Identity – the new security perimeter



FEATURE

ensure they can be implemented in close co-ordination between the IT and security staff.

• Where required for scale, implement an electronic governance, risk management, and compliance system (eGRC) to monitor security controls and compliance to policy and procedures.

• Conduct regular penetration testing of security controls by an outside party to assess effectiveness.

• Conduct brand and executive intelligence surveillance of the organisation to help identify threat actors, quantify their risk to the organisation, and assess vulnerabilities to these threat actors’ capabilities.

• Ensure IT and security staff are involved in merger and acquisition processes, and develop a plan for integrating the newly acquired IT infrastructure into the parent organisation security plan.

• Implement a security checklist for the software development lifecycle (SDLC) internal to the organisation. Ensure application development considers security and the risk accepted during the SDLC is transparent so security staff can reduce the residual risk.

About the author

Rafe Pilling is a principal security consultant at Dell SecureWorks. He is an experienced information security consultant and has worked at Dell SecureWorks for seven years. In this time he has built up expertise in digital forensics, security incident response and malware analysis. He has a key role in advising businesses how to protect their networks and infrastructure. Pilling architects complex solutions to threat scenarios and provides consultancy on a variety of cyber-security threats.


Identity – the new security perimeter

Chris Edwards, Intercede

The consumerisation of IT has fuelled a dramatic increase in the use of mobile devices in the workplace. Whether in the office, travelling, working from home, or just in a conference room, the employee expectation is to have immediate access to information via voice, chat, text or email. If their corporate device does not allow this, they can, and will wherever possible, use their personal device to access corporate data. According to a recent survey by YouGov, nearly half of British employees are adopting the Bring Your Own Device (BYOD) trend – using their personal devices for work purposes.1 Businesses too are embracing this trend so that they can seize the productivity and efficiency gains it promises to deliver. However, if employees are using their own devices to access sensitive data from the corporate network, companies need to ensure that they protect it from harmful distribution or possible intellectual property (IP) leakage. That’s why they need to link an appropriate identity to the device – ensuring only a trusted individual can access sensitive information and applications from a mobile device is a fundamental requirement for both corporate-issued and personal mobile devices.

Computer Fraud & Security

One device, multiple identities

For work use, an email client and a secure browser for accessing corporate portals are among the apps that a typical employee will need to complete their daily tasks. The corporate IT department needs to ensure that the digital identity used to enable access to these resources is securely linked to the correct person, as well as ensure they can disable that access when appropriate. Organisations now realise that users need a place on the mobile device for personal apps and data that can function concurrently with work activities. If an employee leaves, IT can simultaneously terminate access from their mobile device. Importantly, an IT organisation must be able to erase all of the work data, without touching the former employee’s personal files.

Identity is the new perimeter

This increased mobility also has been a major driver in the shift away from ring-fencing intellectual property and sensitive data such as customer information and financial details. Reducing the risk of compromise from threats, such as organised crime, overseas espionage, hacktivists and simple unintentional human error, by keeping the data contained within the company premises is no longer a realistic approach. The firewalled ‘corporate boundary’ has traditionally been seen as the security perimeter. However, the perimeter needs to be redefined following the advent of the BYOD trend as it enables users to access data beyond the protection of the firewall. An emerging view is that identity is the new perimeter. The set of applications used with a work identity and the associated credentials on a mobile device define a perimeter that an employer needs to manage and secure. This perimeter needs to be visible to the employee. It has to be very clear if they are sending a personal or professional email – security is as much about making it easy for the user to do the correct thing as it is about technical enforcement. Since email may contain enterprise confidential information, apps will be secured with some kind of lock, a PIN or possibly a biometric check if the phone has the capability. Fingerprint scanners are already built in for some devices, and can be added on for others. There are also other biometric options in development, such as iris scan or voice recognition. Once unlocked, the user can interact with data and applications using their work identity as though they are on a workstation inside the company.

September 2013

Beyond passwords

While the security perimeter is being redefined, it is becoming increasingly apparent that passwords are no longer a sufficiently secure means of proving an identity. Fortunately, the mobile device presents a robust platform for adding security layers to ensure that the person accessing the data really is the person they claim to be. Virtually every mobile device has one or more secure elements that can be used to securely store keys and perform cryptographic operations. This capability can be used to enhance the security of digital identities. The credentials are stored in the secure element, and critical functions of cryptography are performed inside the secure element without exposing the keys.
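As an added illustration of the mechanism described above (this is example code, not part of the article and not Intercede's or MyID's implementation), the following Go model keeps one signing key per persona inside a SecureElement type that has no key accessor: a PIN gates every operation, the element only ever hands out the public half at enrolment, and the relying party proves possession by verifying a signed challenge. The type and function names (SecureElement, Enroll, Unlock, Sign, VerifyResponse) are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SecureElement models a hardware key store: private keys sit in an unexported field with no getter, so the only way to use them is through Sign.
type SecureElement struct {
	keys     map[string]*ecdsa.PrivateKey // one key per persona, e.g. "work", "personal"
	pin      string
	unlocked bool
}

func NewSecureElement(pin string) *SecureElement {
	return &SecureElement{keys: map[string]*ecdsa.PrivateKey{}, pin: pin}
}

// Enroll generates a persona key inside the element and hands out only the public half for the relying party to register.
func (se *SecureElement) Enroll(persona string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	se.keys[persona] = k
	return &k.PublicKey, nil
}

// Unlock is the PIN (or biometric) gate in front of every signing operation.
func (se *SecureElement) Unlock(pin string) { se.unlocked = pin == se.pin }

// Sign answers a relying party's challenge with the named persona's key.
func (se *SecureElement) Sign(persona string, challenge []byte) ([]byte, error) {
	k, ok := se.keys[persona]
	if !se.unlocked || !ok {
		return nil, errors.New("element locked or persona not enrolled")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// VerifyResponse is the relying party's side: a fresh challenge checked against
// the enrolled public key proves possession of a key that never left the element.
func VerifyResponse(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

In a real secure element the unexported-field boundary is enforced by hardware rather than by the Go type system, and the relying party must issue a fresh random challenge per login so a captured signature cannot be replayed.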

Looking to the future

Modern smartphone and tablet operating systems have support for device, application and identity management. Looking forward, the industry can see that the functionality operating systems provide will become richer, providing enhanced features and better security. Enhanced security features in the hardware will significantly improve the security of mobile device use and will increase the isolation between personal and professional identities. Several handsets already support the ARM Trusted Execution Environment, which provides hardware protection to prevent malware on the phone stealing secrets or interfering with the security of apps. Investments are being made in operating systems to provide higher levels of support for credential management to support Bring Your Own Identity (BYOI) and to strengthen the security of the platform. In 2013, the BlackBerry 10 is adding support for dual personas with the Balance application, and SE Android is the platform for solutions like the Samsung Knox that also offer separate containers for personal and work applications.

Conclusion

While the focus this year is on managing two identities securely on one device, as the market matures, there will be a trend to support additional identities, each with its own perimeter. A person might have a second job, or want to use a suite of healthcare apps that link securely to their healthcare provider. In each of these cases, the device holder will want to enable a set of apps to use a strongly authenticated identity that is separate from others. As user mobility continues to increase, devices become more powerful and mobile device usage becomes the norm, Bring Your Own Identity is a critical piece in increasing productivity and maximising value.

About the author

Dr Chris Edwards is chief technical officer at Intercede where he was responsible for the initial design of the MyID product and retains overall responsibility for the architecture and use of technology within it. He has over 30 years’ senior level experience within the IT industry, 12 of them within the security sector. Edwards was instrumental in making MyID the first electronic personalisation system to achieve FIPS 201 accreditation as part of the US HSPD-12 PIV Approved Products Scheme, and has substantial experience of working on both US and UK government security projects.

Reference

1. Wilson, Evelynne. ‘Bring your own device? Still the company’s responsibility’. The Guardian, 19 Mar 2013. Accessed July 2013. www.guardian.co.uk/media-network/media-network-blog/2013/mar/19/bring-your-own-device-byod-datarisk-security.
