Accenture Federal Services
Managing Mobility: Securing Mission-Critical Mobile Devices and Data

Moving to a digital government with mobile technology is helping federal agencies enhance their mission, but in doing so, they could be putting their mission at serious risk. Mobile has become the foundation of any successful business—a driver of market differentiation, growth, innovation, adaptability and collaboration. Mobile also poses several challenges, especially in government. With sensitive data at risk, federal agencies must address mobile security early and often, and consider better, more effective ways to deliver public service for the future.

Until now, much of the focus has been on securing mobile applications, leaving business and mission-critical mobile devices and data open to malicious attacks. Many federal agencies have turned to mobile device management (MDM), mobile application management (MAM) and secure application container solutions to protect federal data and devices, but these solutions only go so far. MDMs, MAMs and application containers present substantial residual risk for malware and device integrity attacks, as well as denial of service due to resource starvation. The challenge now is for government agencies to look beyond bringing government-grade security only to applications, and to bring it to the entire software stack on mobile devices—protecting the data and the device itself. We explore some security solutions for enterprise mobility for federal agencies, and discuss the pros and cons of each.

Mobile virtualization

A key threat to security on mobile devices is the blending of enterprise and personal data. This threat can be largely eliminated by virtualization, which allows multiple operating systems to run at the same time on a mobile phone and uses hypervisors to create separation between the hardware and the software, thus providing separation between the various personas. With mobile virtualization, mobile phones can support several operating systems on the same hardware, so that the agency's enterprise IT department can securely manage one system, and the agency's employee—or mobile operator—can manage the other system. This can help isolate enterprise data and applications from personal data and applications. Virtualization can be applied in three ways: application level, system level and a hybrid approach, which can provide the best of both worlds.

Application-level virtualization

Application-level virtualization, also known as a type-2 hypervisor solution, consists of one or more guest operating systems that appear as native applications. This approach is architecturally similar to secure application containers, and hence provides a similar level of security. The advantage lies in simple deployment through an application store while enabling isolation of personal and enterprise data. Since the guest operating system (OS) instance appears as a native mobile application, there can be significant performance gaps in the hosted applications.

System-level virtualization

By contrast, system-level virtualization is enabled by a type-1 hypervisor that runs directly on the device platform hardware as a microkernel, which can host multiple operating systems as well as other system software, such as drivers. This type of virtualization protects the platform by providing greater protection from malicious and root attacks. Business domains can be managed, protected and isolated from personal domains. MDM and other critical enterprise software, which implement enterprise security policies, can be protected in dedicated virtual sections, thus also protecting the upstream enterprise data sources. This is particularly useful for bring your own device (BYOD) programs should a mobile device be lost, since enterprise data can be wiped without affecting the user's personal data.
Copyright © 2015 Accenture All rights reserved.

Hybrid approach

Some federal agencies could also explore hybrid virtualization solutions, which combine type-1 and type-2 hypervisors. These solutions enable reloading of modules in kernels and offer shorter deployment paths compared to system-level approaches, by enabling post-deployment installation. However, because hybrid approaches rely on OS kernel extensions, if they are not implemented correctly they can expose the device platform software to various device OS and integrity attacks. Virtualization solutions can mitigate various cross-platform attacks and protect data at rest, and secure type-1 hypervisors can reduce the attack surface; however, each guest OS is still independently susceptible.

Trusted Platform Module Mobiles

Trusted Platform Module (TPM) Mobiles are security components that meet the Trusted Computing Group specifications for use in mobile devices. Security is rooted in the hardware of the device, which provides a secure boot mechanism. The boot sequence of the device is paused if non-approved software is detected. For example, if the host OS is rooted or jail-broken, the security of the system is maintained by halting the device's boot, thus protecting the integrity of operations implemented outside of the OS. A TPM Mobile can be implemented in firmware or hardware.

GlobalPlatform™ Trusted Execution Environment

TPM Mobiles can be implemented in firmware with a GlobalPlatform™ Trusted Execution Environment (TEE). This solution defines a standards-based isolation environment for a mobile device's processor chip, which enables processing of sensitive data outside of the main operating environment, in isolated system memory. The isolation is enforced by the device's hardware architecture, which provides a root of trust implemented in the processor; for example, ARM® TrustZone® facilitates the implementation of a root of trust, making it highly secure against software attacks.
A TEE supports progressive device and peripheral security use cases, such as secure user interfaces. The main OS of the device runs normally and accesses the trusted applications within the TEE through standardized application interfaces. In this instance, a mobile trusted platform is implemented as a trusted application within the TEE. Applications requiring even higher levels of security can be executed inside the TEE directly as a "Trustlet," either as a background task or by exposing an application programming interface to applications in the REE zone for user interfaces. The REE is the rich OS application environment, such as the software stack created by the Android operating system. Applications running as TEE Trustlets are isolated from the REE. Applications running in the REE that require security functions use TEE application programming interfaces to exchange data.

Secure enterprise, promising future

Applications for mobile devices can range from secure mobile voice and video for mission-critical work, such as military, public safety and homeland security, to business-critical citizen services, such as mobile payments, health and human services, applications requiring biometric data storage on the device and field-force enablement—but not just any mobile device will do. Effectively delivering public service for the future means the device needs to be secure. And, while there is little doubt that most federal agencies understand just how important it is to be mobile, few are taking the necessary steps to secure their enterprise data on devices, and this could mean the difference between an enhanced mission and a mission that is at risk.
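As an added illustration (not code from this paper or from any TPM or TEE vendor) of the TPM Mobile secure-boot check and the REE-to-TEE interface described above: a TPM Mobile modelled as a trustlet measures each boot stage into a PCR, halts the boot when a stage (here a constructed "rooted" kernel image) is not approved, and answers an REE application's request for a quote that the agency's enterprise side can verify. The stage images, stage names and attestation key are constructed, and an HMAC stands in for the TPM's asymmetric attestation signature.

```python
import hashlib
import hmac

# Constructed sample boot images (placeholders, not real firmware).
BOOT_STAGES = [("bootloader", b"BL-v1"), ("kernel", b"KERNEL-v1"), ("system", b"SYS-v1")]

def measure(image):
    return hashlib.sha256(image).digest()

# Approved per-stage measurements, provisioned with the hardware root of trust.
APPROVED = {name: measure(img) for name, img in BOOT_STAGES}

class BootHalted(Exception):
    pass  # raised when the TPM Mobile detects non-approved software

class TpmMobileTrustlet:
    """TPM Mobile modelled as a trusted application inside the TEE: the
    attestation key stays here and the REE only sees the methods below."""
    def __init__(self, approved, attestation_key):
        self._approved, self._key = approved, attestation_key
        self.pcr = bytes(32)  # PCR is all-zero after reset

    def extend(self, image):
        digest = measure(image)
        # TPM extend operation: PCR_new = SHA256(PCR_old || digest)
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        return digest

    def secure_boot(self, stages):
        for name, image in stages:
            if self.extend(image) != self._approved.get(name):
                raise BootHalted(f"{name}: measurement not approved, halting boot")
        return self.pcr

    def quote(self, nonce):
        # HMAC stands in for the TPM's asymmetric attestation signature.
        return hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()

def ree_app_attests(stages, key, nonce):
    """REE side: boot through the TEE API, then ask the trustlet for a quote."""
    tpm = TpmMobileTrustlet(APPROVED, key)
    try:
        pcr = tpm.secure_boot(stages)
    except BootHalted:
        return None  # device refused to finish booting
    return pcr, tpm.quote(nonce)

def verifier_accepts(result, key, nonce, policy_pcr):
    """Enterprise/MDM side: quote must verify and PCR must match the policy value."""
    if result is None:
        return False
    pcr, q = result
    expected = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return pcr == policy_pcr and hmac.compare_digest(q, expected)
```

The nonce in the quote is what lets the enterprise side distinguish a fresh report of the current boot from a replayed one.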
For more information

To learn how you can secure your agency's enterprise and customize security on commercial-off-the-shelf mobile devices, please contact:
Inderpreet Singh
[email protected]
+1 973 301-1088

About Accenture Federal Services

Accenture Federal Services, based in Arlington, VA, a wholly owned subsidiary of Accenture LLP, helps US federal agencies build the government of the future. Visit www.accenture.com/federal for information regarding Accenture Federal Services, including our perspectives on agency and cabinet challenges and experience delivering results.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with more than 323,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$30.0 billion for the fiscal year ended Aug. 31, 2014. Its home page is www.accenture.com.