Interagency Advisory Board - FIPS201.com · Mobility Trends and Security Challenges Leveraging...


Post on 22-Aug-2020


Interagency Advisory Board Meeting Agenda, Wednesday, September 28, 2011

1. Opening Remarks (Mr. Tim Baldridge, IAB Chair)
2. An Introduction to the NIMS Credentialing Guidelines (Ted Sobel, DHS)
3. Identity Management: A Financial Services Perspective (David Belchick, CitiBank)
4. Leveraging PIV to Enhance Mobile Device Security (Andrew Sheedy, ActivIdentity)
5. Closing Remarks (Mr. Tim Baldridge, IAB Chair)


Mobile Security

Andrew Sheedy, Technical Account Manager
September 28, 2011

© 2011 ActivIdentity


Agenda

• Mobility Trends and Security Challenges
• Leveraging existing proven components to enhance Mobile Security
• The secure handset stack
• Riding the NFC wave
• Questions & Answers


Mobility trends

• Web traffic and service usage increasingly originates from mobile phones
  – As part of its key predictions for IT organizations and users in 2010 and beyond, Gartner Research has predicted that mobile Web access will surpass traditional PC access by 2013.
• Mobile platforms are becoming the new attack ground
  – Mobile is becoming the same malware ridden security sieve we are used to on the PC
  – Major players are pushing mobile endpoint security (e.g. Symantec)
  – Sophisticated coordinated attacks on both Mobile and PC (Zeus trojan on PC + mobile spyware to get to out of band OTP) http://www.eweekeurope.co.uk/news/news-security/zeus-malware-targets-european-mobile-banking-10148
• Mobile platform is increasingly used for new category of devices (tablets)
  – Tablets being used increasingly to access sensitive enterprise resources
  – Tablets being pushed as the new thin client (Citrix, etc.)


The mobile tide – app consumption surpasses web


Mobile Platform market – a rapidly changing ecosystem

• Market share of phone platforms can change dramatically in a very short time
• We need to be agile and adapt.
• Long and extensive planning does NOT work – CEO just walked with a new Blackberry Playbook that runs QNX instead of Blackberry OS


Mobility Use Cases (ranked by importance)

Category / Use case

• Secure Messaging
  1) Email on phone
  2) Messages (IM, SMS, etc.)
• Secure Browser (2-factor portal access)
  1) From phone with local Secure Element (MicroSD, embedded, etc.)
  2) From phone using external Secure Element (CAC/PIV)
  3) From tablet using existing phone with Secure Element capability (e.g. Bluetooth connected)
  4) From tablet with local Secure Element (sleeve or MicroSD)
• Physical Access
  – Using “virtual” physical access credential on Secure Element on the phone (with embedded antenna)
• Application Access (SaaS)
  – E.g. Google Apps secure 2fa access from phone / tablet


Mobility Platforms

Platform / Capabilities

• Strong legacy presence in government and enterprise
• Native CAC/PIV support and PKI-enabled applications
• Versatile hardware platforms (phones with microSD, tablet)

• Strong iPhone & iPad market share for consumers; increasing presence in the workplace
• No native Secure Element capabilities
• No native PKI capabilities, but available via app (Good)

• Gaining market share in government and enterprise, even if not fully “enterprise-ready”
• Variety of hardware platforms with Secure Element options
• No native PKI capabilities, but available via app (Good)

• Limited market share, not “enterprise-ready”
• No native Secure Element or PKI capabilities
• Future versions addressing government and enterprise

• Enterprise focused
• Variety of hardware platforms with Secure Element options
• No future


The challenges

• Users increasingly using non PC standard built mobile devices and tablets
• Need to secure many different platforms that change rapidly
• Need to secure them quickly as attacks are increasing
• Policy needs to be adaptable to these increased mobility trends
• What do we have today in our arsenal that we can use for this, or do we need something new? Maybe PIV can help


Beyond PIV

• May 2009 Federal CIO council issued “Personal Identity Verification Interoperability For Non-Federal Issuers” opening PIV beyond government
• PIV-I (PIV Interoperable)
  – An identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued in a manner that allows Federal government relying parties to trust the card
  – Based on cross certification of PKI so that PIV-I card can be used in the Federal Infrastructure (US Federal Bridge or CertiPath®)
  – Requires external audit of identity management systems and processes
• PIV-C (PIV-compatible)
  – An identity card that meets the PIV technical specifications so that PIV infrastructure elements such as card readers are capable of working with the card, but the card itself has not been issued in a manner that assures it is trustworthy by Federal government relying parties


Reusing the same proven tested and approved components from a PIV card in the mobile device secure elements

• Same certified approved secure execution environment (Smart Card Chip) inside the Smart MicroSD or Embedded Secure Element on the mobile device
• Same certified approved PIV Application (Data structure, functionality, security model) inside the Smart MicroSD or Embedded Secure Element on the mobile device as on a standard PIV card
• Same interface (Card Edge) meaning same certified approved middleware

[Diagram labels: FIPS / CC Approved Module; FIPS certified; Approved PIV Applet; PIV interface; PIV Middleware]


A secure container (e.g. Good) to build your applications on

• Secure application pipe back into the backend services
• Secure data storage with encryption based on keys held in Secure Element
• Authentication services towards the backend services
• Security features to shield the application from the rest of the (potentially compromised) Operating System
• Leverages GSA APL PIV Middleware

[Diagram labels: Handset; PIV-C on SIM, Embedded (eSE) and Smart MicroSD (sMicroSD); Secure Container; PIV Middleware; Secure Data store; Custom Application; Backend Services]


Mobile Security Middleware based on PIV

A proven standard based stack for security on Mobile platforms

• Provides Security services (PKI, OTP, etc) to applications abstracting (meaning you do not need to worry about):
  – What Secure Element: MicroSD, Embedded, SIM
  – What Secure Element Manufacturer and API: SfS, OCS, Tyfone, etc
• Provides Over the Air (OTA) services for usage, management and post issuance updates
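
The "same interface (Card Edge)" and "abstracting the Secure Element" points from the two slides above can be made concrete. The following is an added example, not ActivIdentity's middleware or code from the presentation: it builds the NIST SP 800-73 SELECT and GET DATA command APDUs once and sends them unchanged over three transports. The `Transport` wrapper, the simulated applet and the CHUID bytes are constructed for illustration.

```python
# Added illustration: APDU layout follows NIST SP 800-73; the simulated applet,
# transport wrapper and CHUID contents are constructed for this example.

PIV_AID = bytes.fromhex("A00000030800001000")  # PIV applet AID without version bytes
CHUID_TAG = bytes.fromhex("5FC102")            # Card Holder Unique Identifier object
SW_OK, SW_NOT_FOUND, SW_NOT_ALLOWED = 0x9000, 0x6A82, 0x6985


def select_piv() -> bytes:
    """SELECT by AID: CLA=00 INS=A4 P1=04 P2=00 Lc <AID> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID + b"\x00"


def get_data(object_tag: bytes) -> bytes:
    """GET DATA: CLA=00 INS=CB P1P2=3FFF, data field = tag list 5C <len> <tag>."""
    tag_list = b"\x5C" + bytes([len(object_tag)]) + object_tag
    return bytes([0x00, 0xCB, 0x3F, 0xFF, len(tag_list)]) + tag_list + b"\x00"


def read_tlv(buf: bytes, offset: int = 0):
    """Parse one BER-TLV with a single-byte tag; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[offset], buf[offset + 1], offset + 2
    if length in (0x81, 0x82):                 # long form: length in next 1 or 2 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    elif length >= 0x80:
        raise ValueError(f"unsupported length byte {length:#04x}")
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_tlvs(buf: bytes) -> dict:
    """Walk a flat sequence of TLVs into {tag: value}."""
    out, offset = {}, 0
    while offset < len(buf):
        tag, value, offset = read_tlv(buf, offset)
        out[tag] = value
    return out


class SimulatedPivApplet:
    """Constructed stand-in for the applet; the same code sits behind every transport."""

    def __init__(self, objects: dict):
        self.objects, self.selected = objects, False

    def process(self, capdu: bytes) -> bytes:
        ins, p1, data = capdu[1], capdu[2], capdu[5:5 + capdu[4]]
        if (ins, p1) == (0xA4, 0x04):          # SELECT by AID
            self.selected = data.startswith(PIV_AID)
            return (SW_OK if self.selected else SW_NOT_FOUND).to_bytes(2, "big")
        if ins == 0xCB and self.selected:      # GET DATA on the selected applet
            obj = self.objects.get(data[2:2 + data[1]])
            if obj is None:
                return SW_NOT_FOUND.to_bytes(2, "big")
            return obj + SW_OK.to_bytes(2, "big")
        return SW_NOT_ALLOWED.to_bytes(2, "big")


class Transport:
    """Hypothetical transport (microSD, embedded SE, SIM): only the byte path differs."""

    def __init__(self, name: str, applet: SimulatedPivApplet):
        self.name, self.applet, self.sent = name, applet, []

    def transmit(self, capdu: bytes) -> bytes:
        self.sent.append(capdu.hex())          # record what the middleware sent
        return self.applet.process(capdu)


def read_chuid(transport: Transport) -> dict:
    """Middleware call: SELECT the PIV applet, GET DATA the CHUID, decode its fields."""
    for capdu in (select_piv(), get_data(CHUID_TAG)):
        rapdu = transport.transmit(capdu)
        if len(rapdu) < 2:
            raise ValueError("response shorter than a status word")
        body, sw = rapdu[:-2], int.from_bytes(rapdu[-2:], "big")
        if sw != SW_OK:
            raise RuntimeError(f"{transport.name}: {capdu[:2].hex()} failed, SW={sw:04X}")
    tag, value, _ = read_tlv(body)
    if tag != 0x53:
        raise ValueError("GET DATA response is not wrapped in tag 53")
    return parse_tlvs(value)


# Constructed CHUID: GUID (34), expiration date (35), filler where the issuer
# signature (3E) would be, empty error-detection code (FE), wrapped in tag 53.
SAMPLE_FIELDS = (b"\x34\x10" + bytes(range(16)) + b"\x35\x08" + b"20301231"
                 + b"\x3E\x81\xC0" + b"\xAA" * 192 + b"\xFE\x00")
SAMPLE_OBJECT = b"\x53\x81" + bytes([len(SAMPLE_FIELDS)]) + SAMPLE_FIELDS

if __name__ == "__main__":
    for name in ("smart-microsd", "embedded-se", "sim"):
        link = Transport(name, SimulatedPivApplet({CHUID_TAG: SAMPLE_OBJECT}))
        fields = read_chuid(link)
        print(f"{name:14} GUID={fields[0x34].hex()} expires={fields[0x35].decode()}")
```

Real secure elements return objects larger than one short APDU with response chaining (SW 61xx and GET RESPONSE), which this sketch leaves out.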


Riding the NFC wave

• NFC driven by payment will bring open secure element support to mobile devices in the form of Single Wire Protocol capable SIMs and Embedded Secure Elements fully capable of harbouring the PIV-C applet

• NFC can put the complete contents of a wallet into a smartphone — payment cards, identification cards, receipts, loyalty cards and keys allowing for contactless use cases like physical access

• NFC can help public-sector enterprises improve services in ways that parallel consumer NFC applications in payment and wallet functions

• NFC can be used by employees to securely interact with kiosks, meters and other field assets by acting as both an electronic key (that can be sent remotely) and as a bridge to exchange data with employees' smartphones or tablets. E.g. ePermits, HRconnect.

Gartner forecasts that NFC-enabled mobile devices will reach 50% of the installed base by 2015.


Significance of NFC + PIV investments

• The ability to leverage the strong PIV investments in security anchors without physically provisioning a new credential
• Reduce cost of deployment (no physical provisioning) – all Over the Air - including Certificate Renewal
• Government certified and approved components
• Strengthened security by Over-the-Air wiping and enhanced user awareness (one rarely forgets the phone without noticing)

[Diagram labels: Over the Air delivery; NFC Infrastructure; TSM]


Leveraging the PIV standard investment in the mobile ecosystem

• Strengthened Security – Closing the weakest links
  – Supports protection of resources up to Assurance Level 4
  – Makes malware an order of magnitude less effective
  – Makes security usable for the end user
• Reduced risk and higher return on investment
  – Pervasiveness of ecosystem support for PIV and open standards reduce deployment costs and increase interoperability
  – PIV Issuance model is “best practice”

Now available “on mobile”


Using a PIV card as the breeder credential for a strong derived credential on the mobile

• Create a PIV derived credential
  – Uses PIV standards
  – Allows secure alternate form factor based on existing investment in strongly vetted PIV credential
• With FIPS 140-2 L3-certified MicroSD or other secure elements, reaches Assurance Level 4
• Enables main use cases: secure messaging (email), secure enterprise resource access, secure physical access
  – Credential emulation can include physical access with new pivCLASS readers expected Q4 CY 2011
  – Contactless no PIN
  – Contactless + PIN
  – HID now supporting 800-116 and Activentry


Solution use case comparison

Before PIV leveraged Secure Mobile Device

1. George, an Army employee, must carry his CAC, Mobile device and external Bluetooth reader
2. To conduct business, George must leverage either his laptop and CAC, or external Bluetooth reader

After PIV leveraged Secure Mobile Device

1. George enters a PIN to access his PKI certificates and private key directly into his mobile device to encrypt, decrypt, and sign emails.
2. George uses phone in credential emulation mode to open a door
3. George can access AKO via his mobile device

Benefits of Secure Mobile Device

• OMB 04-04 Level 4 authentication
• Ease of Use
• Increased Security
• Reduced costs


Challenges of using the phone as a trusted ID in the US government

• Currently FIPS 201-1 only allows Smart Card form factor, FIPS 201-2 is expected to introduce different form factors to harbour credentials
  – PIV card + mobile credential will result in two different signing and authentication certificates for a single user active at the same time
  – Current operational processes and some infrastructure components (CAs) are designed around a single certificate per user active at the same time
• Physical access and check point (guard) use cases if no contactless interface is available
  – Need to find a secure way to show picture or badge
• Issues with non Blackberry platforms
  – Android deemed very unsecure (recent discovery of malware apps in Marketplace, Android rootkits) – can be solved by Secure Container + PIV leveraged middleware (e.g. Good)
  – iOS and associated hardware represent very restrictive ecosystem


Conclusion

• We already are in the “post PC era”
  – Mobile devices must be secured now in face of increasing and advanced persistent threats
  – The NFC wave will bring Embedded Secure Elements to the majority of phones
• We must secure the main use cases: secure messaging (email), secure enterprise resource access, secure physical access
• Instead of creating new security technology let’s leverage known and proven components
  – Secure elements: Smart MicroSD, Embedded, SIM
  – PIV certified applets
  – PIV compliant middleware
• Now is the time to explore and pilot with Mobile Access Security
  – Technology and standards are mature enough that trial results can realistically be used to create a business case, identify and resolve any policy issues, and plan roll-outs.


Questions and Answers


Backup Slides


Security Concerns within Enterprises and between Enterprise and Cloud providers

[Figure: Logical Access (Proofing / Credentialing: Process 1, Process 2, Process N) and Physical Access (Proofing / Credentialing: Process X, Process Y, Process Z) shown as separate tracks for an employee]

•  Multiple credentials issued through duplicate processes with limited interoperability
•  Result is higher cost to manage credentials and greater security risk exposure


PIV Alignment – Process and Credential Convergence

[Figure: Logical Access and Physical Access served by a single Common Proofing and Credentialing Process]

•  Convergence on common processes and a common, smart credential
•  Result is increased efficiencies, greater interoperability, and stronger controls
