
Soldiers with top-secret clearances say they were forced to use an app that could endanger them


Jason


The standard is called FedRAMP. At my current employer, every cloud-based app we buy into has to be FedRAMP authorized. Part of FedRAMP authorization states the data within can't be stored overseas or accessed by non-US persons. Am I reading this right? Is the Army directing folks to download a non-FedRAMP authorized app? If the app developer stores the Army's user data in a FedRAMP instance of the app or its databases, this is a non-story. Blackberry isn't even an American company, but they offer FedRAMP authorized services.


35 minutes ago, Ghost_MH said:

The standard is called FedRAMP. At my current employer, every cloud-based app we buy into has to be FedRAMP authorized. Part of FedRAMP authorization states the data within can't be stored overseas or accessed by non-US persons. Am I reading this right? Is the Army directing folks to download a non-FedRAMP authorized app? If the app developer stores the Army's user data in a FedRAMP instance of the app or its databases, this is a non-story. Blackberry isn't even an American company, but they offer FedRAMP authorized services.

Doesn't sound like it. The fact that this came from the regular app store and they were ordered to put it on their personal phones is sketchy as hell.


1 minute ago, Anathema- said:

Doesn't sound like it. The fact that this came from the regular app store and they were ordered to put it on their personal phones is sketchy as hell.

Ehhhh...not necessarily. It all depends on how your user profile is configured. The same app that serves up non-FedRAMP services can also serve up FedRAMP services. Different user profiles can just be pointed to different servers. Microsoft's own Office365 apps served up in any app store can point to anything from their commercial cloud tenant in Azure to Azure Gov to Azure DoD.


1 minute ago, Ghost_MH said:

Ehhhh...not necessarily. It all depends on how your user profile is configured. The same app that serves up non-FedRAMP services can also serve up FedRAMP services. Different user profiles can just be pointed to different servers. Microsoft's own Office365 apps served up in any app store can point to anything from their commercial cloud tenant in Azure to Azure Gov to Azure DoD.

In my experience there needs to be some kind of secured container on the device, which means that secure apps have to come from inside the container. That means nothing considered secure comes from the regular app store. It doesn't sound like you're saying anything different?


14 minutes ago, Anathema- said:

Doesn't sound like it. The fact that this came from the regular app store and they were ordered to put it on their personal phones is sketchy as hell.

It immediately made me think of the Fancy Bear attack by Russia on Ukraine.

https://www.reuters.com/article/us-cyber-ukraine/russian-hackers-tracked-ukrainian-artillery-units-using-android-implant-report-idUSKBN14B0CU


19 minutes ago, Anathema- said:

In my experience there needs to be some kind of secured container on the device, which means that secure apps have to come from inside the container. That means nothing considered secure comes from the regular app store. It doesn't sound like you're saying anything different?

Well yes, but that's a case of how the app itself works. What app store you can get it from is irrelevant. For instance, I bought Kiteworks last year for securely sending files of varying security levels. The app can be acquired from either Google's or Apple's app stores. However, the local file store is locked down and our instance is FedRAMP authorized. An end user would have no idea, because the app works the same regardless of the security level. Where their data is stored and at what level is entirely dependent on the server and database their account is configured for.


25 minutes ago, Ghost_MH said:

Well yes, but that's a case of how the app itself works. What app store you can get it from is irrelevant. For instance, I bought Kiteworks last year for securely sending files of varying security levels. The app can be acquired from either Google's or Apple's app stores. However, the local file store is locked down and our instance is FedRAMP authorized. An end user would have no idea, because the app works the same regardless of the security level. Where their data is stored and at what level is entirely dependent on the server and database their account is configured for.

Given the backgrounds of the people involved, I would be inclined to assume this wouldn't be a news story if the way they were told to get the app followed normal procedures. Plus, they were told to install this on their personal smartphones, which by itself makes it sound really strange.
