
Upload: vanphuc

Post on 21-May-2018


Mobile Device Management: New Strategies for Secure, Accessible Government

Mobile and Accessibility Marine Corps Mobility

Initiatives Mobile Security in an

Enterprise Environment

First Speaker Second Speaker Moderator & Third Speaker

Check for new and updated events anytime on www.FedInsider.com/events

Mobile & Accessibility

• October: National Disability Employment Awareness Month!
• How Mobile Has Changed My Life
• Additional Benefits of Mobile Technology
• User Impact
• Lessons Learned at Large on 508
• Lessons Learned at Large on 508, II


Ray A. Letteer, CISSP, C|CISO

Chief, Cybersecurity Division

Headquarters, US Marine Corps, C4CY

Marine Corps DAA/Senior IA Official

Marine Corps Mobility Initiatives

A Marine Corps fighting force armed with assured, secure, accurate, and timely information, to enhance the ability to take the fight to any enemy, anywhere, and win.

Marine Corps Commercial Mobile Device Strategy


1. Establish a secure mobile framework (SMF)
2. Transition the unclassified mobile device infrastructure to a cost effective and platform agnostic environment
3. Facilitate a classified mobile device capability
4. Incorporate personally owned mobile devices within the MCEN

Signed: April 2013

The roadmap for current Marine Corps Commercial Mobility initiatives.

1. Establish a Secure Mobile Framework


The Secure Mobility Framework has been established to define how Marines will securely utilize mobile capabilities. Development of this framework is critical as it lays the foundation for USMC to seamlessly adopt secure CMDs and mobile applications.

Policy, Planning, Guidance

Procurement & Acquisition

Hardware/OS Accreditation

Application Development/Certification/Distribution

Operations Optimization

Secure Mobility

Network Infrastructure

Cyber

Security

Current Efforts:

• Develop Mobile Policies

– ECSD 004: Remote Access Policy 2.0 Revision

• New RAS solutions, including Lightweight Portable Solution (LPS), Windows 8-to-Go

• Standardize Testing – Cyber IA Range

– Developing Wireless Environment

– Blackberry Enterprise Service 10 Testing

– Rapid STIG development

2. Unclassified Mobile Device Infrastructure

Blackberry Enterprise Service (BES) 10 is currently under evaluation for installation within the MCEN. BES 10 has three components which can help USMC reach this goal with minimal cost within a GFE model, while working towards BYOD:


1.) Management of Legacy Server – Will allow USMC to retain and manage existing Blackberry devices
2.) Blackberry Device Service (BDS) – Will enable USMC to deploy BBOS10 devices (Z10, Q10, Playbook)
3.) Universal Device Service (UDS) – Will enable deployment and management of enterprise connected iOS/Android devices – Fee for use: $80/Device/Year

Current USMC BB Models will reach EOL within the next year

Blackberry corporate situation may complicate project

Developing an iOS feasibility study for iPad/iPhone use by GO/SES

3. Classified Mobile Device Capability

• Current Classified Mobility:
  – SME-PED (Secure Mobile Environment Portable Electronic Device)
  – Piloting DMCC (DISA Mobile Classified Capability)
• In-Development:
  – USMC Systems Command Trusted Handheld (TH2) Solution
• Potential CLASSIFIED Operational Use Cases:

Domain 1                               | Domain 2
Enterprise (NIPR)                      | Enterprise (SIPR)
Operational (SBU)                      | Operational (Secret)
Operational (SIPR)                     | Operational (SIPR/REL)
Closed Test Network - Notional NIPR    | Closed Test Network - Notional SIPR
Classified Single User Domain          | Not installed or disabled

Trusted Handheld (TH2)

Important features:

– Isolation Technology

– Software Integrity based on Hardware Root of Trust

– Multiple Active User Domains

– Suite B Encryption

– Data at Rest Encryption

Contracts awarded to three vendors: AT&T, ViaSat, and SRI

– Vendors formed teams consisting of industry players like Samsung, LG, ARM

– Competitive prototyping occurred over three iterations, culminating at the end of July 13 with a production representative device.


4. Marine Corps BYOD

More than $17M spent on Marine Corps mobility currently; about 40% consists of management costs which would be almost completely eliminated with BYOD.

DISA Mobility has a significant level of additional hands-on management; rough numbers place the per device/per month cost at around $250. No official “cost” has been provided.

Marine Corps BYOD will leverage a device and unlimited data plan that the user already has contracted.

– The user will subscribe to enterprise data services at a cost of ~$15 a month.

– Certain command-directed users would receive a reimbursement.

– The carriers would manage the devices according to our policies, and we will audit.

Bottom line for BYOD


USMC BYOD

• Reduces overhead costs significantly

• Personal selection of device and plan

• Stays current with industry trends and technologies

• Maintains overall IA posture

• Leverages one device with dynamic restrictions

GFE

• Contracts required

• TEM required

• Device, server, and CAL costs

• Data/voice costs

• Management overhead

• Requires multiple devices

• Limited functionality promotes unauthorized behavior


Challenges / Timelines

BYOD Beta has slipped ~3 months based on initial estimates. Current Challenges include:

– Legal Assurance of User agreement / Contracting for Testing Devices
– Enabling Mobile PKI Authentication with Active Sync (Exchange Email)
– Adjusting Policy to allow software certificate authentication methods

Way Ahead:

– Develop Implementation Plan and schedule
– Aid development of sustainable process for Government to certify Commercial Mobile Devices as they hit the market

Beta Phase

Current efforts designed to limit actions to just those directly impacting launch of the Beta Phase.

Questions?


Mobile Security in an

Enterprise Environment

Tom Voshell

Senior Customer Solution Director

SAP Regulated Industries

© 2013 SAP AG. All rights reserved. 24 Public

Learning Points

■ Challenges and best practices in both the public and private sector for adopting mobile technology

■ Steps agencies need to take to remain vigilant when implementing mobile solutions

■ Best practices from the US Marine Corps and other agencies that are deploying secure apps

■ The six touch points every agency needs to consider in building a mobile strategy

■ How baseline security guidelines from the Department of Defense, Department of Homeland Security, and National Institute of Standards and Technology are setting the stage for digital government


NIST Special Publication 800-124 Revision 1

■ Architecture. Designing the architecture includes the selection of mobile device management server and client software, the placement of the mobile device management server and other centralized elements, and the architecture of any virtual private network (VPN) solutions.

■ Authentication. Authentication involves selecting device and/or user authentication methods, including determining procedures for issuing and resetting authenticators and for provisioning users and/or client devices with authenticators (see “Device provisioning” below). Authentication includes access to or integration with existing enterprise authentication systems.

■ Cryptography. Decisions related to cryptography include selecting the algorithms for encryption and integrity protection of mobile device communications, and setting the key strength for algorithms that support multiple key lengths. Federal agencies must use FIPS-approved algorithms contained in validated cryptographic modules when using cryptography to protect information.

■ Configuration requirements. This involves setting minimum security standards for mobile devices, such as mandatory host hardening measures and patch levels, and specifying additional security controls that must be employed on the mobile device, such as a VPN client.

■ Device provisioning. It is important to determine how both new and existing devices will be provisioned with client software, authenticators, configuration settings, etc.

■ Application vetting and certification requirements. This sets security, performance, and other requirements that applications must meet and determines how proof of compliance with requirements must be demonstrated.

NIST technical security considerations for designing mobile device management solutions.

NIST SP 800-124 also covers managing the device lifecycle:

Device Enrollment

Configure devices

Assign to groups

Deploy apps by role

Configure and Enroll in E-mail

Configure Wifi and VPN access

Remote lock

Remote wipe

Access violation lock

Disable device, network, application and e-mail access

Disposal of obsolete devices

Enforce security policies

Monitor/track security violations

Access Control

Compliance activity logging

Maintain/modify configuration

Monitor hardware, software and packages

App notifications and updates

Track assets

Telco expense management

Location tracking

Monitor compliance

Monitor hardware, software and packages

Manage roaming and carrier

Location tracking

Drill-down by data element
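The “Configuration requirements” consideration above and the lifecycle actions just listed (enforce security policies, monitor/track security violations, access violation lock, compliance activity logging) come together in an MDM compliance check. The following is an added example, not code from the presentation or from any vendor product, that evaluates constructed device-posture records against a constructed baseline (the field names, violation codes and log format are all assumptions) and maps each result to a lifecycle action.

```python
from dataclasses import dataclass
# Constructed baseline modelled on the 800-124 "configuration requirements" above:
# minimum patch level, mandatory hardening measures, a required VPN client.
BASELINE = {
    "min_patch": "2013-09",      # YYYY-MM, zero-padded so string order is date order
    "require_vpn_client": True,
    "require_encryption": True,  # data-at-rest encryption must be enabled
    "min_passcode_len": 6,
}
LOCK_ON = {"jailbroken", "unencrypted"}  # severe enough for an access-violation lock

@dataclass
class DevicePosture:  # posture reported by the MDM agent for one device (constructed fields)
    device_id: str
    patch: str
    vpn_client: bool
    encrypted: bool
    passcode_len: int
    jailbroken: bool

def check(p: DevicePosture, baseline: dict = BASELINE) -> list[str]:
    """Return violation codes for one device; an empty list means compliant."""
    v = []
    if p.jailbroken:  # hardening defeated: the rest of the reported posture cannot be trusted
        v.append("jailbroken")
    if baseline["require_encryption"] and not p.encrypted:
        v.append("unencrypted")
    if p.patch < baseline["min_patch"]:
        v.append("patch_below_minimum")
    if baseline["require_vpn_client"] and not p.vpn_client:
        v.append("vpn_client_missing")
    if p.passcode_len < baseline["min_passcode_len"]:
        v.append("weak_passcode")
    return v

def action_for(v: list[str]) -> str:
    """Lifecycle action for a violation list: allow, remediate, or lock enterprise access."""
    if not v:
        return "allow"
    return "lock" if LOCK_ON & set(v) else "remediate"

def audit_record(p: DevicePosture) -> str:
    """One compliance-activity log line (constructed format) for the device."""
    v = check(p)
    return f"device={p.device_id} action={action_for(v)} violations={','.join(v) or 'none'}"

SAMPLE_FLEET = [  # constructed: compliant, needs remediation, jailbroken (locked)
    DevicePosture("dev-001", "2013-10", True, True, 8, False),
    DevicePosture("dev-002", "2013-06", False, True, 6, False),
    DevicePosture("dev-003", "2013-10", True, True, 8, True),
]
```

Running `audit_record` over `SAMPLE_FLEET` yields one log line per device; a device whose integrity cannot be trusted is locked out of enterprise access rather than merely asked to remediate.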


Enterprise Security Requires Securing the Entry Points

Applications / Devices

■ Password enforcement
■ Certificate management
■ OTA software distribution
■ Asset management
■ Auditing/compliance monitoring
■ WiFi settings, VPN settings
■ Remote wipe

Content

■ File access (e.g. SharePoint), file sharing, file sync, time-sensitive file distribution
■ Password, lock, remote wipe, encryption, DLP, certifications
■ LDAP and Active Directory integration, group management, policy enforcement

Communications

■ Granular app-level security
■ Per-app VPN, FIPS 140-2 compliance
■ Encryption of data at rest and data in motion
■ Application discovery and private app store
■ Software updates for applications
■ Individually encrypted apps with secure keys
■ Manage WiFi connectivity
■ FIPS compliant VPN
■ Systems management, e.g. Cisco ISE
■ Network access management
■ Manage the cost of the billing, invoicing


Security in an Enterprise Mobile Solution Architecture (diagram; labels recovered from the slide): Private App Store, Business User, Mobile Middleware, Open Development Framework, Control / Visibility / Management, Enterprise Systems, Application Security, Device Management, Employee Productivity, Application Development, with six numbered touch points (1 to 6).


Application Governance: consistent application of defined system access and security policies

Security within the Application Lifecycle: Develop / Update → Test → Fingerprint → Secure → Deploy → Consume

Thank you

Tom Voshell

SAP Regulated Industries – Fed / Civ

Senior Customer Solution Director

Washington, DC

Upcoming Events and Webinars

Live Events

• Government Mobility: Catalyst for Change – Thursday, November 7, 2013 – 8:00 – 11:00 Breakfast Briefing (public sector only) – 3 CPEs awarded by George Washington University – http://www.eventbrite.com/event/8633542157/webinar

• Agency Innovation: Making Mobile Government a Reality – Tuesday, October 1, 2013 – 8:00 – 10:30 Breakfast Briefing (private sector welcome) – http://www.eventbrite.com/event/8738453951/webinar

Webinars

• Profile of a Cyber Criminal: Mitigating Threats Inside and Outside of your Agency – Tuesday, November 12, 2013 – 2:00 – 3:00 PM (EST) – https://goto.webcasts.com/starthere.jsp?ei=1022944