Securing Emerging Mobile Technology

JOHN G. LEVINE PH.D., D/CHIEF ARCHITECTURE GROUP, 13 SEP 2012


TRANSCRIPT

Page 1: Securing Emerging Mobile Technology

Securing Emerging Mobile Technology
JOHN G. LEVINE PH.D.
D/CHIEF ARCHITECTURE GROUP
13 SEP 2012

Page 2: Securing Emerging Mobile Technology

UNAMBIGUOUS DEMAND SIGNAL FROM CUSTOMERS


Page 3: Securing Emerging Mobile Technology

SECURE ANYWHERE, ANYTIME ACCESS TO ENTERPRISE INFRASTRUCTURE


Page 4: Securing Emerging Mobile Technology

CURRENT MOBILITY ENVIRONMENT

User Threat

• Unaware of potential threats
• Susceptible to social engineering
• Bypassing "inconvenient" security
• Insider threat, leaks and sabotage

Infrastructure Threat

• Multiple points of interception
• Communication and Data Centers / Towers
• Towers, Wireless and Wireline
• Over the Air updates
• Rogue base stations

Mobile Landscape

• Ease of use is valued over security
• Vulnerabilities are widespread
• Attacks are cheap and easy
• Apps available at low or no cost
• Minimal technical experience required

Page 5: Securing Emerging Mobile Technology

PATHWAY TO SECURITY

• Security must be integrated into components – systems approach
• User interfaces must be intuitive and familiar
• Policy needs to stay on top of technology curve
• Solutions should:
  – Support commercial functionality
  – Be cost effective
  – Align with commercial product lifecycles

[Graphic labels: User Experience, Security]

Page 6: Securing Emerging Mobile Technology

MOBILITY ENTERPRISE STRATEGY

[Diagram labels: 3G | 4G, Seamless Transition, Wi-Fi, The Cloud, Internet Access Gateways, PSTN Gateways]

Page 7: Securing Emerging Mobile Technology

EXTERNAL DEPENDENCIES

• Carrier data coverage
• QoS in carrier networks *
• Data circuits in carrier networks

* 4G / LTE is expected to improve some of the user experience as carriers upgrade

Page 8: Securing Emerging Mobile Technology

MOBILITY GOALS

Publish and update Capability Packages

• Minimum security capabilities
• Vendor agnostic architectures
• Residual risk assessments

Establish a Mobile Enterprise Capability

• Policy enforcement & enterprise security
• Interoperability via gateways
• Anywhere, Anytime, Access to Unclass, Secret, Top Secret & SCI infrastructure

Establish Partnerships and work with Industry

• Commercial development focused to meet security requirements out of the box
• Forecast and prepare for next generation security technologies

Page 9: Securing Emerging Mobile Technology

CAPABILITY DELIVERY PROCESS

[Process diagram labels: Design Security Architecture; Identify Need; Develop Concept; Prototype; Pilot; Test & Evaluate; Implement Operational Capability; Requirements Guidance to Industry: Capability Package; Technology Gaps; System Bugs]

Page 10: Securing Emerging Mobile Technology

MOBILITY PILOTS

Milestones
– Unclassified Pilot Kickoff (30 Sep 2011)
– Classified Pilot Kickoff (Dec 2011)
– Web based Data Pilot (May 2012)

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Fishbowl Implementation

High Level Topology

[Topology diagram labels: Mobile Device (Android Pro) running a VPN Application (VPN IPsec, AuthenTec) and a Secure VoIP App (Mocana, DTLS-SRTP); 3G; Carrier Infrastructure; Carrier Core Network; Gateway; Leased Line (DS3); Enterprise Gateway Connection; HAIPE Device; Black Router; VPN Concentrator; Red Router; Red Switch; SIP Server; Secure VoIP App (SRTP); SCIF]

Architecture
– Two layers of encryption (VoIP and VPN)
– Gateway connection to Enterprise Infrastructure
– Backend services secured in a SCIF
– Delivers secure voice and data capability
– Dependent on carrier QoS
– Hardened handsets

Page 11: Securing Emerging Mobile Technology

MOBILITY CAPABILITY PACKAGES

Mobility Capability Package
• Pilots are used to help create CPs
• Development and release is an iterative process between IAD experts, interested vendors, and external partners

[Diagram labels: Partners, IAD SME Community, CSfC Package Release, Customers, Vendors, Integrators]

Mobility Capability Package Evolution (dates reflect target for publication to NSA.gov)

• February 2012: Initial release Mobile Capability Package (Secure Voice)
• March 2012: Mobility Capability Package Update, Version 1.2, Delivered to I2M (Secure Voice)
• April 2012: Mobility Capability Package Update, Version 1.2, Published to NSA.gov (Secure Voice)
• July 2012: Mobility Capability Package Update, Version 2.0 (Interoperability & Web Data)
• August 2012: Mobility Capability Package Update (Wi-Fi)
• October 2012: Mobility Capability Package Update (MDM)
• February 2013: Mobility Capability Package Update (3G/4G & WiFi Roaming)

[Timeline markers: Late 2012, Early 2013]

Page 12: Securing Emerging Mobile Technology

KEY ACHIEVEMENTS TO DATE

• Established Mobility Innovation Center (MIC) to drive/prove technology
• Delivered TOP SECRET voice and data pilot (FISHBOWL)
• Delivered NSA Campus laptop pilot (WIFIGHTER)
• Demonstrated tablet architecture
• First Mobility Capabilities Package on web at NSA.gov

Page 13: Securing Emerging Mobile Technology

LOOKING AHEAD

• Improve user experience
• Prototype and pilot data services to other devices
• Continue to perform vulnerability analysis of emerging technologies
• Prototype and pilot Evolved Packet Core (EPC) capabilities
• Continue to mature Mobility Capability Packages
• Continue to work with Industry
• Incorporate lessons learned into future demonstrations

Page 14: Securing Emerging Mobile Technology

CONCLUSION

Securing mobility requires a new way of thinking:

• Use commercial standards, platforms and applications when possible
• "Composable" and layered solutions/services to achieve desired security
• Integrated and hardened commercial infrastructure
• Keep pace with emerging technologies
• Strong partnerships between government and industry
• Work early and often with Industry to get it right from the start!

Page 15: Securing Emerging Mobile Technology

Forward. Thinking.