Transcription
CJIS SECURITY POLICY OVERVIEWMobile Device Security1
CJIS SECURITY POLICY OVERVIEW2
CJIS SECURITY POLICY OVERVIEW3
CJIS SECURITY POLICY OVERVIEWMobile Device CategorizationFORM FACTORLarge Form Factor – vehicle mount or a carrying case and include amonitor with attached keyboard (MDTs/Laptops)Medium Form Factor – vehicle mount or portfolio sized carry case thattypically consist of a touch screen without attached keyboard(Tablets)Small Form Factor –intended for carry in a pocket or ‘holster’ attached4to the body (Smartphones)
CJIS SECURITY POLICY OVERVIEWMobile Device CategorizationOperating System (OS)Full-feature OS – Windows, Linux/Unix, Apple OSXLimited-feature OS – iOS, Android, BlackBerry5
CJIS SECURITY POLICY OVERVIEWMobile Device CategorizationThree categories based on two characteristicsLaptop Devices Large form factor Full featured OSPocket/HandheldMobile Device Small form factor Limited feature OSTablet Devices Medium form factor Limited feature OS6
CJIS SECURITY POLICY OVERVIEWMobile Device ConnectivityThree (3) different types based on two (2) technologiesCell primary (always on) plus WiFi “ondemand” (i.e. smartphone)WiFi only – always on (i.e. tablet, laptop)WiFi primary plus Cell “on demand” (i.e.tablet/laptop with extra capability)7
CJIS SECURITY POLICY OVERVIEWMobile Device Management5.13.2 Mobile Device Management (MDM) No devices with unauthorized changes (rooted orjailbroken) Centralized oversight of configuration control, applicationusage, and device protection and recovery [if so desiredby the agency] Minimum MDM controls when allowing CJI access fromcell/smart phones and tablet devices8
CJIS SECURITY POLICY OVERVIEWMobile Device Management5.13.2 Mobile Device Management (MDM)1. CJI is only transferred between CJI authorizedapplications and storage areas of the device.2. MDM with centralized administration capable of atleast:i. Remote locking of deviceii. Remote wiping of deviceiii. Setting and locking device configurationiv. Detection of “rooted” and “jailbroken” devicesv. Enforce folder or disk level encryption9
CJIS SECURITY POLICY OVERVIEWMobile Device Management5.13.2 Mobile Device Management (MDM)2. MDM with centralized administration capable of at least(continued):vi. Application of mandatory policy settings on devicevii. Detection of unauthorized configurationsviii. Detection of unauthorized software or applicationsix. Ability to determine location of agency controlled devicex. Prevention of unpatched devices from accessing CJI orCJI systemsxi. Automatic device wiping after a specified number of failedaccess attempts10
CJIS SECURITY POLICY OVERVIEWSection 5.9.1 Physically Secure Location “A physically secure location is a facility, acriminal justice conveyance, or an area, a room,or a group of rooms within a facility with both thephysical and personnel security controls sufficientto protect CJI and associated informationsystems.”11
PHYSICAL SECURITY12
PHYSICAL SECURITY13
CJIS SECURITY POLICY OVERVIEWCOMPENSATING CONTROLS for AA Applies only to smartphones and tablets Possession of agency issued device is arequired part of control Additional requirements Compensating Controls are temporary CSO approval and support required * MDM is already required14
CJIS SECURITY POLICY OVERVIEWCOMPENSATING CONTROLS for AA Meet the intent of the CJIS Security PolicyAA requirement Provide a similar level of protection orsecurity as the original AA requirement Not rely upon existing requirements for AAas compensating controls15
CJIS SECURITY POLICY OVERVIEW5.5.6.1 Personally Owned Information Systems Not authorized to access CJI unless terms andconditions are specified. When personally owned mobile devices (i.e.bring your own device [BYOD]) areauthorized, they shall be controlled inaccordance with the requirements in PolicyArea 13: Mobile Devices.16
CJIS SECURITY POLICY OVERVIEW17
CJIS SECURITY POLICY OVERVIEW5.13.9.1 Local Device Authentication For devices authorized to access CJI Meet the requirements in Section 5.6.2.1Standard Authenticators Unlock the device for use18
CJIS SECURITY POLICY OVERVIEWSolution ExampleAgency NetworkAgency Issued Device19
CJIS SECURITY POLICY OVERVIEWSANS SEC575: Mobile Device Security &Ethical Hacking Takeaways MDM – must have, even rudimentary Application Management – malware/virusprotection WiFi Considerations – just say no, unlessabsolutely required, cell service more secure Backend is Bigger Target – device not so much No Rooting/Jailbreaking – breaks inherentsecurity features20
CJIS SECURITY POLICY OVERVIEWCloudComputing21
CLOUD COMPUTINGWhat is Cloud Computing? Defined by the CJIS Security Policy as:A distributed computing model that permits on-demandnetwork access to a shared pool of configurable computingresources (i.e., networks, servers, storage, applications,and services), software, and information.22
CLOUD COMPUTINGWhat is Cloud Computing?Infrastructure Cabling HVAC Physical SecurityService ModelsPlatform/OS Windows Linux/Unix AppleSoftware CAD/RMS Email23 Productivity
CJIS SECURITY POLICY OVERVIEWCloud Service Models24
CLOUD COMPUTINGBenefits of Cloud ComputingReduced BudgetsImproved EfficiencyDisaster RecoveryService Consolidation
CLOUD COMPUTINGSecurity Concerns with Cloud Computing Privileged user access Regulatory compliance Data location Data segregation Encryption key management Recovery Investigative support Long-term viability
CLOUD COMPUTINGWhat Does the Cloud Actually Look Like?
CLOUD COMPUTINGWhat Does the Cloud Actually Look Like?
CLOUD COMPUTINGA More Realistic Cloud DiagramOn-premise environment
CLOUD COMPUTINGHow will the Cloud Service Providerhelp meet the CJIS Security Policyrequirements?30
CJIS SECURITY POLICY OVERVIEWHow do I choose a cloud service provider?iso@leo.gov
CJIS SECURITY POLICY OVERVIEWHow do I choose a cloud service provider?https://www.fedramp.gov32
CJIS SECURITY POLICY OVERVIEWWhat does it all mean?Determine what services you can technically virtualize. EmailRMSCADOther CJI applicationsLegacy systemsConsider the Policy impact at each level of cloud services. Infrastructure Platform/OS Software/Applications33
CJIS SECURITY POLICY OVERVIEWWhat does it all mean?Delineation of Responsibility/Governance in Cloud Computing34
CJIS SECURITY POLICY OVERVIEWSection 5.10.1.5 Cloud Computing Only two specific “shall” requirements:“The metadata derived from CJI shall notbe used by any cloud service provider forany purposes. The cloud service providershall be prohibited from scanning anyemail or data files for the purpose ofbuilding analytics, data mining, advertising,or improving the services provided.”35
CJIS SECURITY POLICY OVERVIEWAdvanced Authentication36
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationWhat is authentication? The process of verifying a claimed identity Determining if the subject is really who he/she claims to beBased on at least one of the following three factors: Something a person knows (password, passphrase, PIN) Something a person has (smart card, token, key, swipe card, badge) Something a person is (fingerprint, voice, retina/iris characteristics)Strong, or two-factor, authentication contains two (distinct) outof three of these methods.
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationImplementing AA Standard authenticators: something you know, have, areo Passwordo PIN As standard authenticator – meet password attributes In conjunction with token – meet PIN attributes For local device authentication – minimum 6 digits
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationWhat is advanced authentication (AA)? The process of requiring more than a single factor ofauthenticationWhat is the difference between AA and two-factorauthentication? Advanced authentication, as described in the CJIS SecurityPolicy, allows for the use of risk-based authentication (RBA)methods. Two-factor authentication, as described in the NISTstandards, does not include RBA as an acceptable method ofauthentication.
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationWhen is AA required? “Dependent upon the physical, personnel, and technicalsecurity controls associated with the user location.” (Section5.6.2.2.1)o When outside a physically secure locationo When inside a physically secure location (Section 5.9)where the technical controls (Section 5.5 and 5.10) havenot been implementedo At the point of CJI accesso Don’t forget about Compensating Controls
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationRequired:When requesting access tounencrypted CJI fromoutside the boundaries of aphysically secure location(e.g., remote access)ORInside a physically securelocation where the technicalsecurity requirements havenot been metNot Required:When requesting access to CJIfrom within the boundariesof a physically secureANDThe technical securityrequirements have beenmetORThe user has indirect access toCJII
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationIncoming CJIAccess RequestIncoming CJIAccess Request#1Can request’s physicaloriginating location bedetermined?#1Can request’s physicaloriginating location bedetermined?NoYesSee Figure 9See Figure 10No#4Does request originatefrom an agency-controlleduser device?YesNo or UnknownYes#2Does request originate fromwithin a physically securelocation?No#5Is the agency manageduser device associated withand located within aCriminal JusticeConveyance?YesAdvanced AuthenticationRequired#6Is the user device anagency-issued andcontrolled smartphone ortablet?NoAdvanced AuthenticationRequiredYesYes#3Are all required technicalcontrols implemented at thislocation or at controllingagency?NoNo#7Does the agency-issuedsmartphone or tablet haveCSO-approved compensatingcontrols implemented?NoGo To Figure 9Step #3YesYesAdvanced AuthenticationNot RequiredFigure 908/04/2014Advanced AuthenticationNot RequiredFigure 1010/06/2015
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationWhy Advanced Authentication? AA is used to provide additional assurance the user is whothey claim to be.– Authorized User? AA provides additional security beyond the typical useridentification (e.g., user ID) and authentication (e.g.,password).– Provide Increased Assurance of User Identity– Non-repudiation– Lower Risk for Data Exfiltration
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationHow is AA Achieved? AA can be achieved via:– Two factor authentication using biometric systems, user-basedpublic key infrastructure (PKI), smart cards, software tokens,hardware tokens, paper (inert) tokens,OR– Using a Risk-based Authentication (RBA) solution that includes asoftware token element comprised of a number of factors, suchas network information, user information, positive deviceidentification (i.e. device forensics, user pattern analysis anduser binding), user profiling, and high-risk challenge/responsequestions.
CJIS SECURITY POLICY OVERVIEWSection 5.6Policy Area 6: Identification and AuthenticationImplementing AA Each individual’s identity shall be authenticated ateither the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of theagency’s audit for policy compliance.– The credentials used for determining CJI accesswill be audited for CJIS Security Policy compliance.
QUESTIONS?Jeff CampbellFBI CJIS Assistant Information SecurityOfficerCJIS Information Assurance Unitiso@ic.fbi.gov
authentication What is the difference between AA and two-factor authentication? Advanced authentication, as described in the CJIS Security Policy, allows for the use of risk-based authentication (RBA) methods. Two-factor authentication, as described in the NIST standards, does not include RBA as an acceptable method of authentication.
