Joint ATF/USMS iOS mobility pilot, presented at the 2011 DOJ Cyber Security Conference
Office of Science and Technology
ATF & USMS Mobility Pilot: Deploying and Supporting iPads/iPhones in the DOJ Environment
Rick Holgate
ATF Assistant Director for Science & Technology / CIO
DOJ Cyber Security Conference
February 9, 2011
Factors Driving Mobility at ATF (& USMS)
• Law enforcement and regulatory missions
– Most work happens away from the office
– Productivity enhancement
• Emergent situations
– Special operations, major events, ESF 13
• Increasing demand for real-time information
– “Knowing what we know”
• Telework / real estate costs
• Predominantly controlled unclassified information
9 February 2011 innovative applications of science and technology 2
Why A(nother) Mobility Pilot
• Spectrum relocation – video surveillance
• Highly mobile ATF (& USMS) workforce
• Right mobility model for the future
– Usability and functionality
• Lessons learned from mobility pilot v 1.0
– Affordability
ATF Organizational Snapshot (round numbers)
[Two bar charts, extracted as axis ticks only. Personnel, by category: Special Agents; Industry Operations Investigators; Other Professional Staff; Contractors / Task Force Officers / Others (bar values shown: 2,560; 806; 1,738; 2,400). Mobile Data Devices, by type: Laptops (w/secure WiFi); Cellular Broadband; BlackBerries; Windows Mobile (bar values shown: 6,500; 3,100; 1,800; 150). The extraction does not preserve which value belongs to which bar.]
Overall Pilot Objectives
• Deliver meaningful functionality
• Test relevant and complete use cases
• Understand technical and cost obstacles and implications
• Demonstrate the ability to secure and manage the devices
…while maintaining device/OS-independence
Why iOS?
• Market and mind share
• Grass roots adoption
• Intuitive applications readily adopted for law enforcement
• Appealing form factor(s)
• Easy to use
Mobility Solution
• Secure Email: security features; scalability and reliability features; usability features
• Mobile Workforce: enterprise applications; collaboration applications
• Centralized Device Management: provisioning; production; decommission
Mobility Solution Architecture
[Architecture diagram; components as extracted:]
• End user mobile devices: Secure Sandbox; Outside Sandbox (Apple, iTunes, Android Market)
• ATF Application Distribution Store: packaging and distribution
• Mobile applications: Enterprise Applications; Collaborating Applications
• Mobile profiles: Security Policy Profile; Device Control Profile; Configuration Profile
• ATF Enterprise
Core Technical Objectives
• Device Management
• Policy Implications
• Application Deployment Strategies
Mobile Device Management Considerations
• Feature & Functionality: Security; Software Management; Asset Management; Configuration Management; Performance & Diagnostic; Backup and Restore
• Platform: Apple iOS; Android; Blackberry; Windows Mobile; Symbian; Palm WebOS
• Security Compliance: FIPS 140 Data at Rest; FIPS 140 Data OTA; AES 256
• Enterprise Integration: MS ActiveSync; MS Exchange; Active Directory; Tivoli, HP Operation Manager, etc.; ArcSight; BES
Mobility Scenarios: Application Deployment Scenarios by Functional User Scenario
Functional user scenarios (columns): Executive (ATF & USMS) | Operational (USMS 1811) | Operational (ATF 1811) | Operational (ATF 1801)
• Office productivity (email, calendar, contacts): all four
• Legacy/desktop applications via Citrix: all four
• Document collaboration: all four
• App Store applications with enterprise data: all four
• Custom applications: two of the four (column alignment lost in extraction)
• Web applications (internal, external): all four
• Video management: two of the four (column alignment lost in extraction)
Application Deployment Strategies
[Diagram labelled Pinecone; content as extracted:]
• Enterprise Data: Business Intelligence
• Document Authoring, Collaboration using Enterprise Content:
– WebDAV
– Enterprise Content Management System
– IDEA/MyFX (?)
• Enterprise Apps:
– NFOCIS (ATF case management)
– JDIS (USMS)
– MS Office
– Content repository
• Sandboxed Access to Enterprise Productivity (Exchange, etc.), Internal Web Apps (ATFWeb, HRConnect)
• Training and Reference Materials (internal content management)
• External Web Apps:
– WebTA
– learnATF/learnDOJ
– eTrace
• Personal accounts (?): Gmail, Yahoo, Hotmail
• Video surveillance and evidence management (provided as a cloud-based service)
• Dictation for integration with productivity apps
• Personal applications (?)
“How Big is My Sandbox?”
[Diagram of app icons grouped into three functionally segregated zones: Pinecone, dedicated apps in a FIPS 140-2 sandbox; native (OS) or App Store apps; and the AirWatch / BoxTone “Managed Space” through MDM. Icons shown include Mail, Contacts, Web, Phone, File Mgr., eReader, Office2 HD, Annotate, Camera, Calendar, Evernote, Pages, App Store, Dragon, Notes and Good; the extraction does not preserve which zone each icon sits in.]
“Demo”
Application Deployment Principles
• Don’t break the usability and convenience
• Strive for simplicity
• Identify minimum technology footprint necessary to deliver the required functionality
• Deliver cross-application integration where logical
• Provide single sign-on where/whenever possible
Policy Implications
• Personal vs. government devices
• Personal uses
– Applications
– Data
• Commercial application purchase and distribution
iOS Devices: More Like a Browser or a PC?
• Browser
– Personal “Apps” (Facebook, YouTube, …): white/black list
– Secure, Managed Browser (“Sandbox”)
– Reasonable Use
• PC
– Locked/Managed Desktop
– No User-Installed (Personal) Apps
– Device-Wide Management
– Device Encryption
Where This is Leading: Notional Future Mix of User Devices
• Phone, Slate, Virtual Desktop Infrastructure
– Simple, manageable, highly functional mobile devices
– Apps and data available anywhere / from any platform
– Desktop interface and power if/when needed
• Office “kiosks”; home
– Tighter security management
– Significantly lower cost per user
Staying Engaged
• Regular progress meetings – open to DOJ Components
• ATF POC
– Michael Wallace, [email protected], (202) 648-9322
• USMS POC
– Roland Perez, [email protected], (608) 661-8225
Questions?
Backup
Architecture: ATF vs. Traditional Environment
Secure Email Solution
Security
• AES 256-bit encryption of email and data
• Certified FIPS 140-2 cryptography
• Secure Sandbox solution and run-time protection
• Secure browser, file manager, camera, and image storage inside the sandbox
• ATF Application Distribution Store authentication
Scalability & Reliability
• Ownership of data; does not rely on an external relay or Network Operation Center (NOC)
• Dedicated and secured relay
• Scalability through chained and redundant relays
• Provides ATF with a flexible deployment strategy: different Sandbox IPAs target different user groups
Usability
• Highly customized ATF Application Store
• Over-the-Air (OTA) download and install of the Sandbox to the handheld device
• Multiple home screen options inside the Sandbox
• Support for ZIP file attachments
Mobility Workforce Solution
Enterprise Applications
• Dashboard
• Business Intelligence
• WebTA
• HRConnect
• FO PettyCash
• FO Documents Publishing
Collaborating Applications
• iWalkie
• Secure Chat Room
• GoToMeeting
• eReader
Centralized Device Management Solution
Provisioning
• Assign group membership and policies
• Configure device for connectivity
• OTA delivery of management client
Production
• Track asset data
• Update/repair software
• Distribute and update Large Object Binary (LOB) data and files
• Software license usage and tracking
• Schedule and automate activities
• Remote control of devices
Decommission
• Disable lost/stolen device (remote kill/lock, access violation lock)
• Restore data, redeploy software assets, re-provision and re-image device
Centralized Device Management Solution: MDM product comparison
Features supported by all four products evaluated (Afaria, AirWatch, Boxtone, MobileIron):
• Disable applications
• Broadcast SMS, APNs
• OTA Enrollment
• Over-the-air download and update
• Passcode policy enforcement
• Platform - Apple iOS
• Track inventory & audit compliance for corporate governance
• OTA self-provisioning of devices with central control
• OTA app deployment via enterprise app catalog
• Certificate management & distribution (SCEP)
• Enterprise Integration - Microsoft ActiveSync
• Web-based console
• AD integration (authentication, authorization, policy mapping)
• Feature enable/disable (camera, SD, Bluetooth, WiFi, apps, iTunes, cookies)
• Password enforcement (length, age, complex, inactivity, expiration, history)
• Application Blacklisting
• Application Whitelisting
• Asset management
• Fully integrated audit trail
• Enterprise Integration - Microsoft ActiveDirectory & LDAP
• Lockdown device port (Infrared, WiFi, Bluetooth)
• WiFi pre-config (SSID, Hidden Network, Security Type, Password)
• Detailed deployment & utilization by user, device, carrier, platform