Episode 12

Mobile Platform Security

About This Episode

Podcast Episode 12
March 11, 2025 - 50 mins

Mobile devices have become an extension of ourselves, seamlessly integrated into our daily lives like never before. But as we prioritize convenience—wanting our devices to “just work”—we often overlook security. This episode dives into the growing cybersecurity challenges that come with mobile adoption and what individuals and organizations can do to stay protected. We’ll go over:

  • Why reliance on convenience creates security vulnerabilities (hint: it isn’t primarily vulnerabilities in the technical sense, more in the human sense)
  • Key technical and compliance components driving mobile device security
  • Technologies organizations can leverage to balance security and usability

Podcast use is subject to Kratos Terms.

Episode Transcript

Cole French:

The rapid adoption of mobile devices is exposing the human problem in cybersecurity. Mobile devices more than any other kind of device are becoming a part of us with a level of integration never before seen. We focus on convenience and want our devices to just work, which is often at odds with good security. Join us as we talk about both the technical and compliance components necessary for secure mobile device use.

Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.

In the not-so-distant past mobile devices in the workplace were used for what now seem like old-fashioned activities, checking email, calling people, and maybe texting colleagues or clients occasionally. Those of us of a certain age, or older, remember the days of the BlackBerry, where you typed on an actual keyboard. Those days have disappeared so fast it seems like ancient history. The expansion of mobile device capabilities along with the fact that we’re all connected all the time is forcing organizations to reckon with their approach to mobile devices. Different than traditional hardware like a desktop or laptop, mobile devices are more and more becoming part of us. And when something functions as part of us, we’re inherently less secure, because we’re focused less on the function and more on the outcome, convenience and ease of use.

Joining me on today’s episode is Matt Stern, CEO of Hypori. Matt is an experienced cybersecurity executive leader in both the public and private sectors. Matt led professional services for a premier cyber threat intelligence company in the United States Computer Emergency Readiness Team. He was also the program director for system engineering, design and deployment of the National Cyber Protection System, and the deputy CIO for the largest ever deployed military communication system supporting 150,000 Operation Iraqi Freedom II soldiers. Matt is a retired and decorated 22-year U.S. Army combat veteran whose service culminated in command of the Army Computer Emergency Response Team.

During today’s episode, we’ll talk about both the benefits and challenges mobile device use has brought into our operating environments. Additionally, we’ll also discuss the unique compliance challenges specifically around FedRAMP Moderate Equivalency and CMMC. We hope you enjoy this episode.

Matt, thanks for taking the time to join us this afternoon to discuss this important topic, and that is the topic of security around our mobile platforms and devices. So, let’s jump right into it. First question, what are the primary security threats that mobile devices introduce into our environments?

Matt Stern:

Well, first of all, Cole, thanks for having me. It’s great to be here. This is a very important topic. As you know, our company, Hypori, is all about mobile security. That’s our number one thing. So, one of the, or at least top of my list for primary security threats is attack surface increase. What I mean by that is, when you introduce mobile devices into your infrastructure, whether it’s a bring your own device, BYOD, or something that you fully manage, and control and own, you’re increasing your attack surface. So, not only do you have to worry about all the systems that you currently own and use, like your laptops, or desktops and everything else in your infrastructure, but companies that employ mobile device policies and actually bring mobile devices in have to worry about, “Now, I’ve got to control inventory, manage all these other systems”, and it creates a large burden on an already taxed normally IT and IT security team.

So, I think it’s not really so much as a threat as now you got to worry about all these other devices. In a lot of cases you’re talking about, if it’s a bring your own device scenario where you’re going to allow employees, say for instance, to bring in their own smartphones or tablets, and access to check email and do those kinds of things that are short-lived, not necessarily a full workload, but something that’s a short-lived thing like that, well, you have to worry about do they even have security on their device? Do I have to worry about, is that device compromised? And then can that compromise then connect into my infrastructure and create a vector into my infrastructure, and my services, and my resources and everything else associated with it? So, that becomes, obviously, an issue.

Then making sure things are configured, that’s a great challenge for all CISOs and IT teams out there is, “Did I configure the systems correctly? Are my policies actually getting enforced on the distant devices, wherever they might be?” And obviously from a remote workforce point of view, that’s a huge endeavor itself.

Then the last thing, there’s some attacks that are really prevalent in the mobile space that maybe we didn’t run into as much in the past with laptops, even though these technologies are on laptops, but near-field attacks like Bluetooth or even Wi-Fi, which I think people will connect their phones and tablets to, maybe networks that they wouldn’t necessarily connect their laptops to, or inadvertently they don’t even know that they’ve connected and that they’ve now introduced that attack vector into enterprise or infrastructure. So, from our perspective, that’s where we concentrate is, reducing that attack surface into an area where we can fully control and manage and monitor the devices when I’m talking about in the case of Hypori.

So, that’s my thoughts on what are the primary security threats related to mobile devices.

Cole French:

To your point about those threats, I think an important thing to keep in mind, at least something that I always think of when it comes to mobile devices is, mobile devices, I think exactly like you said, it’s not so much that there’s new attacks or new threats per se. I think it’s the way in which we use those devices. We tend to use mobile devices sort of like we function as people. So, we don’t put a, like you were mentioning about the Wi-Fi, inadvertently connecting to a Wi-Fi network. I don’t really look at my phone all the time to see, “Oh, what network is it connected to? How is it behaving?” It’s almost like a device that just behaves as an extension of me, whereas a laptop or a server, that’s a device that has a very distinct physical property and, for whatever reason, we treat that differently, or it’s easier for us to treat that differently versus mobile devices.

Matt Stern:

To add on that, if you don’t mind, I think about as an extension, how many times when you look at your phone do you go, “Do I really need Bluetooth on right now?” Or, I was just using my AirPods, or my Bluetooth earphones, or whatever and now I don’t really need them, or I’m not using them, or not connected my car, I need to turn this off. You’re right. We don’t think of those things. We don’t think, “Hey, did I turn Wi-Fi off?” We just leave it up and running, because it’s convenient and we don’t want to have to remember, or we get frustrated when we can’t connect to something and go, “Why am I not connecting? Oh, because my Bluetooth is off”, whatever. So, I agree, that’s a great point.

Cole French:

Then there’s the old… I think this happens to everybody, the old, “I’m going to turn off Bluetooth”, or “I’m going to do…”, fill in the blank, and then we open up our phone and immediately there’s something else that distracts us, or we sit there and go, “Why did I open up my phone? I can’t even remember.” I do that all the time.

With that in mind, what are some solutions out there, or do you have a particular solution? I know Hypori is a product that you’re going to talk a lot about here. So, do you want to take a moment and go into what are the solutions to this problem of mobile devices and bringing mobile devices into our computing environments?

Matt Stern:

Sure. I think, obviously, coming from Hypori and being the CISO for Hypori, I think we solve a lot of problems for the mobile device community. So, if people aren’t familiar with Hypori as a product, we take the old thing called client, or we call it virtual mobile infrastructure, which is very much like virtual device infrastructure, or things that are more like Citrix and VMware of the past, but it’s specifically targeting the mobile community. And we offload all of the security controls and everything into our environment, so that the only thing that’s on the device is encrypted pixels. In essence, your touchscreens get sent to the backend infrastructure and what you receive back is just the pixels over encrypted mTLS tunnels that allow that to occur. So, what that does for you is that from a zero trust point of view, and I’m a big fan of zero trust technologies that do this, is, we don’t care what happens to the device. In fact, if the device is compromised, we won’t allow you to connect into the infrastructure. We have that built into the system.

So, having those kind of technologies, where, from a company’s point of view, if you’re going to extend your enterprise out, you want to extend it out to maximize effectiveness and usefulness of the tool for your employees, but you don’t want to extend the attack surface and you certainly don’t want the risk of, say, data loss on those devices, or anything being exposed out to that mobile device. So, I think any kind of technologies that support that I think are essential to doing, especially when you’re talking about bring your own device technologies, you absolutely don’t want to rely on the technologies today to secure the mobile device.

To be frank, I think a lot of the mobile device management solutions that are out there today have security holes in them. I mean, it is part of anything that you put on a device, it ends up having to worry about the security of the device, what’s the latest and greatest threat that’s going to come after and compromise the device. And we concentrate on just making sure that we can attest that the device hasn’t been compromised and we have ways to do that. And if it is, we won’t connect. But if you have to worry about every CVE, every single flaw of all of the apps and all of the capabilities that are on that system, you’re going to be playing whack-a-mole with a system that you don’t even control. And I think that becomes really, really tenuous for anybody to manage, let alone a device that technically is out of your enterprise control, or only a piece of it is inside of your enterprise control.

There’s some other technologies that we partner with, companies like Zscaler that manage the backend and they help secure the access to the enterprise, identity access management companies like Okta, and others that we partner with to help manage our identity and access control for the users.

I mean, a true zero trust architecture is going to incorporate all kinds of technologies to make sure that at every layer of access to that enterprise, you’re monitoring, you’re controlling, you’re trying your best to secure that interface to ensure that you do your best to protect your resources. Obviously, nothing’s perfect, but I think if you get as much of that defense-in-depth architecture or zero trust architecture in place really, really helps move the needle towards a more secure environment that you can have a lot more confidence in and just letting anybody connect into the environment and run amok.

That’s my take on that. I think there’s a lot of great technologies. Obviously, I’m a big fan of ours, but I think there’s a lot of other technologies that nest nicely together to create that true zero trust architecture for enterprises to take advantage of.

Cole French:

You mentioned mobile device management solutions, which those are, I guess, I feel like we see them a lot at organizations, but I tend to agree with you that I don’t know so much about the technical holes in them, or vulnerabilities, if you will. But I can see the operational challenges with them just because there’s limitations and they’re disconnected from the device. I think what you’re talking about is unique in the sense that it is resident on the device. It’s something that’s pushed out to the device, whereas I feel like mobile device management sometimes we’ve seen a disconnect with the devices and the actual mobile device management platform. That’s one thing I can think of. Are there any other items that you would mention in that regard in terms of what are potentially, I guess, the weaknesses with mobile device management solutions? Anything else you want to mention specifically?

Matt Stern:

Sure. Whenever you put a human in the loop, so if you’re doing any kind of management of any system, you can always have misconfigurations, or… Heck, I mean, anytime you update a system, how many times have you seen a system update fail because lack of connectivity or the bandwidth, you were on a high latency link, or whatever, that being connected… I mean, obviously, our product doesn’t work if you’re not connected and we truly are taking advantage of all of the network infrastructure, 5G, 4G, whatever. But if you’re not connected and you don’t get the right messages down to that end user device, then you don’t know whether or not the next time they connect, whether they’re doing it in compliance or not. Now, obviously, there are some mechanisms to put in place that, hey, you interrogate the device, it connects in. And if it’s not properly configured, maybe you put it in purgatory until the end user gets it fixed. But to your point, all those things have to be configurations that have to be monitored. Once again, it just increases that burden on an already stressed out IT team.

I mean, I know in our company, we have lots of different enterprise services, websites that we interact with, resources and everything else that we manage. And we also manage it on a corporate network in a, we call it our CMMC network, so that we can manage and control and protect our CUI when we interact with the federal government.

So, in those two cases, do I issue everybody two laptops because I have two different environments now, or what’s my other recourse to be able to extend all my services and everything else that I need to to my employees? How do I do that securely? It becomes this increased burden now because now I, as a company, have a commercial side and a federal side, and I have to protect both. So, using Hypori, I can actually have some of my employees using commercial systems, but they can connect using our virtual mobile infrastructure technology into a COI cloud and be able to interact with the government, or supporting army networks, or army customers, or our Air Force customers. We can do all that using this idea of virtual mobile infrastructure, and it really allows us to be a lot more agile and effective in managing our data, ensuring it doesn’t mix between networks and it doesn’t violate any of the compliance that we have to related to our FedRAMP High, IL5 and obviously SOC 2 for commercial and CMMC.

All those things we have to negotiate, and it gets to be pretty confusing quickly. So, anything you can find that helps you maintain compliance, be secure and reduce some of your burden, I think is always a positive thing, and that’s something I think we do pretty well.

Cole French:

Now you mentioned CMMC, and I’ll add just from our perspective, CMMC is a lot of what we do here at Kratos. What we’ve seen in conducting assessments on the one hand and also helping organizations get ready to go through their assessments, I think of the Hypori solution as an enclave essentially for mobile devices. I think across the board what we’ve seen is the enclave approach while maybe not necessarily scaling for every organization, depending on size, but it doesn’t take much in terms of the size of an organization to make that enclave worth it, or at least the enclave approach, the enclave mindset if you will, where, “How do I make it such that my users can access these different things that they need, but without giving them multiple devices?”, all that kind of stuff. So, a lot of what we see more on the traditional computing side is virtual desktop infrastructure, and I think this, the Hypori solution, fits right in with that.

Matt Stern:

Yeah. I mean, our approach as a company, we started down the path of, we’re going to have two laptops. And in some cases, we kind of need that because maybe we’re uploading code, or we’re working on files that necessarily don’t fit well in the virtual desktop environment. But we are moving more and more to that. Obviously, we use our own technology within our company. So, if you look at my phone, I have four different accounts because I have access to our army customers, our CMMC, our commercial test accounts, things of that nature, and I can do it all from one device. And that, to your point, if I can, once again, rather than carrying four cell phones… We run into customers all the time and folks out there that are frustrated, because they want to separate their corporate account from their personal stuff. So, they will buy… In some cases, we’ve met people who will buy a separate phone on their own that they’ll only use for work in a BYOD setting. They don’t want to have any connections between their corporate and private environments, and I understand that.

I think Hypori does that pretty well in being able to manage that privacy and that full separation, because we absolutely don’t care what’s on the device. You can do whatever you want on it. The only thing we watch for, it’s just a few attestations that allow us to monitor whether or not this system’s been rooted or jailbroken. But other than that, we’re not reading email, we’re not doing any of those things that technically some of the other management solutions out there can do. It just is part of it.

Cole French:

Yeah. I think as much as we can, like you’re describing, separate the user and the device that they’re using to access our environments while maintaining security, the better off we are. I think from a user standpoint because, like you said, I don’t want to carry around four laptops. But then also from a security perspective because we maintain that control over the security of the environment. And by separating that, I guess, if you will, user layer from the presentation layer on down, we achieve security while also being able to scale for our users.

Matt Stern:

Sure. Sure. It’s a tough problem right now, but I think there are some elegant solutions out there. And like I said, combination of products. I always am wary of a product that comes in and says, “We do it all.” I don’t care what it is, because it’s normally not true. It’s a combination of different technologies that you can pull together to create an architecture, zero trust architecture. I’m a big fan of that. And an enclave approach is one of those approaches to zero trust that works really well, and we fit nicely into that scheme.

Cole French:

Yeah. We say the same thing in compliance, be wary of those who tell you they can do all your compliance, and do it all for a small amount of money, or they can give you sort of a one-size-fits-all thing. You’re exactly right, whether it’s technology, process, whatever it might be, it’s very rarely is there, A, a one-size-fits-all solution and, B, really an easy solution. It takes a lot of pieces, a lot of technology, a lot of human effort as well.

You mentioned compliance, like I said already, CMMC, but you also mentioned FedRAMP, SOC 2. So, I know FedRAMP equivalency is something that’s been, as it relates to CMMC, and I believe your product is FedRAMP authorized. So, how are you seeing the FedRAMP equivalency issue play out for products like yours when we’re talking about working in the CMMC space, for instance, since FedRAMP equivalency, that’s primarily where we’re seeing it applied currently?

Matt Stern:

It’s an interesting topic. We have a lot of firsthand experience in dealing with FedRAMP equivalency because we believe our product… I mean we’re using it for our own CMMC compliance internally. So, the issue becomes when the DoD CIO’s office put out the memo, the CMMC office put out the memo about FedRAMP equivalency, and they talked about, “Any of your CSPs that you use that are going to store process or transmit the CUI data are going to have to be FedRAMP Moderate equivalent.” So, Hypori is unique, where our first customer was the Army. So, we went agency only into the Army, and Army sponsored us through our IL5. The Army G-6 actually sponsored us through our IL5, our DoD Cloud Computing Security Requirements Guide, impact level five authorization, provisional authorization. And then subsequently we have an ATO with the army and now the Air Force. Originally, it was FedRAMP Moderate. And when they changed the rules, we were assessed at FedRAMP High.

So, we did all that before we got our FedRAMP High authorization. In fact, the Army sponsored us then. And it changed, the DISA had sponsored us into FedRAMP, where we’re waiting for our authorization. So, we’re in finalization, but we haven’t fully crossed the line there. So, we’re kind of in this limbo status of we’ve already been assessed, which is what the equivalency memo says, but we’re not in the marketplace authorized. So, we went back to the DoD CIO’s office and we said, “Hey, we’ve been assessed. You guys approved us. The Army’s using us. We’re doing all this. So, now, what’s our status? Can people use us?” So, finally, after a few months of going back and forth with the DoD CIO’s office, we got an email basically saying, “You guys are good to go. We believe that since you’ve met all the requirements for IL5 and FedRAMP High, which means the DoD addendum extends the controls above and beyond the FedRAMP High environment, you’re authorized to have DoD CUI data in your environment and people can use that.”

Now, here’s the kicker of all these discussions we’ve had with customers, and with the DoD, and FedRAMP and everything is, okay, so my sponsor, so our environment, that environment that’s assessed, is connected to the BCAP and the NIPRNet. And therefore, I can’t put a CMMC, like a regular DIB member, into that environment, because it’s connected to the BCAP. So, I have to then change my trajectory for my networking and everything else to get it out to the internet, which they don’t want. So, I have to have an equivalent environment sitting right next to it in AWS GovCloud. Then the expectation from the customer is that I’m sitting there right next to the DoD. And what the reality is from FedRAMP and from all the powers that be is, oh, you can put them right next to them, and using infrastructure as code in making sure the infrastructure and security controls and everything are exactly the same. And our 3PAO assesses all of that, that we’re in compliance.

That’s how we meet the equivalency requirements. But it is not clear because just see a whole bunch of confusion of, you’re talking to a customer and they don’t understand the difference between their requirement for CMMC and my requirement to meet the FedRAMP High standards and the 3PAO audit that assessed us at those standards. So, CMMC is 110 controls of which very few are talking about our infrastructure. And then we are sitting at the FedRAMP High with over 400 controls, and it’s been really crazy. I just wish instead of the equivalency they just authored, said, “Hey, put them in FedRAMP. It’s fine and you’re good.” You know what I mean? Because it depends on your sponsor. If you don’t have a sponsor that’s going to allow you to put that customer in their environment, then it’s got to be an equivalent environment. That’s the kicker that I think is very confusing for customers.

Hopefully, I didn’t confuse you, but that’s the dilemma that we’ve been wrestling since we started this journey I think three years ago as we built our infrastructure, and got it approved by the powers that be, and that we’re now sitting here years later talking to other customers and making sure that we use our shared responsibility matrix to ensure they understand what we’re going to cover and what they inherit from us. And all the vendors do this. Then they still have to do access control into our environment. They control that. We don’t, but we put the mechanisms in place for them to be able to do that.

So, I think that’s some of the nuance that becomes really, really interesting as we move forward in this. And obviously, we’re all coming across new ground. It was really interesting when we first started our IL5 journey a few years back. And with Kratos’ help as our 3PAO, we discovered that I think we were maybe the 15th, somewhere between 15th and 20th IL5 authorized CSO. Hypori is sitting between IBM and HP. We’re a tiny little company and it’s crazy, but it’s been a learning process for us, for sure.

Cole French:

I definitely want to come back to the email letter that you got from the DoD CIO but just to talk about the FedRAMP equivalency thing, I completely agree with you. We’ve said from the beginning on our side that… So, the issue dates back to the DFARS rule says, “FedRAMP Moderate, or equivalent”, and that “or equivalent” phrase has always caused a lot of problems because, well, what does equivalent mean? And it wasn’t defined. So, if you were moderate authorized for the most part, you could say you meet that requirement. But then it became, “Well, what if I meet all the controls for FedRAMP, but I just don’t have a FedRAMP authorization?”, which like you mentioned, can be difficult because you need to get an agency sponsor and not everybody can get a sponsor. That can be challenging.

So, they came out with the memo. I think we were all optimistic that it would clear this up. In a way, it did, but instead of just taking the hard line that FedRAMP Moderate or higher authorization was the standard. They tried to create this other pathway, which, I mean, I understand, but they made that path so difficult. I don’t even necessarily mean difficult, but it’s actually more difficult I think than going through an assessment that it really is like, “Hey, you got to be FedRAMP Moderate authorized, or higher.” So, going back to what you guys got from the DoD CIO, you mentioned that it sounded like it took a little bit of time. Did it take a little bit of time just because things moved slow, or did you guys have to provide additional evidence? Did you guys have to go through a review? How did that work?

Matt Stern:

So, once we got our provisional authorization, and that was in ’23, July of ’23 for IL5, we started the conversation, because we knew we wanted to reach out… We had DIB customers that were coming to us and saying, “Hey, we like your technology. We really would love to use it. Do you have a FedRAMP authorized environment?” At the time, we only had IL5 and even though if you’re assessed FedRAMP High, there was no correlation between that assessment, the 3PAO assessment, and this idea that you’re in the marketplace. Well, that’s another journey. More money, more time, more effort. So, we reached out to the DoD CIO’s office originally and said, “Hey…” Because we had been in with the DoD CISO a couple of times to talk about our work with the Army, and future work with the Air Force and stuff, and making sure that we were meeting all the DoD requirements. In the process we got to know some of the people up there. So I just reached out to them and I said, “Hey, trying to figure out, based on this memo, do we meet that requirement?”

So, what we got back, I think three or four times, and I was doing it almost monthly, we got back these memos or email that would say, “Hey, we’re rewriting the FedRAMP equivalency policy memo and we’re going to change it. So, wait a minute.” “Okay.” So, we waited. And finally, it was last month I sent my habitual, I think it was quarterly letters, out. I got a response back, and they actually in very detail said, “No more assessments.” I mean, obviously, we go through the annual assessment. We’ve been assessed. We have our provisional authorizations. We have ATOs from the Army, and the Air Force and more coming from other organizations. So, it was like, “Okay, you guys obviously meet the requirements for FedRAMP High, because you’ve been through, and just were reassessed and you’re filing everything.” In fact, we just received our latest PA extension, so we’re extended now until 2027.

But anyway, they said, “Because of all that, you meet the requirements. Yes, DIB members are authorized to use your… Because you use infrastructure as code, that you guys can put them in an equivalent environment.” And we’re like, “Okay, great.” So, now we can share that with any of our customers and say, “Here’s the email we got from the DoD that says that you’re covered.” Because really it becomes a… I don’t want to be glib about this, but it kind of becomes a CYA exercise of, “Hey, you’re a supplier of this thing for us. I want to make sure that you’re not in the marketplace yet. I mean, you’re in finalization. So, I’m about to go through an audit. Am I good?” And without that email, they felt like they weren’t going to pass their audit, and one customer in particular.

So, that’s the journey we’ve been on. We didn’t have to go through another assessment. They used the assessment and the information that was already in file in eMASS, or eMASS records, and what we have on file with the FedRAMP program office. And they said, “You meet all the requirements.” So, that was a windfall for us as a small company to be able to say, “Yes, we have our own memo”, I guess, you could say. It’s obviously not a DoD memo, but it is from the CMMC office, and they’re basically saying, “Yes, you meet the intent of what we’re trying to do.”

So, I think, to your point, anytime we can clarify this, because, I mean, it’s involved enough to have to do the 110 security controls to meet your CMMC compliance without having to worry about, oh, did Hypori meet all the 400 requirements they have to meet for FedRAMP High, because that’s what we went after, not moderate. So, obviously, that’s a lot less, but…

Cole French:

So, was the equivalency essentially that you got, was that based on FedRAMP High or FedRAMP High and plus IL5?

Matt Stern:

FedRAMP High plus IL5. So, technically, we’re exceeding a standard by a lot, understanding that we don’t have a FedRAMP Moderate assessment. We have a FedRAMP High assessment. And they actually said in their memo, and I think they said FedRAMP Moderate plus. They understand that we did much more than FedRAMP Moderate, and that they’re very comfortable with the security controls and everything related. That was interesting. I’ve been a long time advocate of, why aren’t we extending out to the DIB partners access to these environments directly instead of coming up with making, if I want to do business with the DIB, I should go through a process, in my humble opinion, of being able to connect to a… I mean, we do coalition networks with our coalition partners. Why can’t we come up with a DIB network that we all enter into collectively, and that the government could fully monitor, and control and we just pay to play?

It just seemed like that would be a much better idea, and go through a lot of the things that we go to get access to the NIPRNet than what we’re currently doing with having all these companies have to attest, and do all their corporate networks and everything else, versus having a couple of systems that they have that interact with the government and all the rest of it. They can more or less try and maintain their corporate standards, or other standards like SOC 2, or whatever. It’s a lot to ask a company, I know, to do business with, but it’s an expense. I mean, we’ve spent millions upon millions of dollars on compliance in the company, and that’s really tough from a bottom line point of view of you’ve got to pay to play. And it’s a lot to ask, especially small companies to put this on them. Anyway, this is my two cents.

Cole French:

I think the impact levels especially should be some type of… And when I say impact levels, I mean the FedRAMP, IL authorizations, right? Those are DoD specific. So, it seems to me that there should be some type of, when it comes to FedRAMP equivalency… And maybe I’ve gotten the same thing actually that you mentioned. They reached out to me in response to an inquiry I had and said, “Yeah, they’re rewriting or redoing the equivalency memo.” And maybe this will be a component of it is, if I have one of the impact level authorizations and why it seems like that would be automatic FedRAMP equivalency regardless of the status of my standing in the FedRAMP marketplace.

So, speaking of FedRAMP, CMMC again, as far as you mentioned a bit ago in the differences between FedRAMP and CMMC, obviously FedRAMP being 400 plus controls and add impact levels, all of that, it can be a lot. CMMC on the other hand, not so much. So, what differences do you guys see from a FedRAMP versus CMMC perspective? Do you feel like FedRAMP takes care of everything or do you feel like there’s anything from a CMMC standpoint that stands out that organizations looking at solutions like Hypori should be aware of when they’re thinking about using it for CMMC specifically?

Matt Stern:

Well, I think there’s a lot more detail… Because FedRAMP is dealing with a cloud technology, and there’s a lot of detail on things like FIPS 140-2 encryption on, like in our case, our EC2s. So, our EC2 instances in AWS have to be encrypted and managed. And there’s nuances in FedRAMP that go to that level of detail that you’re not necessarily going to within the whole CMMC environment. So, it’s just a lot deeper dive into those security controls because it’s a much more complex system than technically worrying about whether or not you’re encrypting emails because, I mean, we don’t offer an email service that that’s what people connect to from our platform. But anyway, the point is, I think it’s just different set of controls. There’s still all the personal security controls you have to worry about, but we have to worry about privileged accounts and we also have to worry about a user’s accounts. We have different environments and infrastructure, like the AWS infrastructure is fully separated from our backend Hypori-specific infrastructure.

So, it’s all those nuances that you end up having to worry about and deal with in FedRAMP that you don’t in CMMC. However, I think what we’re seeing from all of our customers, in my opinion as a security guy, it’s refreshing to see them actually doing the due diligence and not… The zero trust is also, “hey, I want to see it. I want you to show me that you’re…” From a supply chain perspective, but also from an inheritance perspective, it’s very much an important thing for the CMMC customers to not trust their CSOs, and CSPs and go to them and say, “Hey, I, know that you say you’re encrypting my email”, or, “I know you say you’re encrypting whatever it is. Show me what you’re using for encryption, so I know and I know that I’m meeting my CMMC requirements.”

I think that’s really important that you just don’t take the word for it and ensure that any controls that you inherit, that you’re diving in and ensuring that your providers are giving you the right thing. I mean, we do audits of all of our vendors that we work with. So, if you’re an app and you’re running inside of our Hypori virtual workspace, which is a virtualized Android environment, every single app that’s in there has been vetted by my security team on top of the normal Google Play vetting that they do. So, I think it’s a little bit of nuances there of ensuring that your full supply chain is covered, because you don’t want to be the guy that’s releasing the plans to whatever next greatest jet fighter, or tank, or whatever is out there in the market and be in that point of, I guess, data loss in that environment.

So, I think that’s what I’ve seen in our interaction with our customers and from my personal point of view is, if you be diligent on your supply chain, and it’s okay. I mean, I don’t get my feelings hurt when I have a customer that’s asking us really hard questions about how we’re meeting a security control and ensuring that we have this whole conversation about equivalency. I’ve had numerous conversations with probably every single one of our customers to ensure that they understand where we sit, and that we’ve documented and provided any evidence that they want to see to make sure that they’re maintaining their compliance. It’s important. I mean, this is a pass-fail kind of thing, and it’s really important for their business that they meet those requirements.

Cole French:

Yeah. We like to say that the CMMC has not actually introduced any new requirements from a security or implementation perspective. It’s, like you mentioned, it’s that third-party external assessment validation that you are actually doing what you say you’re doing. Because as we’ve seen the security around the supply chain, particularly as it relates to data, and like you mentioned, I think for those of you out there, the difference between FedRAMP and CMMC, or one way to look at it is, FedRAMP covers the whole CIA triad with its security. So, confidentiality, integrity, availability. Whereas CMMC is more focused on the confidentiality of data. That’s, again, like we’re talking about supply chain, the biggest thing with supply chain is, we have information passing from one organization to another, or many organizations.

Really the biggest thing with that is, we want to maintain the confidentiality of that data. So, that’s why CMMC is focused on the confidentiality. But again, no new requirements from a security perspective, but we do need that level of rigor that we get from third-party assessments, and people coming in, and asking hard questions and really validating that the security is implemented as folks say it is.

Matt Stern:

Yeah. I think the one thing they did add is, at least for me it was new, is the whole privacy requirements now that we have to provide. When we did our work with the Army, we always had a privacy impact assessment, because that’s one of their requirements. But now FedRAMP’s bringing privacy to the forefront and making sure that’s part of your FedRAMP assessment, is your things related to privacy. That was new. Actually, that’s becoming obviously more and more prevalent.

Cole French:

Yep. I know. I believe that was one of the revisions in Rev.5 was a significant beefing up of the privacy controls.

Matt Stern:

Yeah, like we don’t have enough. Anyway.

Cole French:

Yeah. Just what we need. More controls, as we say.

Matt Stern:

More controls. Yeah.

Cole French:

As we wrap things up, I want to circle back to one thing you mentioned around the shared responsibility matrix, which is a key component of, if I’m an organization and I’m leveraging a solution like Hypori, what is my responsibility? So, if you just want to take a minute, again, as I said, as we wrap up, and just talk about that shared responsibility matrix, the importance of it? And then also from a Hypori perspective specifically, we’re talking about, how do we make it easier on our end customers or contractors? If we’re thinking from a CMMC standpoint, how do we make it easier for them to implement and manage security? So, what savings does that shared responsibility matrix bring to your customers?

Matt Stern:

So, that’s been my number one topic for the last few months with a lot of our customers because we’ve gone down a couple of different paths of providing the shared responsibility matrix. And just so everybody knows, in the CMMC world you have 110 controls. Of those controls, there’s going to be some that your suppliers will meet fully. Like maybe you’re using Google Workspace, or Microsoft, or whatever, and that’s going to do your encrypted email. So, you’ll inherit that control from them, because they’re providing that service to you.

So, in a shared responsibility matrix, it’s all about what am I inheriting from my suppliers, or my service providers, and what am I going to have to provide for myself? So, what we try and do is lay out for the customers of these 110 controls, we’ll help you… Like mobile device security, that’s one. That’s an obvious one that we do for our customers. But there’s some others that’s joint, like data loss prevention. That’s huge. But that’s become shared because I’m only going to control data loss prevention from the mobile device, from the endpoint. But if their enterprise is, say, Office 365, then the customer would be responsible for access control and ensuring that data loss doesn’t come from their enterprise resources. We control it from our Hypori environment, but they control it from their enterprise.

I think sometimes that gets to be confusing, so it’s just good to have a conversation with your service providers to ensure they understand the matrix. To be honest with you, we thought we had this down pat. We’ve gone through a couple of different iterations and we even provided, here’s our… Because when we inherited our environments in AWS, so when we partnered with AWS and went into GovCloud, we got access to all of their controls that we inherit. So, we could see, okay, these are things we inherit from AWS. And therefore, we tried to provide that same FedRAMP matrix to our customers to say, “These are the controls you inherit.” There’s some of them that line up really well, but the numbers are different and it just became too much.

So, we went back to, “Okay, here’s what we specifically do for you. And here’s the things where we share responsibility and you don’t have to do anything because once you fully inherit from us.” Then there’s a few that are partial, meaning we both are responsible. Then there’s some that they’re fully responsible. Like access control, they provide that access control into our environments, because we give them the ability to do that.

So, it’s just stuff like that, that over time, getting that translation with your service providers sometimes can be a little bit tough because in a lot of cases, this… Well, obviously, our technology is very new to most of our customers, so getting them to understand this is like, you got to think of us like you just bought a phone. It just so happens to be a really secure phone that you access remotely. So, all the controls that you would normally put in place for a desktop, or a laptop, or even another phone, you still have to do all of that, but the difference is that phone is never exposed. So, it’s never out there flapping. It’s inside a very secure container, but it’s still going to reach out and touch your Microsoft Office. So, how do you do your access control? You just do it the exact same way.

So, that’s been an interesting evolution or journey into understanding that translation between that shared responsibility matrix. We provide it to our customers, but it’s really something that’s an evolving and growing document internally to us. And I’m sure that most of the folks out there that have relationships with other service providers are in the same journey of understanding what do they inherit and how does that translate into a specific CMMC control?

Cole French:

Yeah. The shared responsibility matrix is of great importance. I think what you’re saying, it is something that I think people are just starting to wrap their heads around, specific to CMMC that is. I think something I would say to folks out there is, I think the way in which we look at shared responsibility matrices is usually, “What does the service provider take care of, so that I don’t have to do it?” I think actually we want to flip the mindset to, “Okay, these are the things the service provider takes care of. These are the things that I need to do. So, now, because I’m freed up to not have to take care of those things that the service provider takes care of, I really need to make sure”, like you mentioned, “access control.” I mean, that’s one of the most central elements of security is access control. Who has access to my environment and what kind of access do they have?

So, organizations still need to apply that same rigor to what they’re responsible for. That shared responsibility matrix I think just helps us really define, “Okay, this is what I need to do, but we should be doing it well.”

Matt Stern:

Right. I think it helps them focus, like you said, what they need to concentrate on. But I think almost all your service providers, you’re going to be required to do access… To your point, access control is the cornerstone, in my opinion, of all this. Because if you don’t have that right, it’s going to be really difficult for you to track. I mean, if you don’t have your roles and responsibilities, and you don’t have your RBAC in place correctly, you’re going to have a tough time tracing who’s done what, the who, and do the right people have access to the right resources? Or more importantly, do the wrong people have access to the wrong resources? However many ways you want to make that combination, I think you’re right, access control is really, really important.

Then take it a step further is, how do you nest your access control into your service providers? I mean, like we use, as I mentioned before, we use Okta. It’s a great resource. There’s other great identity access control management tools out there. Have one, because making sure that you have the ability to have traceability on all that, and have that true access control is massively important. I don’t care if it’s FedRAMP, I don’t care what compliance framework it is. To your point, it is the cornerstone.

Cole French:

I appreciate your perspective, Matt. I do think access control, like you mentioned, is one of those central pillars that everyone should be focused on no matter what the tool. Again, just doing security well, that’s what we want to do. We hope compliance drives that forward.

So, Matt, just want to thank you again for coming onto the Cyber Compliance and Beyond podcast today. Grateful that you were willing to come on and share your perspective on these important and actively evolving topics.

Matt Stern:

Thanks for having me, Cole. It was a lot of fun, and it’s great to be able to talk about these topics and, hopefully, provide some perspective to folks out there because this really can be a very confusing journey. The more we learn from each other, the better we all are.

Cole French:

Thank you for joining us on the Cyber Compliance and Beyond podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss, or you just have some feedback for us? Let us know on LinkedIn and Twitter @Kratosdefense, or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. Until then, keep building security into the fabric of what you do.
