
Securing our connected world

Issue: North America I 2015
Article no.: 3
Topic: Securing our connected world
Author: Olivier Piou
Title: CEO
Organisation: Gemalto

About author

Olivier Piou, CEO, Gemalto

Olivier Piou conducted the merger of Gemplus and Axalto which formed Gemalto in 2006, and has been its CEO since then. Before that he was CEO and Board member of Axalto (2004-2006), which he introduced to the stock market, and Director of Smart Cards with Schlumberger (1998-2004). He previously held a number of positions with that company across technology, marketing and operations in France and the US (1981-1998). He was a Board member of INRIA, the French national institute for research in computer science and control (2003-2010), and President of Eurosmart, the international organization representing the chip card industry (2003-2006). He is a Knight of the Legion of Honor in France.

Article abstract

It is crucial for businesses, governments, banks and individuals to identify risks specific to each of their use cases, and mitigate them through secure product design and simple best practices. In order to trust in the connected world, we need to ensure that today’s innovations – from mobile wallet applications to virtual computing units and network node applications – are each thoroughly reviewed to reduce easy access points for cyber security threats.

Full Article

We live in an exciting age where the landscape of our digital life is expanding and evolving at unprecedented speed. With smartphone penetration on the rise, the latest mobile security survey by US publication InformationWeek found that almost eighty percent of companies have some employees who bring their own devices to work. This growing trend is part of the interconnectedness of our digital lives and highlights the need for security across all points of the ecosystem, from enterprise data and payments to personal privacy.

People and enterprises need trust: assurance that their data, mobile devices and other connected objects are protected against cyber attacks and identity theft. Large-scale breaches have captured the attention of people and companies alike, and that attention is leading to a growing understanding of the importance of protecting data and every access point that interacts with connected devices. Some of the world’s largest, most renowned retailers and entertainment brands have paid an enormous price for recent hacks, with lasting damage to their reputations in the form of reduced profits, lost customers and missed business opportunities.

Security by design
As we stand at the tipping point of a new digital era and data takes its clear place as the golden resource of the 21st century, it has never been more important to safeguard that data by carefully planning end-to-end security architecture. The key to success is managing the complexity of our increasingly connected world, and taking a set of basic measures toward keeping our digital data and identities secure. It’s much more expensive to fix a security breach or data loss after the fact versus planning for it in advance and designing structured systems that mitigate risk.

The first step for businesses, governments, banks and individuals is to identify the risks specific to each of their use cases, and to mitigate them through secure product design and simple best practices. In order to trust in the connected world, we need to ensure that today’s innovations, from mobile wallet applications to virtual computing units and network node applications, are each thoroughly reviewed to reduce easy access points for cyber security threats. Further measures that raise the bar are to properly identify all users, to encrypt the golden data sets with strong keys, to keep those keys separate from the customers’ data and identity, and to protect information in transit as well as at rest. Ignoring today’s digital security mandate can only lead to financial loss and a tarnished brand image.

As our world becomes more connected and people increase the use of their personal mobile phones and messaging systems, and as connected homes, smart cities, connected cars and smart objects become mainstream, more information is exposed to potentially critical risk. Popular “Bring Your Own Device” (BYOD) programs pose a particular challenge: the data on an employee’s phone, tablet and PC now mixes personal and business information that is difficult to separate, and is both valuable and attractive to attackers. Similarly, modern connected car environments with 4G infotainment systems, mobile Wi-Fi, embedded payment solutions and NFC-enabled entry and ignition systems provide desirable new connectivity and, at the same time, significant new potential threats. Connected device OEMs, implementers and end users need to ensure that new features don’t become wide open doors to malicious cyber attacks.

Securing the edge: Provisioning, identity and access authentication
To initiate any type of trusted connected world communication, the first step must always include secure service provisioning. If initial registration and credential delivery cannot be trusted, the device cannot be trusted. Whether for a smart card, a smart home appliance or an mHealth device, all end points must be provisioned with credentials stored in the device that can be exchanged securely. Ideally these credentials are stored in a removable secure subsystem such as the SIM card of a mobile phone, a secure corporate badge carried by the user, or a security-certified USB or MicroSD key. To issue and manage these, enterprises and governments need trusted partners with a proven track record of delivering secure features without ever physically handling the in-device secure element or the card. Secure software platforms for Over the Air provisioning (OTA) and On-Demand Connectivity (ODC) exist to provide flexibility while ensuring that the specific credentials are transmitted securely and that critical data is properly stored inside the secure element of a device.

From there, users must be able to have their identity authenticated to gain access to the application. For decades, user names and passwords were used to log on to computers, gain access to secure websites or carry out banking transactions. However, as digital connections multiply and cybercrime continues to become more sophisticated, this method alone is simply not strong enough to keep attackers at bay. The best way to protect personal and enterprise data is to add two simple layers of protection: two-factor user authentication, and encryption of the data so that it has little value if it is obtained.

There are a variety of two-factor authentication solutions, both connected and unconnected, including ID tokens, smart cards, and in-device applications such as mobile One Time Passwords (OTP) and mobile authentication, each offering a different level of protection. The best solutions give IT administrators the flexibility to support different authentication devices according to the user’s needs. They should also offer a smooth and cost-effective migration path to a fuller public key infrastructure (PKI) solution as needs evolve, and allow a higher-grade credential to be introduced without changing the underlying security architecture. Other multi-factor authentication methods such as contextual keys and biometrics, including fingerprints and iris scans, can be more intrusive in terms of privacy and more complex in terms of personal data management (a compromised biometric, unlike a password or key, cannot be changed or reissued). These are primarily reserved for highly sensitive government applications.

What’s essential when planning a security architecture is to match the type of two-factor authentication to the level of assurance needed for the risk and threat at hand. For example, financial transactions and mobile banking applications require strong authentication such as in-device mobile-generated tokens or OTP credentials to protect sensitive financial data and account information. Users can log on to a mobile banking application with a simple password; when they reach more sensitive functions, a second layer of authentication using an OTP or mobile token is required. The OTP credentials are delivered OTA to the secure element in the smartphone and verified directly by the application, without user intervention, so that only authorized users reach account information.
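
The mobile OTP flow described above, as an added example that is not code from the article or from Gemalto: a Go program implementing the time-based one-time password algorithm (RFC 6238, HMAC-SHA1, 30-second step, six digits) that most in-device OTP tokens use. The secret is provisioned once to the device (in the article’s model, into the secure element) and to the server; both sides derive the same short-lived code from the current time, and the server tolerates one step of clock drift while refusing a code that has already been consumed, so a code captured in transit cannot be replayed within its window. The demo secret is the ASCII key from the RFC’s published test vectors; the per-device server state (`verifier`) and the timestamps are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP parameters as in RFC 6238: HMAC-SHA1, 30-second time step, 6 digits.
const (
	totpStep   int64 = 30
	totpDigits       = 6
)

// totpCode derives the one-time code for a Unix timestamp from the shared
// secret. The device and the server run this same function; they agree
// only because the secret was provisioned to both and their clocks agree.
func totpCode(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/totpStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects 4 bytes, which are reduced to the requested digit count.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// verifier is the server-side state for one enrolled device. lastStep
// records the newest time step whose code has been accepted, so a code
// captured in transit cannot be replayed inside its 30-second window.
type verifier struct {
	secret   []byte
	lastStep int64
}

// verify accepts a code for the current step or one step either side
// (to tolerate clock drift) and consumes that step on success.
func (v *verifier) verify(code string, now int64) bool {
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*totpStep
		if t/totpStep <= v.lastStep {
			continue // this step has already been used
		}
		if subtle.ConstantTimeCompare([]byte(totpCode(v.secret, t)), []byte(code)) == 1 {
			v.lastStep = t / totpStep
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the ASCII key from the RFC 6238 test vectors.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpCode(secret, now) // what the in-device token would display
	srv := &verifier{secret: secret}
	fmt.Println("code:", code, "first use accepted:", srv.verify(code, now))
	fmt.Println("replay of the same code accepted:", srv.verify(code, now))
}
```

Two practical points follow from the code: the shared secret is the whole of the security, so it must come from a strong random source and never be logged or displayed again after enrolment; and the `lastStep` bookkeeping must live on the server, per enrolled device, or the replay protection disappears.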

A different authentication solution is necessary for IoT (Internet of Things) objects that tie into next-generation smart home automation systems such as smart metering hubs. In this type of application, connectivity is automatic and only small amounts of data are exchanged, usually continuously. Adding an embedded secure element and software, the Machine Identification Module (MIM), can ensure that consumers’ personal energy consumption information is protected. The information is accessible only to the consumer and the smart energy provider, so that the smart home does not become a gateway to other personal information or a foothold for attacking the home Wi-Fi network. On the other side of the system, utilities can have confidence in the data in these protected information streams, and trust that their infrastructure is protected against intrusion that could lead to catastrophic fraud or damage to the overall energy grid.

Securing the core: Authentication, encryption, crypto management
Securing the edge is only the first half of the best practice equation. Evolving business needs around cloud applications, mobile devices and IoT connected objects, combined with rising threats and the need to reduce costs, require entirely new considerations for data access and control. Moreover, employees and contractors account for 64 percent of reported breaches, according to a report by Verizon. An airtight solution needs to assume that a security breach can also occur from within an organization, and properly conceal sensitive data via encryption.

Data resides in more places than ever before and threats are not always obvious. Handsets, the cloud, our vehicles and even home appliances are all moving and storing data. Enterprises need to carefully analyze where their data resides, in physical networks, the cloud or on mobile networks, and encrypt it so that when an intrusion occurs, vital information is obscured and has little value to the fraudster.

Encryption requires keys to lock and unlock data, and far too often the management of these keys is overlooked. In the digital world, crypto keys become the treasure map to data gold, and additional steps must be taken to protect them. Enterprises today have access to advanced key management platforms, built on hardware security modules (HSMs), that keep keys in a hardware vault separate from any encrypted data. These platforms enforce access controls on the keys and support rotating, revoking and reissuing them so that they stay safe over time. Data separation, encryption and crypto key management together ensure that each owning group has access only to the data it needs, and that safety and privacy are maintained at all levels.
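
To make the key-separation and rotation points concrete, here is an added example in Go (not code from the article or from any Gemalto product) of envelope encryption: every record is encrypted under its own data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped by a versioned key-encryption key (KEK) held in a vault that never releases it, and the data store keeps only the ciphertext plus the wrapped DEK. Rotating the KEK re-wraps the small DEKs rather than re-encrypting the data, and deleting a KEK version revokes everything still wrapped under it. The in-memory `keyVault` is a stand-in for an HSM or key-management service, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyVault stands in for an HSM or key-management service: it keeps the
// key-encryption keys (KEKs) by version and never hands them out.
type keyVault struct {
	keks    map[int][]byte
	current int
}

// rotate installs a fresh KEK as the current version. Older versions stay
// usable for unwrapping until every record has been re-wrapped; then
// delete(v.keks, version) revokes them for good.
func (v *keyVault) rotate() {
	v.current++
	v.keks[v.current] = randomBytes(32)
}

// wrap and unwrap bind the KEK version into the associated data, so a
// wrapped DEK cannot be presented under a different version label.
func (v *keyVault) wrap(dek []byte) (int, []byte) {
	return v.current, seal(v.keks[v.current], dek, []byte(fmt.Sprint(v.current)))
}
func (v *keyVault) unwrap(version int, wrapped []byte) ([]byte, error) {
	kek, ok := v.keks[version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is revoked or unknown", version)
	}
	return unseal(kek, wrapped, []byte(fmt.Sprint(version)))
}

// must turns a constructor error into a panic: with 32-byte keys neither
// AES nor GCM setup can fail, so an error here is a programming bug.
func must[T any](x T, err error) T {
	if err != nil {
		panic(err)
	}
	return x
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b)) // no entropy means no keys, never a weaker fallback
	return b
}

// seal returns nonce||ciphertext||tag under AES-256-GCM with a fresh nonce;
// unseal fails on a wrong key, a wrong version label or any modified byte.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// record is what the data store keeps: bulk ciphertext, the wrapped DEK and
// the KEK version that wrapped it. No plaintext key sits beside the data.
type record struct {
	kekVersion int
	wrappedDEK []byte
	ciphertext []byte
}

func encryptRecord(v *keyVault, plaintext []byte) *record {
	dek := randomBytes(32) // one DEK per record; the KEK never touches bulk data
	ver, wrapped := v.wrap(dek)
	return &record{ver, wrapped, seal(dek, plaintext, nil)}
}
func decryptRecord(v *keyVault, r *record) ([]byte, error) {
	dek, err := v.unwrap(r.kekVersion, r.wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.ciphertext, nil)
}

// rewrap moves a record onto the current KEK. Only the small wrapped DEK is
// rewritten; the bulk ciphertext is untouched, which keeps rotation cheap.
func rewrap(v *keyVault, r *record) error {
	dek, err := v.unwrap(r.kekVersion, r.wrappedDEK)
	if err != nil {
		return err
	}
	r.kekVersion, r.wrappedDEK = v.wrap(dek)
	return nil
}

func main() {
	v := &keyVault{keks: map[int][]byte{}}
	v.rotate()
	r := encryptRecord(v, []byte("customer 4711: card ending 1234")) // constructed sample
	v.rotate()        // a new KEK becomes current
	_ = rewrap(v, r)  // the record follows it; the bulk data is not re-encrypted
	delete(v.keks, 1) // the old KEK is destroyed
	fmt.Println(decryptRecord(v, r))
}
```

In production the vault boundary is a real HSM or KMS API, the wrapped DEK and its version number are stored alongside the record, and `rewrap` runs as a background job after each rotation until no record references the old version; only then is the old KEK destroyed.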

Keep calm and connect on
Some things are certain: security breaches will happen. In today’s world, there are two types of companies: those attacked every day, and those who don’t realize they are attacked every day. It sounds dire, but the good news is we don’t need to fear cyber attacks if we have the right security solutions in place to protect identities and secure data. With these simple protections, attackers will get little and quickly go elsewhere.

Today’s most successful enterprises have trusted and experienced partners to help them balance the risks and rewards of our connected world. Security is always a matter of balancing risk and threat against investment or insurance, and an investment today is well worth its value considering the potential damage. A strong security strategy has to start with a thorough assessment and, from the risk evaluation, move to deploying the appropriate security elements to keep users and data safe. Two well-proven sets of best practices are essential to implement: identifying users, computers and communicating devices at the edge of the network; and authenticating, encrypting and managing crypto keys at the core of the network. The security architecture, solutions, platforms and services already exist today, and they are flexible and able to evolve over the long life span of connected objects, allowing stakeholders to be ready today for the hacks of tomorrow.
