Cloud & Mobile Security
KCJIS Conference, June 8 – 9, 2015
Jeff Campbell, FBI CJIS Assistant ISO
What is Cloud Computing?
Defined by the CJIS Security Policy as: "A distributed computing model that permits on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications, and services), software, and information."

Notes: There are a few definitions of cloud computing; the CJIS Security Policy definition is the one quoted above. Whenever discussing the cloud and any cloud-offered solutions, it should be understood that cloud services can take several forms: a simple application, a platform, or an infrastructure service.
Why Cloud? With many state governments looking for ways to attain greater efficiency while grappling with reduced budgets, using cloud computing to maintain data and applications is a very appealing option. Whether driven by economic efficiencies or technological improvements, increasing numbers of organizations are considering transitioning to a cloud environment. There is also a push within the Information Technology (IT) industries of both the private and public sectors to consider employing cloud strategies.
What is Cloud Computing? – Cloud Service Models
Layered view (diagram text, bottom to top):
- Infrastructure: Cabling, HVAC, Physical Security
- Platform/OS: Windows, Linux/Unix, Apple
- Software: CAD/RMS, Email, Productivity

Notes: The NIST-defined cloud model also describes the following three service models as those that cloud computing can offer: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
SaaS comprises end-user applications delivered as a service rather than as traditional, on-premises software (e.g., software that must be installed on the server or workstation for use). The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
PaaS provides an application platform, or middleware, as a service on which developers can build and deploy custom applications (e.g., APIs). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
IaaS primarily encompasses the hardware and technology for processing, storage, networks, and other fundamental computing resources, delivered as off-premise, on-demand services rather than as dedicated, on-site resources. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
NOTE: You may hear about other service models, such as DaaS or NaaS. Those are marketing ploys. According to NIST, these are the only three.
CLOUD COMPUTING
Cloud Service Models
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
How do I choose a Cloud Service Provider?
- CJIS Security Policy website: Cloud Computing Report and Control Catalog
- CJIS Security Policy, Appendix G.3 Cloud Computing
cloud.cio.gov/fedramp

Notes: GSA held the first of two FedRAMP information days, the first on June 4 for industry and the next on June 10 at the agency's National Capital Region building on 7th and D Streets in Washington, D.C. If you missed the June 4 industry day, here's the slide deck from that event.
FISMA Low and Moderate – a high level of assurance for the criminal/noncriminal justice community.
FedRAMP Ready systems – readiness to meet requirements; readiness review; may or may not have done any assessments (a 3PAO, Third Party Assessment Organization, is required); ready to begin a SAF (Security Assessment Framework).
FedRAMP In Process – JAB (Joint Authorization Board) Provisional Authorization OR Agency Authorization; actively working with government through the SAF.
FedRAMP Compliant systems – JAB Provisional Authorizations and Agency FedRAMP Authorizations; these meet FedRAMP requirements.
How will the Cloud Service Provider meet the CJIS Security Policy requirements?
Consider things like:
- Physical Security
- Encryption
- Organization
- Personnel Security
How committed will the Cloud Service Provider be to ongoing Policy compliance?
- Physical Security
- Encryption
- Personnel Security
What does it all mean?
Determine what services you can technically virtualize:
- Email
- RMS
- CAD
- Other CJI applications
- Legacy systems
Consider the Policy impact at each level of cloud services:
- Infrastructure
- Platform/OS
- Software/Applications

Notes: Determine how you want to use the cloud. Consider the Policy impact at each level of cloud services.
Delineation of Responsibility/Governance in Cloud Computing

Notes: Outside of continuing to maintain your own on-premise environment, some level of responsibility and control must be transferred to the cloud service provider. You may retain some management control within the cloud, but that level of management varies between the cloud service models, as seen on this slide.
On-premise environment: you maintain management of everything from the networking to the applications. This is typically what most organizations are still doing today.
IaaS (Infrastructure as a Service): delivers basic storage and compute capabilities as standardized services over the network. Servers, storage systems, switches, routers, and other systems are pooled and made available to handle workloads that range from application components to high-performance computing applications. Examples of IaaS market players: Amazon Web Services, Rackspace, VMware vCloud.
PaaS (Platform as a Service): encapsulates a layer of software and provides it as a service that can be used to build higher-level services. Examples of PaaS market players: Google App Engine, Windows Azure Platform, MS SharePoint.
SaaS (Software as a Service): a complete application offered as a service on demand. A single instance of the software runs on the cloud and serves multiple end users or client organizations. Examples of SaaS market players: Gmail, Facebook, Google Docs, Netflix, SalesForce, Office 365.
Office 365: tends to be considered a SaaS solution, but it also integrates with SharePoint, which is a PaaS solution, so it is something of a hybrid in its capabilities. When reviewing Office 365, evaluate each capability separately.
Section 5.10.1.5 Cloud Computing
Only two specific "shall" requirements:
"The metadata derived from CJI shall not be used by any cloud service provider for any purposes. The cloud service provider shall be prohibited from scanning any email or data files for the purpose of building analytics, data mining, advertising, or improving the services provided."
Questions?
MOBILE SECURITY
CSP Section 5.13 Mobile Devices
AKA: Smartphone / Tablet / Laptop Device Security
Mobile Device Categorization – Form Factor
- Large Form Factor – vehicle mount or a carrying case, including a monitor with attached keyboard (MDTs/Laptops)
- Medium Form Factor – vehicle mount or portfolio-sized carry case, typically consisting of a touch screen without attached keyboard (Tablets)
- Small Form Factor – intended for carry in a pocket or "holster" attached to the body (Smartphones)
Mobile Device Categorization – Operating System (OS)
- Full-feature OS – Windows, Linux/Unix, Apple OS X
- Limited-feature OS – iOS, Android, BlackBerry
Mobile Device Categorization – three categories based on two characteristics
- Laptop Devices: large form factor, full-feature OS
- Tablet Devices: medium form factor, limited-feature OS
- Pocket/Handheld Mobile Devices: small form factor, limited-feature OS

Notes: Tablets will/may have exceptions as newer devices are released that support and run a full-feature OS (Windows 10, for example).
Mobile Device Connectivity
Three (3) different types based on two (2) technologies:
- Cell primary (always on) plus WiFi "on demand" (e.g., smartphone)
- WiFi only – always on (e.g., tablet, laptop)
- WiFi primary plus Cell "on demand" (e.g., tablet/laptop with extra capability)
Who's Winning the Battle?
- Device Manufacturer
- Operating System

Notes: Many choices for both OS and platform.
[Two chart slides; data taken from comScore MobiLens, June 2014]
Mobile Device Management
5.13.2 Mobile Device Management (MDM)
- No devices with unauthorized changes (rooted or jailbroken)
- Centralized oversight of configuration control, application usage, and device protection and recovery [if so desired by the agency]
- Minimum MDM controls when allowing CJI access from cell/smart phones and tablet devices

Notes: MDM – centralized management and oversight. EMM – Enterprise Mobility Management: an industry shift toward a broader scope that adds content management and financial management. The requirement is MDM, but if your EMM solution provides the capabilities to meet the requirements, you're OK.
Mobile Device Management
[Image slides]

Notes: SMB – Small and mid-sized businesses.
MDM and Lifecycle Management

Notes: Will talk about the MDM lifecycle and how the CSP supports many aspects of it.
Section 5.9.1 Physically Secure Location
"A physically secure location is a facility, a police vehicle, or an area, a room, or a group of rooms within a facility with both the physical and personnel security controls sufficient to protect CJI and associated information systems."
Police vehicle = enclosed criminal justice conveyance

Notes: 5.9.1 Physically secure location – adds the police vehicle. This impacts AA (advanced authentication) situations as well. Discuss the whole inside/outside-the-vehicle issue. Reminder: the technical controls in 5.5 and 5.10 must be met for AA not to be required. The next slides have pictures of good and bad examples.
[Photos] Potential physically secure location police vehicles
[Photos] Non-potential physically secure location police vehicles
COMPENSATING CONTROLS for AA
- Applies only to smartphones and tablets
- Possession of an agency-issued device is a required part of the control
- Additional requirements mostly met by MDM
- Compensating controls are temporary
- CSO approval and support required
COMPENSATING CONTROLS for AA
Compensating controls must:
- Meet the intent of the CJIS Security Policy AA requirement
- Provide a similar level of protection or security as the original AA requirement
- Not rely upon existing requirements for AA as compensating controls
SANS SEC575: Mobile Device Security & Ethical Hacking – Takeaways
- MDM – must have, even a rudimentary one
- Application Management – malware/virus protection
- WiFi Considerations – just say no unless absolutely required; cell service is more secure
- Backend is the bigger target, not the device
- No rooting/jailbreaking – it breaks inherent security features
QUESTIONS?
Jeff Campbell
FBI CJIS Assistant Information Security Officer
CJIS Information Assurance Unit
(304) 625-4961
jeffrey.campbell@ic.fbi.gov
iso@ic.fbi.gov