Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
- Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
- From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
- Date: Thu, 21 Feb 2013 11:00:56 -0500
The point of DOTMLPF is not the software configuration but to make sure the support system is available throughout the Army so not every bright idea is bought and we're stuck with what can't be supported and continued.
Doctrine: Will the Ipad/tech solution meet the stated objectives of the mission (not just a "tech toy")
Organization: Which organizations can it be used in to be most cost-effective?
Training: Ipads are intuitive but is there training required to use them, specifically for the missions in a particular organization? Training in how to operate it securely and to keep it from being compromised? (OPSEC if nothing else, and physically securing the device)
Materiel: Ipads need cords. Do they need ruggedized sleeves? Where will they be plugged in for recharging? Can apps be supplied directly or must it have another device to be upgraded securely? When? Where? How?
Leadership: Does the Leadership "get it" why this form factor works, why Soldiers should be using them, why THEY should use them and how they can help meet mission better?
Personnel: Are the right personnel being issued the device? Can use of the device actually decrease the need for personnel at cost savings?
Facilities: Where are these devices procured from? Where are they stored? What issues are there about supply chains?
That kind of thing. It's not always about the software. Sometimes it's all about the support of the system that delivers it and allows it to be operated and replaced long-term.
From: https://dap.dau.mil/aap/pages/qdetails.aspx?cgiSubjectAreaID=9&cgiQuestionID=19945
Doctrine: the way we fight, e.g., emphasizing maneuver warfare, combined air-ground campaigns. A fuller definition is as follows: Fundamental principles by which the military forces or elements thereof guide their actions in support of national objectives. It is authoritative but requires judgment in application.
Organization: how we organize to fight; divisions, air wings, Marine-Air Ground Task Forces (MAGTFs), etc.
Training: how we prepare to fight tactically; basic training to advanced individual training, various types of unit training, joint exercises, etc.
Materiel: all the "stuff" necessary to equip our forces, that is, weapons, spares, etc. so they can operate effectively.
Leadership and education: how we prepare our leaders to lead the fight from squad leader to 4-star general/admiral; professional development.
Personnel: availability of qualified people for peacetime, wartime, and various contingency operations.
Facilities: real property; installations and industrial facilities (e.g. government owned ammunition production facilities) that support our forces.
-----Original Message-----
From: fed-talk-bounces+paul.villano=email@hidden [mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf Of Link, Peter R.
Sent: Thursday, February 21, 2013 10:42 AM
To: Villano, Paul A CIV USARMY TRADOC (US)
Cc: email@hidden
Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
Paul,
Does DOTMLPF have documented configuration requirements available for Apple/Shawn to address? Apple devices can be extensively configured by software. If the Army demands hardware configuration/disablement, that's another story but one the Army needs to do some soul searching on since even though you get rid of the camera, someone will figure out how to attach an external one. Lock down the hardware using software controls and it's much harder to bypass the ability to even use a camera. Of course, I'm sure the Army wants a camera, microphone, wireless, and cellular at least some of the time or there's no reason to get an iPhone or iPad in the first place.
As for initiative, Shawn has continued to state "specialized" configurations are done by third-party vendors and not by Apple. I've beaten that dead horse more times than most. Someone also told me months ago that if someone actually wants something changed (e.g., policies), they will change them. BYOD is a perfect example. Five years ago nobody in their right mind would have thought any government installation would even be thinking about BYOD and now they are not only thinking about it, they are changing the policies to implement it (same with personal cell phones and computers allowed on site). I talked to a Navy friend and they do all sorts of things I don't agree with because they have to--end of story. The Army might be led to changes kicking and screaming (like me) but change is guaranteed sooner or later.
btw: it's iPad and I find it funny that it took the simplest Apple device to get government IT people to want Apple devices again. Go figure.
On Feb 21, 2013, at 5:29 AM, "Villano, Paul A CIV USARMY TRADOC (US)" <email@hidden> wrote:
> FWIW, GEN Cone said again at AUSA yesterday that he wants Ipads for Soldiers (though he probably meant Ipad-like devices). He's meaning form factor and intuitive function. So that should give someone somewhere more initiative to fix things and make that possible, hopefully. But he also mentioned it must fit into DOTMLPF and the Army must be able to configure it as needed, which we all know is against Apple culture. So...
>
> -----Original Message-----
> From: fed-talk-bounces+paul.villano=email@hidden [mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf Of Shawn Geddis
> Sent: Wednesday, February 20, 2013 5:09 PM
> To: Link, Peter R.
> Cc: email@hidden
> Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
>
> Peter,
>
> Comments inline...
>
> On Feb 20, 2013, at 3:37 PM, "Link, Peter R." <email@hidden> wrote:
>
> Shawn,
> We know that Apple only supplies COTS devices, that's one of the problems we've had justifying any Apple device for some time. With BYOD being in vogue (and not something I personally agree with), more Apple COTS devices will be coming into government and enterprise installations. We are still required to figure out ways to properly protect them. As for laptops, we still require FDE for any device leaving our site. I don't see this changing any time soon.
>
>
> iOS Devices actually have two layers of encryption - meeting your stated requirement of FDE.
>
> - 1st Layer: Hardware Encryption (Full storage) of the device - "FDE"
> - 2nd Layer: File System Layer Encryption - "Data Protection"
>
>
> As for a perceived protection (or lack there of), we deal with perception all the time when dealing with auditors and DAAs. Allan is attempting to go beyond the hyperbole of false protection methods, like overwritten security plans that don't protect anything, to provide the best security he can implement. I know you understand the government installation problems so this shouldn't come as a surprise to you.
>
>
> Yes, I understand the challenges you face. Hopefully, even better than you think I do. :-)
>
>
> Will Apple actually provide a custom iPhone or desktop for those installations who actually need one?
>
>
> Apple provides a single platform which directly meets the needs of millions/billions and works hard to enable third-parties to augment that with solutions that provide extra capabilities to go beyond the needs of the masses. History has shown that Apple does not make custom iPhones for a particular vertical market, but rather strives to provide a balanced platform to meet the broadest needs of all customers. The challenging and successful part is making that a truly usable system by all.
>
> The rapidly changing landscape of mobile computing, especially in the federal space, has shown that the custom/one-off solutions no longer meet the needs of organizations such as yours.
>
> The epiphany comes when organizations realize it all comes down to risk management. For example, some may now have decided that it is no longer an acceptable risk to use Java, while others feel there is a higher payback than the risk. There is no 100% guarantee, but rather managing the risk to achieve a given capability is at the core of IT's responsibility.
>
>
> Will they leave that to third-party vendors who will either have to break half the devices it tries to secure because of Apple's latest consumer COTS designs?
>
>
> I know and understand you are just trying to prove a point, but why would third-party vendors have to break devices? Policies are based on perceived risk and the organization's choice in how they mitigate that perceived risk. The unfortunate state of many in the IT Community is taking the same approach, requiring the same tools / approaches and expecting to both enable new capabilities while protecting against issues of the past. Case in point is what was noted about the NYT Attacks and the tools used:
>
>
> http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
> ...
> Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
>
>
> They were following traditional belief in requiring certain security tools. Do you think it was successful? The computing landscape today is requiring IT Security individuals take a new look at their approach to protecting their data.
>
>
> Why use third-party vendors to do what Apple should include in their OS in the first place (CAC/PKI drivers to start with)?
>
> I know you've fought to include many of these things but you understand Apple's direction and are complying with it.
>
>
> Not meant as an excuse, but a statement of reality. There are always going to be times / cases where third-party solutions will be needed to add functionality that does not come with the platform from the original vendor. That is the case on all systems from servers, to desktops, to laptops to various mobile devices. That is reality. I would love to be able to offer you and every other customer support for your Smart Cards on iOS. Right now, there are players in this space that are providing you with what you need on all platforms from all vendors. You aren't getting all device capabilities from a single source - it simply isn't the case.
>
> The future can hold all kinds of opportunities, but I need to be realistic and speak with you on what is available today that you can use today to help your staff / end users meet your agency's mission. That is the most important thing that any of us can do.
>
>
> To answer your question below; yes, I am serious about Apple providing an iPhone/iPad with pre-boot authentication if that would protect all data until a user is properly logged on.
>
>
> Rather than destroy the user experience on mobile devices (phones/tablets) with pre-boot authentication, it is far superior to help developers do exactly what Allan was asking for early on -- App Developers should leverage the built-in services (available since iOS 4.0) to protect sensitive data at higher classifications. It becomes a Win-Win-Win situation without forcing old approaches to old problems on new devices with new users. :-) We are constantly noodling on how to help accelerate developers in that direction combined with approaches we can take as well. We are very much a part of that solution.
>
>
> My Mac is so messed up with all the extra "security" software DOE/NNSA requires that having an iPhone work the same way would at least mean I would be used to it.
>
>
> You're asking for a bad experience so that it is just as bad as what you have on your desktop/laptop due to extra software required? I point you back to lessons being actively learned by people from events as recent as the NYT situation. If there are risks (perceived or actual) on a given platform, it is paramount to taking the right approaches and using the right tools. Forcing old ways on new architectures does not solve the problem.
>
>
> Do I see Apple building an iPhone one way so everyone would have to have pre-boot authentication? Unfortunately, right now I do see them only building an iPhone one way and that's always going to be a problem we're going to have to figure out how to overcome while justifying mitigations to continue using Apple products. I still prefer Apple products over any other computer product but Apple could make my job a lot easier if they bent a little and helped us out.
>
>
> If Apple is not meeting your needs or those of others then Apple will need to noodle on how to do that more effectively without destroying the user experience. Solving the difficult problems in new and innovative ways is at the core of our DNA.
>
>
> The dialogue like this is important to have.
>
> - Shawn
> ________________________________________
> Shawn Geddis T (703) 264-5103
> Security Consulting Engineer C (703) 623-9329
> Apple Enterprise Division email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden
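Shawn's point above about the "2nd layer" (iOS Data Protection classes an app opts into instead of pre-boot authentication), as an added Swift example that is not code from this thread or from Apple; the `DataProtectionDemo` helper, the file name and the sample note are constructed for illustration:

```swift
import Foundation

/// Constructed helper (not from the thread): write a sensitive file under an
/// explicit Data Protection class and read back the class the file system
/// recorded, so a reviewer can verify the app actually opted in.
enum DataProtectionDemo {
    /// Creates `url` with `payload` under `protection` and returns the class
    /// stored on the file (nil if the platform recorded none).
    static func write(_ payload: Data, to url: URL,
                      protection: FileProtectionType) throws -> String? {
        let fm = FileManager.default
        // The class is fixed at creation time. For NSFileProtectionComplete the
        // per-file key is wrapped by a class key that is unavailable while the
        // device is locked, on top of the always-on hardware "FDE" layer.
        guard fm.createFile(atPath: url.path, contents: payload,
                            attributes: [.protectionKey: protection]) else {
            throw CocoaError(.fileWriteUnknown)
        }
        let attrs = try fm.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? String
    }

    /// Raises the class of an existing file, e.g. one written earlier with the
    /// iOS default (CompleteUntilFirstUserAuthentication) that now needs to be
    /// unreadable whenever the device is locked.
    static func upgrade(_ url: URL, to protection: FileProtectionType) throws {
        try FileManager.default.setAttributes([.protectionKey: protection],
                                              ofItemAtPath: url.path)
    }

    /// True when the file on disk carries the class the policy expects.
    static func isProtected(_ url: URL, as protection: FileProtectionType) throws -> Bool {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return (attrs[.protectionKey] as? String) == protection.rawValue
    }
}

// Constructed sample record inside the app sandbox's Documents directory.
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let record = docs.appendingPathComponent("sensitive-note.txt")
let note = Data("constructed sample: sensitive note".utf8)

do {
    let stored = try DataProtectionDemo.write(note, to: record, protection: .complete)
    print("class recorded on disk:", stored ?? "none")
    print("meets Complete policy:", try DataProtectionDemo.isProtected(record, as: .complete))
} catch {
    print("write failed:", error)
}
```

The class is only enforced on a passcode-protected iOS device; on the simulator or on macOS the attribute is not meaningful, so the check belongs in on-device testing or an MDM/compliance review rather than a desktop unit test.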
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden