In today’s business landscape, accessing work resources via mobile devices while away from the office has become a norm. Yet organizations that handle highly sensitive data are often unable to do so without facing significant security risks posed by advanced attackers.
To tackle these challenges, the NCSC has introduced ‘Advanced Mobile Solutions’ (AMS). This comprehensive risk model includes architectural patterns and technologies designed to enable high-threat organizations to remain connected while minimizing security risks.
This article explains what AMS entails and why it might be beneficial for your organization. Additionally, you can engage with our team about this at CYBERUK 2024.
Challenges of Secure Mobile Access
Historically, governments have relied on bespoke secure phones; however, this approach is now impractical. Users today expect their mobile experience to match that of their personal devices. Creating such highly secure devices while ensuring they remain current is prohibitively expensive, leading to the need for ‘consumer-grade’ devices.
This reliance on consumer devices introduces several issues:
- Government entities typically utilize ‘high grade’ cryptographic appliances to safeguard sensitive communications. Using such systems with consumer-grade devices is not practical with current technological capabilities.
- Consumer mobile devices, while advanced, may have vulnerabilities (like those exploited by the notorious Pegasus malware). Although these vulnerabilities might not concern average consumers, because fixes arrive promptly, high-threat organizations that attract capable attackers face significant risk: such adversaries may hold unknown vulnerabilities and use them without ever disclosing them.
- Should a user’s device become compromised, it could be exploited to attack legitimate services (e.g., an email server), creating a pathway for attackers to compromise core infrastructure.
Thus, the goal becomes designing a risk model and architecture that:
- Accepts that individual devices (and the data they can access) may be compromised at times.
- Aims to protect entire fleets of devices from breaches.
- Ensures that compromises do not jeopardize bulk data or the security of sensitive systems.
The AMS Risk Framework
To engage with AMS, organizations need to embrace its underlying risk model and confidently manage these risks.
The AMS framework emphasizes the need to:
- Understand that some loss of data from mobile systems is acceptable to enable modern business practices.
- Minimize systemic risks (i.e., reducing the chances of staff resorting to unsecured communication platforms or workarounds).
Aimed at organizations facing threats from highly sophisticated adversaries, such as nation-states, AMS accepts the reality that these attackers will spend considerable resources attempting to breach systems, using tactics like zero-day vulnerabilities and social engineering over extended periods.
To facilitate secure mobile operations amid these threats, AMS follows several key principles:
1. Trust No Device
We operate under the assumption that any individual mobile device may be compromised, putting the information on it at risk and potentially creating an attack vector into the mobile infrastructure. Organizations must acknowledge this risk when deploying mobile devices, as any protective measures will be inherently limited.
Networks should be constructed with the understanding that device compromises might occur, focusing on safeguarding other devices and data in such scenarios.
2. Safeguard Core Networks and Services
Assuming that an attacker may breach any server accessed by mobile devices, it is essential to establish a strong boundary between the mobile infrastructure and the core network to thwart attackers from compromising the latter.
3. Avoid Data Aggregation in Mobile Infrastructure
Given the likelihood of mobile networks being compromised, it is crucial to prevent any point within the mobile infrastructure from storing or aggregating sensitive data in plaintext. This principle applies to both data being transmitted and stored on servers.
The AMS Architecture
We have designed the AMS architecture to support secure mobile working under the outlined threat and risk framework. Key features include:
- Maximized protection for consumer mobile devices.
- Prevention of data aggregation within the mobile infrastructure.
- Strong protections for core systems using hardware-backed, cross-domain technology.
Currently, we are preparing detailed architectural guidelines along with risk advice. Recognizing that every organization has different requirements, AMS does not follow a one-size-fits-all model. We provide tailored options and clarifications on additional risks associated with deviations from the architecture, empowering organizations to make informed risk decisions to meet their unique business needs.
Below is a concise overview of the essential components of the AMS architecture.
Device Protection
User devices are controlled through a Mobile Device Management (MDM) system to ensure that only necessary applications are accessible. Apps that connect directly to the internet should not be used; web access goes through remote browser isolation gateways instead.
We implement meticulously designed MDM configurations and occasionally utilize cross-domain technology to secure the device fleet from compromise.
Efforts are underway to address risks associated with baseband (radio stack) attacks on devices.
Data Protection on Global Networks
While we ultimately aim to support NCSC-evaluated high-grade cryptography, current technological limitations may restrict this, especially in areas with network connectivity challenges. Therefore, we employ the best available commercial technology to safeguard data in line with the broader AMS risk framework.
Border Protection
Using public cloud service capabilities and carefully defined monitoring rules, we aim to minimize the risks of DDoS attacks on data centers and identify malicious activities.
We recommend utilizing high-grade or ephemeral VPN terminators to mitigate the risk of internet-based attacks.
Remote Access Zone Defense
The remote access zone encompasses the infrastructure between the internet and cross-domain gateways protecting core systems. We design our patterns around a highly ephemeral DMZ, ensuring limited persistence across sessions to hinder attackers from maintaining access, thereby reducing the potential for bulk data theft.
Additionally, multiple layers of cryptography are used to prevent information leaks due to infrastructure compromises.
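The layering described above, and the earlier principle that no point in the mobile infrastructure should hold sensitive data in plaintext, can be illustrated with a small model. This is an added example, not NCSC code and not the cryptography AMS actually deploys: it uses a toy encrypt-then-MAC scheme built from HMAC-SHA256, and assumes a two-hop path (device, VPN terminator in the remote access zone, core gateway) with one key per hop.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of AMS's layering principle, NOT the cryptography AMS
# deploys: a toy encrypt-then-MAC scheme built from HMAC-SHA256. The two-hop
# model (device -> VPN terminator in the DMZ -> core gateway) is an assumption.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verifies the tag before decrypting; anything altered in transit is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def device_send(k_core, k_vpn, message):
    # Inner layer keyed to the core gateway, outer layer keyed to the VPN terminator.
    return seal(k_vpn, seal(k_core, message))

def dmz_forward(k_vpn, wire):
    # The remote access zone can strip only the outer layer. What it forwards is
    # still ciphertext, so a compromised terminator has no plaintext to aggregate.
    return unseal(k_vpn, wire)

def demo():
    k_core, k_vpn = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"constructed sample: draft minutes, not for onward release"
    inner = dmz_forward(k_vpn, device_send(k_core, k_vpn, msg))
    return msg not in inner and unseal(k_core, inner) == msg
```

A terminator that only holds the outer key cannot unwrap the inner layer, and any modification it makes to the inner blob fails the core gateway's integrity check.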
Protection of Core Networks and Systems
Though not all secure mobile systems must access corporate services like email and messaging, when they do, we utilize cross-domain solutions built on hardware (FPGA)-based gateways to thoroughly inspect incoming data for core networks. This approach protects against both network and content-based attacks. For further details, refer to the NCSC blog on cross-domain security.
User identity is managed using public key cryptography, alongside release controls that limit what sensitive data may leave core systems.
Assume Compromise
Given the nature of secure mobile environments, it is prudent to assume that compromises will occur periodically. Treating this as realism, rather than as a security failure, is the point: failing to acknowledge these risks indicates a lack of understanding of the existing threats. A well-architected and monitored system should manage limited compromises without catastrophic outcomes, allowing for a balance between risk and the benefits of mobile work.
The AMS monitoring strategy facilitates rapid detection of compromises to ideally avert data theft, and its architecture is designed for quick redeployment following breaches.
Current Deployment of AMS
We have laid down the architecture and risk models required for AMS, and much of the necessary technology is either licensed to government bodies or in the process of being made available. We are finalizing documentation on risk and design guidance.
A managed service based on AMS is currently available to government enterprise employees, with plans to extend AMS technologies and patterns to other sectors, including critical national infrastructure.
The development of AMS involved years of research, government funding, and collaboration with numerous organizations and experts. We express our gratitude to all contributors involved thus far.
Stay tuned for more updates on the NCSC website in the coming months. In the meantime, engage with AMS technology providers at CYBERUK 2024 or contact the NCSC for additional information.
Chris P
Security Architect, NCSC
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/advanced-mobile-solutions-update