Cloud & Mobile Security
KCJIS Conference, June 8 – 9, 2015
Jeff Campbell, FBI CJIS Assistant ISO
CLOUD COMPUTING
What is Cloud Computing?
• Defined by the CJIS Security Policy as:
A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information.
What is Cloud Computing?
Infrastructure
• Cabling
• HVAC
• Physical Security
Platform/OS
• Windows
• Linux/Unix
• Apple
Software
• CAD/RMS
• Email
• Productivity
Cloud Service Models
• How do I choose a Cloud Service Provider?
cloud.cio.gov/fedramp
• How will the Cloud Service Provider meet the CJIS Security Policy requirements?
• How committed will the Cloud Service Provider be to ongoing Policy compliance?
  • Physical security
  • Encryption
  • Personnel Security
What does it all mean?
Determine what services you can technically virtualize.
• Email
• RMS
• CAD
• Other CJI applications
• Legacy systems
Consider the Policy impact at each level of cloud services.
• Infrastructure
• Platform/OS
• Software/Applications
Delineation of Responsibility/Governance in Cloud Computing
What does it all mean?
Section 5.10.1.5 Cloud Computing
• Only two specific “shall” requirements:
“The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided.”
Questions?
MOBILE SECURITY
CSP Section 5.13 Mobile Devices
Mobile Device Categorization
FORM FACTOR
Large Form Factor – vehicle mount or a carrying case and include a monitor with attached keyboard (MDTs/Laptops)
Medium Form Factor – vehicle mount or portfolio sized carry case that typically consist of a touch screen without attached keyboard (Tablets)
Small Form Factor – intended for carry in a pocket or ‘holster’ attached to the body (Smartphones)
Operating System (OS)
Full-feature OS – Windows, Linux/Unix, Apple OSX
Limited-feature OS – iOS, Android, BlackBerry
Mobile Device Categorization
Mobile Device Categorization
Three categories based on two characteristics
• Laptop Devices – Large form factor, Full featured OS
• Tablet Devices – Medium form factor, Limited feature OS
• Pocket/Handheld Mobile Device – Small form factor, Limited feature OS
Mobile Device Connectivity
Three (3) different types based on two (2) technologies
WiFi only – always on (i.e. tablet, laptop)
WiFi primary plus Cell “on demand” (i.e. tablet/laptop with extra capability)
Cell primary (always on) plus WiFi “on demand” (i.e. smartphone)
Who’s Winning the Battle?
Operating System
Device Manufacturer
Taken from comScore MobiLens June 2014
Operating System Market Share
Taken from comScore MobiLens June 2014
5.13.2 Mobile Device Management (MDM)
• No devices with unauthorized changes (rooted or jailbroken)
• Centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency]
• Minimum MDM controls when allowing CJI access from cell/smart phones and tablet devices
MDM and Lifecycle Management
Section 5.9.1 Physically Secure Location
• “A physically secure location is a facility, a police vehicle, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems.”
• Police vehicle = enclosed criminal justice conveyance
COMPENSATING CONTROLS for AA
• Applies only to smartphones and tablets
• Possession of agency issued device is a required part of control
• Additional requirements mostly met by MDM
• Compensating Controls are temporary
• CSO approval and support required
COMPENSATING CONTROLS for AA
• Meet the intent of the CJIS Security Policy AA requirement
• Provide a similar level of protection or security as the original AA requirement
• Not rely upon existing requirements for AA as compensating controls
SANS SEC575: Mobile Device Security & Ethical Hacking Takeaways
• MDM – must have, even rudimentary
• Application Management – malware/virus protection
• WiFi Considerations – just say no, unless absolutely required, cell service more secure
• Backend is Bigger Target – device not so much
• No Rooting/Jailbreaking – breaks inherent security features
QUESTIONS?
Jeff Campbell
FBI CJIS Assistant Information Security Officer
CJIS Information Assurance Unit
(304) 625 - 4961