Empowering Secure Mobility in Regulated Industries

Transcript of Empowering Secure Mobility in Regulated Industries

globoplc.com

© 2014

Background

About Globo

GLOBO is an international leader and technology innovator delivering Enterprise Mobility Management and Mobile Application Development solutions and services.

Subsidiaries & offices:

USA | UK | UAE | Singapore | Greece | Cyprus | Romania


REVENUE GROWTH

2013: $98.6m

2012: $80.3m

2011: $45.9m

Founded in 1997

Listed on AIM

LSE:GBO

2.9m active users of consumer services

340k enterprise users

13m+ device licenses for consumer apps

Deployments in 50+ countries

Latest acquisitions:

Globo Group Customers & Partners

Customers

Partners

Globo Recognized by Leading Analysts

“Unique among its peers… GLOBO is a good fit for organizations looking for a single product that provides MADP and EMM.”

Magic Quadrant for EMM 2014

GLOBO: only new vendor

About SafeLogic

• Provider of FIPS 140-2 Encryption Technology

• Securing mobile, server, appliance, wearable and IoT environments

• Compliance Consulting

• Founded 2012 and privately held

• Headquartered in Palo Alto, CA

The Challenge

Mobility Challenges

Identity Theft Report 2014

• 75+ million records have been compromised in approximately 568 breaches

• A “record” includes Social Security Numbers, driver's license numbers, medical records, or payment card information

• A 29.4 percent increase from 2013, when only 439 breaches were reported

• The breach count includes Home Depot’s incident, which affected at least 56 million records

• Medical and healthcare organizations accounted for the largest share of breaches, at 43.5 percent.

• In 2013, businesses accounted for 84 percent of breaches. The dramatic switch in targets, or impacted industries, could be indicative of a lack of education or resources in the healthcare field.

Source: Identity Theft Resource Center Oct 2014

Security Requirements Are Increasing

(Figure: security requirements rising across the Government, Healthcare, Financial and Utilities sectors)


Encryption is Now Mandated

• Government – Federal agencies and DoD

• Healthcare – HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act)

• Financial – SOX, GLBA, FINRA, PCI DSS

• Utilities – FERC, NERC

Definitions

• FISMA – The Federal Information Security Management Act defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

• NIST – The National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing FISMA requirements and to protect their information and information systems.

• FIPS – Federal Information Processing Standards are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. Federal Information Processing Standards Publications (FIPS PUBS) are issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.

Definitions

• FIPS 140-2, Security Requirements for Cryptographic Modules, is a Federal Information Processing Standard that specifies the security requirements to be satisfied by the cryptographic module used within a security system protecting sensitive information in computer and telecommunications systems (including voice systems).

• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation. FIPS 199 requires federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category. The most severe rating from any category becomes the information system's overall security categorization.

Definitions

• FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy those minimum requirements.

• NIST SP 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in FIPS 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline controls, and supplementing them based on an organizational assessment of risk. The controls cover 17 families, including access control, incident response, and contingency planning (business continuity and disaster recovery).

Changes in Federal Government

• With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow agencies to waive mandatory Federal Information Processing Standards (FIPS).

• FISMA mandates the categorization and security requirements of FIPS 199, FIPS 200 and NIST SP 800-53 for all federal information systems.

Unvalidated Cryptographic Modules

• FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within federal systems.

• Unvalidated cryptography is viewed by NIST as providing no protection to the information or data; in effect the data is considered unprotected plaintext.

• If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.

Department of Health and Human Services

• The U.S. Department of Health and Human Services (HHS) issued guidance under which "unsecured protected health information (PHI)" is essentially any PHI that is not encrypted or destroyed.

• HITECH introduced the breach notification rule, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI.

HIPAA Safe Harbor

• HIPAA-covered entities can expect safe harbor if, and only if, they adhere to the specified strict standards and guidelines.

• The fact that a company's data is encrypted is meaningless without taking into account the NIST requirements.

• Organizations that properly adhere to HIPAA standards understand the impact of breach notifications.

• By proactively leveraging the proper encryption technologies, companies of all sizes can avoid these breach notifications while ensuring the security of their sensitive data.

Data Loss Prevention

• Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside of the corporate network. It covers data in three states:

  Data in use

  Data in motion

  Data at rest

• Sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit card data, and other information depending on the business and the industry.

Compliance Demands More Data Protection

(Figure: progression from optional encryption, to basic encryption, to strong encryption)

Encryption of Data in Motion

• Valid encryption processes must comply with the requirements of Federal Information Processing Standard (FIPS) 140-2. While there are many technical requirements involved, only a few vendors offer products that are FIPS 140-2 validated.

• Organizations must look for a solution that is FIPS 140-2 validated, not merely FIPS 140-2 compliant. The former means the cryptographic module has been tested by an accredited laboratory and a validation certificate has been issued under the CMVP run by NIST and CSEC.

Encryption of Data at Rest

• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices: "Federal agencies must use FIPS-approved algorithms contained in validated cryptographic modules. Whenever possible, AES (Advanced Encryption Standard) should be used for the encryption algorithm because of its strength and speed."

• NIST SP 800-57, Recommendation for Key Management, "provides detailed information on key management planning, algorithm selection and appropriate key sizes, cryptographic policy and cryptographic module selection."
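The following is an added example, not code from the original deck, Globo or SafeLogic. It shows what "FIPS-approved algorithm, AES where possible" looks like for a stored record: AES-256-GCM with a random 96-bit nonce, the record identifier bound as additional authenticated data, and decryption that fails on any tampering. Go's standard crypto library is used here only to show the algorithm choices; in its default build it is not itself a validated module, and in a real deployment the validated module, not the application, would hold the key. The record identifier, plaintext and blob layout are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout (constructed for this example): nonce (12 bytes) || ciphertext || GCM tag (16 bytes).

const keyBytes = 32 // AES-256

// NewKey draws a fresh 256-bit key from the OS CSPRNG. In production the key
// would be generated by and kept inside the validated module or a key manager
// following SP 800-57, not held in application memory like this.
func NewKey() ([]byte, error) {
	key := make([]byte, keyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext for storage. The record identifier is bound as
// additional authenticated data, so a ciphertext copied from one record into
// another record's slot will not decrypt.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Random 96-bit nonce. SP 800-38D caps a key at 2^32 random-nonce
	// invocations; rotate keys well before that on large record stores.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal, failing on any change to the nonce,
// ciphertext, tag or record identifier.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != keyBytes {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, _ := NewKey()
	// Constructed sample record.
	blob, _ := Seal(key, "patient/1042", []byte("DOB=1970-01-01;MRN=1042"))
	pt, err := Open(key, "patient/1042", blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = Open(key, "patient/1043", blob) // same blob, wrong record
	fmt.Println("moved to another record:", err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, "patient/1042", blob)
	fmt.Println("tampered:", err)
}
```

The authenticated mode is the point: plain AES-CBC would satisfy "AES-256" on a slide while still letting an attacker with write access to the store swap or bit-flip ciphertexts undetected.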


FIPS 140-2 Confusion

o We are FIPS certified

o We are FIPS compliant

o We are FIPS Conforming

o We are FIPS validated

Sorting Out the Confusion

• FIPS Validated = FIPS Certified

• FIPS Validated = four-step process

• FIPS Compliant = using FIPS validated modules within a product which itself has not been validated; the overall product is therefore not FIPS validated.

• FIPS Compliant = FIPS Enabled = FIPS Conforming = NOT an actual VALIDATED product

Description of FIPS 140-2 Levels

FIPS 140-2 Level 1: The lowest level, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

FIPS 140-2 Level 2: Adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3: Adds requirements for physical tamper-resistance and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.

FIPS 140-2 Level 4: Makes the physical security requirements more stringent and requires robustness against environmental attacks. Level 4 validations are rare in the market.

Who Validates FIPS 140-2?

CMVP – The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to FIPS 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards.

The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). Testing is performed by independent accredited laboratories; the CMVP reviews the test reports and issues the validation certificate.


The FIPS 140-2 Validation Process

Guidelines for Using the FIPS 140-2 Logo

The phrase "FIPS 140-2 Validated" and the FIPS 140-2 logo are ONLY intended for use in association with cryptographic modules validated by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) as complying with FIPS 140-2, Security Requirements for Cryptographic Modules.


FIPS 140-2 Validation Certificate

How to Verify a FIPS 140-2 Validated Vendor

• Organizations are advised to refer to the FIPS 140-1 and FIPS 140-2 validation lists:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

• A product or implementation does not meet the FIPS 140-2 applicability requirements simply by implementing an approved security function and acquiring algorithm validation certificates. Algorithm (CAVP) certificates show only that an implementation of AES, SHA or similar passed the algorithm tests; a CMVP module certificate is what shows the module as a whole was validated, and that validation applies to the module version and operational environments listed on the certificate.
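As an added example (not part of the original deck and not Globo's or SafeLogic's code), the check a buyer would apply to a vendor's FIPS claim, written against the rules on this slide: an algorithm certificate is not a module certificate, the certificate must be on the list and current, and it covers only the listed module version and tested operational environments. The list entries, certificate numbers, vendor and product names and the status values ("Active", "Historical", "Revoked") are constructed stand-ins for what the real CMVP list at the URL above carries.

```go
package main

import (
	"fmt"
	"strings"
)

// ModuleCert mirrors the fields of a CMVP validated-module entry (constructed).
type ModuleCert struct {
	Number       int
	Module       string
	Vendor       string
	Version      string
	Level        int      // FIPS 140-2 overall level
	Environments []string // operational environments the module was tested on
	Status       string   // assumed values: "Active", "Historical", "Revoked"
}

// Claim is what a vendor asserts about its product.
type Claim struct {
	Vendor         string
	Product        string
	ModuleCert     int      // CMVP certificate number cited, 0 if none
	AlgorithmCerts []string // CAVP algorithm certificates cited, e.g. "AES #2001"
	ModuleVersion  string   // version of the module shipped in the product
	Platform       string   // OS/hardware the product actually runs on
}

// Constructed stand-in for the CMVP validation list.
var cmvpList = []ModuleCert{
	{Number: 1001, Module: "Example Crypto Module", Vendor: "Example Crypto Inc.",
		Version: "2.0.1", Level: 1,
		Environments: []string{"Android 4.4 on ARMv7", "iOS 7 on ARMv7"},
		Status:       "Active"},
}

// Verify reports whether the claim rests on a module validation that covers the
// shipped version and platform, plus the findings behind that answer.
func Verify(list []ModuleCert, c Claim) (bool, []string) {
	var findings []string
	if c.ModuleCert == 0 {
		findings = append(findings, "no CMVP module certificate cited")
		if len(c.AlgorithmCerts) > 0 {
			findings = append(findings, "only CAVP algorithm certificates cited ("+
				strings.Join(c.AlgorithmCerts, ", ")+"); algorithm validation is not module validation")
		}
		return false, findings
	}
	var cert *ModuleCert
	for i := range list {
		if list[i].Number == c.ModuleCert {
			cert = &list[i]
		}
	}
	if cert == nil {
		return false, append(findings, fmt.Sprintf("certificate #%d is not on the CMVP list", c.ModuleCert))
	}
	ok := true
	if cert.Status != "Active" {
		ok = false
		findings = append(findings, fmt.Sprintf("certificate #%d status is %s", cert.Number, cert.Status))
	}
	if !strings.EqualFold(cert.Version, c.ModuleVersion) {
		ok = false
		findings = append(findings, fmt.Sprintf("shipped module version %q is not the validated version %q", c.ModuleVersion, cert.Version))
	}
	if !containsFold(cert.Environments, c.Platform) {
		ok = false
		findings = append(findings, fmt.Sprintf("platform %q is not a tested operational environment", c.Platform))
	}
	if !strings.EqualFold(cert.Vendor, c.Vendor) {
		// Not a failure: the product embeds a third party's validated module.
		// The validation covers that module, not the product built around it.
		findings = append(findings, fmt.Sprintf("certificate #%d belongs to %s, not %s: the product is FIPS compliant by embedding a validated module, not itself validated", cert.Number, cert.Vendor, c.Vendor))
	}
	return ok, findings
}

func containsFold(list []string, s string) bool {
	for _, v := range list {
		if strings.EqualFold(v, s) {
			return true
		}
	}
	return false
}

func main() {
	claims := []Claim{ // constructed vendor claims
		{Vendor: "Example Crypto Inc.", Product: "Example Vault", ModuleCert: 1001, ModuleVersion: "2.0.1", Platform: "Android 4.4 on ARMv7"},
		{Vendor: "Acme Mobile", Product: "Acme Notes", AlgorithmCerts: []string{"AES #2001", "SHS #1800"}, ModuleVersion: "1.0", Platform: "iOS 7 on ARMv7"},
		{Vendor: "Acme Mobile", Product: "Acme Notes", ModuleCert: 1001, ModuleVersion: "2.1.0", Platform: "Windows Phone 8"},
	}
	for _, c := range claims {
		ok, why := Verify(cmvpList, c)
		fmt.Printf("%s / %s: validated=%v\n", c.Vendor, c.Product, ok)
		for _, f := range why {
			fmt.Println("  -", f)
		}
	}
}
```

The version and platform checks are the ones vendors most often skip over: a certificate for "2.0.1 on Android 4.4" says nothing about the 2.1.0 build shipped on a newer OS, and the real list is what settles it, not the vendor's data sheet.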

A Secure Workspace Should Include

• Data at Rest Encryption

• Data in Motion Encryption

• Mobile Content Management

• Enterprise Instant Messaging

• Secure Browser

• Secure Camera

• Secure Applications

End-to-End FIPS 140-2 Validated Encryption

(Figure: AES 256-bit encryption on the mobile device and at the CRM, ERP, Database and Email back ends, with SSL across the Internet between them)

Takeaways

• Data loss prevention is a real issue and data breaches continue to escalate.

• Many organizations are requiring vendors to prove they are meeting their compliance requirements.

• Understand the difference between "validated" and all other terms describing a vendor's support of FIPS 140-2.

• Consider a secure mobile workspace for your enterprise mobility management solution that provides validated FIPS 140-2 encryption, giving end-to-end security.

Thank You

Paul DePond, VP of Business Development & Analyst Relations – Globo, [email protected]

Ray Potter, CEO – [email protected]