
Mobile Security

Security solutions for mobile as an endpoint


Table of Contents

The challenges of mobile security

Mobile security solutions: Introducing Strong Authentication

Secure all mobile devices fast with OTP

Move up to digital certificate-based identities and credentials

The future of mobile security: The Secure Element

Implementation: Mobile security made simple

Summing Up


Mobile Security | Security solutions for mobile as an endpoint

A complex environment to deploy secure solutions

The use of mobile devices in the workplace is an unstoppable trend, according to analysts at Gartner Inc., driven by employees who want to choose and use their own technology and executives seeking higher productivity, anytime/anywhere access and increased job satisfaction for their mobile workforces.

Whether you think of it as bring your own device (BYOD), the consumerization of IT or enterprise mobility, the trend is pervasive. According to IDC, 40.7% of devices used by information workers to access business applications are ones that they own themselves, including home PCs, smartphones and tablets such as Apple’s iPad.[1] Furthermore, organizations underestimate the number of information workers using consumer devices for work by 50%, according to a recent North American survey conducted by the Boston Research Group.[2] For IT teams, however, enabling access to enterprise and governmental infrastructures and information using customer-supplied mobile devices creates a complex environment in which to deploy secure solutions.

The goal of this white paper is to give an overview of problems associated with mobile security—and potential solutions—from the perspective of the mobile device as an endpoint: smart phones and tablets connected to the Internet in place of the conventional company-issued laptop or desktop PC.

As the global leader in digital security, last year alone Gemalto shipped more than six billion smart secure devices and supplied a wide range of software and services to hundreds of the world’s largest enterprises and government agencies. Our solutions help banks and mobile network operators ensure that billions of transactions every day are securely conducted between the right parties. They power ID documents that are practically impossible to forge. And they let people exchange information and access networks without fear of being spied on or hacked.

Drawing from our extensive knowledge and experience, we will explain what is needed to maximize security for mobile endpoints and how it can be implemented successfully in the rapidly changing and—from an IT standpoint—technologically immature mobile enterprise market.

We hope the information shared in this guide will empower you to find actionable ideas that you can use to achieve a high level of mobile security that empowers your organization to take full advantage of the productivity gains while ensuring protection for your own employees, customers, networks and information.

The challenges of mobile security

IT teams responsible for securely implementing mobile device access and applications must consider a wide range of security risks and implementation challenges.

[1] IDC, “2011 Consumerization of IT Study: Closing the Consumerization Gap,” July 2011.

[2] Boston Research Group, “2012 Mobile Security Study,” Feb. 2012. Survey of 365 IT network security professionals in North America with more than 1,000 employees.

> Lost or stolen devices: Americans alone lost about $30 billion worth of mobile phones last year[3] and with half of them using the same device for both business and personal activities, there is an evident risk that these devices can contain confidential company information or be used by hackers to gain access to IT systems.

> Mobile malware: According to Juniper Research, mobile malware more than doubled in 2011. It grew by 155% across all platforms – Apple’s iOS, Research In Motion’s BlackBerry and Symbian. Note this does not include the Google Android platform, which in the last seven months of 2011 grew by an astounding 3,325%. Hackers are targeting the mobile OS, the web browser, the means of communications, the client applications and the user behavior. Mobile malware uses all of the same techniques as with desktops or laptops: trojans, dialers, phishing, malicious sites, spoofing, and man-in-the-middle. The malicious attacks may result in identity theft, unauthorized access to confidential data, altered data, unwanted phone calls or denial of service.

> Rogue apps: The fact that people can choose their own apps, many at no charge, is a dream for hackers and a nightmare for IT security; Get Safe Online, a public service organization backed by the UK’s Office of Cyber Security and Information Assurance, found malware apps aimed at mobiles grew by 800% in just four months of 2011, and Russian security researchers at Kaspersky Lab found 34% of Android malware tried to steal personal information.[4]

> Remote Access: Inherent in the concept of the mobile enterprise is the need to connect securely over the Internet to internal or cloud-based resources, bringing with it the challenges of VPN software, identity management and authentication.

Several other factors complicate finding effective solutions to these problems when contrasted with conventional desktop and laptop solutions.

> Hardware limitations due to the small size of the device

> Relative immaturity of mobile operating systems, software architecture and device layers

> High rate of technology change with a constant onslaught of new mobile devices, operating software and apps

> Security based on sandboxing, leading to problems explained below

> Lack of standardization, particularly in digital security standards

Comparing the PC and mobile device markets for digital security solutions, the PC market has reached a maturity level with strong and established players both on the hardware and software side. The mobile market is still evolving for both mobile phone and tablet manufacturers and the mobile operating system developers. Sandboxing and the lack of standardization make the design and the deployment of security solutions more difficult. In PCs, software applications address various external libraries (DLLs) that can be deployed separately. This architecture is efficient in terms of interoperability and portability, allowing apps to be architected to run on various platforms and enabling the extensibility of the platform with new peripherals and layers.

[3] “Lost cellphones added up fast in 2011,” Roger Yu, USA TODAY, April 23, 2012, http://www.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1

[4] “Protect yourself against mobile malware in 2012,” by John Oates, PC Advisor, November 30, 2011, http://www.pcadvisor.co.uk/features/security/3321985/protect-youself-against-mobile-malware-in-2012/#ixzz1ytpWv6k0

These factors are evident shortcomings for the implementation of digital security in the mobile environment. In PCs, for example, strong multi-factor authentication based on smart card technology can easily be designed to run on various PC operating systems (Microsoft Windows, Linux, Apple iOS) and hardware platforms, and can address several types of smart cards and readers. This can be achieved because of standards adopted over the last 15 years.

The mobile environment has not adopted those digital security standards yet. Some new standards are under creation by standardization organizations such as GlobalPlatform, SIMalliance, Trusted Computing Group, NFC Forum and ISO. Governmental organizations will also release updates of security specifications taking into account the new mobile ecosystem, notably the National Institute of Standards and Technology (NIST) for the U.S. government Personal Identity Verification (PIV) and Common Access Card (CAC) cards, and ANTS–GIXEL for the European IAS-ECC cards.

In light of this, today digital security in mobile apps must be designed from the beginning to embed all the required layers and drivers. It is then deployed to the end user through the application store of the targeted mobile operating system. Should a second application be deployed, it cannot share the same elements as the first one and needs to embed them again. The user experience, provisioning and management will vary across these applications, creating complexity for IT teams and users alike.

The rapid rate of technology change and proliferation of new devices and software multiply these problems.

Mobile security solutions: Introducing Strong Authentication

Against these security risks, the main mitigation methods can be classified in the six categories shown here. These solutions are best used in combination, providing comprehensive layered mobile security.

User education is essential. According to one survey, only about one out of every three people knows that their mobile phone can get a virus.[5] Mobile Device Management (MDM) solutions are a core solution for mobile security that can help make sure devices are kept up-to-date, remotely wipe data from lost phones and manage apps. Mobile anti-virus software is a best practice; however, like on PCs, hackers are constantly creating new viruses that avoid detection until they are discovered and the anti-virus is updated, leaving mobile devices vulnerable to these “zero-day” attacks.

Illustration labels: Mobile Device Mgmt (MDM); Data encryption and signature; Education and awareness; Anti-virus and anti-spam software; Secure network access and VPN; Strong authentication; Secure Element (SE).

MDM and anti-virus, however, do not address these additional layers required to fully implement layered mobile security for access and data protection:

> Strong authentication based on two or three authentication factors to prove the user's identity

> Data encryption to keep the data secret even in the event of a data breach

> Digital signature to provide non-repudiable, internationally accepted legal signatures on electronic documents plus confirm the information hasn’t changed after it was signed

> Secure web access and VPN to securely connect to the enterprise network and applications

These additional layers of mobile security can be achieved by adding a personal security device that is independent of the mobile phone. Two options available immediately are:

> One-time password (OTP) tokens

> Smart card ID credentials with digital certificates

Authentication is proving your identity to an information system or service provider. For many organizations accessing mobile or Web services, this is usually done with a login ID (username) and password. Strong authentication provides much higher levels of mobile security by using a digital security device in addition to the login ID and password. This is also referred to as two-factor or multi-factor authentication, because you use two or more things to prove your identity. It combines something you have, the device, with something you know, your login ID and password.

An everyday analogy that illustrates this idea of strong authentication, or two-factor authentication, is how you withdraw cash at an ATM. Your ATM card (something you have) and your PIN code (something you know) are the “two factors” that provide you with strong authentication.

What makes strong authentication more secure for mobile devices is that both factors are required for a transaction. In the banking example, if someone knows your PIN code but does not have your bank card, they cannot steal money from your account. In the case of a mobile device, if someone steals your login ID and password or even your phone but does not have your security device, they cannot access your network, Web apps or information.

Secure all mobile devices fast with OTP

One-time password (OTP) solutions allow for secure remote access from a mobile endpoint and are commercially available, turnkey, proven and work from an Internet browser on any type of smart phone, tablet, laptop or desktop. A one-time password generated by a dedicated token can secure remote access from any tablet or smart phone. It can also be used to secure access to browser-based e-mail clients and cloud-based services, such as Google Apps, Amazon Web Services Management Console, and others.

While a mobile device itself can be used as an OTP token, in the context of mobile security it is recommended that the OTP token be a separate device that operates independently from the smart phone or tablet.

Securing access to your network with OTP provides an additional layer of security to username and password and presents a very high barrier to hackers. When the user needs to access corporate data resources using a mobile device, they simply enter their username and the numeric code provided by the OTP device (see illustration).

The authentication server validates the code and access is granted to appropriate network resources. This increases the security of the login process by ensuring that the person accessing the network is in possession of two factors of identity verification: something you have, the OTP token, and something you know, the username and potentially a password. This means that someone cannot simply steal a password from malware on your mobile device, for example, and use it to log into your IT systems; they need to have the OTP device to gain access.

There are many advantages to using OTP tokens for mobile security:

> Supports any mobile device including Android smartphones and tablets, Apple iOS devices including iPhones and iPads, and others

> Requires no changes to the mobile device hardware or software

> Easy and fast implementation at the device and system level

> Simple and intuitive for users, who enter the OTP through a browser window

Another important benefit to IT teams that implement OTP-based security is that it can work with either a VPN client or Microsoft Windows 7 DirectAccess for PC remote access.

In addition, standards-based OTP enables organizations to have full ownership of their key management through self-provisioning using recognized methods such as the IETF reference standards for Open Authentication organization (OATH) key provisioning. This means that there are no dependencies on the vendor maintaining the confidentiality of the keying material.
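The server-side validation described in this section, shown as an added example that is not part of the original paper. It assumes the token is an OATH event-based device (HOTP, RFC 4226), which the paper does not specify; the `AuthServer` class, the username and the look-ahead and lockout values are hypothetical, and the secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical authentication server: one token record per username."""

    def __init__(self, look_ahead: int = 3, max_failures: int = 5):
        self.look_ahead = look_ahead      # how far the token may run ahead
        self.max_failures = max_failures  # throttle guessing of 6-digit codes
        self.records = {}

    def enroll(self, username: str, secret: bytes, counter: int = 0) -> None:
        # The organization provisions and owns the secret (key ownership).
        self.records[username] = {"secret": secret, "counter": counter,
                                  "failures": 0}

    def verify(self, username: str, submitted: str) -> bool:
        rec = self.records.get(username)
        if rec is None or rec["failures"] >= self.max_failures:
            return False  # unknown user or locked-out token
        start = rec["counter"]
        for counter in range(start, start + self.look_ahead + 1):
            expected = hotp(rec["secret"], counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Move past the accepted counter so the code cannot be replayed.
                rec["counter"] = counter + 1
                rec["failures"] = 0
                return True
        rec["failures"] += 1
        return False


def demo() -> list:
    """Constructed scenario: login, replay, skipped button presses, stale window."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    server = AuthServer()
    server.enroll("alice", secret)
    results = []
    code = hotp(secret, 0)                         # user presses the button
    results.append(server.verify("alice", code))   # first login succeeds
    results.append(server.verify("alice", code))   # same code replayed
    # Button pressed twice without logging in: token is now at counter 3.
    results.append(server.verify("alice", hotp(secret, 3)))
    # Server is now at counter 4; a code from counter 9 is outside the window.
    results.append(server.verify("alice", hotp(secret, 9)))
    return results


if __name__ == "__main__":
    print(demo())
```

A code stolen by malware after it has been used is rejected because the server counter has already moved past it, and the failure counter limits guessing against the short numeric code.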

Move up to digital certificate-based identities and credentials

While OTP authentication for mobile security is a significant step up from username and password, digital identity certificates on smart card-based identity credentials raise the mobile security bar even further and enable many other applications such as digital signature and e-mail and file encryption.

A digital identity certificate is a software token issued using public key infrastructure (PKI) technology. Digital ID certificates are widely used to secure identities in information systems and supported by all leading IT infrastructure providers.

Illustration: OTP authentication

The enterprise employee is prompted to create a one-time password (OTP) for authentication to the enterprise network and applications.

The enterprise employee creates an OTP by simply pushing a button on the OTP device.

The OTP appears on the device, and the enterprise employee enters it along with his/her username.

The username and OTP are verified, and the enterprise employee has secure access to the enterprise network and applications.

By putting a digital ID certificate on a smart card, you not only create a very powerful mobile security authentication device, you also get a highly secure ID credential for secure visual identity verification and physical access control.

To use a smart card ID with a mobile device, you must connect a special reader device that is connected to the mobile device with a cable, as a sleeve around the mobile device, or via Bluetooth wireless technologies (see illustration). The NFC interface, when available on the mobile, can also be used with dual-interface cards.

Once the PIN code is accepted, unlocking the card, there is an encrypted authentication exchange between the smart card and the host system. What makes this approach so secure is that the smart card uses its own processor and software independent of the PC to authenticate the user. Since this authentication is isolated from the mobile device and is unique with each login, users are protected from any threats on the end user device, the network or the Internet.

The future of mobile security: The Secure Element

As the mobile industry advances and standards mature, more security options are becoming available to store digital ID credentials directly in a hardware-based “secure element” that is part of a smart phone or mobile tablet architecture. The secure element is based on smart card technology such as a SIM/UICC card, a microSD card or an embedded secure element chipset.

In all these cases, the secure element is the key security factor that generates and stores cryptographic secrets and performs the associated algorithms needed for strong authentication and other digital security services.

Since the secure element is based on the same security chips as smart cards, it offers a superior level of protection that cannot be matched by software-only approaches. What makes a secure element an effective mobile security solution is that it has its own processor, data storage and operating software so it can operate independently of the mobile device processor and operating software.

Illustration: smart card authentication

The employee badge contains a secure contact smart card.

The enterprise employee inserts his/her badge into the reader, and enters his/her PIN.

The smart card provides advanced authentication for secure access to the enterprise network and applications.

Illustration: a smart card, outside and inside

Smart card technology uses a computer and software with 100s of built-in security features. The whole piece is embedded into a plastic card or hard token.

The contacts on the surface of the device are connected to wires running from a computer chip under the surface.

Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and one billion smart credit cards worldwide from fraud. The technology is also the basis of a global standard for electronic passports to strengthen security and prevent counterfeiting.

In addition to strong authentication, the secure element can also sign documents and emails digitally, encrypt the data on the mobile devices, providing protection against data loss, and perform other functions to ensure mobile security. A pure software application that is not based on a secure element can be attacked by a variety of proven malware techniques similar to those used in PC environments, and will not provide adequate mobile security. The chart below summarizes the main characteristics of different secure element options.

Secure elements: main characteristics

Contact smart card: Standard contact smart card with digital ID certificate (PKI) and/or OTP functions and visual information. Optional contactless card bodies are available for physical access control and ePurse functions.

Dual smart card: A smart card with both contact and contactless (wireless) communication interfaces based on industry standards (ISO 14443 and Near Field Communication - NFC).

Secure microSD: Secure microSD card comprising a micro-controller, a smart card chip and a Flash memory chip (2 GB for example).

Embedded secure element: Smart card chip in an integrated circuit form factor, which is mounted directly on the mobile device motherboard or embedded in the NFC component.

UICC-SIM card: The SIM card or newer UICC replacements containing smart card chips and provided by the telecom operator; these devices manage the subscriber identity and rights and could also be used as a secure element.

Security solutions for mobile devices can be complex to deploy due to the wide variety of mobile operating systems, the rapid rate of change in software and apps, and the lack of standardization and maturity in digital security aspects of their hardware and software. The big advantage of a secure element is that it can be used for mobile security independently of the mobile device. This means that over time, these devices can be easily adapted for use with any mobile device and in some cases across families of devices without any change to the mobile device software.

Another emerging concept is to put a secure software architecture directly in the mobile platform that can be used as a trusted execution environment (TEE). The TEE is embedded in the mobile device during manufacturing and delivers a greater level of mobile security and protects users by isolating secure applications from malware which might be downloaded inadvertently. The TEE is a secure area that resides in the main processor of the phone and guarantees that the digital credential is stored, processed and protected in a trusted environment. The TEE is designed to work with or without a secure element and helps to create a trusted user interface for applications such as PIN entry.

GlobalPlatform, an organization which standardizes the management of applications on secure chip technology such as smart card-based SIM/UICC mobile phones and EMV bankcards, is currently working to standardize the technology to ensure an open and interoperable ecosystem for mobile services.

Implementation: Mobile security made simple

While the mobile security market has certainly not reached its maturity level yet, one bit of good news is that because of the maturity of the smart card technology underlying the secure element as well as OTP technology in the IT space, implementing either OTP or a digital ID is very straightforward today and eliminates many of the implementation complexities and unknowns.

All leading IT infrastructure suppliers, including Microsoft, IBM, HP, Computer Associates, Citrix, Adobe and many more, are already fully supporting the use of OTP tokens and smart card-based advanced authentication. In fact, many of these IT leaders already use smart card ID credentials internally themselves. If your organization is primarily operating a Microsoft environment, you can be assured your core infrastructure is ready to evolve into advanced authentication security. Key Microsoft components that support smart card-based credentials and certificates include:

> Active Directory, Active Directory Federated Services (ADFS), and Forefront Identity Manager (FIM): tools for certificate issuance, authentication and access control for credentials, and identity management

> Windows desktops and server operating systems: full support for desktop logins, terminal services and security policy enforcement, as well as self-service provisioning and maintenance with FIM for everyday tasks like PIN resets

> Applications including Outlook, SharePoint, Office: login, digital signature and encryption capabilities

For Linux and Apple infrastructures, implementation at the desktop level is also readily achieved using off-the-shelf resources. Provisioning and the life cycle management of the credentials can be accomplished using Microsoft’s FIM or solutions from other providers.

To provide the advanced authentication service for either OTP tokens or smart cards, you will need to add a Versatile Authentication Server, a system that connects into your core infrastructure to handle the authentication process initiated from end user personal security devices and secure elements.

You also will need to establish a thorough provisioning process that strongly binds credentials to an individual user, and to develop secure and thorough exception processes and backup access methods for common user situations such as forgotten, lost, and stolen credentials.

Finally, as in any significant process change, implement change management and user training and education initiatives.

Summing Up

Every week brings new stories of leading companies whose reputations—and their customers’ personal or financial information—are damaged by data breaches, a problem that can be prevented by using advanced authentication. It is evident that username and password authentication is simply not a secure way to protect IT systems being accessed from mobile devices. Making an OTP token or certificate-based smart card ID credential part of your mobile protection procedure can prevent data loss and protect confidential information.

In these times of criminal hackers, hacktivists and potentially cyber warfare, strong authentication and data protection for mobile devices using these technologies is now an essential layer for information security in every organization.

Thank You for Reading

The purpose of this brief is to give you an overview of the available solutions to solve many of the problems associated with mobile security and the BYOD trend.

We hope these ideas can help you start planning new possibilities for a mobile security IT strategy to better protect your organization.

What did you find most useful? What would you like to know more about? We look forward to hearing your feedback and questions.

Where do you go from here? To start, we hope you share this brief with your colleagues. Work with your management to make sure they understand the threats and rationale for implementing strong authentication in conjunction with the other elements of your mobile security strategy, and what that will do to strengthen the security of your IT infrastructure. And in the case of smart card ID credentials, it will dramatically increase your identity and physical access control security as well.


The world leader in digital security

www.gemalto.com

© 2012 Gemalto. All rights reserved. Gemalto, the Gemalto logo are trademarks and service marks of Gemalto NV and are register
