Mobile Device as a Platform for Assured Identity for the Federal Workforce

Similar documents
Security Characteristics of Cryptographic Mobility Solutions

MOBILE DEVICE SECURITY FOR ENTERPRISES

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile First Government

Mobile device and application management. Speaker Name Date

Use of tablet devices in NHS environments: Good Practice Guideline

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Longmai Mobile PKI Solution

Addressing NIST and DOD Requirements for Mobile Device Management (MDM) Essential Capabilities for Secure Mobility.

Security and Compliance challenges in Mobile environment

GOVERNMENT USE OF MOBILE TECHNOLOGY

Data Protection Act Bring your own device (BYOD)

How To Protect Your Mobile Devices From Security Threats

Guidance End User Devices Security Guidance: Apple OS X 10.9

BYOD Guidance: BlackBerry Secure Work Space

Windows Phone 8.1 in the Enterprise

ADDING STRONGER AUTHENTICATION for VPN Access Control

Enterprise Apps: Bypassing the Gatekeeper

Addressing NIST and DOD Requirements for Mobile Device Management

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Hands on, field experiences with BYOD. BYOD Seminar

End User Devices Security Guidance: Apple OS X 10.10

Protecting Criminal Justice Information: Achieving CJIS Compliance on Mobile Devices

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Symantec Mobile Management Suite

BYOD: End-to-End Security

My CEO wants an ipad now what? Mobile Security for the Enterprise

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

Mobile Security BYOD and Consumer Apps

ONE DEVICE TO RULE THEM ALL! AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

BYOD THE SMALL BUSINESS GUIDE TO BRING YOUR OWN DEVICE

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

How To Manage A Mobile Device Management (Mdm) Solution

Chris Boykin VP of Professional Services

Kaspersky Security for Mobile

Answers to these questions will determine which mobile device types and operating systems can be allowed to access enterprise data.

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

BYOD Guidelines A practical guide for implementing a successful BYOD Management program in an organization of any size.

Symantec Mobile Management for Configuration Manager 7.2

Embracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo.

Secure Authentication for the Development of Mobile Internet Services Critical Considerations

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work Space Only

IT Resource Management & Mobile Data Protection vs. User Empowerment

Mobile and BYOD Strategy

Guideline on Safe BYOD Management

Strong Authentication for Secure VPN Access

Deploying iphone and ipad Security Overview

Absolute Manage MDM. John Wu Systems Engineer

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Symantec Mobile Management 7.2

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

February 2015 Federal Mobile Computing Summit Collaboration Session Summary

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Mobile Security: Threats and Countermeasures

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Samsung Mobile Security

When enterprise mobility strategies are discussed, security is usually one of the first topics

Securing end-user mobile devices in the enterprise

The Risks and Rewards of Social Media and Mobile Devices

Use Bring-Your-Own-Device Programs Securely

BYOD Policy. Handout

Deriving a Trusted Mobile Identity from an Existing Credential

Mobile Device Management:

BYOD and Mobile Device Dependency

Ensuring the security of your mobile business intelligence

End User Devices Security Guidance: Apple ios 8

Resco Mobile CRM Security

Decrease your HMI/SCADA risk

Secure Web Access Solution

General Security Best Practices

Endpoint protection for physical and virtual desktops

ipad in Business Security

SENSE Security overview 2014

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Managing Mobility in the BYOD Era:

Consumerization. Managing the BYOD trend successfully. Harish Krishnan, General Manager, Wipro Mobility Solutions

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Better Mobility for the Enterprise: Windows Phone 8.1 and MobileIron

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

Remote Access Securing Your Employees Out of the Office

Samsung SDS. Enterprise Mobility Management

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

Mobile Device Management

Linux Web Based VPN Connectivity Details and Instructions

SECURE AND MANAGE YOUR MOBILE FLEET Freedome for Business

Endpoint protection for physical and virtual desktops

"Secure insight, anytime, anywhere."

Human Factors in Information Security

Using Entrust certificates with VPN

Enterprise on the Go. How enterprises can leverage mobile apps

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Mobile Device Security Is there an app for that?

BYOD in the Enterprise

Healthcare Buyers Guide: Mobile Device Management

Transcription:

Mobile Device as a Platform for Assured Identity for the Federal Workforce Dr. Sarbari Gupta President and CEO, Electrosoft U.S. Army Information Technology Agency (ITA) Security Forum Fort Belvoir Electrosoft Services, Inc. 1893 Metro Center Drive Suite 228 Reston, VA 20190 October 20, 2014 Web: http://www.electrosoft-inc.com Email: info@electrosoft-inc.com Tel: (703) 437-9451 FAX: (703) 437-9452

Agenda Strong Push to Enable Federal Mobile Workforce Security Concerns and Mitigations for Mobile Computing Use of Derived PIV Credentials for Identity Assurance Wrap-Up Page 2 Electrosoft 2014

Mobile Workforce Drivers (I) Telework Enhancement Act of 2010 A framework for agencies to better leverage technology and to maximize the use of flexible work arrangements Key Objectives of Telework Improve Continuity of Operations (COOP) Promote Management Effectiveness Enhance Work-life Balance for Workers Benefits of Telework Recruit new Federal workers Retain valuable talent Maintain productivity Page 3 Electrosoft 2014

Mobile Workforce - Drivers (II) Digital Government Strategy of 2012 To seize the digital opportunity and fundamentally change how Federal Government serves its internal and external customers Strategy Objectives Information and services anywhere, anytime and on any device Procure and manage devices/applications/data in smart, secure and affordable ways Unlock the power of Government data to spur innovation Page 4 Electrosoft 2014

Mobile Workforce Drivers (III) Presidential Memo Enhancing Workplace Flexibilities and Work-Life Program of 2014 Key Objectives: Right to Request Work Schedule Flexibilities Expanding Access to Workplace Flexibilities Expanding Availability and Encouraging Use of Work-Life Programs Page 5 Electrosoft 2014

Mobile Computing - Wave of the future Gartner: Smart Machines To Be Most Disruptive Trend (Oct 2014) The smart machine is upon us, and it will be the most disruptive in the history of IT Federal CIOs recognize the need to embrace and facilitate mobile computing for their workforce However, key challenges exist in the security and privacy arena Page 6 Electrosoft 2014

Security Challenges with Mobile Devices Small form factor makes it easy to lose, misplace Device passwords seldom enabled Multiple channels of attack and access Poorly secured communication channels (e.g. WiFi) Complexity and proprietary nature of Mobile OS Multiplicity of Mobile OS versions in the field Patches and updates implemented sporadically Plethora of mobile apps Ease of quick download and use of malware Difficulty of source verification and integrity checks Ease of unauthorized OS modification (e.g. jailbreak ) * Reference: 2012 GAO Report Better Implementation of Controls for Mobile Devices Should Be Encouraged Page 7 Electrosoft 2014

Mobile Device Attack Paths Attacker gains physical control of device User visits malicious website User download Apps from web (other than from reputable source) Attacker eavesdrops on unencrypted communications from device Page 8 Electrosoft 2014

Mobile Device Security Controls - User Maintain physical control of device Enable user authentication to device Use 2-factor to protect sensitive transactions Limit use of insecure communication channels Download Apps from reputable sources only Install security software firewall, anti-malware Install security updates promptly Enable remote wipe of data * Reference: 2012 GAO Report Better Implementation of Controls for Mobile Devices Should Be Encouraged Page 9 Electrosoft 2014

Mobile Device Security Controls - Agency Establish / Implement Mobile Device Security Program Security Policy User Training Deployment Plan Implement layered security for mobile device Authentication to device Cryptographic protection of data and transactions User training and awareness of security risks Implement Mobile Device Management (MDM) solution Server and Client App(s) Run in the background Run in sandboxed environment Manage the security configuration of device Implement 2-factor techniques Encrypt stored data Page 10 Electrosoft 2014

Federal Mobile Security References National Institute of Standards and Technology SP 800-164 DRAFT: Hardware Rooted Security in Mobile Devices SP 800-124 Rev 1: Managing the Security of Mobile Devices SP 800-121 Rev 1: Bluetooth Security SP 800-163 DRAFT: Vetting 3 rd Party Mobile Applications SP 800-101 Rev 1: Mobile Device Forensics Office of Management and Budget M-06-16: Protection of Sensitive Agency Information M-15-01: Guidance on Improving Federal Information Security and Privacy Management Practices Federal CIO Council (May 2013) Federal Mobile Security Baseline Mobile Computing Decision Framework Mobile Security Reference Architecture Page 11 Electrosoft 2014

What are Derived PIV Credentials? Specified in NIST Special Publication 800-157 DRAFT A security token, implemented and deployed directly on a mobile device (such as smart phone or tablet) Issued to holder of a valid PIV Card Set of PKI credentials similar to those on PIV Card PIV Authentication (for identity authentication) PIV Signature (for digital signature) PIV Key Management (for encryption) To be used with secure Apps on mobile device Page 12 Electrosoft 2014

Derived PIV Credentials - Life Cycle Initial Issuance Subscriber proves possession/control of valid PIV card Issuer checks that PIV Card is not revoked Derived PIV credentials issued to mobile device Maintenance Updates to Derived PIV credentials done remotely or in-person Derived PIV credentials usable even if PIV Card is lost / revoked Termination When Derived PIV credentials no longer needed When PIV Card is terminated Linkage with PIV Card Maintenance of Derived PIV credentials linked to PIV Card Linkage updated when Subscriber gets new PIV Card Page 13 Electrosoft 2014

Derived PIV Credential Implementation Form Factors Removable (non-embedded) Hardware Crypto Token o Secure Digital (SD) Card o Universal Integrated Circuit Card (UICC) o Universal Serial Bus (USB) Token Embedded Crypto Token o Hardware implementation o Software Implementation Who can issue Agency that issues PIV Card Other Agency Page 14 Electrosoft 2014

How do Derived PIV Credentials Facilitate Federal Mobile Workforce? Enables initialization of mobile devices for secure use by Federal mobile worker Agency-issued device Personal device (BYOD) Facilitates the use of Derived PIV Credentials for Standalone Secure Apps MDM Client Apps Possible Uses Cases Secure Browsing with 2-factor authentication Secure email send and receive IPSEC-based VPN tunnels to agency network Strong encryption of sensitive data on device Sign and verify signature on digital document Page 15 Electrosoft 2014

Wrap-Up and Contact Information Summary Mobile computing a core part of future Federal IT Security challenges need to be addressed Derived PIV Credentials offer strong foundation for security Multiple use cases to leverage Derived PIV Credentials for secure mobile computing for Federal workforce Questions / Comments? Contact Info: Dr. Sarbari Gupta Electrosoft o Email: sarbari@electrosoft-inc.com o Phone: 703-437-9451 ext 12 o LinkedIn: http://www.linkedin.com/profile/view?id=8759633 Page 16 Electrosoft 2014

Mobile Device Security Controls - User Maintain physical control of Device Enable user authentication to device Use 2-factor to protect sensitive transactions Use 2-factor Authentication for access to websites Encrypt data stored on device Use VPN to connect to Organizational network Encrypt and/or sign email communications Restrict download of mobile Apps Allow download only from whitelisted sources Verify authenticity of downloaded Apps Install security software firewall, anti-malware Install security updates promptly Enable remote wipe of data For device loss, too many authentication attempts, etc. Limit use of other communication channels Limit use of public/shared WiFi networks Configure Bluetooth default to non-discoverable * Reference: 2012 GAO Report Better Implementation of Controls for Mobile Devices Should Be Encouraged Page 17 Electrosoft 2014

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information