Mobile security for today’s police

For many years Credant Technologies has been working in the US to protect sensitive data at rest in hundreds of organisations. Now it is bringing its expertise to the UK’s police service. Paul Huntingdon explains…

The Government has mandated that all police officers spend less time back at the station completing paperwork and reports and more time policing – out on the beat.
To this extent there have been a number of initiatives, combined with a principal budget, to enable the police to invest in mobile technology. This takes the form of either handheld or vehicle-mounted devices, or in some cases both.
Of paramount importance is the security of the data that’s held on these devices, as it comprises people’s identities – names, addresses, driving licence numbers, insurance details, etc. While the police has its own network, it also has the requirement to connect back into the GCSx (Government Connect Secure Extranet), and to do this securely without compromising the security of the overall network and attached systems.
The majority of the devices being deployed are Microsoft-based, using Windows Mobile operating system (OS) – developed for handheld computers – plus some with earlier versions of Windows Mobile and Pocket PC. Although Windows Mobile does include encryption, it requires the users themselves to elect to switch it on to protect the data on the device.
This causes a police authority a problem as although it can say “this is what we’re going to do as a force”, it can only issue manual instructions and ask for the users to comply, allowing room for potential error.
The Government department responsible for standards in data security, CESG (the information assurance (IA) arm of GCHQ and the Government’s national technical authority for IA, has deemed the operating system alone as not suitable for operation with restricted data, and made the recommendation that appropriately-accredited, after-market, centrally-managed additional security software should also be used.
Credant Technologies’ Credant Mobile Guardian (CMG) holds CESG accreditations, which allow it to work at confidential data levels up to Impact Level 4, enabling police authorities to comply with, among other things, the requirements of the GCSx Code of Connection (CoCo), designed to connect one accredited network to another. CMG also holds Common Criteria (EAL3) accreditation and FIPS 140-2, which is the standard required by US federal and other public sector implementations.
The design and capabilities of CMG lends itself ideally to what police authorities, and others, need to do. It has a strong focus on mobile devices, ie, handhelds of all types, which makes it ideally suited for deployment by the police, using the typical mix of devices seen in their environments.
Being centrally-managed, it allows a police authority at county level to define a central policy for all its handheld devices – based around the role of the intended user – publish it and be secure in the knowledge that all data held remotely on the devices complies with the central policy and is encrypted to predefined standards.
The police officer (or other end user), doesn’t have to make a personal decision about whether, let alone how, a piece of data is protected because they can’t turn it off or bypass it. To them, it’s seamless; it doesn’t require them to do anything they wouldn’t otherwise do, and importantly, it doesn’t slow down the device.
CMG doesn’t interfere with any other functions carried out by the device, such as running other applications and attaching a bluetooth printer or a mobile finger print reader. It co-exists and interoperates, securing the data quietly in the background.
Deployment
CMG has been rolled out by a number of police authorities and it is also being deployed as part of a nationwide mobile fingerprinting initiative, with Credant involving regional police authorities across the UK with the technology and its capabilities, and hopefully opening the door to other possible deployments.