Accenture Federal Services
Managing Mobility: Securing Mission-Critical Mobile Devices and Data
Moving to a digital government with mobile technology is helping federal agencies enhance their mission, but in doing so, they could be putting their mission at serious risk.
Mobile has become the foundation of any successful business—a driver of market differentiation, growth, innovation, adaptability and collaboration. Mobile also poses several challenges, especially in government. With sensitive data at risk, federal agencies must address mobile security early and often, and consider better, more effective ways to deliver public service for the future. Until now, much of the focus has been on securing mobile applications, leaving business and mission-critical mobile devices and data open to malicious attacks.

Many federal agencies have turned to mobile device management (MDM), mobile application management (MAM) and secure application container solutions to protect federal data and devices, but these solutions only go so far. MDMs, MAMs and application containers leave substantial residual risk of malware and device integrity attacks, as well as denial of service through resource starvation.

The challenge now is for government agencies to look beyond bringing government-grade security only to applications, and to bring it to the entire software stack on mobile devices, protecting both the data and the device itself. We explore some security solutions for enterprise mobility for federal agencies, and discuss the pros and cons of each.
Mobile virtualization

A key threat to security on mobile devices is the blending of enterprise and personal data. This threat can be largely eliminated by virtualization, which allows multiple operating systems to run at the same time on a mobile phone and uses hypervisors to create separation between the hardware and the software, thus providing the separation between various personas. With mobile virtualization, mobile phones can support several operating systems on the same hardware, so that the agency's enterprise IT department can securely manage one system, and the agency's employee—or mobile operator—can manage the other system. This can help isolate enterprise data and applications from personal data and applications. Virtualization can be applied in three ways: application level, system level and a hybrid approach, which can provide the best of both worlds.

Application-level virtualization

Application-level virtualization, also known as a type-2 hypervisor solution, consists of one or more operating systems that appear as native applications. This approach is architecturally similar to secure application containers, hence providing a similar level of security. The advantage lies in simple deployment through an application store while enabling isolation of personal and enterprise data. Since the guest operating system (OS) instance appears as a native mobile application, there can be significant performance gaps in the hosted applications.

System-level virtualization

Contrastingly, system-level virtualization is enabled by a type-1 hypervisor and runs directly on the device platform hardware as a microkernel, which can host multiple operating systems as well as other system software, such as drivers. This type of virtualization gives the platform greater protection from malware and rooting attacks. Business domains can be managed, protected and isolated from personal domains. MDM and other critical enterprise software, which implement enterprise security policies, can be strongly protected in dedicated virtual partitions, thus also protecting the upstream enterprise data sources. This is particularly useful for bring your own device (BYOD) programs should a mobile device be lost, since enterprise data can be wiped without affecting the user's personal data.

Hybrid approach

Some federal agencies could also explore hybrid virtualization solutions, which combine type-1 and type-2 hypervisors. These solutions enable reloading of modules in kernels and offer shorter deployment paths compared to system-level approaches, by enabling post-deployment installation. However, because hybrid approaches rely on OS kernel extensions, if they are not implemented correctly, they can expose the device platform software to various device OS and integrity attacks.

Virtualization solutions can mitigate various cross-platform attacks and protect data at rest, and secure type-1 hypervisors can reduce the attack surface; however, each guest OS is still independently susceptible.
Trusted Platform Module Mobiles

Trusted Platform Module (TPM) Mobiles are security components that meet the Trusted Computing Group specifications for use in mobile devices. Security is rooted in the hardware of the device through a secure boot mechanism: the boot sequence is halted if non-approved software is detected. For example, if the host OS is rooted or jail-broken, the security of the system is maintained by preventing the device from booting, thus protecting the integrity of operations implemented outside of the OS. A TPM Mobile can be implemented in firmware or hardware.

Copyright © 2015 Accenture. All rights reserved.
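The secure-boot behaviour described above (each boot stage is measured, and the device halts rather than boot when a stage does not match what the root of trust approved) can be illustrated with a small hash-chain simulation. The following Python is an added example, not Accenture's code and not a TPM or Trusted Computing Group implementation: the stage names, stage images and the digest-only "root of trust" are constructed assumptions, and a real TPM Mobile verifies signatures and records measurements in hardware rather than comparing a hash list in software.

```python
"""Simulated verified-boot chain (added example, hypothetical; not TCG/TPM code).

Each stage carries the digest of its successor, and the measurement of a stage
covers both its image and that carried digest, so the chain from the hardware
root digest down to the last stage cannot be altered at any point without the
previous stage noticing.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes                  # constructed sample image bytes
    next_digest: Optional[bytes]  # digest this stage vouches for (None for the last stage)

    def measurement(self) -> bytes:
        # Digest covers the image AND the successor digest it carries, so neither
        # can be swapped without changing the value the previous stage expects.
        return hashlib.sha256(self.image + (self.next_digest or b"")).digest()


class BootHalted(Exception):
    """A stage failed verification; the device refuses to continue booting."""


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Build the approved chain back to front so each stage embeds its successor's
    digest. Returns the root digest (what the hardware root of trust would hold)
    and the ordered list of stages."""
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, image in reversed(images):
        stage = Stage(name, image, next_digest)
        stages.append(stage)
        next_digest = stage.measurement()
    stages.reverse()
    if next_digest is None:
        raise ValueError("chain needs at least one stage")
    return next_digest, stages


def verified_boot(root_digest: bytes, chain: List[Stage]) -> List[str]:
    """Walk the chain in boot order. Returns the names of the stages that passed,
    or raises BootHalted at the first stage whose measurement is not approved."""
    expected = root_digest
    booted: List[str] = []
    for stage in chain:
        actual = stage.measurement()
        if actual != expected:
            raise BootHalted(
                f"{stage.name}: measured {actual.hex()[:16]}..., "
                f"expected {expected.hex()[:16]}..."
            )
        booted.append(stage.name)
        expected = stage.next_digest
        if expected is None and stage is not chain[-1]:
            raise BootHalted(f"{stage.name}: vouches for no successor but more stages follow")
    return booted


def boot_outcome(root_digest: bytes, chain: List[Stage]) -> str:
    """Human-readable result: 'booted: ...' or 'halted at <stage>: ...'."""
    try:
        return "booted: " + " -> ".join(verified_boot(root_digest, chain))
    except BootHalted as exc:
        return "halted at " + str(exc)


def tamper(chain: List[Stage], name: str, new_image: bytes) -> List[Stage]:
    """Simulate post-deployment modification of one stage (e.g. a rooted kernel)
    while the rest of the chain and the root of trust stay untouched."""
    return [Stage(s.name, new_image, s.next_digest) if s.name == name else s for s in chain]


# Constructed sample images; a real chain would hold firmware/OS binaries.
GOOD_IMAGES = [
    ("bootloader", b"bootloader v1 (constructed sample image)"),
    ("os-kernel", b"kernel v1 (constructed sample image)"),
    ("mdm-agent", b"mdm agent v1 (constructed sample image)"),
]
ROOT_DIGEST, GOOD_CHAIN = build_chain(GOOD_IMAGES)

if __name__ == "__main__":
    print(boot_outcome(ROOT_DIGEST, GOOD_CHAIN))
    print(boot_outcome(ROOT_DIGEST, tamper(GOOD_CHAIN, "os-kernel", b"kernel v1 + su binary")))
    print(boot_outcome(ROOT_DIGEST, tamper(GOOD_CHAIN, "bootloader", b"replacement bootloader")))
```

The approved chain boots all three stages; replacing the kernel image (the rooted or jail-broken case from the text) halts at `os-kernel`, because the bootloader carries the digest of the approved kernel, and replacing the bootloader halts immediately against the root digest. The point the passage makes, that a trusted platform protects operations outside the OS, shows up here as the fact that the root digest and the check itself sit before any stage that an OS compromise could modify.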
GlobalPlatform™ Trusted Execution Environment

TPM Mobiles can be implemented in firmware with a GlobalPlatform™ Trusted Execution Environment (TEE). This solution defines a standards-based isolation environment for a mobile device's processor chip, which enables processing of sensitive data outside of the main operating environment and in isolated system memory. The isolation is enforced by the device's hardware architecture, which provides a root-of-trust implemented in the processor; for example, ARM® TrustZone® facilitates the implementation of a root-of-trust, making it highly secure against software attacks. A TEE supports progressive device and peripheral security use cases, such as secure user interfaces. The main OS of the device runs normally and accesses the trusted applications within a TEE through standardized application interfaces. In this instance, a mobile-trusted platform is implemented as a trusted application within a TEE. Applications requiring even higher levels of security can be executed inside a TEE directly as a "Trustlet," either as a background task or by exposing an application programming interface to applications in the REE for user interfaces. A REE (Rich Execution Environment) is the rich OS application environment, such as the software stack created by Android operating systems. Applications running in TEE Trustlets are isolated from REEs. Applications running in a REE that require security functions use TEE application program interfaces to exchange data.
Secure enterprise, promising future

Applications for mobile devices can range from secure mobile voice and video for mission-critical work, such as military, public safety and homeland security, to business-critical citizen services, such as mobile payments, health and human services, applications requiring biometric data storage on device and field-force enablement—but not just any mobile device will do. Effectively delivering public service for the future means the device needs to be secure. And, while there is little doubt that most federal agencies understand just how important it is to be mobile, few are taking the necessary steps to secure their enterprise data on devices, and this could mean the difference between an enhanced mission and a mission that is at risk.
For more information:

To learn how you can secure your agency's enterprise and customize security on commercial-off-the-shelf mobile devices, please contact:
Inderpreet Singh
[email protected]
+1 973 301-1088
About Accenture Federal Services

Accenture Federal Services, based in Arlington, VA, a wholly owned subsidiary of Accenture LLP, helps US federal agencies build the government of the future. Visit www.accenture.com/federal for information regarding Accenture Federal Services, including our perspectives on agency and cabinet challenges and experience delivering results.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with more than 323,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$30.0 billion for the fiscal year ended Aug. 31, 2014. Its home page is www.accenture.com.