mobile first? security first? it's a tie and here's why!
TRANSCRIPT
Mobile First? Security First? It’s a Tie and Here’s Why!
Presented by
Paul DePond, VP of Innovation & Technology
globoplc.com© 2014
About Globo
GLOBO is an international leader and technology innovator delivering Enterprise Mobility Management and Mobile Application Development solutions and services.
Subsidiaries & offices:
USA | UK | UAE | Singapore | Greece | Cyprus | Romania
REVENUE GROWTH
2013: $98.6m
2012: $80.3m
2011: $45.9m
Founded in 1997
Listed on AIM
LSE:GBO
2.9m active users of consumer services
340k enterprise users
13m+ device licenses for consumer apps
Deployments in 50+ countries
Latest acquisitions:
Empowering Mobility In Regulated Industries
Globo Recognized by Leading Analysts
Globo is the only new vendor to be added to Gartner's new Magic Quadrant for EMM report for 2014.
“Unique among its peers… GLOBO is a good fit for organizations looking for a single product that provides MADP and EMM.”
Globo has been evaluated and recognized as a major “Market Challenger” amongst the top 11 EMM vendors and close to the “Market Leaders” space in OVUM’s Decision Matrix for EMM.
"Globo offers a well-rounded, end-to-end EMM solution, and is one of very few vendors to offer five out of six of our defined components."
Identity Theft Report 2014
• More than 81 million records have been compromised in 2014 in approximately 679 breaches.
• In 2013, only 439 breaches had been reported, so the 2014 count represents a 36 percent increase.
• The breach count was last updated on October 3, 2014, with JP Morgan Chase's filing to the SEC stating that the data of approximately 76 million households and 7 million small businesses that have accounts with the bank had been compromised.
• The nonprofit group counts social security numbers, driver's license numbers, medical records, or payment card information as a record.
• In 2014, medical and health care organizations accounted for the majority of breaches, at 43.5 percent.
• In 2013, businesses accounted for 84 percent of breaches. The dramatic switch in targets, or impacted industries, could be indicative of a lack of education or resources in the health care field.
Source: Identity Theft Resource Center Nov 2014
Security Requirements Are Increasing
Diagram: security requirements rising across the Government, Healthcare, Financial and Utilities sectors.
Encryption is Now Mandated
• Government – Federal Agencies and DOD
• Healthcare – HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health)
• Financial – SOX, GLB, FINRA, PCI DSS
• Utilities – FERC, NERC
Definitions
• FISMA – Federal Information Security Management Act defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
• NIST – National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing FISMA requirements and to protect their information and information systems.
• FIPS – Federal Information Processing Standards are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. Federal Information Processing Standards Publications (FIPS PUBS) are issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.
Definitions
• FIPS 140-2, the Federal Information Processing Standard for Security Requirements for Cryptographic Modules, specifies the security requirements that are to be satisfied by the cryptographic module utilized within a security system protecting sensitive information within computer and telecommunications systems (including voice systems).
• FIPS 199, the Federal Information Processing Standard for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation. FIPS 199 requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category. The most severe rating from any category becomes the information system's overall security categorization.
Definitions
• FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
• NIST SP 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in FIPS 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.
Changes in Federal Government
• With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS).
• FISMA mandates the categorization and security requirements of FIPS 199, FIPS 200 and NIST SP 800-53 for all federal information systems.
Unvalidated Cryptographic Modules
• FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems.
• Unvalidated cryptography is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext.
• If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.
Department of Health and Human Services
• The U.S. Department of Health and Human Services (HHS) issued guidance wherein "unsecured protected health information (PHI)" is essentially any PHI that is not encrypted or destroyed.
• HITECH introduced a breach notification requirement: HIPAA-covered entities must send notification letters if there is a breach of unsecured PHI.
HIPAA Safe Harbor
• HIPAA-covered entities can expect safe harbor if, and only if, they adhere to specified strict standards and guidelines.
• The fact that a company's data is encrypted is meaningless without taking into account the NIST requirements.
• Organizations that properly adhere to HIPAA standards understand the impact of breach notifications.
• By proactively leveraging the proper encryption technologies, companies of all sizes can avoid these breach notifications while ensuring the security of their sensitive data.
Data Loss Prevention
• Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside of the corporate network. It covers data in three states:
  Data in-use
  Data in-motion
  Data at-rest
• Sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.
Compliance Demands More Data Protection
Diagram: Optional Encryption → Basic Encryption → Strong Encryption
FIPS 140-2 Confusion
o We are FIPS certified
o We are FIPS compliant
o We are FIPS conforming
o We are FIPS validated
Sorting Out the Confusion
• FIPS Validated = FIPS Certified
• FIPS Validated = Four Step Process
• FIPS Compliant = using FIPS validated modules within a product that has not itself been validated; therefore the overall product is not FIPS validated.
• FIPS Compliant = FIPS Enabled = FIPS Conforming = NOT an actual VALIDATED product
Description of FIPS 140-2 Levels
FIPS 140-2 Level 1: The lowest level, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market.
Who Validates FIPS 140-2?
CMVP - the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards.
The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
The FIPS 140-2 Validation Process
Guidelines for Using FIPS 140-2 Logo
The phrase FIPS 140-2 Validated and the FIPS 140-2 Logo are ONLY intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) as complying with FIPS 140-2, Security Requirements for Cryptographic Modules.
FIPS 140-2 Validation Certificate
How to Verify a FIPS 140-2 Validated Vendor
• Organizations are advised to refer to the FIPS 140-1 and FIPS 140-2 validation list:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
• A product or implementation does not meet the FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.
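The two slides above (validated versus compliant, and checking the validation list rather than accepting algorithm certificates) expressed as a check a procurement reviewer could run. This is an added example, not Globo's code or part of the original deck; the list rows, certificate numbers, product and module names, and the claim fields are constructed for illustration.

```python
# Added example: map a vendor's FIPS 140-2 wording onto what the validation
# list actually supports. All records and claims here are constructed.

# Constructed stand-in for the NIST/CSEC validation list (one row per module).
CMVP_SNAPSHOT = [
    {"cert": "9001", "vendor": "ExampleVendor", "module": "Example Crypto Module",
     "version": "2.0.1", "level": 1, "status": "Active"},
    {"cert": "9002", "vendor": "ExampleVendor", "module": "Example Crypto Module",
     "version": "1.9.0", "level": 1, "status": "Historical"},
]

VALIDATED, COMPLIANT, NOT_VALIDATED = "validated", "compliant", "not validated"


def classify_claim(claim, snapshot=CMVP_SNAPSHOT):
    """Return (verdict, reason) for one vendor claim.

    Claim keys (constructed for this example): product, vendor, module, version,
    module_cert (CMVP certificate number or None), algorithm_certs (CAVP numbers).
    """
    if not claim.get("module_cert"):
        # Algorithm (CAVP) certificates alone never make a module or product validated.
        return NOT_VALIDATED, "algorithm certificates only; no module certificate"
    entry = next((e for e in snapshot if e["cert"] == claim["module_cert"]), None)
    if entry is None:
        return NOT_VALIDATED, "certificate %s is not on the validation list" % claim["module_cert"]
    for key in ("vendor", "module", "version"):
        if entry[key] != claim.get(key):
            # A different module or version is different code from what was tested.
            return NOT_VALIDATED, "%s mismatch: list says %r, claim says %r" % (
                key, entry[key], claim.get(key))
    if entry["status"] != "Active":
        return NOT_VALIDATED, "certificate %s is %s, not Active" % (entry["cert"], entry["status"])
    if claim.get("product") != entry["module"]:
        # The embedded module is validated; the surrounding product was never tested.
        return COMPLIANT, "product embeds validated module (cert %s, level %d) but is not itself validated" % (
            entry["cert"], entry["level"])
    return VALIDATED, "module validated at level %d (cert %s)" % (entry["level"], entry["cert"])


if __name__ == "__main__":
    # Constructed claims: the same module sold on its own, embedded in a product,
    # shipped at an untested version, and "FIPS" backed only by algorithm certs.
    base = {"vendor": "ExampleVendor", "module": "Example Crypto Module", "version": "2.0.1"}
    for claim in [dict(base, product="Example Crypto Module", module_cert="9001"),
                  dict(base, product="Example Mobile Suite", module_cert="9001"),
                  dict(base, product="Example Mobile Suite", module_cert="9001", version="2.0.2"),
                  {"product": "Example Mobile Suite", "module_cert": None, "algorithm_certs": ["AES-0001"]}]:
        print(claim["product"], "->", classify_claim(claim))
```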
A Secure Workspace Should Include
• Data At Rest Encryption
• Data in Motion Encryption
• Mobile Content Management
• Enterprise Instant Messaging
• Secure Browser
• Secure Camera
• Secure Applications
End to End FIPS 140-2 Validation Encryption
Diagram labels: SSL; AES 256 bits (shown at each tier); Internet; back-end systems CRM, ERP, Database and Email.
GO!Enterprise Example
Diagram components: Developer, AppZone Studio, GO!Apps Repository, Enterprise Server, Integration Engine, Administration, Administrator, Internet, User device, Enterprise Menu, Distribute GO!App, and back-end CRM, ERP and Database.
Customer Examples
Takeaways
• Data Loss Protection is a real issue and data breaches continue to escalate.
• Many organizations are requiring vendors to prove they are meeting their compliance requirements.
• Understand the difference between validated and all other terms describing a vendor's support of FIPS 140-2 certification.
• Consider a secure mobile workspace for your enterprise mobile management solution that provides validated FIPS 140-2 encryption and end to end security.
Thank You
Paul DePond, VP of Innovation & Technology – Globo, [email protected]