Advanced Mobile Solutions (AMS) guidance trailer

Access to work resources via mobile devices or tablets while outside the office has become a common practice for many businesses in recent years. However, organizations that manage highly sensitive data and systems are often unable to adopt these practices without facing considerable security risks.

In response to these challenges, the NCSC has introduced ‘Advanced Mobile Solutions’ (AMS). AMS encompasses a risk model alongside a set of architectural patterns and associated technologies that enable high-threat organizations to remain connected securely while on the move.

This blog examines what AMS entails and the potential benefits of its implementation. Additionally, we invite you to engage with us at CYBERUK 2024 to learn more.

Challenges of Securing Mobile Devices

Historically, governments have produced custom secure phones to enhance security. However, this approach is increasingly impractical; today’s users demand a seamless experience akin to that of their personal devices. Designing a bespoke, secure phone that meets user expectations and remains current would be prohibitively expensive, necessitating the use of ‘consumer-grade’ devices.

Nevertheless, this shift introduces a series of challenges:

  • Across the government, ‘high-grade’ cryptographic appliances safeguard our most sensitive communications. Unfortunately, applying a similar strategy to consumer-grade mobile devices is not feasible with current technology.
  • Consumer-grade devices are highly advanced and complex, which can lead to vulnerabilities, as evidenced by incidents like the Pegasus malware attack. While most consumers might not need to worry about these vulnerabilities, high-threat organizations face significant risks as capable attackers may exploit unknown vulnerabilities and leverage them discreetly.
  • Compromised devices could be exploited to target services that the user is authorized to access, such as email servers, thus giving attackers a route into critical infrastructure.

The objective is to create a risk management model and architecture that acknowledges the following:

  1. Individual mobile devices and their accessible data may occasionally be compromised.
  2. Efforts should focus on protecting entire fleets of devices from being compromised.
  3. Compromises must not jeopardize bulk data security or threaten sensitive systems’ integrity.

The AMS Risk Framework

To implement AMS, organizations must embrace the foundational risk model and be confident in their ability to manage these risks effectively.

The AMS risk model emphasizes the need to:

  • Accept potential data loss from mobile solutions to facilitate modern business practices.
  • Mitigate systemic risks, ensuring staff do not resort to less secure communication methods or other insecure workarounds.

Aimed at organizations facing threats from highly capable adversaries, including nation-states, AMS assumes that these attackers will devote considerable resources to compromising systems. Techniques may include exploiting zero-day vulnerabilities, social engineering, and other strategies to gather information or disrupt operations.

To enable secure mobile operations against such threats, AMS adheres to several key principles:

1. Trust in Mobile Devices is Limited

It must be assumed that individual mobile devices can be compromised, information on them may be at risk, and that they could serve as points of access into mobile infrastructures.

This risk must be accepted for mobile deployment, as any protective measures will be inherently imperfect.

Networks should therefore be architected with the assumption that devices may be compromised, ensuring protections are in place to safeguard other devices and data during such events.

2. Protect Core Networks and Services

Under the assumption that an attacker can breach any server that devices connect to, a strong barrier is essential between mobile infrastructures and core networks. This boundary must block access to the core from fully compromised mobile systems.

3. Avoid Data Aggregation of Sensitive Information

Given that mobile networks will likely be compromised, it is crucial to prevent any part of the mobile infrastructure from storing or transmitting sensitive data in plain text.

The AMS Architecture

To support secure mobile work, the AMS architecture is designed to:

  • Maximize protection for consumer mobile devices.
  • Ensure that sensitive data is not aggregated within mobile infrastructures.
  • Implement robust security measures for core systems through hardware-backed, cross-domain technologies.

We are in the process of developing detailed architectural guidance along with risk management advice. As organizations vary, the approach to secure mobile solutions cannot be a ‘one size fits all’ model. Different options or explanations for additional risks involved when deviating from the architecture will be provided to facilitate informed decision-making relative to your business requirements.

Highlighted below are the primary components of the AMS architecture:

Device Protection

User devices will be managed via a Mobile Device Management (MDM) system that restricts access to necessary applications only. Internet-enabled applications should be used exclusively through remote browser isolation gateways (termed ‘browse down gateways’ in government).

Carefully structured MDM deployment configurations will be employed, sometimes incorporating cross-domain technologies to shield the device fleet from potential exploitation.

Efforts are underway to enhance devices to counter baseband (radio stack) attack threats.

Data Protection on Global Networks

While our ultimate goal is to employ NCSC-evaluated high-grade encryption technology, current limitations render this unfeasible for certain scenarios, especially when users may find themselves in areas with restricted connectivity or blocked protocols. As a result, we utilize leading commercial technology solutions to protect data appropriately within the AMS risk framework.

Border Protection

We harness the scale of public cloud services alongside rigorous monitoring frameworks to mitigate the risk of DDoS attacks on data centers and to help identify malicious behaviors.

High-grade or ephemeral VPN terminators are recommended to lower the risk of internet-based attacks.

Remote Access Zone Protection

The remote access zone is defined as the structure that lies between the internet and cross-domain gateways safeguarding your core systems.

Our design philosophy focuses on making the DMZ highly ephemeral, so that minimal services or user data persist across sessions. This ephemerality makes it harder for attackers to maintain prolonged access and diminishes the risk of bulk data theft.

We employ multiple layers of encryption to safeguard against information leaks due to potential infrastructure compromises.
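The layering principle described above, as an added illustration that is not NCSC code and does not describe the AMS implementation: a device seals a message for the core system (inner layer) and then wraps it again for the VPN terminator in the remote access zone (outer layer). The terminator holds only the outer key, so a fully compromised terminator can peel its own layer but still sees ciphertext, and any tampering with the outer layer is detected before forwarding. The cipher is a constructed stand-in built from HMAC-SHA256 (a counter-mode keystream plus a MAC) so the example runs with the Python standard library alone; a real deployment would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305, and the key names and message are assumptions.

```python
"""Layered encryption across an ephemeral remote access zone (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256; 0x00 prefix separates
    # keystream inputs from tag inputs so the two uses never collide.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = b"\x00" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    # Encrypt-then-MAC: output is nonce || ciphertext || tag.
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def device_send(inner_key: bytes, outer_key: bytes, message: bytes) -> bytes:
    # Inner layer: readable only by the core system behind the cross-domain gateway.
    inner = seal(inner_key, message)
    # Outer layer: readable by the VPN terminator in the remote access zone.
    return seal(outer_key, inner)


def terminator_forward(outer_key: bytes, wire: bytes) -> bytes:
    # The terminator peels its own layer only. A compromise here yields
    # the inner ciphertext, never the plaintext, because it lacks inner_key.
    return unseal(outer_key, wire)


def core_receive(inner_key: bytes, forwarded: bytes) -> bytes:
    # The core removes the inner layer and recovers the message.
    return unseal(inner_key, forwarded)


def plaintext_exposed_at_terminator(inner_key: bytes, outer_key: bytes, message: bytes) -> bool:
    # Defender's check: does what the terminator handles ever contain the message?
    forwarded = terminator_forward(outer_key, device_send(inner_key, outer_key, message))
    return message in forwarded


if __name__ == "__main__":
    inner_key = secrets.token_bytes(32)   # assumed device<->core key
    outer_key = secrets.token_bytes(32)   # assumed device<->terminator key
    msg = b"constructed sample: quarterly figures"
    wire = device_send(inner_key, outer_key, msg)
    forwarded = terminator_forward(outer_key, wire)
    print("terminator sees plaintext:", msg in forwarded)
    print("core recovers message:", core_receive(inner_key, forwarded) == msg)
```

The check worth carrying into a real design review is the one in `plaintext_exposed_at_terminator`: every component in the remote access zone should be able to do its job (terminate, route, rate-limit) without ever holding a key that decrypts user data destined for the core.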

Core Networks and Systems Protection

While not every secure mobile system requires access to enterprise resources like email and chat, when they do, we integrate cross-domain solutions that leverage hardware (FPGA)-based gateways to thoroughly vet all data entering core networks, thus protecting against network and content-based attacks. Additional information can be found in the NCSC blog on cross-domain security.

User identity is managed using public key cryptography, along with strict access control to minimize the risk of sensitive data exfiltration from core infrastructures.

Assumption of Compromise

Due to the intrinsic nature of secure mobile systems, one must consider the likelihood of periodic compromises. This recognition may appear as a security failing, but it is crucial realism. Assuming otherwise suggests a fundamental misunderstanding of existing risks. A well-architected and monitored system will not face catastrophic consequences from limited compromises, and these risks can be balanced with the operational advantages of mobile functionality.

AMS’s monitoring strategies aim for swift detection of compromises, ideally preempting data theft. The architecture of AMS is also designed for rapid redeployment to recover from security breaches.

Deployment of AMS

The architecture and risk frameworks for AMS have been developed, and much of the essential technology is now licensed for government use, with documentation for risk and design guidance nearing completion.

A managed service based on AMS has recently become available for enterprise users throughout the government, with plans to extend AMS patterns and technologies to other sectors, including critical national infrastructure.

Years of research and development, funded by multiple government departments in collaboration with various organizations and experts, have culminated in AMS. We extend our gratitude to all contributors to this initiative.

Further updates will be posted on the NCSC website in the upcoming months. In the meantime, you can engage with AMS technology providers at CYBERUK 2024 or reach out directly to the NCSC for additional information.

AMS Deployment

Chris P

Security Architect, NCSC

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/advanced-mobile-solutions-update
