EMM John Bertoli's post
Mobile in mission-critical environments
JUN 17, 2016
John: Hello everybody, this is John Monroe, Director of Custom Editorial at FCW. I want to welcome you to today's webcast, Mobile in Mission Critical Environments: How to Maximize Security and Ease of Use. This webcast is brought to you by FCW and sponsored by Samsung. There's a growing realization that the federal workforce, by and large, is a mobile workforce. Federal employees do it securely, especially when it comes to mission-critical or classified environments, and that's the focus of today's webcast.
So here's our agenda. We'll begin by taking a close look at the current industry landscape and then we'll talk about the challenges that are particular to working in mission-critical environments. And then after a quick audience poll, we'll focus on what to look for in a mobile security solution. And then we'll look at those same issues from an agency perspective before we wrap things up with an audience Q&A.
So let me introduce our speakers. First, I wanted to let you know that Yasir Aziz from Samsung is not able to join us as originally planned, but we're happy to have Johnny Overcast in his place. Johnny is the senior director of government sales for Samsung Electronics America. We also have Nick Stablein. Nick is business development manager for Samsung SDS America, and then we'll hear from our featured speaker, Nathan Kielman. Nathan is the tactical mobility lead in the weapons division at the Naval Air Warfare Center. With that, I'd like to turn things over to Johnny Overcast and Nick Stablein. Folks?
Johnny: Thank you very much. I want to wish everybody a great day and thank you for joining this webcast. Commercial off-the-shelf mobile technology for government secure communications is available and here today. In the case of Samsung, you have devices that at the point of manufacture have an inherent security platform that is Common Criteria certified and that has DoD approvals to be implemented via Department of Defense implementation guide approvals. And the way that that has occurred is that you have this security platform that meets all the requirements of the National Information Assurance Program, but also NIST and, again, as mentioned, the Department of Defense. So it's real important that when looking at commercial off-the-shelf, as opposed to products that have traditionally been called government off-the-shelf, these are considerations that are taken into account at the point of manufacture.
Also, the second point is that this commercial off-the-shelf technology, these devices and the security platform, have the flexibility to allow developers such as Samsung Data Solutions to customize the device for these special and highly secure use cases. And then thirdly, as just mentioned, for developers it is extremely important that these products come with those particular hooks, as it's called, or ways to customize and develop these products below the operating system level for these particular use cases. The benefit to the government is that the costs are much lower, the efficiencies are higher, and the time to get these tools and essential devices to the end user has been reduced significantly. So as you can see here on the slide, there have been implementations of this technology currently and there are more than a few in development currently.
John: Now we'd like to invite the audience to take a poll here. And really what we want to talk about here is challenges. What is your biggest challenge around securing mobility in a mission-critical environment? So if you could pick what you see as the biggest challenge; the options are procurement delays; solution architecture and interoperability; information assurance, accreditations and policy; and device deployment.
I think this is an interesting question because our thinking about this issue has changed over the years. I remember when agencies first started getting into mobility, security was sort of seen as, “Well yeah, security's good,” but it wasn't really seen as a necessity necessarily. There was a lot of pushing into mobility without really thinking about security closely. And I think now there's a general recognition that security is important. And so, really, that's what this question is about, especially when we're talking about mission-critical environments.
So why don't we take a look and see what the results are. So let's see. So solution architecture and interoperability by far is the lead at 50% and then you got the other 3. I don't know, Nick and Johnny any thoughts on what you see here?
Nick: Yeah, there are challenges involved with all of them and we see a little bit of distribution between them. But one of the things that we'll touch upon is interoperability. You have these great components and on their own they may be secure, they may be designed to work with maybe others from the same manufacturer, but how do you pull the whole solution together? And so that's always a challenge. So that's surprising that that's coming up as something that's a key challenge for folks.
Johnny: And my comment would be, from an architecture perspective, and then from architecting to interoperability, that at the end of the day the goal has to be usability, right? Because, to your comment regarding security, there has in the past been a correlation between security and being hard to use and not, you know, as simplified as it could be. So the technologies working together need to be usable for the end user.
John: Okay, great, Johnny and Nick, I want to turn things back over to you.
Nick: Okay, great. You know, we really see it as four key areas, so one, obviously, around procurement delays. So with a CSfC solution, or especially when you're starting to talk about putting together a tactical solution, there are a lot of different components to look at. But at the core of it is obviously the mobile device and the associated hardware, but there's a lot more that goes beyond that. So you start to talk about, you know, an EMM tool to actually manage and secure the device. There may be certain accessories that are needed in order to do that and then in order to secure the device, especially in some of these challenging environments. And then beyond that, there are other pieces to the solution and the architecture. You may need a certificate authority or a VPN to secure the actual communication.
So there's a lot of different pieces to that. So we've seen that there's been a desire from the government and from our customers to bundle these products together and buy them more as a solution as opposed to piece-part components from different sources. So that's something that I think a lot of agencies are looking to do. Another piece, we've talked about this, and this was the leading challenge within the poll question, is related to solution architecture. There are a lot of great processes out there for validation, such as the NSA's Commercial Solutions for Classified list and other areas where the government really is making an effort to leverage COTS solutions for these use cases.
But one of the key things is if it's secure on its own in a silo, you need to be able to pull it together with the other components as well. So how do you do that? You have to have an understanding of how all of these different components that you do need for your environment can interoperate with each other. So that's one of the key things that I think a lot of programs are looking to tackle right now. And then we've talked about this a little bit, so the CSfC list, NIAP validation, common criteria, since these deployments are in, you know, sensitive environments where classified information may be exchanged, sensitive data may be transmitted, you need to make sure that it's secure. So that's not only just, you know, having the right software tools, but actually getting, you know, a system accredited, you know, by a government authority, whatever it may be. That's a key part of the solution as well. So to make sure that you have the validated solution from the individual component parts, that's one aspect, but also gaining authority to operate as an entire system. So that's something that I know we've assisted agencies with.
And then sort of the logistical part. So now I have this great solution. I pulled together all the right components, I have gotten the check marks from the accrediting agency from an IA perspective, but now how do I get those devices out there and how do I get them staged, kitted, configured, provisioned so that, you know, my end user has a fully functional device? And there's a lot of time and complexity that goes into that. So that's another thing that we look to address for our customers. I know a lot of agencies and programs are putting plans in place to address that because it's often overlooked, but it's a critical component in sort of the last mile to get the devices out there. So Johnny, I'll turn it back to you.
Johnny: Nick, just to continue along the lines of looking at it from the perspective that you were talking from, what to look for in a solution. So again, one must look at the accreditation and certification. And you mentioned the National Information Assurance Program and Common Criteria. So the devices for that class of secure communication and connectivity absolutely must meet those profiles and that level of vetting.
The other element would be robust encryption, on device encryption, and the various layers of encryption that are necessary for these types of devices and for use in these types of environments and use cases. And also to have the ability to be managed remotely behind the firewall and on premise. The third element would be to be able to operate without being connected to a network or a commercial network and have the flexibility to connect to, you know, different frequencies and radio systems. And that leads me to my last point, which is these devices must have the ability to have a certain level of customization and programming and the ability to have different drivers that are loaded on the device for these specific use cases.
John: Okay, great. All right. Thank you gentlemen. And now I'd like to bring in our featured speaker, Nathan Kielman. As I said before, Nathan is from the Naval Air Warfare Center. Nathan?
Nathan: Thank you, John. I'd like to take this opportunity to thank FCW for enabling this webinar and Samsung for sponsoring it and inviting me to participate. I really do appreciate that. What we're trying to do out here at the Naval Air Warfare Center Weapons Division in China Lake is to establish ourselves as a leader in the tactical mobile computing technology space. One of the things that we've identified is that the commercial computing market is moving much faster than the government can react or respond or even write requirements for that matter. It seems like every time we turn around, every 6 to 9 months, there's a new mobile computing device being released by any one of a number of companies that provides this frenzy in the commercial market space where people go out and trade in technologies and get the newest, latest, greatest thing that is better or faster, looks much different than it did even 6, 8, 9, 12 months ago.
So what we're seeing is that typical DoD processes taking two to five years to deploy an acquisition system is not acceptable in this new marketplace. What we're attempting to do is drive cultural change at all levels by challenging the status quo. Effectively, we're looking at new policies and procedures for exploiting these commercial mobile computing devices, trying to establish the fact that they're consumables. The cost of a mobile computing device, being from $300 to $800 these days, is much less than the typical logistics chain on a historic laptop or supporting the device for a long period of time of 3 to 5 years. We're trying to establish a team of technical experts that know mobile computing integration, solutions, test cases, and deal with the operators on a daily basis about what they need and what they experience in the operational force and the deployed environment.
And we're also attempting to establish what we call the Mobile Computing Center of Excellence here at China Lake, being a lab facility and integration environment, a team of software development folks as well as the overall support infrastructure to support procurement, information assurance and driving solutions on the system engineering level in the mobile space. We believe that if we're successful in establishing the MC CoE that we'll be able to provide the war fighter with patrol portable devices and real time access to information across the battle space with minimal delays compared to the commercial industry.
One of the biggest problems that I hear feedback about, from some of the users that I communicate with on a normal, everyday basis, is, “I could've done it at home with my smartphone or my mobile computing device, and there I was with a multimillion dollar piece of equipment and unable to do what I wanted to do.” So if we're able to provide that same ease of use, as was discussed earlier, to those end users, I believe that it will be fantastic.
The other thing is that digital interoperability is the seamless data exchange that the Marine Corps aviation community is attempting to establish. Effectively, what we're talking about there is, can we get the man out of the loop? Computing technology has come leaps and bounds from where we were 5 years ago or even more 10 to 15 years ago. Removing the human and all the human error of data entry and data processing, and allowing computer technology to manage that for us and give us results and answers, and just make decisions at the human level, is what we need to do in order to evolve and become an effective fighting force overall.
What we've seen in government trends for procurement and investment in technology, as was mentioned earlier, is that the DoD is not building hardware these days. We used to have a large industrial base of very advanced equipment in the grand scheme of things. And we used to manufacture a lot of government off-the-shelf devices or have mil standards or mil specs that we required things to be built to. We've given a lot of that technology and capability back to industry and transferred a lot of that investment over to the commercial market space. Some of the slides here show that just the research and development dollars that are invested between the DoD entities in information technology, and this is by far not related to mobile computing alone, is dwarfed by any one individual company in their individual investments in mobility alone, let alone if you combine those companies that we're typically looking at, Samsung, Google, Cisco, HP Aruba, Apple, and combine those together. They invest an order of magnitude more funding than the federal government does these days in research and development in the mobile marketplace. We're kind of foolish in the industry if we don't invest in those commercial capital investments and the resulting technology that comes out of that.
So effectively what we're attempting to do with the Mobile Computing Center of Excellence is to deliver an integrated set of capabilities that is tried and true and tested prior to fielding. Some of the things that we're looking at is providing a secure mobile device, whether that be tethered or non-tethered, with cables or wireless, classified or unclassified. One of the biggest things we've seen, as Johnny mentioned earlier, is folks saw the ease of use in mobile computing devices. Five years ago we had to do government training based on mobile computing OSs and technology moving away from Windows platforms. Now what we're seeing is we're having to start to switch the paradigm back to training on Windows and Linux-based platforms, and people in the mobile environment are coming into the military construct already knowing how to do that. A lot of the folks that do enlist in the military don't know life without a mobile computing device.
So providing them with something other than that is just not something that we can do. As Nick mentioned, just purchasing a secure mobile device off the CSfC list from NSA does not mean that it meets all the STIGs, it does not mean it's integrated. So what we're attempting to do is come up with an ability to provide a turnkey template for all programs and users of a classified mobile computing device. That solves the end user problem, but that does not help the overall mission set at the unit or command element level of managing those devices. Nick mentioned mobile device management, EMMs. One of the things we have to figure out is how do you manage all those individual mobile devices, ensure that they have security features inflicted on them as well as managed, ensure that we're monitoring what has been done with those devices so there isn't any malicious intent.
So what we have proposed to do is provide a deployable wireless networking capability for campus wireless networks for connecting the mobile devices easily, providing data to those as well as providing an MDM and that security layer. We believe that we package that in a two man carry Pelican case with all of the equipment, devices, software and everything turnkey, that we'll be able to provide operator training in two to three days and they'll be self-sufficient at the unit level. We also plan to provide programs and projects in the acquisition space as well as individual units, provisioning profiles for those MDMs. Just because you have a mobile device and an MDM does not mean that you have all the required security lockdowns by NSA or DISA. Or if you do have them, it doesn't necessarily mean that the mobile device will be useful for the end users. So one of the things that we're attempting to do here at NAWCWD is perform a large amount of experimentation and integration in order to understand the effects of the thousands of configuration options that come in the commercial MDMs, and what effects those have on the devices themselves, the security posture of the devices, but most importantly, the tactical end user's experience and utility of that specific device to execute his or her mission.
Mobile application and tools, these are more things that we're looking at in house support on the government side, not necessarily exploiting commercial technologies, but consuming those commercial technologies and providing support to projects and programs. On the development side, one of the things that we see the most is if you tell a typical software developer that's been working on embedded systems or Windows-based systems or webpages or things like that, ''Hey, go ahead and do software development on a mobile computing app.'' Typically they have done this outside of the work space, they can do it fairly rapidly. The issue that we have is they're not doing it in a cyber secure manner or with the proper best practices for DOD-based security. We also see problems with utility and universality of the various development tools and environments that they use.
One of the things we're looking at doing is standardizing not only in the development environment, but the data sets and the training that those individual software developers do to provide a capability throughout the research development, testing and evaluation of the market space within NAVAIR to provide a laptop, a device, all of the required software and then the training to make those developers as rapid and expedited as possible in their application development. Doing development support, not every program will need someone, long term or short term. We will provide staffing for those programs either embedded or independent outside of their individual efforts. And then once those applications are developed, one of the biggest problems that we've seen historically has been getting those ATOs or those approvals on the information assurance side. Typically on a software development activity, you develop the piece of software and when you go to field it you're providing the software itself via webpage or a CD ROM or any method that you have of distributing that.
One of the problems with the information assurance construct that we've seen historically has been you want to know what device it's on. If I'm a software developer, I don't know what mobile device my application will be on. As long as we can start putting the app scanning tools and the technical support and expertise together, we can say this application has been vetted, it meets these particular requirements and it can be installed on any mobile computing device that meets the rest of the rules and regulations for the hardware side itself, whether it be CSfC, NIAP, or meeting any of the DISA STIGs.
Our long-term crown jewel that we're looking at producing at the Mobile Computing Center of Excellence, as our end goal, is the tactical mobile enterprise environment. This is something that we want to provide end users with, a bring-your-own-government-device type construct. They would purchase or procure the devices with local unit dollars or be provided devices by the acquisition enterprise. They would connect those to closed-loop, classified military networks, be provided with updates, software patches, security settings, all of those MDM-based pushes, and have a device that is configured and authorized for use. This will reduce the amount of footprint and logistics entity that we have to maintain, mobile computing devices and the distribution network, and really provide the support that's needed. Our vision is that we can have multiple of those provisioning profiles for very specific end user types or styles, whether you be an aviator, a ground user or somebody else. We believe that having a tactical enterprise solution is something that needs to be done at the government level and hosted on some of our DoD closed-loop LAT networks. It's slightly different than some of the enterprise networks that are currently being invested in and the enterprise mobility for checking email and things on commercial wireless networks and dialing into the cellular companies. We're really primarily focused here on the war fighter that is at the tactical leading edge, the gentleman that's walking the beat with a gun and a backpack on, carrying multiple pounds of weight on his back. So that's more or less what we're attempting to do here at NAWCWD under the Mobile Computing Center of Excellence. John?
John: Thank you Nathan and thank you Nick and Johnny. And so now we want to begin to answer your questions. Let's go to our first question. And I think Nick, this might be for you. Can you explain what a typical solution stack would look like for a secure deployment?
Nick: Sure. So I think there's a number of different components, beginning with the hardware, right? You start with a secure mobile device. On that device it may have a security solution like Knox, and in a lot of scenarios, especially in a tactical environment, they may be running a customized ROM on the device that supports some of the things that we've talked about earlier. So things like tactical radios, sensors, support for those types of drivers. And then there's the management piece. So how do you manage and secure the device, how do you monitor it to make sure that it's staying in compliance? So that's really where the EMM, or the enterprise mobility management tool, would come into play.
And then above that there's usually what we like to call sort of the utility layer, where there are certain gaps that a program may have, where there may be another policy that needs to be enforced that's nonstandard or a certain API that needs to be called, and there may be some solution that addresses that, that the program puts in place. Then there's usually the, really, the killer app, right? So whether it's some sort of tactical or situational awareness app or a communication application that the device is intended to really bring to the end user or the war fighter, that's usually what resides on top.
So those are sort of the key things. And then adjacent to that, especially when we're talking about a tactical environment, there may be certain accessories like a case or a hub or cabling to attach to those peripherals or those sensors or those radios that you may be using. So those are sort of the core components. And then beyond that, there may be other pieces of the architecture as well. So if you're integrating with the certificate authority for example, or you need to set up another secure tunnel such as a VPN network, so those are sort of the key pieces. And usually what we've seen is obviously for these environments, they're leveraging components that are on the CSfC list or common criteria validated.
John: Next question. How can a solution be customized based on our specific needs?
Nathan: Some of the things that we've looked at, as was mentioned by Samsung earlier, we have looked at doing customized ROMs with them. One of the biggest problems we've seen with mobile computing device integration in the government space is that we tend to typically think, “Hey, it's going to be a drop-in for the current computing device.” The issue that we've seen with that is mobile computing devices typically have a single micro USB port on them. And a lot of the things that we've connected with laptops in the past have had multiple ports available to them. It was mentioned, some of the drivers, custom ROMs and things like that, that are required to make these mobile computing devices just drop in. So that's one method: customizing the OS or binary at the level on the device prior to release and deployment of that, or even at the DT/OT stage.
Some of the other things that we're looking at in the government space and some of the government contracting sectors has been customizing solutions in mobility by exploiting wireless connectivity and getting rid of the weight and cables, and really taking advantage of the fact that mobile devices are so much lighter and smaller than typical computing devices that have been deployed in the past.
Nick: I think something else that we could do in addition to all the things that Nathan mentioned, how do you actually customize the provisioning? So do you want the devices to actually be enrolled and validated with the applications and the security management tools that you may be using, you know, once they're received by the end user or the program? So I think that that provisioning aspect is another way that the solution can be customized.
Johnny: That is a great answer as well. Customizing the device with provisioning capabilities not only allows for devices to be fielded for extended periods of time and not have to come back to networks, but it also allows for policies to be invoked as things go down the line and security is degraded, taking more and more attributes or capabilities away from the operator until those security vulnerabilities have been fixed. So we've seen a number of customized solutions just based on the provisioning capabilities of the mobile device managers themselves. So that has been a great tool for us to exploit within the government.
John: How would you handle the IT for secret and top secret requirements and the inner workings with MACP?
Nathan: One of the things we're looking at is data in transit right now. A lot of things that have been discussed on the devices themselves and things that some of the manufacturers have done with the devices have been truly amazing. With the data that's actually on that device, the data at rest solutions specific to Samsung, the Knox containerization, other vendors have other containerization capabilities. But that's all keeping the data on the device. I believe that the question is more geared towards, okay, great, now I have data on this device, how do I get it onto another device or to another system inside the battle space or inside the architecture? And then the MACP is the Mobile Access Capabilities Package I believe that they're referring to.
So some of the things that we've looked at currently, there are not a whole lot of data in transit solutions that have been certified or validated by folks. We're investing in some of those, both internal, in government development entities as well as a number of acquisition programs are funding data in transit in the commercial space with vendor-based solutions. It is a problem for an individual turnkey solution. I believe what we're doing is we're taking a layered approach to handle that. So not only are we encrypting the data and depending on the classification level, it's how much encryption there is, but we're also providing data tunnels amongst networks and encrypting that tunnel, that that data is transmitted in either one, two, or sometimes even up to three times.
Compliance with the mobile access capability package, it's difficult at best in a tactical scenario. Again, a lot of the capabilities packages that have been published have been more for the standard enterprise type environment. In the tactical space, we are having to ask for waivers and deviations in order to have a solution set that is small enough to be able to be tactically employed and fielded. So that's some of the policy change that I discussed earlier as well as challenging some of the status quo and using what I call the engineering rational man argument of this is good enough for the environment, that this particular device and/or utility will be employed in and then asking for permission to use and accept the risk associated with that.
John: How do you envision bridging the current communication and product-sharing gap between military emergency responders and public safety emergency responders? Most of the time these entities are not even able to share data during event response, so does someone want to tackle that?
Nick: I think there's a couple of things that are going on right now. There are some initiatives out there related to that. FirstNet is an example of one where the government is looking at ways to encourage collaboration between federal, local and state authorities. I think it's a little bit different when you start talking about, even for a tactical use case, when you start talking about a domestic thing. So there's some different considerations that are involved. A lot of times the connectivity's a little bit different. And I think one of the major challenges out there that agencies are trying to address is how to deal with federated systems. So if a local or state agency needs to access data that may be owned by a federal agency, how do they, you know, securely authenticate into that information and, you know, what are the sorts of access controls, how can that local or state police department and device be ensured that it's managed up to a level to access a certain federal agency's data system? I think that there's still a lot of questions out there. You know, I've done a good job of outlining the challenges, but I think some folks are working on a solution, but those are sort of the key things that people are taking into consideration as they're working towards, you know, interagency cooperation.
Winfield: To add on to what Nick said, these are the same challenges that the first responders have had from the beginning, which is how do they work together, and a lot of the architectural changes that they're making for even desktop systems to work together, and joint terrorism task forces and things like that, will allow mobile devices to retrieve that same data. So it's kind of one solution fits most of the scenarios.
John: So what are some obstacles that you're experiencing in setting up this center of excellence?
Nathan: You know, it's really interesting, the poll questions that we had earlier, I think, I believe that I've hit every single one of those as some of the challenges that I've personally seen in setting up this center of excellence. First and foremost though, I have to mention, you know, it's knowledge and education of mobile computing devices. The support staff that we have inside of DoD and the government entity as a whole, we aren't up to speed yet with policies, procedures, and training in how to exploit and utilize mobile computing devices. So one of the things that we've seen a lot of challenges with is this outdated policy, and that is something that we're trying to do something about.
The procurement delays, initially I believe that that's going to be a problem, but it's short term in nature. Once we figure it out, I believe that we'll be able to do it. Some of the issues that we've seen with that have been the rapid changing of part numbers in the mobile marketplace. Typical government acquisition takes a minimum of 30 to 60 days. Sometimes you can make it go faster, sometimes for larger buys in an acquisition system, it does take much longer to perform all the competition. But with the mobile devices the part numbers typically go away in 12 to 24 months.
So we're having a hard time figuring out how to get the contract vehicles that would allow us to have instant access to those new emerging technologies and pieces of hardware and software when the part numbers and everything change rapidly. We're getting creative in that, and like I say, I believe it will be a short-term problem, but right now it is definitely a hindrance that we ran into.
The information assurance accreditation and policies, that's been something that we've run into quite a bit. We're working on some policy changes at the highest levels within DoD. I believe that in the next six to nine months, some of those will be released to alleviate some of that problem. And then we're trying to get templates created here at the Mobile Computing Center of Excellence so that others don't experience the same level of pain that we've had with that.
The other big issue that we've had, honestly, is the lack of requirements, well-defined requirements revolving around mobility in some of the DoD space. With the lack of requirements, there's a lack of funding to invest in some of these technologies and some of these things, and then the requirements are a little bit unclear. So we're doing a lot of requirements revisiting and rewriting currently to figure out how to exploit the mobile devices and the mobile marketplace itself. So I believe those are the majority of the challenges that I've met.
John: Okay, great. So when will the CoE be available?
Nathan: So currently the lab that we've built is up and running. We had the last hardware and software installs done in the past couple of weeks. We're currently going through and making sure everything is functional, all of the networks work, and we're looking at an initial operational capability on the 2nd of January, working on a few projects that we already have funded here internally and then as well as going out and getting the word out that it exists and that our services are available to multiple government programs.
John: Okay. Good. All right, well thank you. And you know, we are out of time. I would like to thank Johnny Overcast, Nick Stablein and Nathan Kielman for a very informative session. Also I want to thank Winfield Decker for joining us for the Q&A. And I'd like to thank Samsung for their sponsorship of this webcast. Also I want to remind everyone that in the next day or two, we'll be emailing you a link to an archived version of this session so that you can review it or pass it along to a colleague. Thank you all very much for attending. This concludes today's webcast.