Shawn,
We know that Apple only supplies COTS devices, that's one of the problems we've had justifying any Apple device for some time. With BYOD being in vogue (and not something I personally agree with),
more Apple COTS devices will be coming into government and enterprise installations. We are still required to figure out ways to properly protect them. As for laptops, we still require FDE for any device leaving our site. I don't see this changing any time
soon. As for a perceived protection (or lack thereof), we deal with perception all the time when dealing with auditors and DAAs. Allan is attempting to go beyond the hyperbole of false protection methods, like overwritten security plans that don't protect
anything, to provide the best security he can implement. I know you understand the government installation problems so this shouldn't come as a surprise to you.
Will Apple actually provide a custom iPhone or desktop for those installations who actually need one? Will they leave that to third-party vendors who will have to break half the devices
they try to secure because of Apple's latest consumer COTS designs? Why use third-party vendors to do what Apple should include in their OS in the first place (CAC/PKI drivers to start with)? I know you've fought to include many of these things but you understand
Apple's direction and are complying with it.
To answer your question below; yes, I am serious about Apple providing an iPhone/iPad with pre-boot authentication if that would protect all data until a user is properly logged on. My Mac is
so messed up with all the extra "security" software DOE/NNSA requires that having an iPhone work the same way would at least mean I would be used to it. Do I see Apple building an iPhone one way so everyone would have to have pre-boot authentication? Unfortunately,
right now I do see them only building an iPhone one way and that's always going to be a problem we're going to have to figure out how to overcome while justifying mitigations to continue using Apple products. I still prefer Apple products over any other computer
product but Apple could make my job a lot easier if they bent a little and helped us out (customized Macs without certain components starts my list).
The "pre-boot" capability that I spoke of refers to having all the data on the device encrypted until the device is turned on and the password is entered.
I do understand "pre-boot" authentication. :-) My question was whether you were actually serious about having "Pre-Boot" Authentication on a COTS phone? The user experience would plummet, to say the least. That is reminiscent of FDE on your desktop and laptop.
People forget that once you boot a desktop/laptop device using FDE, the FDE no longer provides the perceived protection after that because the OS always needs to read/write data to the volume. The Enhanced Data Protection framework in iOS provides much more
granular control of the data even after the device is up and running - much more powerful on a mobile device than the traditional FDE solution with a single encryption key.
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
The contents of this message are mine personally and do not reflect the views or position of the U.S. Department of Energy, Federal Government, National
Nuclear Security Administration, Lawrence Livermore National Security, or Lawrence Livermore National Laboratory.