Secure mobile working in public authorities – including for confidentiality level VS-NfD
Published on 9 July 2020
Mobile workstations for public authorities? Just a few weeks ago, this would have been unthinkable for some organisations. Now it is clear: anyone who wants to maintain their agency's operational capability can no longer avoid remote work. When setting up mobile workplaces, IT security and organisation-specific requirements should remain the top priorities.
Flexible Yet Secure
Mobile working offers public authorities a high degree of flexibility, but it also brings a variety of IT security requirements and calls for organisation-specific solutions. This is especially true when handling information that is subject to confidentiality or classified at a specific security level.
Remote solutions should also comply with all organisational security requirements, just like regular workplaces in public authorities. While video conferencing, cloud applications and mobile devices offer clear advantages for decentralised collaboration, they also represent potential entry points for attacks by cybercriminals.
In May 2020, the Berlin Commissioner for Data Protection and Freedom of Information Maja Smoltczyk warned that the use of digital communication tools within and between the administrative units of the capital was becoming increasingly unregulated, thereby endangering the security of citizens’ data – simply because secure alternatives were lacking. Due to the crisis, services and software were being used that were “insecure and unacceptable from a data protection perspective.” She warned that the current exceptional situation could lead to the continued use of “such questionable services”, potentially resulting in a “reduction of data protection standards.”
In many organisations, staff are required to use their personal devices for mobile work because the employer cannot provide a sufficient number of official devices. However, private devices are often outdated, routers insecure, and Wi-Fi connections inadequately protected. If, in addition, classified information up to the level of VS-NfD (for official use only) is to be processed on the move, complexity and protection requirements increase significantly.
Given the highly diverse usage and security requirements, there can be no ‘one-size-fits-all’ solution for authorities. A good approach is to build measures for mobile working modularly and tailor them specifically to each intended use. If data up to and including the confidentiality level VS-NfD is to be processed, the solutions must be approved by the Federal Office for Information Security (BSI).
Modular solutions for every requirement
The following aspects in particular should be considered:
Secure Devices
In any case, the laptop must be secured. Some devices even offer two separate working environments – one for standard applications such as browsers, email clients and word processing, and another exclusively for the transfer, processing and storage of sensitive data. This enables secure mobile working in public administration – up to and including VS-NfD.
Secure Access
For most mobile workers, it is necessary to connect to the authority’s network in order to access and process data and documents. For this purpose, a smartcard can be used in combination with a software solution such as genuconnect. genuconnect is a VPN software client that is installed on the mobile device and establishes a highly secure connection to the authority’s network – even over unsecured networks such as Wi-Fi or mobile data. The software complies with BSI approvals for confidentiality levels such as VS-NfD. Additionally, the employee is authenticated via the smartcard and a PIN; this ensures both access control and identity verification.
For logging in, two-factor authentication is recommended. Centrally managed client systems or a secure virtual desktop have the advantage that employees are equipped seamlessly – both for regular on-site operations and for mobile working. Such a solution avoids employees storing data on their device’s local hard drive and also helps to absorb peak loads. Some solutions automatically prevent data from being shared outside the virtual environment.
Secure Data Exchange
Cloud solutions are suitable for enabling rapid data exchange and collaborative work within teams at any time. Here too, security must remain the highest priority. Data should already be encrypted on the laptop of the remote worker. Solutions that utilise RAIC technology (Redundant Array of Independent Clouds) make data particularly secure. This ensures that public authorities remain compliant and audit-proof.
Secure Encryption
Emails can be encrypted and signed using certificates. This is essential, as confidential and sensitive information in public administration must be protected against unauthorised access, and both the sender and recipient of an email must be reliably authenticated. Both emails and files can be encrypted and signed at the highest security level – up to VS-NfD. A robust protection method for email transmission is end-to-end encryption. In this process, information is encrypted on the sender’s system. Only the intended recipient is able to decrypt and read the message. This prevents criminals from intercepting, spying on, or manipulating the data. If the encryption software is integrated into the familiar working environment, such as Outlook or Notes, the solutions are particularly user-friendly.
Secure Digital Signature
A remote signature enables public authorities to sign documents digitally, securely, and in compliance with legal requirements while on the move. Today, all that is required is an internet-enabled device and a mobile phone for signature authorisation. Signature cards, card readers, and even circulation folders or analogue signature processes are now obsolete.
Secure building blocks for mobile working support public authorities in effectively protecting access to and exchange of confidential and sensitive data. This allows modern, flexible forms of mobile working to be introduced quickly and securely in public administration.
*Source: Tagesspiegel Background, 6 May 2020.