Securing Emerging Mobile Technology
John G. Levine Ph.D.
D/Chief Architecture Group
13 SEP 2012
UNAMBIGUOUS DEMAND SIGNAL FROM CUSTOMERS
SECURE ANYWHERE, ANYTIME ACCESS TO ENTERPRISE INFRASTRUCTURE
CURRENT MOBILITY ENVIRONMENT
User Threat
• Unaware of potential threats
• Susceptible to social engineering
• Bypassing "inconvenient" security
• Insider threat, leaks and sabotage
Infrastructure Threat
• Multiple points of interception
• Communication and Data Centers / Towers
• Towers, Wireless and Wireline
• Over the Air updates
• Rogue base stations
Mobile Landscape
• Ease of use is valued over security
• Vulnerabilities are widespread
• Attacks are cheap and easy
• Apps available at low or no cost
• Minimal technical experience required
[Diagram labels: Infrastructure, Mobile Landscape, Users]
PATHWAY TO SECURITY
• Security must be integrated into components – systems approach
• User interfaces must be intuitive and familiar
• Policy needs to stay on top of technology curve
• Solutions should:
– Support commercial functionality
– Be cost effective
– Align with commercial product lifecycles
[Diagram labels: User Experience, Security]
MOBILITY ENTERPRISE STRATEGY
[Diagram labels: 3G | 4G, Seamless Transition, Wi-Fi, The Cloud, Internet Access Gateways, PSTN Gateways]
EXTERNAL DEPENDENCIES
• Carrier data coverage
• QoS in carrier networks *
• Data circuits in carrier networks
* 4G / LTE is expected to improve some of the user experience as carriers upgrade
MOBILITY GOALS
Publish and update Capability Packages
Minimum security capabilities
Vendor agnostic architectures
Residual risk assessments
Establish a Mobile Enterprise Capability
Policy enforcement & enterprise security
Interoperability via gateways
Anywhere, Anytime, Access to Unclass, Secret, Top Secret & SCI infrastructure
Establish Partnerships and work with Industry
Commercial development focused to meet security requirements out of the box
Forecast and prepare for next generation security technologies
CAPABILITY DELIVERY PROCESS
[Process diagram labels: Identify Need; Design Security Architecture; Develop Concept; Prototype; Pilot; Test & Evaluate; Implement Operational Capability; Requirements Guidance to Industry (Capability Package); Technology Gaps; System Bugs]
MOBILITY PILOTS
Milestones
– Unclassified Pilot Kickoff (30 Sep 2011)
– Classified Pilot Kickoff (Dec 2011)
– Web based Data Pilot (May 2012)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Fishbowl Implementation
High Level Topology
[Topology diagram labels: Mobile Device (Android Pro) with VPN (IPsec, AuthenTec) and Secure VoIP App (Mocana, DTLS-SRTP); 3G; Carrier Infrastructure; Carrier Core Network; Gateway; Leased Line (DS3); Enterprise Gateway Connection; Black Router; VPN Concentrator; HAIPE Device; Red Router; Red Switch; SIP Server; Secure VoIP App (SRTP); VoIP Application; VPN Application; SCIF]
Architecture
– Two layers of encryption (VoIP and VPN)
– Gateway connection to Enterprise Infrastructure
– Backend services secured in a SCIF
– Delivers secure voice and data capability
– Dependent on carrier QoS
– Hardened handsets
MOBILITY CAPABILITY PACKAGES
Mobility Capability Package
• Pilots are used to help create CPs
• Development and release is an iterative process between IAD experts, interested vendors, and external partners
[Diagram labels: Partners, IAD SME Community, CSfC Package Release, Customers, Vendors, Integrators]
Mobility Capability Package Evolution (dates reflect target for publication to NSA.gov)
• February 2012: Initial release Mobile Capability Package (Secure Voice)
• March 2012: Mobility Capability Package Update Version 1.2, Delivered to I2M (Secure Voice)
• April 2012: Mobility Capability Package Update Version 1.2, Published to NSA.gov (Secure Voice)
• July 2012: Mobility Capability Package Update Version 2.0 (Interoperability & Web Data)
• August 2012: Mobility Capability Package Update (Wi-Fi)
• October 2012: Mobility Capability Package Update (MDM)
• February 2013: Mobility Capability Package Update (3G/4G & WiFi Roaming)
[Timeline markers: Late 2012, Early 2013]
KEY ACHIEVEMENTS TO DATE
• Established Mobility Innovation Center (MIC) to drive/prove technology
• Delivered TOP SECRET voice and data pilot (FISHBOWL)
• Delivered NSA Campus laptop pilot (WIFIGHTER)
• Demonstrated tablet architecture
• First Mobility Capabilities Package on web at NSA.gov
LOOKING AHEAD
• Improve user experience
• Prototype and pilot data services to other devices
• Continue to perform vulnerability analysis of emerging technologies
• Prototype and pilot Evolved Packet Core (EPC) capabilities
• Continue to mature Mobility Capability Packages
• Continue to work with Industry
• Incorporate lessons learned into future demonstrations
CONCLUSION
Securing mobility requires a new way of thinking:
• Use commercial standards, platforms and applications when possible
• “Composable” and layered solutions/services to achieve desired security
• Integrated and hardened commercial infrastructure
• Keep pace with emerging technologies
• Strong partnerships between government and industry
• Work early and often with Industry to get it right from the start!
Forward. Thinking.