A breakdown of DOD security controls for iOS and Android
- By William Jackson
- May 29, 2013
In recently released Security Technical Implementation Guides (STIGs) for two more mobile operating systems, the Defense Information Systems Agency lays out the requirements for secure use of the devices on DOD networks.
Samsung Knox Android:
The Samsung Knox platform provides application programming interfaces (APIs) that third-party vendors use to develop tools implementing the security controls required by the Samsung Knox Android STIG. The APIs include:
- The Mobile Device Management (MDM) API includes more than 500 policies and 1,100 interfaces that any MDM agent can call. A vendor can use it to implement an MDM solution that meets or exceeds the STIG requirements. Vendors implementing the MDM API include MobileIron, AirWatch, SOTI, and Fixmo.
- The Integrity Services Layer (ISL) provides an interface that allows third-party vendors to implement an Integrity Services Agent (ISA) that communicates with the on-device MDM agent. The ISA performs on-device scanning for integrity failures and reports the results to the MDM server. Solutions implementing the ISL include Fixmo ISA.
- The MDM API includes VPN policies and interfaces that allow an administrator to configure third-party IPsec VPN solutions implementing the MDM interfaces. This enables the device to connect to DOD networks using a FIPS 140-2 validated cryptographic module to protect data in transit. Solutions that implement the MDM interface include Mocana KeyVPN and Inside Secure VPN.
- The Smart Card API provides an interface that allows third-party vendors to implement smart card reader functionality, enabling Samsung Knox Android to support the DOD Common Access Card (CAC) for PKI, including user authentication, S/MIME digital signatures, and device unlock. Solutions that implement this interface include the Biometrics Associates Bluetooth Smart Card Reader.
Apple iOS 6:
The iOS 6 STIG specifies that third-party products provide:
- Mobile Device Management for DOD network access control and management of the security policy on mobile devices.
- Mobile Application Management for the management of DOD approved applications on mobile devices.
- Mobile Device Integrity Scanning for integrity validation of mobile devices.
- Mobile Email Management for management of DOD email on mobile devices and providing an interface between the email server and the mobile system.
- A security container that provides FIPS 140-2 validated encryption of sensitive data, usually included as a feature of the MDM or MAM agent.
- A browser that is installed inside the security container.
- A CAC reader and its middleware.
William Jackson is a freelance writer and the author of the CyberEye blog.