NSA suggests using virtualization to secure smartphones

The U.S. National Security Agency is now suggesting government departments and businesses buy smartphones secured using virtualization, a technology it currently requires only on tablets and laptops

The change comes about with the arrival of the first virtualization-based smartphone security system on the U.S. Commercial Solutions for Classified list.

CSFC is a program developed by the NSA to help U.S. government agencies and the businesses that serve them to quickly build layered secure systems from approved components.

An HTC A9 smartphone security-hardened by Cog Systems using its D4 virtualization platform is now on that list, alongside devices without virtualization from Samsung Electronics, LG Electronics, and BlackBerry.

In the modified A9, communications functions are secured by running them in separate virtual machines on the D4 virtualization platform.

It’s the first smartphone on the CSFC list to use virtualization, which the NSA has only required on more powerful devices such as tablets and laptops until now.

“If virtualization technology was commonly available in the smartphone, we could leverage it for some solutions. To date, the devices that have been considered did not offer that technology,” the NSA’s technical guidance reads.

Cog Systems’ position on the list isn’t definitive yet: It’s still seeking certification for the D4/A9 combination against the National Information Assurance Partnership’s mobile platform and IPSec VPN Client protection profiles. Vendors typically have six months to obtain the certification in order to remain on the list. For now, D4’s validation is ongoing at Gossamer Security Solutions’ Common Criteria Testing Laboratory.

Vendors don’t seek certification lightly, according to Carl Nerup, chief marketing officer at Cog Systems. “It’s a very expensive process,” he said, between US$500,000 and $700,000 for each new model.

Somehow, though, Cog Systems is eating the additional cost of certification: The price for its security-hardened A9 is the same as HTC’s list price for an unmodified phone, said Nerup. “We have multiple groups within the U.S. Department of Defense that have procured the device,” he added.

A commercial off-the-shelf (COTS) smartphone like the modified A9 isn’t only of interest to government customers, though, Cog Systems CEO Dan Potts pointed out. “In the oil and gas industry, they want to buy COTS. They want it to be at a competitive price, but with a greater concern for security.”

Once certification for the modified A9 is in the bag, Potts is looking forward to seeking certification for D4 virtualization on other smartphones. The first time around takes time because there is a lot of preparatory work to do, but much of that work will also apply to other smartphones. Potts expects certification of D4 on other hardware to go more quickly.

Eric Klein, director for mobile software and enterprise mobility at analyst firm VDC Research, has had his eye on Cog Systems since meeting the company at Mobile World Congress.

He sees the broadest opportunity for Cog Systems in the enterprise market — and expects that its approach to endpoint security could even take some business away from enterprise mobility management vendors.

Let us know about this change on our Facebook page.