still controversial. In some segments -- particularly government -- it still is. But a new product from SafeLogic, which allows developers to "drop in" compliance with a key government cryptography standard, aims to change that.
While BYOD has brought consumer devices, mobile apps, and cloud services into almost every workplace, there are pockets of the workforce where BYOD has run up against formidable challenges. Often this is in regulated industries that require specific security and privacy standards. When technologies that don't measure up are used in these industries, regulators can impose big penalties.
One of the biggest regulated industries is health care, where the key regulations center around the data security and privacy standards set forth by the HIPAA laws that were enacted in 1996 and updated earlier this year. Finance is another industry that often finds itself bound by similar requirements for data security, client privacy, and information-sharing regulations.
But the most regulated and security-focused arena is government itself. Virtually all federal agencies, military units, and government contractors are required to adhere to strict data-security regulations, and one of the chief security benchmarks for government agencies in both the U.S. and Canada is FIPS 140-2 validation, administered through the Cryptographic Module Validation Program (CMVP) that NIST runs jointly with Canada's Communications Security Establishment.
FIPS validation is generally required of any technology that uses cryptography to access government resources or to store or transmit government data: federal agencies must protect sensitive but unclassified information with validated cryptographic modules. Cryptography, which uses algorithms to encrypt data so that it is unreadable except by the intended recipient (be that a device, person, or app), is the bedrock that secure Wi-Fi networks, VPNs, on-device secure containers, and whole-device encryption are built on.
The FIPS validation process creates a range of challenges in today's mobile landscape. First is the validation process itself, which requires that a technology vendor create or use cryptographic modules that meet the standard. Cryptographic modules can include hardware encryption technologies, or software libraries used by an OS or installed apps. Achieving validation can take longer than a year. The validation attaches to a specific build of the module, so any time a validated module is altered, such as in a new version of an OS or of the software libraries used by an app, the validation process needs to be repeated in whole or in part. The cost of the validation process can easily reach tens of thousands of dollars.
Given that mobile platforms are generally updated at least once a year, by the time a vendor achieves validation, that validation might already be out of date and the process may need to be started all over.
That's a huge problem for mobile app developers and vendors like Apple and Samsung. In fact, these validation requirements are one of the reasons that BlackBerry devices remained the undisputed mobile technology of choice in government for so long -- even after many private-sector organizations have transitioned to iPhones or Android phones.
Given the Obama administration's push for all federal agencies to become more mobile and use up-to-date technologies, including BYOD and remote work programs, this creates a certain tension and challenge for federal IT leaders. While there are circumstances in which FIPS requirements can be overruled or worked around, the general rule for agencies is to stay within them. When the Department of Veterans Affairs decided last year to deploy iPads in hospitals and other facilities even though iOS did not yet hold a FIPS 140-2 validation, it prompted Senator Jon Kyl of Arizona to ask the VA Office of Inspector General to investigate the decision and its legality. For government contractors, there's an even greater impetus to stay within the confines of FIPS validation because non-compliance could result in loss of government contracts.
How SafeLogic could help
Aiming to help remedy the situation is SafeLogic, which launched its CryptoComply solution and RapidCert service on Wednesday. CryptoComply is a multi-platform binary that developers can license and use for data encryption within their solutions. The product can be used as an alternative set of encryption tools to those included as part of an OS that is not yet FIPS-validated. Supported platforms include both iOS and Android, as well as Windows Server, Red Hat Enterprise Linux, SUSE Enterprise, CentOS, and Apple's OS X Server.
By using CryptoComply, developers can achieve FIPS validation of their products in an accelerated time frame because the underlying code and APIs are already validated. This leads to what SafeLogic calls "drop-in compliance." One caveat applies to any validated module, CryptoComply included: the validation covers the module binary as delivered and the Approved mode of operation described in its security policy, so the application must call the module only through that mode, using only Approved algorithms, and must not modify the binary; otherwise the validation does not extend to it. If an enterprise developer or a government contractor (or even developers working on apps intended for public distribution in the iOS App Store or Google Play) requires FIPS validation in their company's name, SafeLogic's RapidCert program can assist them in receiving it through a much faster and more cost-effective process.
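What "drop-in" does not remove is the integrating developer's own start-up discipline. The following is an added example, not SafeLogic's code and not CryptoComply's API (the page shows no API and none is assumed here). It models, in plain Python, the three checks a FIPS 140-2 module performs and that an app should confirm before trusting it: a software integrity test pinning the exact validated binary, power-up known-answer tests against published vectors (FIPS 180-4 SHA-256 of "abc", RFC 4231 HMAC test case 2), and an Approved-mode gate that refuses non-Approved algorithms. The module file name, its expected digest, and the `FipsModuleError` error state are assumptions made for the example.

```python
"""Start-up gate for an app that links a FIPS 140-2 validated module.

Added illustration, not SafeLogic/CryptoComply code. Checks run in the
order FIPS 140-2 prescribes: integrity test, then known-answer self
tests, then service. Any failure puts the gate in an error state.
"""
import hashlib
import hmac
import os
import tempfile

# Allow-list of Approved digest primitives this wrapper will expose.
# MD5, RC4 and similar stay unreachable even though hashlib has them.
APPROVED_DIGESTS = {"sha224", "sha256", "sha384", "sha512"}

# Published known-answer vectors (FIPS 180-4 and RFC 4231 test case 2).
KAT_SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
KAT_HMAC_SHA256_JEFE = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


class FipsModuleError(RuntimeError):
    """Assumed error state: a real module stops serving requests here."""


def integrity_check(module_path, expected_sha256):
    """Software integrity test: the certificate covers one exact binary,
    so refuse to run if the on-disk module differs from that build."""
    h = hashlib.sha256()
    with open(module_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), expected_sha256):
        raise FipsModuleError("module binary does not match validated build")
    return True


def power_up_self_tests():
    """Known-answer tests: compute each Approved primitive on a fixed input
    and compare with the published answer before any application use."""
    if hashlib.sha256(b"abc").hexdigest() != KAT_SHA256_ABC:
        raise FipsModuleError("SHA-256 KAT failed")
    mac = hmac.new(b"Jefe", b"what do ya want for nothing?", "sha256")
    if mac.hexdigest() != KAT_HMAC_SHA256_JEFE:
        raise FipsModuleError("HMAC-SHA-256 KAT failed")
    return True


def approved_digest(algorithm, data):
    """Approved-mode entry point: only allow-listed algorithms are callable."""
    if algorithm not in APPROVED_DIGESTS:
        raise FipsModuleError(f"{algorithm} is not Approved in FIPS mode")
    return hashlib.new(algorithm, data).hexdigest()


def rejects(algorithm):
    """True if the Approved-mode gate refuses the named algorithm."""
    try:
        approved_digest(algorithm, b"probe")
    except FipsModuleError:
        return True
    return False


def start_module(module_path, expected_sha256):
    """Run the gate in FIPS order: integrity first, then KATs, then service."""
    integrity_check(module_path, expected_sha256)
    power_up_self_tests()
    return True


def demo_gate(tamper=False):
    """Build a constructed stand-in for the module binary (assumed name
    cryptocomply.so), optionally modify it, and report whether the gate
    accepts it. Returns True on acceptance, False on the error state."""
    content = b"constructed stand-in for cryptocomply.so"
    expected = hashlib.sha256(content).hexdigest()   # pinned at build time
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content + (b"\x00patched" if tamper else b""))
        path = tmp.name
    try:
        return start_module(path, expected)
    except FipsModuleError:
        return False
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("unmodified module accepted:", demo_gate())
    print("modified module accepted:", demo_gate(tamper=True))
    print("sha256 in Approved mode:", approved_digest("sha256", b"hello"))
    print("md5 rejected:", rejects("md5"))
```

In a real deployment the integrity test is performed by the module itself at load time, using a digest or HMAC embedded in the validated build; the caller-side pin shown here is the complement, catching the case the article warns about, where an updated OS or library silently replaces the validated binary with one the certificate no longer covers.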
SafeLogic's approach has the potential to help government agencies and contractors take fuller advantage of many of the trends transforming today's workplaces. The platform can help developers create FIPS-compliant internal enterprise apps and workflows designed for a specific agency or organization, business-to-business apps that are developed by contractors for agency use, and web apps and cloud solutions designed specifically for public-sector and government-contracted workforces. All of these advantages extend the mobile initiatives championed by the Obama administration and U.S. CIO Steve VanRoekel. In the process, they also help provide wider support for iOS and Android devices as well as cloud services among federal workers.
Even organizations outside of the government ecosystem can find value in SafeLogic's offerings because they provide a mechanism for integrating a range of encryption features with relative ease. That can make CryptoComply worthy of consideration for businesses in regulated industries as well as those that work with state or local governments (and those governments themselves). Being able to show FIPS validation demonstrates that the cryptographic module has been independently tested against the standard; it does not by itself make a solution secure, but it is a recognized benchmark in fields where security and/or privacy are mission-critical requirements like health care, legal, and finance.
At the end of the day, SafeLogic is about more than just developing mobile and cloud solutions for government workers. The company's focus illustrates an uneasy reality for many enterprise developers and IT professionals -- that new and innovative development and IT programs are increasingly needed to bridge the gap between consumerization in the enterprise and long-standing regulations and requirements that will exist in many fields for years to come.