Sunday 29 April 2012

Back from Infosecurity Europe: Highlights from Europe’s largest Information Security show


I think a kayak would have been a more suitable mode of transport in getting to Infosecurity Europe 2012 this year. Europe’s largest information security trade show, held each year in London, certainly drew in the crowds despite the deluge of rain that greeted them each day.

I have been coming to Infosec for far too many years to count, both as an information security professional and latterly as an industry analyst, and even I, with my trade-show-weary eyes, was impressed with the buzz that emanated from the show.

This blog is my take on the show with an emphasis on mobile security.

Focus not on technology but people and process
I always enjoy my regular catch-up meetings with William Beer, Director, One Security, PwC, and our meeting at Infosec was no exception. It was a great start to the first day of the show and pulled me back from just concentrating on the technology – an easy trap at such a technology-dominant show.

We both agreed that the trend of mobile BYOD was here to stay and that organisations were well down the road to building this into IT strategy. As with all emerging trends there will be mistakes made and technology that may solve one immediate problem may be shelved as business owners and IT functions begin to understand some of the new dynamics that face them. 

We both agreed that organisations need well informed and balanced advice on how to support mobility and in particular the conundrum that employee-owned mobile devices can introduce to organisations large and small.

I look forward to my next catch up with William and I am sure that, as always, there will be plenty to discuss.

Smart ways to authenticate on smart mobile devices – the next wave of mobile authentication/identity solutions

I am always on the lookout for new and innovative methods of authenticating people on mobile devices and was lucky to catch up with three innovative vendors operating in this space: ActivIdentity (part of HID Global), BehavioSec and Live Ensure.

ActivIdentity
I have been speaking with ActivIdentity since first researching the market for mobile device-based authentication solutions back in 2009 and have been keeping a close eye on them ever since. They are now part of HID Global, a leader in physical access control.

I caught up with Alan Davies, Vice President Identity Assurance Sales EMEA, to get an update on their mobile solutions and to see how far they had come with enabling both physical and logical access control using a mobile device (something that their smart card solutions have been enabling for some time now). The pairing of ActivIdentity and HID Global has created solutions that allow mobile phones to be used to enter physical buildings and to gain access to computer services. NFC is being leveraged to enable this to happen and I was pretty impressed with the NFC sleeve that they are using to enable iPhones to benefit from this technology (come on Apple get NFC on iPhone 5 please). This technology is not just the preserve of the enterprise and government user; the lock manufacturer Yale (owned by ASSA ABLOY) showcased NFC-enabled locks for the consumer market at CES 2012. Definitely a technology to watch and something that could even be ported to cars.

BehavioSec
I met Hans Bergman and Olov Renberg from BehavioSec at their stand and was given a demo of their mobile product, Behavio Mobile. Up until recently, I feel that we have seen mobile authentication v1.0, where existing, non-mobile authentication solutions have been ported to mobile phones without a great deal of thought as to (a) the uniqueness of the form factor and (b) how to authenticate the mobile channel, e.g. in-app. With solutions such as Behavio Mobile we are now entering the second stage of authentication on mobile devices, where the design of the authentication solution is centred on mobile – not solely shoehorning a smartcard or a token solution onto a mobile phone.

Behavio Mobile uses a technique that the guys at BehavioSec are calling Behaviometrics (behavioural biometrics). Behavio Mobile collects behavioural statistics on how a mobile device is normally used, e.g. entering or swiping a PIN code on a touch screen, and then compares a new interaction with that previous usage to decide whether the user is who they claim to be. Based on these biometric inputs it can then accurately determine whether the person tapping/swiping away on their smart mobile device is the legitimate owner of the device, or whether the correct mobile banking customer is attempting to access their account details. The solution has another great feature in that it can interact with BehavioSec’s own risk engine or interface with third-party risk solutions, for example RSA’s Adaptive Authentication product. This could be a really interesting solution for the type of ‘step-up’ verification that online banking is crying out for.
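A toy version of the profile-and-compare step described above, as an added example that is not BehavioSec's code: it builds a timing profile from constructed PIN-entry samples, scores a new entry against that profile and maps the score to allow, step-up or deny in the way a risk engine might. All timings, feature choices and thresholds are constructed assumptions for illustration.

```python
"""Toy behaviometric check for PIN entry: profile past usage, score a new entry
against it, and turn the score into a risk decision (allow / step-up / deny).
Added illustration, not BehavioSec's code; timings and thresholds are constructed."""
from statistics import mean, pstdev

# Constructed enrolment data: for each PIN entry, the key-down timestamps
# (ms) of the four digits and the dwell (press duration, ms) of each digit.
ENROLMENT = [
    {"downs": [0, 200, 400, 600], "dwell": [80, 80, 80, 80]},
    {"downs": [0, 220, 410, 610], "dwell": [90, 85, 75, 85]},
    {"downs": [0, 190, 390, 590], "dwell": [75, 80, 85, 80]},
    {"downs": [0, 210, 400, 620], "dwell": [85, 75, 80, 75]},
    {"downs": [0, 200, 420, 600], "dwell": [80, 90, 80, 90]},
]

def features(entry):
    """Flight times between successive digits, followed by per-digit dwell."""
    downs = entry["downs"]
    flights = [later - earlier for earlier, later in zip(downs, downs[1:])]
    return flights + list(entry["dwell"])

def build_profile(entries):
    """Per-feature (mean, std dev) over the enrolment entries; the std dev is
    floored at 1 ms so a perfectly consistent feature cannot divide by zero."""
    columns = zip(*(features(e) for e in entries))
    return [(mean(col), max(pstdev(col), 1.0)) for col in columns]

def anomaly_score(profile, entry):
    """Mean absolute z-score of the new entry against the profile (0 = typical)."""
    zs = [abs(x - m) / sd for x, (m, sd) in zip(features(entry), profile)]
    return mean(zs)

def decide(score, allow_below=1.5, stepup_below=3.0):
    """Map the score to the action a risk engine would take. Thresholds are
    assumptions for the toy; a real engine would tune them per channel."""
    if score < allow_below:
        return "allow"
    if score < stepup_below:
        return "step-up"   # e.g. ask for an OTP before showing balances
    return "deny"

def check(entry, enrolment=ENROLMENT):
    """Convenience wrapper: returns (score, decision) for one new PIN entry."""
    score = anomaly_score(build_profile(enrolment), entry)
    return score, decide(score)

if __name__ == "__main__":
    # Constructed: the owner's usual rhythm vs. someone who knows the PIN
    owner = {"downs": [0, 205, 405, 605], "dwell": [85, 80, 78, 88]}
    stranger = {"downs": [0, 350, 650, 1000], "dwell": [120, 130, 115, 125]}
    print(check(owner), check(stranger))
```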

Live Ensure
I had previously met up in London with the UK team of Live Ensure for an introduction to the company and their mobile authentication solution. As their CTO, Christian Hessler, was in town for Infosec it was a good opportunity to drill down further into their product and business model. Christian is an infectious technology evangelist who really gets the reasons why authentication has to change and knows why the mobile device, in combination with ease-of-use and a true cloud experience, is its future.

In a similar manner to BehavioSec’s mobile solution, Christian and his team have developed an authentication solution that is agile and easy to use. Live Ensure is a non-persistent solution that uses a technology called Digimetrics. This features three key technologies: the first is a ‘touchless’ deep-device fingerprinting solution, the second is a one-time disposable signature and the third is a ‘smart-channel’ communication that does not use the browser, something that is prone to man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks. In addition to the usual suspects, banks, government and healthcare, I can really see this being used in large social networks such as Twitter and Facebook.

How to enable mobile BYOD in the enterprise – without compromising security and usability?
One of the biggest current challenges that face information security professionals is how to deal with the mobile BYOD trend: how to manage and securely control employee-owned mobile devices that are being used for business purposes. The recently published Goode Intelligence report, the GI mSecurity survey report, discovered that well over two-thirds, 71 percent, of organisations are allowing their employees to use their own mobile devices for business use.

This trend is turning into a major headache for information security professionals. There are many ways in which an organisation can manage this threat; mobile device management (MDM) is one. However, this may not be the best solution for all organisations, and I met up with three vendors that are enabling mobile BYOD in distinct ways: Cryptzone with their Director’s Portal, and the partnership of Echoworx and Nitrodesk (TouchDown) for secure email on Android devices.

Cryptzone
Cryptzone consider that, in network security, data is the key asset that needs to be protected, and have developed a solution that can be used by executives on their iPads: the Director’s Portal.

I met up with Cryptzone’s Peter Davin to discuss the launch of the Director’s Portal solution. Peter stated that executives, including board members, are notoriously ‘unsavvy’ and lax when it comes to transferring, sending and reading sensitive information. This is especially the case for the new breed of Gucci kit, iPad et al, that C-level execs have brought into the boardroom. The Director’s Portal is a web-based online workspace devoted exclusively to the board to use on their iPads. It offers directors secure access to confidential materials and is based on Cryptzone’s experience of securing collaboration and file sharing technology, in particular Microsoft’s SharePoint solution.

Echoworx / Nitrodesk
I retired to the sanctuary that was the Infosec press room (complete with door marked “Dark Room”) to speak with Michael Ginsberg, President and CEO, Echoworx, and Ronald Goins, Chief Operating Officer, Nitrodesk (Ron’s CV includes being a bicycle patrol officer in downtown Seattle and a Supreme Court-certified expert witness on interpreting body language – so I was very careful in how I presented myself to him).

These two technology companies have teamed up to develop a solution that supports secure email on Android devices (although the Echoworx mobilEncrypt ENDPOINT solution works across all major mobile platforms including iOS). Echoworx supply the cloud-based credential management solution (using PKI and digital certificates) and Nitrodesk, through the excellent TouchDown product, provide the email client.

TouchDown provides a true enterprise messaging solution that also supports a wide range of MDM solution providers (we also had an excellent discussion on the state of the MDM industry and who we thought would lead the pack and who would be acquired in 2012 – I shall leave that debate to another blog – maybe).