I think a kayak would have been a more suitable mode of
transport in getting to Infosecurity Europe
2012 this year. Europe’s largest information security trade show, held each
year in London, certainly drew in the crowds despite the deluge of rain that
greeted them each day.
I have been coming to Infosec for far too many years to
count, both as an information security professional and latterly as an industry
analyst, and even my trade show-weary eyes were impressed with the buzz that
emanated from the show.
This blog is my take on the show with an emphasis on mobile
security.
Focus not on technology but people and process
I always enjoy my
regular catch-up meetings with William Beer, Director, One Security, PWC, and
our meeting at Infosec was no exception. It was a great start to the first day
of the show and pulled me back from just concentrating on the technology – an
easy trap at such a technology-dominant show.
We both agreed that the trend of
mobile BYOD was here to stay and that organisations were well down the road to
building this into IT strategy. As with all emerging trends there will be
mistakes made and technology that may solve one immediate problem may be
shelved as business owners and IT functions begin to understand some of the new
dynamics that face them.
We both agreed that
organisations need well informed and balanced advice on how to support mobility
and in particular the conundrum that employee-owned mobile devices can
introduce to organisations large and small.
I look forward to my
next catch up with William and I am sure that, as always, there will be plenty
to discuss.
Smart ways to authenticate on smart mobile devices – the next wave of mobile authentication/identity solutions
I am always on the lookout for new and innovative methods of
authenticating people on mobile devices and was lucky to catch up with three
innovative vendors operating in this space: ActivIdentity (part of HID Global),
BehavioSec and Live Ensure.
ActivIdentity
I have been speaking with ActivIdentity since first
researching the market for mobile device-based authentication solutions back in
2009 and have been keeping a close eye on them ever since. They are now part of HID Global, a
leader in physical access control.
I caught up with Alan Davies, Vice
President Identity Assurance Sales EMEA, to get an update on
their mobile solutions and to see how far they had come with enabling both
physical and logical access control using a mobile device (something that their
smart card solutions have been enabling for some time now). The pairing of ActivIdentity and HID Global
has created solutions that allow mobile phones to be used to enter physical
buildings and to gain access to computer services. NFC is being leveraged to
enable this to happen and I was pretty impressed with the NFC
sleeve that they are using to enable iPhones to benefit from this
technology (come on Apple get NFC on iPhone 5 please). This technology is not just the preserve of the enterprise and government
user; the lock manufacturer Yale (owned by ASSA ABLOY) showcased NFC-enabled
locks for the consumer market at CES
2012. Definitely a technology to watch and something that could even be ported to cars.
BehavioSec
I met Hans Bergman and Olov Renberg from BehavioSec at their
stand and was given a demo on their mobile product, Behavio Mobile.
Up until recently, I feel that we have seen mobile authentication v1.0, where
existing, non-mobile, authentication solutions have been ported to mobile
phones without a great deal of thought as to (a) the uniqueness of the form
factor and (b) how to authenticate the mobile channel, e.g. in-app. With
solutions such as Behavio Mobile we are now entering the second stage of
authentication on mobile devices where the design of the authentication
solution is centred on mobile – not solely shoehorning a smartcard or a token
solution onto a mobile phone.
Behavio Mobile uses a technique that the guys at BehavioSec
are calling Behaviometrics
(behavioural biometrics). Behavio Mobile collects behavioural statistics of the
normal pattern of using a mobile device, e.g. entering or swiping a
PIN code on a touch-screen, and then compares these with previous usage to
decide if the user is who they say they are. Based on these biometric
inputs it can then accurately determine if the person tapping/swiping away on
their smart mobile device is the legitimate owner of the device or the correct
mobile bank customer is attempting to access their account details. The
solution has another great feature in that it can interact with BehavioSec’s own
risk engine or interface with third-party risk solutions, for example RSA’s
Adaptive authentication product. This could be a really interesting solution
for the type of ‘step-up’ verification that online banking is crying out for.
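To make the behavioural-biometrics idea concrete, here is an added worked example in Python; it is my own toy illustration of keystroke-dynamics verification for a PIN entry, not BehavioSec's product or algorithm. It assumes a constructed recording format (key, press time, release time in milliseconds), enrols a profile from a few genuine entries as per-feature mean and spread of dwell and flight times, and scores a fresh entry as a mean z-score. The three-way decision (accept, step-up, reject) mirrors the 'step-up' verification hand-off to a risk engine mentioned above; the thresholds are illustrative assumptions, and the timing samples are constructed.

```python
"""Toy keystroke-dynamics check for a PIN entry (constructed example)."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# One tap on the on-screen keypad: (key, press_ms, release_ms).
Tap = Tuple[str, float, float]


def features(taps: Sequence[Tap]) -> List[float]:
    """Feature vector for one entry: dwell time of each tap (release - press)
    followed by the flight time between consecutive taps (next press - release)."""
    dwells = [rel - prs for _, prs, rel in taps]
    flights = [taps[i + 1][1] - taps[i][2] for i in range(len(taps) - 1)]
    return dwells + flights


def enrol(samples: Sequence[Sequence[Tap]], min_std: float = 5.0) -> Dict[str, List[float]]:
    """Profile = per-feature mean and standard deviation over genuine entries.
    min_std floors the spread so a very consistent user does not end up with a
    profile so tight that every later entry of their own is rejected."""
    vectors = [features(s) for s in samples]
    if any(len(v) != len(vectors[0]) for v in vectors):
        raise ValueError("all enrolment samples must have the same PIN length")
    cols = list(zip(*vectors))
    return {"mean": [mean(c) for c in cols],
            "std": [max(pstdev(c), min_std) for c in cols]}


def score(profile: Dict[str, List[float]], taps: Sequence[Tap]) -> float:
    """Mean absolute z-score of a new entry against the profile.
    Near 0 means 'the usual rhythm'; larger means more unusual."""
    vec = features(taps)
    if len(vec) != len(profile["mean"]):
        raise ValueError("entry length does not match the enrolled profile")
    zs = [abs(v - m) / s for v, m, s in zip(vec, profile["mean"], profile["std"])]
    return sum(zs) / len(zs)


def decide(profile: Dict[str, List[float]], taps: Sequence[Tap],
           accept_below: float = 1.5, reject_above: float = 4.0) -> str:
    """Three-way outcome a risk engine could act on (thresholds are assumptions):
    accept silently, ask for step-up verification, or reject."""
    s = score(profile, taps)
    if s < accept_below:
        return "accept"
    if s > reject_above:
        return "reject"
    return "step-up"


def make_entry(pin: str, dwells: Sequence[float], flights: Sequence[float]) -> List[Tap]:
    """Constructed helper: build tap timestamps from dwell and flight times."""
    taps, t = [], 0.0
    for i, key in enumerate(pin):
        taps.append((key, t, t + dwells[i]))
        t += dwells[i]
        if i < len(flights):
            t += flights[i]
    return taps


# Constructed timing data: four genuine enrolment entries of the same PIN.
GENUINE_SAMPLES = [
    make_entry("7391", [120, 110, 130, 115], [210, 190, 230]),
    make_entry("7391", [125, 105, 135, 120], [220, 185, 225]),
    make_entry("7391", [118, 112, 128, 112], [205, 195, 235]),
    make_entry("7391", [122, 108, 132, 118], [215, 190, 228]),
]
# Same PIN entered later: by the owner, by the owner on a slow day, and by
# someone else who knows the digits but not the rhythm.
GENUINE_TEST = make_entry("7391", [121, 109, 131, 117], [212, 191, 230])
DRIFTED_TEST = make_entry("7391", [130, 117, 140, 125], [230, 205, 245])
IMPOSTOR_TEST = make_entry("7391", [60, 65, 55, 70], [500, 480, 520])

if __name__ == "__main__":
    profile = enrol(GENUINE_SAMPLES)
    for label, entry in [("owner", GENUINE_TEST), ("owner, drifted", DRIFTED_TEST),
                         ("impostor", IMPOSTOR_TEST)]:
        print(f"{label:15s} score={score(profile, entry):6.2f} -> {decide(profile, entry)}")
```

The point of the example is that knowing the PIN is not enough: the impostor types the correct digits but with a rhythm far from the enrolled profile, so the score is large and the entry is rejected, while the owner's slightly slower entry lands in the middle band and would be routed to step-up verification rather than silently failed.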
Live Ensure
I had previously met up in London with the UK team of Live
Ensure for an introduction to the company and their mobile authentication
solution. As their CTO, Christian Hessler,
was in town for Infosec it was a good opportunity to drill down further
into their product and business model. Christian is an infectious technology evangelist who really
gets the reasons why authentication has to change and knows why the mobile device,
in combination with ease-of-use and a true cloud experience, is its future.
In a similar manner to BehavioSec’s mobile solution,
Christian and his team have developed an authentication solution that is agile
and easy to use. Live Ensure is a non-persistent solution that uses a technology
called Digimetrics. This features three
key technologies; the first is a ‘touchless’ deep-device fingerprinting
solution, the second is a one-time disposable signature and the third is a ‘smart-channel’
communication that does not use the browser, something that is prone to
man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks. In addition to the usual suspects, banks, government and healthcare, I can really see this being used in large social networks such as Twitter and Facebook.
How to enable mobile BYOD in the enterprise – without compromising security and usability?
One of the biggest current challenges that face information security
professionals is how to deal with the mobile BYOD trend: how to manage and securely
control employee-owned mobile devices that are being used for business
purposes. The recently published Goode Intelligence report, the GI
mSecurity survey report, discovered that well over two-thirds, 71 percent,
of organisations are allowing their employees to use their own mobile devices
for business use.
This trend is turning into a major headache for information
security professionals. There are many ways in which an organisation can manage
this threat; mobile device management (MDM) is one. However, this solution may
not be the best solution for all organisations, and I met up with three vendors
that are enabling mobile BYOD in distinct ways: Cryptzone
with their Director’s Portal, and the partnership of Echoworx and Nitrodesk (TouchDown) for secure email on
Android devices.
Cryptzone
Cryptzone consider that, in network security, data is the key
asset that needs to be protected and have developed a solution that can be used
by executives on their iPads, the Director’s Portal.
I met up with Cryptzone’s Peter
Davin to discuss the launch of the Director’s Portal solution. Peter stated that executives including board members are notoriously ‘unsavvy’ and lax
when it comes to transferring, sending and reading sensitive information. This
is especially the case for the new breed of Gucci kit, iPad et al, that C-level execs have brought into the boardroom. The Director’s Portal is a web-based, on-line, workspace devoted exclusively
to the board to use on their iPads. It offers directors secure access to
confidential materials and is based on Cryptzone’s experience of securing collaboration
and file sharing technology, in particular Microsoft’s SharePoint solution.
Echoworx / Nitrodesk
I retired to the sanctuary that was the Infosec press room
(complete with door marked “Dark Room”) to speak with Michael Ginsberg,
President and CEO, Echoworx, and Ronald Goins, Chief Operating Officer, Nitrodesk
(Ron’s CV includes being a bicycle patrol officer in downtown Seattle and a
Supreme Court-certified expert witness on interpreting body language – so I was
very careful in how I presented myself to him).
These two technology companies have teamed up to develop a
solution that supports secure email on Android devices (although the Echoworx mobilEncrypt ENDPOINT solution works
across all major mobile platforms including iOS). Echoworx supply the
cloud-based credential management solution (using PKI and digital certificates)
and Nitrodesk, through the excellent TouchDown product, provide the email client.
TouchDown
provides a true enterprise messaging solution that also supports a wide range
of MDM solution providers (we also had an excellent discussion on the state of
the MDM industry and who we thought would lead the pack and who would be
acquired in 2012 – I shall leave that debate to another blog – maybe).