This article was originally printed in APCO’s PSC Communications Magazine, November/December 2015 Issue.
By the FirstNet CTO Devices Group
Recognizing that the public safety user community will demand support for personal devices on the nationwide public safety broadband network (NPSBN), FirstNet is taking steps to develop and implement an effective BYOD policy. The BYOD policy must provide adequate security and control of the device, while still providing an acceptable user experience when accessing the NPSBN. It must also operate in real time to analyze BYOD access and identify anomalies.
Throughout the course of our consultation and outreach efforts, including feedback on the Special Notice and Draft Request for Proposals (RFP) documents, many of our stakeholders have asked a recurring question:
“Will FirstNet allow personal devices on the NPSBN?”
This question tells us that many within the public safety community have personal smartphones that use commercial networks, and they are interested in accessing the NPSBN from their personal phones when the NPSBN is operational. In addition, many existing public safety devices are highly specialized and costly (such as the units used by emergency medical services teams) and could benefit first responders by working over the NPSBN, too.
To address these and other device scenarios, FirstNet is planning to support personal devices on the NPSBN through a BYOD policy that is being developed as part of the overall network architecture.
Like many commercial enterprises today, FirstNet is working toward an effective BYOD model that will enable public safety users to utilize the NPSBN under a number of scenarios, including:
- Personally Owned Devices: A public safety user would like to access his or her agency’s email and public safety applications on his or her personal smartphone or tablet while using the NPSBN. These users may be accessing the FirstNet band 14 or roaming to a commercial partner as coverage allows. A significant core public safety group in this category is the volunteer firefighter community, which represents a large percentage of all firefighters in the U.S.
- Agency Owned Legacy Devices: A public safety agency may own devices that are not part of the FirstNet-approved device portfolio that it wants to transition from its existing commercial broadband provider to the NPSBN. Some of these devices may be band 14-enabled, but most will require access to the NPSBN through other commercial partner bands.
- Devices Accessing FirstNet Service Through An Intermediate Connection: Public safety users may wish to use the NPSBN while using devices (such as smartphones, tablets, laptops or mobile data terminals) connected locally to an in-vehicle router or mobile Wi-Fi hotspot. These devices would connect to the NPSBN using an intermediate connection such as Ethernet, Wi-Fi or other commercial wireless networks. It is expected that all FirstNet-approved devices will be band 14-enabled, so any devices requiring an intermediate connection for NPSBN access will be supported under the FirstNet BYOD model. Many popular smartphone and tablet devices will likely fall under this BYOD scenario prior to their support of band 14.
In addition to the benefits of BYOD, there are also associated security risks concerning the sharing of information and loss of data on the device. For example, devices can be purchased that have malware in their software image or in preloaded applications (e.g., via distributors, integrators, etc.) without the individual’s knowledge, or through malware within downloaded applications before any enterprise security protection has been installed. With malware present on the device, FirstNet’s security solutions (e.g., encryption, credentials, and container products) can be circumvented.
To address security concerns, FirstNet is considering a range of technical services that can be used to support public safety users who wish to BYOD, including:
- Mobile Device Management/Mobile Application Management (MDM/MAM) that can help remotely secure, manage and support personally owned devices.
- Security container applications, where data is contained within a separate environment, can help to manage information flows between personal and public safety areas of a device. Container functionality is available within a range of MDM client applications as well as mobile OS platforms (such as Android Work in Android 5.0 Lollipop or the MDM updates in iOS 7.0) to support business security partitions.
- Device certification and carrier acceptance testing processes, designed in conjunction with our selected partner(s) that provide detailed analysis of a BYOD category or device type and identify weaknesses or concerns.
- Firewalls that prohibit the applications in the personal area of the device from reaching the network assets of the public safety area of the device.
However, these technical solutions still depend on the integrity of the underlying device and can affect its usability. An effective BYOD policy also needs to be enacted to guide these technical controls. For example, a policy should require all users to authenticate themselves with strong credentials before being given access to information on the NPSBN, require that all data stored in the security container area of the device be encrypted, and provide access only to necessary information. Striking the right balance between control and usability is important to encourage adoption and avoid potentially unsafe workarounds.
Lastly, as technology advances, an effective BYOD policy requires ongoing and active NPSBN and device technical support and expertise to manage a growing range of devices and operating systems.
Supporting BYOD is an increasingly important task for enterprise IT organizations in the commercial sector, and FirstNet will be able to take advantage of the extensive, constantly evolving process and platform developments in enterprise mobility management. The FirstNet BYOD policy can start with an enterprise model and be tailored as needed to meet the special mission critical and security requirements of a public safety network.
In summary, key attributes of an effective FirstNet BYOD policy might include the following:
- Providing support to local agencies to allow them to make the majority of BYOD decisions
- A convenient and user-friendly method to bring BYOD devices under MDM/MAM control
- Clear notifications to a user of any service access restrictions due to the limitations of the BYOD device configuration
- Proper balance between flexibility of device support and protecting the security of the NPSBN (for example, preventing access for jailbroken iOS or rooted Android devices)
- Effective management of public safety and personal applications and data on the device (for example, not allowing personal data to be wiped from a device when the device is removed from MDM control)
- Fast and effective MDM/MAM methods to isolate a BYOD device if it’s determined to have malware or to cause network issues (for example, excessive signaling traffic, security holes, etc.)
- The ability to determine if a BYOD device has been through formal device certification to ensure the device will not have an adverse effect on the band 14 network
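To make the policy attributes above concrete, here is an added example (not FirstNet's code or any MDM product's API) of a posture-based access decision of the kind an MDM/MAM integration would make: it quarantines devices flagged for malware or excessive signaling, denies rooted or jailbroken, unenrolled, unauthenticated or unencrypted devices, restricts uncertified devices to commercial partner bands, and returns the reasons so the user can be notified. The posture field set, the signaling threshold and the sample device reports are all constructed for illustration.

```python
"""Hypothetical BYOD device-posture policy; an added illustration, not FirstNet's own logic."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full NPSBN access, including band 14
    RESTRICT = "restrict"      # NPSBN service via commercial partner bands only
    DENY = "deny"              # refuse access until the device is brought into compliance
    QUARANTINE = "quarantine"  # isolate the device from NPSBN assets for investigation


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes an MDM/MAM agent might report (constructed field set)."""
    device_id: str
    mdm_enrolled: bool
    strong_auth: bool            # user authenticated with agency-issued strong credentials
    container_encrypted: bool    # data in the security container is encrypted at rest
    rooted_or_jailbroken: bool
    band14_certified: bool       # passed formal device certification
    malware_detected: bool
    signaling_per_min: int       # control-plane messages observed in the last minute


# Constructed threshold for "excessive signaling"; a real deployment would tune this.
SIGNALING_LIMIT_PER_MIN = 120


def evaluate(p: DevicePosture) -> tuple[Decision, list[str]]:
    """Return an access decision and the reasons to show the user (hypothetical policy)."""
    # 1. Isolate first: a compromised or misbehaving device must not reach NPSBN assets.
    if p.malware_detected:
        return Decision.QUARANTINE, ["malware detected on device"]
    if p.signaling_per_min > SIGNALING_LIMIT_PER_MIN:
        return Decision.QUARANTINE, [f"excessive signaling: {p.signaling_per_min}/min"]

    # 2. Hard compliance requirements; collect every failure so the user sees all of them.
    failures = []
    if p.rooted_or_jailbroken:
        failures.append("rooted or jailbroken device")
    if not p.mdm_enrolled:
        failures.append("device not under MDM/MAM control")
    if not p.strong_auth:
        failures.append("strong authentication required")
    if not p.container_encrypted:
        failures.append("security container must be encrypted")
    if failures:
        return Decision.DENY, failures

    # 3. Uncertified devices get NPSBN service only over commercial partner bands.
    if not p.band14_certified:
        return Decision.RESTRICT, ["not certified for band 14; commercial partner bands only"]

    return Decision.ALLOW, []


# Constructed sample posture reports, loosely matching the scenarios in the article.
SAMPLE_POSTURES = [
    DevicePosture("vol-ff-001", True, True, True, False, False, False, 8),    # personal phone
    DevicePosture("ems-legacy-7", True, True, True, False, True, False, 15),  # certified legacy unit
    DevicePosture("tablet-42", False, True, False, False, False, False, 5),   # never enrolled
    DevicePosture("rooted-9", True, True, True, True, True, False, 3),        # rooted handset
    DevicePosture("mdt-17", True, True, True, False, True, True, 400),        # malware and noisy
]


def evaluate_all(postures=SAMPLE_POSTURES) -> dict[str, str]:
    """Map each device_id to its decision value, for a quick posture sweep."""
    return {p.device_id: evaluate(p)[0].value for p in postures}


if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        decision, reasons = evaluate(p)
        print(f"{p.device_id:14} {decision.value:10} {'; '.join(reasons)}")
```

The ordering matters: isolation checks run before compliance checks so that a device already flagged as hostile is quarantined rather than merely told to re-enroll, and certification only narrows service (band 14 versus partner bands) rather than blocking it, which mirrors the distinction the article draws between approved and legacy devices.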