Re: [Fed-Talk] .. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))


  • Subject: Re: [Fed-Talk] .. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
  • From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
  • Date: Thu, 21 Feb 2013 08:53:33 -0500


-----Original Message-----
From: Villano, Paul A CIV USARMY TRADOC (US)
[mailto:email@hidden]
Sent: Thursday, February 21, 2013 8:30 AM
To: Shawn Geddis; Link, Peter R.
Cc: email@hidden
Subject: RE: [Fed-Talk] .. (was: CoreCrypto / CoreCrypto Kernel now in "In -
Review"(CMVP))

FWIW, GEN Cone said again at AUSA yesterday that he wants iPads for Soldiers
(though he probably meant iPad-like devices). He means form factor and
intuitive function. So that should give someone somewhere more initiative to
fix things and make that possible, hopefully. But he also mentioned it must
fit into DOTMLPF and the Army must be able to configure it as needed, which
we all know is against Apple culture. So...

-----Original Message-----
From: fed-talk-bounces+paul.villano=email@hidden
[mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf
Of Shawn Geddis
Sent: Wednesday, February 20, 2013 5:09 PM
To: Link, Peter R.
Cc: email@hidden
Subject: Re: [Fed-Talk] .. (was: CoreCrypto / CoreCrypto Kernel now in "In -
Review"(CMVP))

Peter,

Comments inline...

On Feb 20, 2013, at 3:37 PM, "Link, Peter R." <email@hidden> wrote:

	Shawn,
	We know that Apple only supplies COTS devices, that's one of the
problems we've had justifying any Apple device for some time. With BYOD
being in vogue (and not something I personally agree with),  more Apple COTS
devices will be coming into government and enterprise installations. We are
still required to figure out ways to properly protect them. As for laptops,
we still require FDE for any device leaving our site. I don't see this
changing any time soon.


iOS devices actually have two layers of encryption, meeting your stated
requirement of FDE:

	- 1st Layer: Hardware Encryption (full storage) of the device -
"FDE"
	- 2nd Layer: File System Layer Encryption - "Data Protection"


	As for a perceived protection (or lack thereof), we deal with
perception all the time when dealing with auditors and DAAs. Allan is
attempting to go beyond the hyperbole of false protection methods, like
overwritten security plans that don't protect anything, to provide the best
security he can implement. I know you understand the government installation
problems so this shouldn't come as a surprise to you.


Yes, I understand the challenges you face.  Hopefully, even better than you
think I do.  :-)


	Will Apple actually provide a custom iPhone or desktop for those
installations who actually need one?


Apple provides a single platform which directly meets the needs of
millions/billions and works hard to enable third-parties to augment that
with solutions that provide extra capabilities to go beyond the needs of the
masses.  History has shown that Apple does not make custom iPhones for a
particular vertical market, but rather strives to provide a balanced
platform to meet the broadest needs of all customers.  The challenging and
successful part is making that a truly usable system by all.

The rapidly changing landscape of mobile computing, especially in the
federal space, has shown that the custom/one-off solutions no longer meet
the needs of organizations such as yours.

The epiphany comes when organizations realize it all comes down to risk
management.  For example, some may now have decided that it is no longer an
acceptable risk to use Java, while others feel there is a higher payback
than the risk.  There is no 100% guarantee, but rather managing the risk to
achieve a given capability is at the core of IT's responsibility.


	Will they leave that to third-party vendors who will have to
break half the devices they try to secure because of Apple's latest consumer
COTS designs?


I know and understand you are just trying to prove a point, but why would
third-party vendors have to break devices?  Policies are based on perceived
risk and the organization's choice in how they mitigate that perceived risk.
The unfortunate state of many in the IT Community is taking the same
approach, requiring the same tools / approaches and expecting to both enable
new capabilities while protecting against issues of the past.  Case in point
is what was noted about the NYT Attacks and the tools used:



http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
	...
	Over the course of three months, attackers installed 45 pieces of
custom malware. The Times - which uses antivirus products made by Symantec -
found only one instance in which Symantec identified an attacker's software
as malicious and quarantined it, according to Mandiant.


They were following traditional belief in requiring certain security tools.
Do you think it was successful?  The computing landscape today is requiring
IT Security individuals to take a new look at their approach to protecting
their data.


	Why use third-party vendors to do what Apple should include in their
OS in the first place (CAC/PKI drivers to start with)?

	I know you've fought to include many of these things but you
understand Apple's direction and are complying with it.


Not meant as an excuse, but a statement of reality.  There are always going
to be times / cases where third-party solutions will be needed to add
functionality that does not come with the platform from the original vendor.
That is the case on all systems from servers, to desktops, to laptops to
various mobile devices.  That is reality.  I would love to be able to offer
you and every other customer support for your Smart Cards on iOS.  Right
now, there are players in this space that are providing you with what you
need on all platforms from all vendors.  You aren't getting all device
capabilities from a single source - it simply isn't the case.

The future can hold all kinds of opportunities, but I need to be realistic
and speak with you on what is available today that you can use today to help
your staff / end users meet your agency's mission.  That is the most
important thing that any of us can do.


	To answer your question below; yes, I am serious about Apple
providing an iPhone/iPad with pre-boot authentication if that would protect
all data until a user is properly logged on.


Rather than destroy the user experience on mobile devices (phones/tablets)
with pre-boot authentication, it is far superior to help developers do
exactly what Allan was asking for early on -- App Developers should leverage
the built-in services (available since iOS 4.0) to protect sensitive data at
higher classifications.  It becomes a Win-Win-Win situation without forcing
old approaches to old problems on new devices with new users.  :-)  We are
constantly noodling on how to help accelerate developers in that direction
combined with approaches we can take as well.  We are very much a part of
that solution.


	My Mac is so messed up with all the extra "security" software
DOE/NNSA requires that having an iPhone work the same way would at least
mean I would be used to it.


You're asking for a bad experience so that it is just as bad as what you have
on your desktop/laptop due to extra software required?  I point you back to
lessons being actively learned by people from events as recent as the NYT
situation.  If there are risks (perceived or actual) on a given platform, it
is paramount to take the right approaches and use the right tools.
Forcing old ways on new architectures does not solve the problem.


	Do I see Apple building an iPhone one way so everyone would have to
have pre-boot authentication? Unfortunately, right now I do see them only
building an iPhone one way and that's always going to be a problem we're
going to have to figure out how to overcome while justifying mitigations to
continue using Apple products. I still prefer Apple products over any other
computer product, but Apple could make my job a lot easier if they bent a
little and helped us out.


If Apple is not meeting your needs or those of others then Apple will need
to noodle on how to do that more effectively without destroying the user
experience.  Solving the difficult problems in new and innovative ways is at
the core of our DNA.


The dialogue like this is important to have.

- Shawn
________________________________________
Shawn Geddis                               T (703) 264-5103
Security Consulting Engineer    C (703) 623-9329
Apple Enterprise Division           email@hidden

11921 Freedom Drive, Suite 600, Reston VA  20190-5634
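The "built-in services" Shawn refers to are the iOS Data Protection file classes. The following is an added illustration, not code from the list message or from Apple: an app opts a file into the Complete class when writing it and then reads the attribute back to confirm the class actually applied. The file name and contents are constructed for the example; the APIs are iOS-only, and the class is only meaningful once the user has set a device passcode, since the per-file keys are wrapped by passcode-derived keys.

```swift
import Foundation

// Added example: store a record under the Data Protection class
// "Complete" (NSFileProtectionComplete) so that its per-file key is
// unavailable whenever the device is locked, on top of the
// always-on hardware storage encryption.
enum ProtectedStore {
    /// Writes `payload` into the app's Documents directory with
    /// Complete protection and returns the file URL.
    static func write(_ payload: Data, named name: String) throws -> URL {
        let dir = try FileManager.default.url(for: .documentDirectory,
                                              in: .userDomainMask,
                                              appropriateFor: nil,
                                              create: true)
        let url = dir.appendingPathComponent(name)
        // .completeFileProtection maps to NSFileProtectionComplete; the
        // contents are inaccessible while the device is locked.
        try payload.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Reads back the protection class recorded on the stored file so a
    /// reviewer can verify the opt-in took effect rather than assume it.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }
}

// Constructed sample input; "record.bin" is a hypothetical file name.
let sample = Data("constructed sensitive record".utf8)
let url = try ProtectedStore.write(sample, named: "record.bin")
let applied = try ProtectedStore.protectionClass(of: url)
print(applied == .complete ? "Complete protection applied" : "not protected")
```

Files written without the option inherit the app's default class, so an audit of an app's data-at-rest posture should check the attribute on each file rather than rely on the device-level FDE alone.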




References: 
 >Re: [Fed-Talk] CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP) (From: "Link, Peter R." <email@hidden>)
