Mobile First? Security First? It’s a Tie and Here’s Why!
Presented by Paul DePond, VP of Innovation & Technology
Leveraging mobility does not have to mean sacrificing security.

Published in: Technology
  1. Mobile First? Security First? It’s a Tie and Here’s Why! Presented by Paul DePond, VP of Innovation & Technology
  2. About Globo (globoplc.com © 2014)
     • GLOBO is an international leader and technology innovator delivering Enterprise Mobility Management and Mobile Application Development solutions and services.
     • Subsidiaries & offices: USA | UK | UAE | Singapore | Greece | Cyprus | Romania
     • Revenue growth: 2013: $98.6m; 2012: $80.3m; 2011: $45.9m
     • Founded in 1997; listed on AIM (LSE:GBO)
     • 2.9m active users of consumer services; 340k enterprise users; 13m+ device licenses for consumer apps; deployments in 50+ countries
     • Latest acquisitions:
  3. Globo Recognized by Leading Analysts (Empowering Mobility In Regulated Industries)
     • Globo is the only new vendor to be added to Gartner's new Magic Quadrant for EMM report for 2014. “Unique among its peers… GLOBO is a good fit for organizations looking for a single product that provides MADP and EMM.”
     • Globo has been evaluated and recognized as a major “Market Challenger” amongst the top 11 EMM vendors and close to the “Market Leaders” space in OVUM’s Decision Matrix for EMM. "Globo offers a well-rounded, end-to-end EMM solution, and is one of very few vendors to offer five out of six of our defined components."
  4. Identity Theft Report 2014
     • More than 81 million records have been compromised in 2014 in approximately 679 breaches.
     • In 2013 only 439 breaches had been reported, representing a 36 percent increase.
     • The breach count was last updated on October 3, 2014, with JP Morgan Chase's filing to the SEC that the data of approximately 76 million households and 7 million small businesses that have accounts with the bank had been compromised.
     • The nonprofit group counts social security numbers, driver's license numbers, medical records, or payment card information as a record.
     • In 2014, medical and health care organizations accounted for the majority of breaches, at 43.5 percent.
     • In 2013, businesses accounted for 84 percent of breaches. The dramatic switch in targets, or impacted industries, could be indicative of a lack of education or resources in the health care field.
     Source: Identity Theft Resource Center, Nov 2014
  5. Security Requirements Are Increasing (diagram; labels: Security, Government, Healthcare, Financial, Utilities)
  6. Encryption is Now Mandated
     • Government – Federal Agencies and DOD
     • HealthCare
       o HIPAA - Health Insurance Portability and Accountability Act
       o HITECH - Health Information Technology for Economic and Clinical Health
     • Financial - SOX, GLB, FINRA, PCI DSS
     • Utilities - FERC, NERC
  7. Definitions
     • FISMA - Federal Information Security Management Act defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
     • NIST – National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing FISMA requirements and to protect their information and information systems.
     • FIPS – Federal Information Processing Standards are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. Federal Information Processing Standards Publications (FIPS PUBS) are issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.
  8. Definitions
     • FIPS 140-2, the Federal Information Processing Standard for Security Requirements for Cryptographic Modules, specifies the security requirements that are to be satisfied by the cryptographic module utilized within a security system protecting sensitive information within computer and telecommunications systems (including voice systems).
     • FIPS 199, the Federal Information Processing Standard for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation. FIPS 199 requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category. The most severe rating from any category becomes the information system's overall security categorization.
  9. Definitions
     • FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
     • NIST SP 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in FIPS 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.
  10. Changes in Federal Government
     • With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS).
     • FISMA mandates the categorization and security requirements of FIPS 199, FIPS 200 and NIST SP 800-53 for all federal information systems.
  11. Unvalidated Cryptographic Modules
     • FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems.
     • Unvalidated cryptography is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext.
     • If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.
  12. Department of Health and Human Services
     • The U.S. Department of Health and Human Services (HHS) issued guidance wherein "unsecure protected health information (PHI)" is essentially any PHI that is not encrypted or destroyed.
     • HITECH introduced a breach notification initiative, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI.
  13. HIPAA Safe Harbor
     • HIPAA-covered entities can expect safe harbor if, and only if, they adhere to specified strict standards and guidelines.
     • The fact that a company's data is encrypted is meaningless without taking into account the NIST requirements.
     • Organizations that properly adhere to HIPAA standards understand the impact of breach notifications.
     • By proactively leveraging the proper encryption technologies, companies of all sizes can avoid these breach notifications while ensuring the security of their sensitive data.
  14. Data Loss Prevention
     • Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside of the corporate network.
       o Data in-use
       o Data in-motion
       o Data at-rest
     • Sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.
  15. Compliance Demands More Data Protection (diagram; labels: Optional Encryption, Basic Encryption, Strong Encryption)
  16. FIPS 140-2 Confusion
     o We are FIPS certified
     o We are FIPS compliant
     o We are FIPS conforming
     o We are FIPS validated
  17. Sorting Out the Confusion
     • FIPS Validated = FIPS Certified
     • FIPS Validated = Four Step Process
     • FIPS Compliant = using FIPS validated modules within the product which itself has not been validated; therefore the overall product is not FIPS validated.
     • FIPS Compliant = FIPS Enabled = FIPS Conforming = NOT an actual VALIDATED product
  18. Description of FIPS 140-2 Levels
     • FIPS 140-2 Level 1: The lowest level, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
     • FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
     • FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
     • FIPS 140-2 Level 4: Makes the physical security requirements more stringent, and requires robustness against environmental attacks. Level 4 is currently not being utilized in the market.
  19. Who Validates FIPS 140-2?
     • CMVP - the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC).
  20. The FIPS 140-2 Validation Process (diagram; no transcript text)
  21. Guidelines for Using FIPS 140-2 Logo
     • The phrase FIPS 140-2 Validated and the FIPS 140-2 Logo are ONLY intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) as complying with FIPS 140-2, Security Requirements for Cryptographic Modules.
  22. FIPS 140-2 Validation Certificate (image of a certificate; no transcript text)
  23. How to Verify a FIPS 140-2 Validated Vendor
     • Organizations are advised to refer to the FIPS 140-1 and FIPS 140-2 validation list: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
     • A product or implementation does not meet the FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.
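The distinction drawn on slides 16, 17 and 23 (validated means the product itself is the module named on a CMVP certificate; compliant, enabled or conforming means at most that it embeds someone else's validated module; algorithm certificates alone say nothing about the module) can be turned into a mechanical check when reviewing vendor claims. The Python below is an added example, not Globo's code and not a NIST tool: the validation-list rows, certificate numbers, vendor and product names are constructed placeholders, and the `status` field is a simplified model of the NIST list.

```python
"""
Classify a vendor's FIPS 140-2 claim against a validated-modules list.

Added example, not part of the presentation. All certificate numbers,
vendor and product names below are constructed placeholders, and the
list fields are a simplified model of the CMVP validation list.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ModuleCert:
    """One row of the validation list (simplified, constructed)."""
    cert_no: int        # CMVP certificate number
    vendor: str
    module: str         # exact module name the certificate covers
    status: str         # "Active" or "Historical" (status vocabulary assumed)


@dataclass(frozen=True)
class VendorClaim:
    """What a vendor asserts about a product."""
    vendor: str
    product: str
    wording: str                         # e.g. "FIPS compliant", "FIPS validated"
    cert_no: Optional[int] = None        # certificate number cited, if any
    cert_program: Optional[str] = None   # "CMVP" (module cert) or "CAVP" (algorithm cert)


# Constructed stand-in for the NIST validation list; not real certificates.
VALIDATION_LIST = (
    ModuleCert(1001, "ExampleCrypto Inc.", "ExampleCrypto Core Module 2.0", "Active"),
    ModuleCert(1002, "ExampleCrypto Inc.", "ExampleCrypto Core Module 1.0", "Historical"),
)


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for module/product names."""
    return " ".join(name.lower().split())


def lookup_cert(cert_no: int, validation_list=VALIDATION_LIST) -> Optional[ModuleCert]:
    """Find a certificate on the list by number, or None if it is not listed."""
    for entry in validation_list:
        if entry.cert_no == cert_no:
            return entry
    return None


def classify_claim(claim: VendorClaim, validation_list=VALIDATION_LIST) -> Tuple[str, str]:
    """Map a claim to one verdict and a reason.

    validated       the product itself is the listed module and the entry is Active
    compliant-only  the product embeds a listed module but is not itself listed
                    (slide 17: compliant/enabled/conforming != validated)
    algorithm-only  only algorithm (CAVP) certificates are cited (slide 23)
    not-active      the listed entry is no longer Active
    unverified      no certificate cited, or the number is not on the list
    """
    if claim.cert_program == "CAVP":
        return "algorithm-only", "algorithm validation certificates alone do not meet FIPS 140-2"
    if claim.cert_no is None:
        return "unverified", f"wording '{claim.wording}' cites no CMVP certificate number"
    entry = lookup_cert(claim.cert_no, validation_list)
    if entry is None:
        return "unverified", f"certificate #{claim.cert_no} is not on the validation list"
    if entry.status != "Active":
        return "not-active", f"certificate #{claim.cert_no} has status {entry.status}"
    if _norm(entry.module) == _norm(claim.product):
        return "validated", f"certificate #{claim.cert_no} covers {entry.module}"
    return "compliant-only", (f"{claim.product} embeds {entry.module} (#{claim.cert_no}); "
                              "the product itself is not validated")


# Constructed claims, one per verdict the checker can return.
CLAIMS = (
    VendorClaim("ExampleCrypto Inc.", "ExampleCrypto Core Module 2.0", "FIPS 140-2 validated", 1001, "CMVP"),
    VendorClaim("Acme Mobile", "Acme SecureApp 5.1", "FIPS compliant", 1001, "CMVP"),
    VendorClaim("Acme Mobile", "Acme SecureApp 5.1", "FIPS enabled"),
    VendorClaim("Acme Mobile", "Acme SecureApp 5.1", "uses FIPS-approved AES", 77, "CAVP"),
    VendorClaim("ExampleCrypto Inc.", "ExampleCrypto Core Module 1.0", "FIPS certified", 1002, "CMVP"),
    VendorClaim("Acme Mobile", "Acme SecureApp 5.1", "FIPS validated", 9999, "CMVP"),
)


def review(claims=CLAIMS, validation_list=VALIDATION_LIST):
    """Return (product, wording, verdict, reason) for every claim."""
    return [(c.product, c.wording) + classify_claim(c, validation_list) for c in claims]


if __name__ == "__main__":
    for product, wording, verdict, reason in review():
        print(f"{product:32} {wording:24} -> {verdict:15} {reason}")
```

In a real review the rows come from the NIST list the slide links to, and the name comparison should be made against the module name and version exactly as printed on the certificate, because a certificate covers one specific module build rather than a vendor's whole product line. Only the "validated" verdict corresponds to the phrase the logo guidelines on slide 21 permit.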
  24. A Secure Workspace Should Include
     • Data At Rest Encryption
     • Data in Motion Encryption
     • Mobile Content Management
     • Enterprise Instant Messaging
     • Secure Browser
     • Secure Camera
     • Secure Applications
  25. End to End FIPS 140-2 Validation Encryption (diagram; labels: AES 256 bits (repeated on each component), SSL, Internet, CRM, ERP, Database, Email)
  26. GO!Enterprise Example (architecture diagram; labels: Developer, AppZone Studio, GO!Apps Repository, Distribute, GO!App, Administrator, Administration, Enterprise Server, Enterprise Menu, Integration Engine, CRM, ERP, Database, Internet, User device)
  27. Customer Examples (image slide; no transcript text)
  28. Takeaways
     • Data Loss Protection is a real issue and data breaches continue to escalate.
     • Many organizations are requiring vendors to prove they are meeting their compliance requirements.
     • Understand the difference between validated and all other terms describing a vendor's support of FIPS 140-2 certification.
     • Consider a secure mobile workspace for your enterprise mobile management solution that provides validated FIPS 140-2 encryption, providing end to end security.
  29. Thank You. Paul DePond, VP of Innovation & Technology – Globo, pdepond@globoplc.com
