A SURVEY OF ID TECHNOLOGY - FALL 2014 - ISSUE 39
IDENTITY, SECURITY & THE INTERNET OF THINGS
INNOVATION KEEPS YOU ONE JUMP AHEAD
Clay by SALTO, 2014
90 countries
1,500,000+ locks
13,000+ projects
15,000,000+ people use SALTO products every day
We’re driven by innovation. Guided by our insights into customer needs, we deliver industry-leading, next-generation electronic locking solutions without wires and without mechanical keys. Since 2001, SALTO has been redefining the access control world by continually being first to anticipate market needs in a rapidly evolving marketplace. We set new standards in security, manageability and scalability. With SALTO say goodbye to mechanical keys. SALTO hardware and software can be networked without wires to provide real-time intelligence and instant control, enabling integration with existing systems to improve manageability and enhance end-user experience.
SALTO SYSTEMS WORLDWIDE: Australia, Belgium, Canada, Czech Republic, Denmark, France, Germany, Italy, Mexico, The Netherlands, Norway, Poland, Portugal, Singapore, Slovak Republic, South Africa, Spain, Sweden, Switzerland, UAE, UK, USA.
www.saltosystems.com
RELIABILITY DELIVERED: DEPEND ON CONSISTENT CARD PRINTING WITH DATACARD® SECURE ID SOLUTIONS
Our printers, supplies and software are engineered and tested to work together so you can dependably deliver IDs on time and on budget. Our commitment to Secure Issuance Anywhere™ means that you can count on Datacard Group to deliver superior reliability and proven technology — anytime and anywhere you need it. Demand the performance you need. Demand Datacard® secure ID solutions. Get started by contacting an authorized Datacard partner near you. Call 1-800-995-0503 or visit www.datacard.com/id
Datacard and Secure Issuance Anywhere are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.
CONTENTS
6 Editorial: Forecasting the catastrophic breach - Will only disaster bring change?
8 ID Shorts - News and posts from the web
24 Cover Story: Identity and the Internet of Things - These days there cannot be a conversation in the identity world without mention of the Internet of Things. The devices and the people connecting to them need to be securely identified, controlled and protected. The potential to use the data as attributes for authentication is tremendous. Standards work is already underway but we find ourselves in another technology-inspired Wild West.
26 On the Internet nobody knows you’re a toaster
30 Forecasting the Internet of Things - Enabling access with the Internet of Things
32 The future of digital ID - What will online identity and authentication look like in five years? In this issue AVISIAN staff as well as a panel of industry experts peer into various crystal balls in pursuit of a glimpse. Prepare yourself for adaptive and continuous authentication, trust battles, user control … and flying cars?
32 The future of identity: Defining a new converged identity
36 Digital identity in 2019: A vibrant identity ecosystem
37 How we democratized identity, took back control and changed the world
38 What hydrogen-powered flying cars tell us about the future of digital identity in 2019
40 Keys to ensuring a federated future
42 Abandoning identity in favor of attributes
44 Whither cards? Secure identities move to smart devices
45 The future of the identity ecosystem is mobile
46 Certificates, trusted identities and the Internet of Things
49 Digital identity is closer than you think
50 BYOID: Study defines state of ‘Bring Your Own Identity’ - Bring Your Own Device is old hat. The latest and greatest is Bring Your Own Identity. Business-to-consumer sites are starting to explore the use of outside identities such as Facebook and Google. At the same time, the enterprise world is considering use of these identities as a new factor of employee authentication.
52 Bolstering borders - New technologies create virtual fences
54 Emmental hack exposes holes in two-factor authentication
56 Should prox replace passwords in health care? A step back, rather than a security upgrade
58 Doodling your way to secure access - Free form gesture biometrics may be new key to authentication
59 Researchers find gesture has high security, ease of use
60 GlobalPlatform: Balance security, usability in standards
61 GlobalPlatform’s core security specs
62 Collision course: Privacy, payments and digital identity
64 Trusted NFC tags expand authentication applications
66 Vascular biometrics for the eye - New ‘eye vein’ modality unlocks mobile, apps
ABOUT
EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Gina Jordan
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2014 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com
FORECASTING THE CATASTROPHIC BREACH: WILL ONLY DISASTER BRING CHANGE?
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
This spring my wife and I welcomed our first child into the world. There’s a good chance that there will only be one “Finula Ann” when she starts school in a few years, but this had me thinking about the future of digital identity and what it may look like when she starts to brave the online frontier. I look at the August credential breach where hackers stole 1.2 billion user names and passwords, the Heartbleed vulnerability from earlier in the year and countless others before that, and I wonder if she’ll have to worry about juggling usernames and passwords.

There are a lot of interesting predictions in this issue on what identity will look like in five years. Our editorial team’s vision might be a bit on the optimistic side, but the hope is that passwords are deprecated in the future as other attributes take leading roles in identity and authentication. The Internet of Things is going to play a role in this future as well, with devices not only consuming identity information but providing it as well. Driving to the office in a connected car will be one of hundreds of attributes of authentication. So, too, will be routine behaviors like coffee making and even tooth brushing. A lot has to happen to make all these systems communicate in a secure and private way but the technologies already exist to make online identity more secure and convenient. Our challenge is assembling the puzzle pieces. Hopefully when these systems are available relying parties will step up and start to deploy them.

The latest identity breach has consumers once again rushing to change passwords across multiple sites. Still relying parties don’t seem to be taking these breaches seriously. Part of the reason is that they’re not feeling the pain. LinkedIn had 6.5 million passwords stolen in 2012 but it’s still the biggest job-networking site out there. Heartbleed affected many major sites but you haven’t heard of mass customer migrations.
This latest breach is impacting more people; still the reaction is downright predictable. A breach happens, people post about it on Twitter and Facebook, passwords are changed – or they aren’t – and people move on with their business. There is the occasional story about a bank account being emptied or purchases being made but those are few and far between. Consumers are tired of changing passwords, but few take their business elsewhere. If 1.2 billion compromised accounts is not enough to influence change, what might it take? My fear is that only the catastrophic breach will bring transformation. Something along the lines of financial accounts wiped out, government records erased or Social Security numbers released en masse.
Relying parties seem all too willing to sit back and wait for the big one to hit and then deal with it after the fact. Change has to be on the horizon. I know it’s just a matter of time before Finula wants to start playing on my tablet but it will be years before she signs up for any parent-approved accounts. I hope the authentication technology is better than an eight-character password … that I will likely have to remember for her.
Do you know who has proper authorization to be in your secured facility?
SAFE by Quantum Secure. Visit our website to learn more: www.quantumsecure.com/government
ID SHORTS: HIGHLIGHTS FROM SECUREIDNEWS.COM
TOUCH ID-ENABLED APPS STARTING TO APPEAR
Apple is opening up the APIs for Touch ID so the fingerprint scanner can be used for access to specific apps, and some authentication companies are preparing for the feature. A handful of companies announced plans to take advantage of the biometric scanner for access. IdentityX, a Daon affiliate, launched a system update with support for Apple’s Touch ID fingerprint technology. IdentityX’s universal authentication platform for mobile devices – the Infinity Platform – enables users to mix and match security factors of the past such as passwords and hard tokens with modern factors such as voice, facial, vein and iris recognition. Infinity already supports fingerprint-enabled Windows devices and is currently being integrated with fingerprint readers on Android-based devices such as the Samsung Galaxy S5. With the integration of Apple’s Touch ID, IdentityX is positioned for support of fingerprints to authenticate enterprise applications, regardless of the type of mobile device employees or customers own. The Infinity Platform with support for Touch ID is available in open beta and will be formally released with iOS 8 this fall.

Nok Nok Labs also integrated its Multi-Factor Authentication Client with the Touch ID API. It took Nok Nok engineers just two days to add Touch ID to the FIDO Alliance client, so that any existing application integrated with the FIDO iOS client will be able to use the feature, according to a blog post from Nok Nok Labs. Nok Nok was critical of the deployment though, saying it only provides two capabilities: the ability to determine if the user was successfully authenticated to the device using the fingerprint sensor, and the ability to unlock iOS keychain data with successful fingerprint authentication for access to apps. They suggest that enabling Touch ID to be used for authentication to remote servers would be a welcome addition.
CALENDAR
SEPTEMBER
2014 Biometric Consortium Conference & Global Identity Summit, September 16-18, Tampa Convention Center, Tampa, Fla.
NFC Mobile Money Summit 2014, September 22-23, W Hotel Atlanta - Midtown, Atlanta, Ga.
ASIS 2014, September 29 - October 2, Georgia World Congress Center, Atlanta, Ga.
OCTOBER
Smart Card Alliance Government Conference, October 29-30, Walter E. Washington Convention Center, Washington D.C.
Security Industry Association’s Securing New Ground, October 29-30, Millennium Broadway Hotel, New York, New York
NOVEMBER
CARTES Secure Connexions, November 4-6, Paris Nord Villepinte Exhibition Centre, Paris, France
ISC East, November 19-20, Javits Center, New York, New York
FEBRUARY 2015
2015 Payments Summit, February 3-5, 2015, Grand America Hotel, Salt Lake City, Utah
MARCH
NACCU 2015, March 8-11, Sheraton New Orleans, New Orleans, La.
APRIL
RSA Conference 2015, April 20-24, Moscone Center, San Francisco, Calif.

NEW STANDARDS TO INCREASE PHYSICAL SECURITY OF CRITICAL POWER GRID
The North American Electric Reliability Corporation (NERC) has proposed guidelines to improve the physical security of the power grid. NERC is the regulatory authority that works to ensure the reliability of North America’s bulk power system. NERC’s Physical Security Reliability Standard (CIP-014-1) was submitted for consideration by the Federal Energy Regulatory Commission (FERC). On March 7, 2014, the Commission issued a Physical Security Order that gave NERC 90 days to draft reliability standards that address physical security risks and vulnerabilities. The proposed standard would require owners and operators of critical power facilities to identify and protect those locations that would result in widespread outages if damaged by physical attack. The Commission suggested that owners and operators should take at least three steps:
1. “Perform a risk assessment of their systems to identify their ‘critical facilities’
2. Evaluate the potential threats and vulnerabilities to those identified critical facilities
3. Develop and implement a security plan designed to protect against attacks based on the assessment of the potential threats and vulnerabilities to their physical security.”
NERC’s proposed CIP-014-1 standard responded by outlining six requirements for transmission stations, transmission substations and their associated primary control centers. These include:
1. Owners must perform risk assessments on a periodic basis to identify their critical transmission stations and substations as well as the primary control center for each
2. An unaffiliated third party must verify the risk assessment performed above
3. Transmission owners must notify a transmission operator that operationally controls a primary control center identified under Requirement R1 of such identification and its resulting obligations
4. Transmission owners and operators must conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each identified critical facility
5. Transmission owners and operators must develop and implement a documented physical security plan that covers each of its identified critical facilities
6. An unaffiliated third party must review the physical security plan developed by the owner and operator.
Key to the requirements is the physical security plan that must be developed for each facility. While it does not make specific directives regarding technologies or systems to deploy, it will likely result in a review of PACS/LACS and identity management systems across the massive power grid. It does establish that the security plan should include:
- Security measures designed collectively to deter, detect, delay, assess, communicate and respond to potential physical threats and identified vulnerabilities
- Law enforcement contact and coordination information
- Timeline for executing the physical security enhancements and modifications specified in the physical security plan
- Provisions to evaluate evolving physical threats and corresponding security measures.
The standard specifically lists security measures including security guards, video cameras, fences or ballistic protections. Certainly, it seems likely that the intent would also encompass other critical PACS technologies, components, identity management and credentialing solutions, visitor management solutions and more.

TOOPHER ENABLES TWO-FACTOR ‘INVISIBLE AUTHENTICATION’
Toopher is touting invisible authentication but also may have one of the coolest tag lines for an identity company out there: “cool enough for James Bond and your mom can use it too.” Once an enterprise enables a site for Toopher, a user’s mobile device can serve as a second factor of authentication, says Roman Gonzalez, marketing director at the company. A consumer logs in to a Toopher-enabled site and opts to enroll their mobile device. They are asked to download the Toopher app to their mobile, if they have not already done so. A message is sent to the app, detailing the site to be added to the user’s Toopher chain. The consumer can choose to allow or deny the site. After approving the login request the individual would be logged on to the site. After this enrollment has been completed, the invisible authentication takes over. Toopher uses the geolocation feature of the mobile device, learning where a user typically logs in to various sites. If a login comes from a location that is not typical, a request is sent to the mobile to further authenticate prior to allowing the transaction. The system can also be used to authorize only specific transactions from a provider’s suite of services, Gonzalez explains. For example, if an individual is transferring funds or doing another high-risk transaction, Toopher can be used to authenticate the identity. The idea is to make transactions more secure without having to pull out the mobile device for every login, Gonzalez says. “It’s an invisible user experience,” he adds. Toopher is focusing on the financial services market for account access and also has a product that enables consumers to validate payment card transactions. The company also has products available for employee and enterprise access control.
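A toy version of the adaptive second factor the Toopher item describes, added here as an illustration rather than Toopher's own code: a login from a place the user has not been seen before, or any high-risk transaction, prompts the enrolled phone, while logins from learned locations pass invisibly. The location profile, the 50 km radius, the two-sighting threshold, the high-risk action set and the sample coordinates are assumptions.

```python
"""Adaptive second factor: prompt the enrolled phone only for logins from an
atypical location or for high-risk transactions. Added illustration, not
Toopher's code; radius, threshold, action set and coordinates are assumed."""
import math
from collections import defaultdict

TYPICAL_RADIUS_KM = 50.0   # assumed: within this distance of a learned spot counts as typical
MIN_SIGHTINGS = 2          # assumed: a spot is "typical" once this many logins were approved there
HIGH_RISK_ACTIONS = {"transfer_funds", "change_password"}  # assumed: always prompt the phone

# Constructed sample coordinates (lat, lon) for the walkthrough.
AUSTIN = (30.27, -97.74)
MOSCOW = (55.75, 37.62)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class InvisibleAuth:
    def __init__(self):
        self.enrolled = {}                # user -> id of the enrolled phone
        self.spots = defaultdict(list)    # user -> [[lat, lon, approved_logins], ...]

    def enroll(self, user, phone_id, approved_on_phone):
        """Enrollment: the site joins the user's chain only if the user
        allowed the request in the app."""
        if approved_on_phone:
            self.enrolled[user] = phone_id
        return approved_on_phone

    def _is_typical(self, user, loc):
        return any(n >= MIN_SIGHTINGS and haversine_km((lat, lon), loc) <= TYPICAL_RADIUS_KM
                   for lat, lon, n in self.spots[user])

    def _remember(self, user, loc):
        for spot in self.spots[user]:
            if haversine_km((spot[0], spot[1]), loc) <= TYPICAL_RADIUS_KM:
                spot[2] += 1
                return
        self.spots[user].append([loc[0], loc[1], 1])

    def authorize(self, user, loc, action="login", push=None):
        """Decide a login or transaction. `push(phone_id, prompt) -> bool`
        stands in for the approve/deny prompt on the phone; None means the
        phone cannot be reached. Returns (granted, reason)."""
        if user not in self.enrolled:
            return False, "not enrolled"
        if action not in HIGH_RISK_ACTIONS and self._is_typical(user, loc):
            self._remember(user, loc)            # keep the location profile fresh
            return True, "typical location, invisible"
        if push is None:
            return False, "step-up required but phone unreachable"
        if not push(self.enrolled[user], f"{action} from {loc}"):
            return False, "denied on phone"
        if action == "login":
            self._remember(user, loc)            # an approved login teaches a new spot
        return True, "approved on phone"


def walkthrough():
    """Constructed sequence: two approved Austin logins make Austin typical,
    a Moscow login then needs the phone, and a transfer always does."""
    auth = InvisibleAuth()
    auth.enroll("alice", "phone-1", approved_on_phone=True)
    approve = lambda phone, prompt: True
    deny = lambda phone, prompt: False
    return [
        auth.authorize("alice", AUSTIN, push=approve)[1],
        auth.authorize("alice", AUSTIN, push=approve)[1],
        auth.authorize("alice", AUSTIN)[1],
        auth.authorize("alice", MOSCOW)[1],
        auth.authorize("alice", MOSCOW, push=deny)[1],
        auth.authorize("alice", AUSTIN, action="transfer_funds", push=approve)[1],
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```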
EGYPT TURNS TO SMART CARDS FOR BREAD DISTRIBUTION
A new smart card system for the distribution of subsidized bread is cutting wheat consumption and alleviating government waste and foreign services. The pilot started last year in an attempt to find a solution to Egypt’s bread subsidy system that has been plagued with corruption and waste. The bread subsidy represents nearly two-thirds of the country’s $5 billion per year food subsidy costs. The new system enables the government to monitor individual consumption of bread via smart cards, which replaced the country’s previous paper credentials and were already in use for other subsidized goods including rice and sugar. Egypt is the world’s largest importer of wheat, purchasing an estimated 10 million tons each year – largely the result of the estimated 210 million loaves of subsidized flat bread consumed each day. According to a Reuters report, statistics compiled from the initial stage of the new bread subsidy program, located in the Suez Canal city of Port Said, suggest a noticeable drop in wheat consumption – 30%, in fact. Under the old system, there was no limit on the amount of subsidized bread citizens could get. The new system works by allowing each smart card holder to obtain five loaves per family member per day – a number that officials hope can be reduced over time. To facilitate this, the system also features a points system that enables citizens who consume less than their quota to spend their savings on other commodities. As of July 2013, Egypt began limiting its subsidy cards to citizens whose monthly income is below 1,500 Egyptian pounds, or U.S. $209. Resembling a cash-transfer system, each smart subsidy card carries a certain number of points depending on the number of family members, with each commodity or foodstuff worth a specific number of points. While holders of subsidy cards are accustomed to monthly rations of cooking oil, sugar and rice, the restriction on the amount of subsidized bread is a new one. Egyptian officials expect the program to spread beyond Port Said and be implemented countrywide in the coming months. Based on the success with foodstuff subsidies, Egypt is planning a similar initiative that will issue smart cards to Egyptian drivers in order to monitor fuel consumption. This system is yet to go live, but is another example of how the country intends to use identity technology to reform its subsidy programs.
GARTNER: HACKERS WILL TARGET MOBILE DEVICES
Hackers are going to focus more on smart phones and tablets and less on laptops and PCs, according to a report from Gartner Inc. Some 2.2 billion smart phones and tablets will be sold in 2014, making it an enticing target for fraudsters. While security incidents originating from mobile devices are rare, Gartner said that by 2017, 75% of mobile security breaches would be the result of mobile application misconfiguration. Most of these hacks will originate with misconfigured apps or devices. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” says Dionisio Zumerle, principal research analyst at Gartner. While these methods enable users to access certain device resources that are normally inaccessible, they also put data in danger. This is because they remove app-specific protections provided by the operating system. They can also enable malware to be downloaded to the device and open it up to all sorts of malicious actions, including extraction of enterprise data. Rooted or jailbroken mobile devices also become prone to brute force attacks on passcodes. The best defense is to keep mobile devices fixed in a safe configuration by means of a mobile device management policy, supplemented by app shielding and “containers” that protect important data. Gartner recommends that IT security leaders follow a mobile device management and enterprise mobility management baseline for Android and Apple devices as follows:
- Ask users to opt in to basic enterprise policies, and be prepared to revoke access controls in the event of changes. Users that are not able to bring their devices into basic compliance must be denied, or given extremely limited, access.
- Require that device passcodes include length and complexity as well as strict retry and timeout standards.
- Specify minimum and maximum versions of platforms and operating systems. Disallow models that cannot be updated or supported.
- Enforce a “no jailbreaking/no rooting” rule, and restrict the use of unapproved third-party app stores. Devices in violation should be disconnected from sources of business data, and potentially wiped, depending on policy choices.
- Require signed apps and certificates for access to business email, virtual private networks, Wi-Fi and shielded apps.
IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.
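A device-posture gate that applies the baseline above, added as an example (not Gartner's or any MDM vendor's code): each baseline item becomes a check, jailbreak/rooting and unapproved stores outrank everything else, and suspicious activity maps to the network access control denial. The fields an MDM agent would report, the version bounds, the passcode and lock thresholds and the sample devices are assumptions.

```python
"""Device-posture gate following the Gartner MDM/EMM baseline. Added
illustration, not Gartner's or any MDM product's code: reported fields,
version bounds, thresholds and sample devices are assumptions."""
from dataclasses import dataclass

# Assumed policy values; an organisation sets its own.
PLATFORM_VERSIONS = {"ios": ("7.1", "8.9"), "android": ("4.4", "5.9")}  # (min, max)
PASSCODE_MIN_LEN = 6
PASSCODE_MIN_CLASSES = 2        # e.g. digits plus letters
MAX_FAILED_ATTEMPTS = 10        # strict retry standard: lock/wipe after this many
MAX_AUTOLOCK_SECONDS = 300      # timeout standard
APPROVED_STORES = {"app_store", "google_play"}


@dataclass
class DevicePosture:
    """What the (assumed) MDM agent reports about one device."""
    platform: str
    os_version: str
    updatable: bool             # vendor still ships updates for this model
    passcode_len: int
    passcode_classes: int       # character classes used in the passcode
    failed_attempt_limit: int   # 0 means no limit configured
    autolock_seconds: int
    jailbroken: bool            # jailbroken (iOS) or rooted (Android)
    app_sources: frozenset      # stores the device installs from
    business_apps_signed: bool
    suspicious_activity: bool = False


def _ver(v):
    return tuple(int(p) for p in v.split("."))


def evaluate(d):
    """Return (access, reasons). access is one of:
    'allow'      - baseline met
    'limited'    - baseline not met: extremely limited access
    'deny'       - suspicious activity: NAC denies enterprise connections
    'disconnect' - jailbroken/rooted or unapproved store: cut off from
                   business data (and potentially wiped, per policy)"""
    reasons = []
    bounds = PLATFORM_VERSIONS.get(d.platform)
    if bounds is None:
        reasons.append(f"platform {d.platform} not in policy")
    elif not _ver(bounds[0]) <= _ver(d.os_version) <= _ver(bounds[1]):
        reasons.append(f"{d.platform} {d.os_version} outside {bounds[0]}-{bounds[1]}")
    if not d.updatable:
        reasons.append("model cannot be updated or supported")
    if d.passcode_len < PASSCODE_MIN_LEN or d.passcode_classes < PASSCODE_MIN_CLASSES:
        reasons.append("passcode below length/complexity standard")
    if d.failed_attempt_limit <= 0 or d.failed_attempt_limit > MAX_FAILED_ATTEMPTS:
        reasons.append("retry limit missing or too lax")
    if d.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        reasons.append("auto-lock timeout too long")
    if not d.business_apps_signed:
        reasons.append("unsigned apps: no email/VPN/Wi-Fi/shielded-app access")

    # Violations of the no-jailbreak/no-rooting rule outrank everything else.
    unapproved = set(d.app_sources) - APPROVED_STORES
    if d.jailbroken or unapproved:
        if d.jailbroken:
            reasons.append("jailbroken/rooted")
        if unapproved:
            reasons.append("unapproved app stores: " + ", ".join(sorted(unapproved)))
        return "disconnect", reasons
    if d.suspicious_activity:
        return "deny", reasons + ["suspicious activity on the network"]
    return ("limited", reasons) if reasons else ("allow", [])


# Constructed sample devices for the walkthrough.
COMPLIANT = DevicePosture("ios", "8.0.2", True, 6, 2, 10, 300, False,
                          frozenset({"app_store"}), True)
ROOTED = DevicePosture("android", "4.4.4", True, 8, 3, 10, 120, True,
                       frozenset({"google_play", "sideload_site"}), True)
STALE = DevicePosture("ios", "6.1.6", False, 4, 1, 0, 900, False,
                      frozenset({"app_store"}), False)

if __name__ == "__main__":
    for name, dev in (("compliant", COMPLIANT), ("rooted", ROOTED), ("stale", STALE)):
        access, why = evaluate(dev)
        print(f"{name}: {access} {why}")
```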
SMART CARD ALLIANCE OFFERS GOVERNMENT PHYSICAL ACCESS CONTROL TRAINING
The Smart Card Alliance launched a GSA-approved training and certification program for engineers implementing ICAM standards-based physical access control systems. The “Certified System Engineer ICAM PACS” training and certification program will be available for systems engineers to receive training on how to set up and test PACS to align with government specifications. Commercial organizations looking to bid on GSA acquisitions for access control systems will be required, under new contracting terms to be announced this fiscal year, to have certified engineers. The Alliance has established a classroom curriculum and hands-on training to teach engineers best practices for setup and testing of PACS. Once launched, the program will provide:
- A three-day program including two days of instructed training and review, and one day for a written and hands-on practical exam
- A set of course materials addressing how PACS work, how PKI is managed within the system and how the PIV/PIV-I credentials interface with the security system
- Hands-on training using PACS listed on the GSA Approved Products List to provide real-world set up, test and configuration of PIV/PIV-I access control features within the security system
- An online directory of certified PACS engineers that can be used by federal contracting agents to verify if commercial organizations meet the minimum requirements to be a bidder or be awarded a contract
The new training and certification center is an expansion of the Smart Card Alliance’s CSCIP/Government (CSCIP/G) training and certification programs, which concentrate on smart cards for government identity and access control. Certification through these programs demonstrates that individuals have advanced knowledge of smart card technology and applications, and it sets individuals apart as industry experts able to compete on a global scale.
VERIDU: ASSESSING A CONSUMER’S OVERALL ONLINE PRESENCE
Adding extra layers of security to the username and password world adds friction, something enterprises – especially retail sites – want to avoid. Veridu wants to make the consumer authentication process as painless as possible for the consumer and retailer by using a system that looks at the overall quality and depth of the consumer’s online footprint – Facebook, LinkedIn, Twitter, etc. – and generates a score on the credibility of the consumer’s identity. To use this system the merchant embeds one of Veridu’s verification widgets on the site and presents it to the user at an appropriate time – usually at the end of the checkout process. The consumer then connects with the different social media accounts, cell phone for text message verification and an authentication step the company calls “spot a friend.” This feature shows different Facebook, LinkedIn and Google friends on the screen and has the consumer identify them. The consumer decides how many of these profiles to identify in order to lift the Veridu score – going from 0-100 – to the merchant’s desired level. The consumer only needs to do this once to generate a score and a unique Veridu-ID that is sent to the merchant when a transaction is performed. Merchants can decide how high or low they want the score to be as well as define which transactions would be subject to the Veridu score. That could include transactions from other countries or transactions over a certain amount of money.
BRIVO SECURES ACCESS FOR EMS COMPANY
Star EMS, in Pontiac, Mich., had a problem. The company, which has 34 ambulances, was receiving more than 100 intercom requests per day for access to its facility. “Years ago, we were pretty much an open building. But we’re in a heavy pedestrian area, so to increase safety and security, we locked all our external doors and garage doors and put in an intercom system,” said David Miller, vice president of Operations for Star EMS. “With this system, people had to buzz in and we had to question them before we allowed access to the building.” The company decided to look into a physical access control system and opted for Brivo OnAir cloud-based access control management to provide 24/7, 365 security for its ambulance and EMT operations base. National Technology Management is the Brivo dealer and installer for this project. After deciding on Brivo, Miller worked with another vendor so that employees’ access cards would serve as time and attendance cards as well. Now, employees swipe into the building and wave the same card in front of the time and attendance terminal. Access to the building and time and attendance recording are now automatic. Star EMS uses their Brivo cloud-based system to manage 233 active full and part-time employees, long-time vendors and guests who are known and pre-cleared. Access is managed for the facility’s four external doors and an internal door to the main records room. Staff, vendors and visitors are divided into 12 groups, each with specific and different day, time and location access privileges. Miller and the dispatch staff carefully monitor the system’s weekly reports, reviewing all users and activity for anything out of the ordinary. Miller is pleased with the system’s control and flexibility and he especially appreciates the ability to deactivate an access card immediately. The Brivo system is programmed to send Miller and other staff automatic alerts in the event of any failed entry through improper card use. “Now we know who is in our building and who isn’t. Our dispatchers can focus on their primary functions and not buzzing people in a hundred times a day. We still have the ability to question people without cards on their need to enter our building,” Miller added.
PRODUCTIVITY AND COST-EFFICIENCY FOR YOUR CAMPUS.
Schools, colleges and universities are increasingly measured by their ability to:
- simplify the registration process
- create a safe environment for students and staff
- manage real-time access control to campus residence halls
- provide innovative payment options for students at campus cafeterias and bookstores
Secure Student ID Cards
With the ZXP Series 7™ you can create staff, student and visitor ID cards and manage access to the entire campus. Thanks to its high performance and fast throughput, the ZXP Series 7 provides crisp image quality and more productivity with low cost per card. Learn more at www.zebra.com/zxpseries7. ©2014 ZIH Corp. All rights reserved.
Explore Zebra’s SMART Campus from Security to Mobility, Tracking and Registration Management. zebra.com/smart-campus
ID SHORTS
EXOSTAR, SAFE-BIOPHARMA PARTNER FOR CREDENTIAL ISSUANCE Exostar and SAFE-BioPharma Association announced a partnership that will enable Exostar to issue non-public key infrastructure identity credentials at Levels of Assurance two and three to its community of life sciences and health care customers via SAFE-BioPharma’s government-approved Trust Framework Provider service. Life sciences and health care companies are faced with the challenge of securely enabling business processes in the cloud while ensuring regulatory compliance. The partnership will enable Exostar to issue identity credentials under the SAFE-BioPharma Trust Framework. Companies can leverage identity credentials to provide secure and trusted access to proprietary toolsets, analytics, and other internal/external applications in the cloud to their business partners, outside researchers, government agencies, or even competitors. The potential benefits of the partnership include:
Accelerated development of solutions, increasing profit potential.
Use of a single credential with all partners, eliminating the need for multiple digital identities and passwords.
Reduced costs by replacing physical identity credentials with cloud-based credentials that can be accessed and used from any Internet connection.
Elimination of paper audits.
Faster organization and individual on-boarding.
Increased agility by eliminating site-to-site Virtual Private Networks while maintaining privacy and security.
Smoother operations resulting from Web single sign-on.
TRAVELERS WILL GIVE UP BIOMETRICS FOR EXPEDITED ACCESS Using biometrics for expedited access to security lines and border crossings isn’t a new trend, and 89% of travelers from six countries would be willing to give up biometric data to cross borders, according to a survey from Accenture. However, 69% of the 3,000 survey respondents say they have not shared any biometric information to date. Survey respondents – from Australia, France, Germany, Japan, the United Kingdom and the United States – believe biometrics can play an important role in facilitating expedited access and more secure travel while protecting borders. More than 60% of those surveyed are willing to share biometric information to make their country’s borders more secure, 58% to speed up customs and border control processing and 56% to make travel more convenient. Nearly 60% of those surveyed said they would share their biometric details to enable participation in Registered Traveler Programs that enable pre-registered passengers to have expedited access and easier processing through customs and border control. The U.S. has had its PreCheck program in place since late 2011. Travelers submit to a background check, including fingerprints, and are given expedited screening at 118 airports and most major airlines. Along with quicker screening, PreCheck members don’t have to remove jackets, shoes, belts or liquids from carry-ons. The survey also found that 71% of citizens support the use of biometrics to verify the identities of all persons crossing borders and 73% say that using biometrics to verify the identity of everyone crossing the border would make countries more secure. When asked about the use of automated border clearance solutions, such as e-gates at airports and border crossings, 23% of respondents said they had used an e-gate in the past. Of those who have used an e-gate, the majority said they would do so again if they had the option, and 85% of e-gate users found them faster than manual border clearance checkpoints managed by a border patrol officer.
U.S. findings:
87% of respondents were willing to share biometric details with border agencies for expedited access to facilitate travel. However, only 19% say they have shared any biometric information to date.
65% say they would be likely to share biometrics if it meant making the country’s borders more secure.
Some 61% say they would be likely to share their biometrics to secure faster processing through customs and border control, and 59% would be willing to do so to achieve more convenient travel.
Only 15% say they have used an e-gate at an airport, but 54% say they would use an e-gate if given the option.
Some 64% say they are likely to participate in a registered travel program, even if that required submitting biometric information to participate.
MASS. CREDIT UNION TAPS DIGITALPERSONA FOR LOGICAL ACCESS Workers’ Credit Union in North Central Massachusetts is using DigitalPersona Inc. U.are.U 4500 Fingerprint Readers to authenticate employee identities. With 15 branches across the state, WCU’s 240 employees now use DigitalPersona biometrics-based technology to confirm identity when accessing online applications and websites. WCU selected the DigitalPersona solution to increase its security, eliminate password resets and improve employee workflow. This solution is suited for credit unions and community banks that require password-based authentication to access financial information. Passwords can be shared, creating the potential for fraud. They can also be stored on paper and left in the open for others to misuse. If an employee misplaces or forgets their password – which commonly occurs since passwords must be long and changed frequently to meet industry security standards – calls for password resets distract IT personnel from more critical business-driven activities. WCU considered software to automate password resets, but ultimately determined that implementing biometrics-based technology would be easier for both its employees and back office administrative staff. With the DigitalPersona solution, WCU employees simply touch the fingerprint reader to gain access to online applications and websites. WCU employees have recovered two to three percent of their time that used to be lost to remembering and keying in passwords. In turn, the credit union’s IT help desk has gained two to three percent of its time back since they no longer have to contend with password resets. The solution has also helped streamline WCU’s member services. Members no longer have to wait for the help desk to reissue an employee’s password before receiving assistance. With the success of biometrics for logical access to online applications and websites, WCU is planning to expand its use of biometrics-based technology for physical access to its buildings and networks.
HID PROVIDES NORWAY POST WITH MULTI-APP SMART CARD Norway Post sought a new physical access control system to increase security, future-proof systems and add functionality to the employee ID. Headquartered in Oslo, Norway Post has more than 20,000 employees and more than 1,400 points of sale via traditional post offices and in-store post offices in retail outlets such as supermarkets. Because they had worked with HID Global since the mid-90s, they looked to the company for guidance.
The new system, focused on the Robsrud Terminal where more than 60% of all the country’s mail is handled, had the following requirements:
Offer a card solution that was interoperable with various HID card readers and Norway Post’s three different access control systems.
Provide the ability to upgrade readers but not require upgrades to all existing controllers.
Support multiple applications such as time and attendance, canteen payment and secure printing.
Support multi-technology cards, enabling them to migrate from existing legacy technologies to newer technologies.
Enable Norway Post to keep their established Corporate 1000 format whilst upgrading to higher security.
Enable sustainable material to be added to cards and extend the lifetime of cards used in harsh environments.
They selected HID Global’s multiCLASS SE readers that support multiple technologies including standard iCLASS and HID Prox as well as new cards manufactured with a high-durability composite material. The cards are being used for secure access control, discounts on railways, payments in canteens, access to vehicles, secure printing and scanning in offices as well as time and attendance. “It has improved our security and lowered our costs, since it is much easier to replace a card than a key if you lose it,” said Arnfinn Nordheim, security director at the Norway Post.
ESTONIA ISSUING DIGITAL IDS TO NON-RESIDENTS National ID cards got a boost with the announcement that Estonia – a tiny Baltic state that’s home to 1.3 million people – will begin issuing digital IDs to non-residents this year. Estonian citizens have gone largely digital in their day-to-day dealings with private businesses and the public sector, and now this convenience is extending to others. A study on the use of digital identity by the Information Technology and Innovation Foundation in September 2011 noted that many countries in Europe, Asia and the Middle East were investing in national electronic identification, or e-ID, systems. The report summarized that such systems offer a variety of benefits, like reducing identity theft and enabling secure transactions in industries like banking and health care. It also singled out Estonia as a leader in this effort – where citizens were already signing their names electronically, authenticating online transactions and voting online. Upwards of 10 million people worldwide are expected to take advantage of an Estonian e-identity. “This creates a unique opportunity to create a new set of remotely usable global services,” says Taavi Kotka, Estonia’s chief information officer. He says the digital card will be a catalyst for economic growth, enabling foreign entrepreneurs and investors to easily conduct business inside the country. “E-residence provides a unique opportunity to create a globally innovative suite of public and private services that are usable irrespective of location,” Kotka wrote. “The state intends to create a fundamental platform for new business opportunities in this area.”
DATACARD PRINTERS ISSUE VIETNAMESE DRIVER LICENSES Datacard Group announced the deployment of more than 150 desktop card printers to the Vietnam Road Authority to issue driver licenses to citizens in all 63 provinces throughout the country. The Directorate for Roads of Vietnam decided to make a transition from paper-based documents to plastic cards for their driver licenses to increase security and durability. In addition to addressing forgery and alteration concerns that are common with paper licenses, officials wanted to issue more durable documents with a national centralized database of driver licenses. So far, more than 3 million licenses have been issued nationwide. The program has expanded to all provincial issuance offices throughout Vietnam, making it more convenient for citizens to receive their licenses. In addition, by printing the driver licenses on plastic cards, the Vietnam government is now able to offer high quality images with retransfer printing technology. Retransfer allows for over-the-edge printing of high-resolution photos, logos, text and background images.
BRAZILIAN AIRPORT TAPS QUANTUM SECURE São Paulo – Guarulhos International Airport in Brazil implemented Quantum Secure’s SAFE for Aviation software suite. The airport was preparing for a surge of travelers for the World Cup and the 2016 Summer Olympics. Brazil relies heavily on its smaller airports as a means of mass transportation, and with the influx of tourism and growth there was a huge push to modernize airport operations and security management. Among the applications the facility has deployed are the following aviation-related SAFE modules:
Privilege Management Application provides the ability to define credential types and associate these credentials with necessary privileges and security check needs, including the lifecycle management of these relationships.
Integrated Watch List Management Application enables the user to manage the internal/external watch lists and update the TSA No-fly selectee list to search for a possible match and highlight the same during the enrollment process.
Aviation Mobile Infraction Management gives complete capability to the user to perform tasks and take actions on their smartphones and tablets.
Aviation Visitor Management manages the complete lifecycle of visitors, including creation of an audit trail of visits and visitors checking in and fingerprinting schedule management for authorized signatories.
IRIS-ENABLED WATCH SEEKS CROWD FUNDING A crowd funding campaign on indiegogo.com for the FiDELYS, a biometric smart watch, calls it the perfect form factor for iris biometrics because people are so used to glancing at their watches. Rather than simply using the biometric to unlock the watch itself, the FiDELYS is being touted as an authentication mechanism for external devices and services. Additionally, it will enable encryption of files and control the launch of applications such as bank apps, picture galleries and email. The watch will have a clicking bezel, not a touchscreen, to interact with the device. The watches are expected to cost $250 when released but can be pre-ordered now for $200.
HID, ASSA ABLOY DEPLOYED AT WORLD CUP Access control products from HID Global and door-opening solutions from parent company ASSA ABLOY were used in various solutions across six of the 12 stadiums in Brazil during the 2014 FIFA World Cup football matches. Products range from locks, door closers, knobs and handles to master key systems and HID Global’s iCLASS access control system cards and readers. HID Global and ASSA ABLOY products were used at new stadiums in Fortaleza, Natal, Recife, Curitiba, and Brasilia, as well as at the Maracanã Stadium in Rio de Janeiro, which hosted the World Cup final and will host both the opening and closing ceremonies for the 2016 Olympics.
FACEBOOK GAINS GROUND AS DOMINANT SOCIAL MEDIA LOGIN Password fatigue is leading more Web surfers to log in to various sites using their social network identities. More than half of us are doing it, according to a report by identity management provider Janrain. The Q2 2014 report found that Facebook is gaining ground again as the dominant social login of choice after a steady decline over the last six quarters. During the same period, Google consistently increased its share. While other social networks remain far behind the top two, LinkedIn commands a nearly 30% share of social logins on B2B sites. Amazon and Instagram IDs have a 10-25% share on sites where they are enabled. Jamie Beckland, vice president of Marketing and Customer Success at Janrain, says consumers are getting more comfortable with the idea of using their favorite social media login for multiple sites. “They’re starting to understand better the privacy and security benefits, and they also are starting to understand the user experience benefits,” he adds. It helps that more sites are getting better at explaining how personal data is used. “On the permission screen, they have all been experimenting – especially over the last 18 months – with new ways of disclosing to the user what information is being shared,” Beckland explains. Facebook, for example, recently started offering line-by-line controls to consumers. “So you have the ability to check or uncheck any particular data point that you want to share with the brand,” Beckland says. “It’s interesting that during the time they made this announcement, Facebook actually started to regain some market share.” Beckland thinks this may be an early indicator that consumers are more apt to trust sites that enable them to control use of their personal data. “Twitter is interesting because they give up very little data about the user,” Beckland says. Twitter surpassed Yahoo and became the #3 most popular site for social media logins in Q2. “They have stuck with this idea that they’re going to offer a different
kind of data sharing than other identity providers, and – at least in this last quarter – it was helpful for them.”
PING IDENTITY SEES A POST-PASSWORD WORLD Ping Identity announced the launch of PingID, a security solution for one-swipe mobile authentication, aimed at deprecating the use of passwords for authentication. “Our customers are facing challenges because passwords are still the most user friendly approach to authentication,” says Loren Russon, vice president of product management and design at Ping Identity. “Trying to carry around something else can be painful and people don’t want to constantly re-authenticate.” PingID is designed to make all this easier by using a person’s mobile device for authentication. With the PingID app, end users swipe their smart phone for authentication as a primary or second factor to access applications and services. Built on an adaptive authentication framework, PingID can deliver access policies to applications based on geolocation, a challenge response or a unique swipe pattern. Employees download the app and register it by scanning a QR code that enables the app to be used for access. How it’s used beyond that depends on the enterprise. One of Ping’s clients is a large electronics company that had acquired another company with a strict password policy already in place for access to its portals. To ease the authentication burden, the company deployed PingID along with a federation product. “This enables a single authentication event leveraging federated identities to access private and public cloud resources,” explains Russon. A basic use case has employees logging in to a portal. They enter a user name and password, and then a request is sent to their mobile device. Once the app is opened and swiped on the mobile, they are granted access to a dashboard of all available applications. A retailer in Silicon Valley is using PingID as a second factor of authentication. Employees log in to Active Directory with their usual credentials and then, depending on what they are accessing, may have to use the app on their device for additional authentication. The plan is to eventually add contextual authentication to PingID as well, says Russon. Depending on the geolocation of the device or what an employee is trying to do, different authentication events might be triggered.
FREQUENT FLYERS TEST NFC TECHNOLOGY IN FRANCE A few hundred Air France frequent flyers are getting six months to test near field communication’s ability to help them breeze through the Toulouse-Blagnac Airport using smart phones as boarding passes. It’s the first end-to-end trial from the airport entrance all the way through boarding, though SITA, a specialist in air transport communications and IT, has conducted limited trials in Toulouse and the Schiphol Amsterdam Airport. The pilot is a team effort:
Mobile network provider Orange is supplying the NFC infrastructure and SIM cards.
Eligible passengers flying from Toulouse-Blagnac to Paris-Orly will use the Touch&Pass app provided by Air France.
SITA developed the NFC specifications for the technology to work in the airport, a toolkit for mobile integration and the boarding pass delivery infrastructure.
RESA – supplier of airport data systems – handles check-in, boarding and fast-lane processing.
The process begins when the passenger checks in online and opts to receive the boarding pass via mobile. An NFC boarding pass is automatically sent in a three-part sequence: the data is sent from Air France to SITA in a generic format using the Boarding Pass API; SITA adapts the data and sends it to Orange through a Trusted Service Management infrastructure; Orange sends the boarding pass data with an SMS that is not visible to the passenger but processed by the smartphone. The passenger sees a pop-up window when the boarding pass is received on the smart phone; the pass is stored on the SIM card and can be seen with the Air France Touch&Pass app.
A sign tells the passenger to tap the phone on the self-entry gate of the security fast lane. The boarding pass is automatically read and processed, the gate opens, and the passenger can zip through to security. Then, the passenger taps the smartphone on a dedicated reader, and a screen tells the security agent whether the boarding pass is valid.
When entering the airport lounge, the agent invites the passenger to tap the smart phone on the reader to validate access to the lounge. At the boarding gate, the passenger taps the phone on the reader, and the data is read automatically and validated by the airport system. A green light appears, and the passenger can board the plane. The trial runs through the end of the year.
IDENTITY, SECURITY & THE INTERNET OF THINGS
ON THE INTERNET NOBODY KNOWS YOU’RE A TOASTER
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
There’s an electric toothbrush that will communicate with a smart phone to record how long an individual brushes their teeth. Let that sink in for a moment. On the list of world necessities, a Web-connected toothbrush that counts down from 120 ranks pretty low. It falls somewhere above the Internet-enabled hairbrush but below the coffee maker that can be controlled from a smart phone.
Proponents of this onslaught of connected devices suggest that the Internet of Things will revolutionize daily life. The future portends a wholly connected home and office as well as interactive retail, dining and community environments. Connected families and social circles can access and make choices based on data elements – from who ate the last candy bar or how far Fido was walked … to automatic reordering of groceries or the normal Tuesday evening pizza order. While some of these new devices and elements might seem trivial, connecting them all to the Internet of Things creates interesting problems. The devices need to be securely identified, controlled and protected. Work is already underway to create standards but it’s early days. Today we find ourselves in another technology-inspired Wild West environment.
Still, while the Internet of Things poses challenges for securing data and devices, there is another potential upside. Internet-enabled devices and wearables can serve as an additional factor of authentication to give enterprises and Web sites greater certainty in the identity of employees or consumers.
THE PROBLEMS The ill-fated Fox television show “Almost Human” had an episode in which a home security system turned on its owners, killing them both. The culprit was a hacker who gained access to the system and used it against the unsuspecting couple. This scenario is far-fetched now, but there are very real concerns surrounding proper security and authentication of individuals to these new devices. The Internet of Things is an enormously broad concept, encompassing everything from smart water and gas meters to wearable technologies such as Google Glass and the Jawbone UP. IDC defines the Internet of Things as a network of networks of identifiable endpoints that communicate without human interaction using IP connectivity – be it local or global. The consultancy predicts enormous growth in the market as well, jumping from $1.9 trillion in 2013 to $7.1 trillion in 2020. A June 2014 survey from Fortinet asked 1,801 tech-savvy homeowners questions relating to the Internet of Things as it pertains to the connected home and found that consumers are not unaware of the issues. In the U.S., 61% of respondents say that the connected home – where the household appliances and home electronics are seamlessly connected to the Internet – is extremely likely to happen in the next five years. Fear of a data breach on the Internet of Things is widespread, with 70% of global respondents expressing concern about the issue. To address these concerns, it must be ensured that only those authorized can access the data these devices produce.
What if data harvested from Web-enabled toothbrushes pinpointed those users not brushing adequately? Could a toothbrush manufacturer, app developer or even a hacker sell the data to insurance companies looking to determine individual rate increases? On the other hand, should good brushers be empowered to voluntarily share this data in pursuit of lower rates? Privacy and control of data is a moving target with these systems, but this challenge does not mean that the onslaught of devices will await fixes, regulations and policies.
WHAT’S BEING DONE WITH THE DATA? At first blush, the information that these various connected devices collect might seem innocuous to the average consumer. Who cares when my Nest Thermostat kicks on or what’s on the grocery list of my Web-enabled refrigerator? But hackers could use the thermostat data to monitor homeowner schedules and determine ideal times for burglaries. Health insurance companies could track grocery lists to evaluate if an individual is eating too many processed foods and subsequently raise premiums based on dietary habits. “There are huge privacy implications,” says Steve Shoaff, CEO and founder at UnBound ID. “The Internet of Things has an identity problem. At the end of the day there is a device connected to the Internet, meaning more than one person can benefit from it. How do you make sure only authorized people have access to this information?” Shoaff admits to being an early adopter of the Internet of Things, but he has concerns about how the data is secured and used. Access to data from the set-top box and Nest thermostat alone can be enough to cause problems. “You would be able to tell that someone is in the house and that they’re watching Nickelodeon,” he says. “This could be valuable information to somebody.” The dangers are largely being ignored, Shoaff says. “The issues surround who controls the flow of data and how an individual can manage implicit and explicit preferences,” he explains. The Nest Thermostat has sensors that could detect when a person is in the home as well as learn about a user’s preferences over time. In the future these capabilities will certainly increase, and it’s what Google will do with those preferences that has Shoaff concerned. “I want to control that data,” he says. “I don’t want Google knowing how much body mass index it detects, let alone what it will do with that information.”
While authentication to these devices is important, the bigger issue is the flow of data, where it goes and who controls it. “The identity needs to be decoupled from the applications,” Shoaff says. Rather than shove a bunch of identities into every application, Shoaff suggests applications should consume identity attributes on an as-needed basis. In this model the user’s identity is stored in a high-security platform and the applications are granted access to specific identity information. All identity and personal information is also secured and encrypted. “This is the consumer-centric view of identity in which the individual is a customer who enables specific services and subscriptions,” Shoaff explains.
SECURING THE ACTUAL DEVICES Control of the data produced by these new devices in the Internet of Things is important, but also paramount is making sure the devices are secured properly. “The goal is to protect these devices, any identity-related details as well as make sure that any information sent back is safe,” says Johan Sys, managing principal for identity and access management at Verizon Enterprise Solutions. WiFi-enabled light bulbs were hacked earlier this year by Context Information Security. LIFX bulbs connect to a WiFi network in order to enable a user to control them using a smart phone application. In a situation where multiple bulbs are available, only one bulb will connect to the network. This “master” bulb receives commands from the smart phone application and broadcasts them to all other bulbs across the wireless network. After spending some time with the bulbs, researchers were able to sleuth out the encryption algorithm and gain an understanding of the network protocol. With some additional work they were able to capture the WiFi network details and decrypt the credentials without authenticating or alerting the user to their presence. It’s likely that attacks such as these will increase as Web-connected devices and systems become more prominent. “We have seen less than 1% of what’s going to happen with identity and the Internet of Things,” says Sys. “It’s the biggest growing focus by far.” On one hand, securing identities for these devices is easy as compared to doing it for employees or consumers. “Employees change identities throughout the course of a day,” Sys says. “These identities remain static.” But there are a lot more of these devices out there than people and not all of them have the ability to handle cryptography. The attacks are also new. “We understand the attack vectors against the enterprise,” Sys says. “With the Internet of Things it’s more complex, we know these attacks have consequences but we don’t yet know what they are.”
BECAUSE YOU’RE WEARING SOMETHING, IT’S INTIMATE AND IT COLLECTS PERSONALLY IDENTIFIABLE INFORMATION. DEVICE MANUFACTURERS SHOULD BE ON THE FOREFRONT OF GIVING CONSUMERS ROBUST ACCESS CONTROL.
Forecasting the Internet of Things According to a Cisco Systems report, the number of internet-connected devices exceeded the number of people on Earth in 2008. In the time since, the number of internet-connected devices has exploded, with Cisco forecasting 50 billion devices on the global Internet of Things by 2020. Equally impressive to the breadth of the Internet of Things is the vast array of devices that now comprise it. Everything from wireless cardiac monitors to sensors on cattle that tell when a cow is sick or pregnant are now connected to the Internet. In just one possible permutation, Cisco imagines a scenario wherein the Internet of Things could improve the daily commute. Assume your morning meeting is pushed back by 45 minutes. This information could be pushed to your alarm clock, buying you that extra 5 minutes of sleep. From there, your alarm clock talks to your coffee maker, telling it to brew a pot while simultaneously telling your car to start melting the morning frost on the windshield. As Cisco sees it, the car could well be a hub of information, gathering data from traffic cameras and connected road signs as it maps your route to the train station. Your car could automatically be informed of any accidents along your morning route and suggest alternates on the fly. Likewise, if your train is delayed, that information could be waiting for you in the driveway before you even push the ignition button.
In its “Forecast: The Internet of Things, Worldwide, 2013” report, Gartner takes a more conservative stance, saying the Internet of Things will grow to 26 billion devices in 2020. This number excludes PCs, tablets and smart phones, which they predict to hit 7.3 billion units in 2020. Gartner expects enterprises to make extensive use of Internet of Things technology, including advanced medical devices, factory automation sensors, industrial robotics and sensor motes in agricultural applications. As Gartner’s report explains, the Internet of Things encompasses hardware, embedded software, communications services and information services associated with the connected devices. Gartner also sees the emergence of an entirely new market, as the companies that provide the hardware, software and services would essentially become Internet of Things suppliers. By the year 2020, the revenue contribution from Internet of Things suppliers is estimated to reach $309 billion globally. Gartner also forecast the economic value-add – the aggregate benefits that businesses reap through the sale and usage of Internet of Things technology – to be $1.9 trillion across sectors in 2020. The verticals leading adoption are manufacturing (15%), health care (15%) and insurance (11%).
Morgan Stanley estimates that the global installed Internet of Things base will reach a whopping 75 billion devices by the year 2020. More impressive still, the company suggests that there could be as many as 200 unique, Internet-connected consumer devices yet to be released to the public. Morgan Stanley provides some insight for those looking to cash in on the Internet of Things explosion, naming sectors to keep an eye on, such as microcontrollers, sensors, wireless connectivity and software. Though predicted totals vary greatly across these studies, each estimate is significant – and massive – in its own right. Big Data providers and other stakeholders wait in eager anticipation, champing at the bit for the flood of new data streams. Still, it will be important societally to consider the ramifications of an increasingly connected daily life. One thing remains certain: we’ve only seen the tip of the iceberg when it comes to the Internet of Things.
STANDARDS NASCENT

The standards that enable all these devices to securely communicate are still developing, says Paul Madsen, senior technical architect in the CTO’s office at Ping Identity. Madsen has a FitBit scale that enables the device to communicate with the home’s WiFi network and keep track of a user’s weight. Once the scale is enabled on the home network the information is sent to the cloud. “There’s no standard to how messages are authenticated as belonging to a given user,” he explains. “There are no best practices for how you get data from the thing to the cloud; they all have different mechanisms to how the user’s identity is bound.” Still, because the Internet of Things market is developing and changing rapidly, it’s difficult to get device manufacturers to agree upon standards. Think VHS vs. Betamax. Madsen adds that new industry groups pop up every week to tackle different issues with the Internet of Things, and coordinating efforts amongst all the various groups is a challenge. Still, he sees that challenge as fertile ground for the expansion of the ongoing work in the human identity realm. “Our opportunity in the identity world is to drive the standards for the Internet of Things,” Madsen says.

While the machine-to-machine and other device-centric industries are developing their own approaches to standardize communication and protection on the Internet of Things, Madsen and others in the human identity realm see no reason to reinvent a wheel. Instead they want to see the device realm adopt the privacy-enabling, strong authentication approaches already in place. As an example, OAuth tokens are being used to enable native apps to view and analyze the information, Madsen says. Communication between the third-party sites is secured via OAuth because it enables permissions-based sharing between different sites, so interoperability is important, Madsen says. The cloud and native app could use OAuth as well, but because the same provider owns both pieces, there is less motivation to use a standard, Madsen explains. Communication between the devices and gateways is up for grabs when it comes to standards, Madsen says. It can be any variety of protocols such as Bluetooth, NFC, Zigbee or others. Thankfully, OAuth is a well-suited standard for authentication. “The concepts of OAuth, namely user control over identity and attribute sharing, fit in every segment,” Madsen adds. Thus, it seems it could be an ideal extension from the realm of human authentication standards to the world of devices.

Work is underway to build on top of the OAuth tokens and add more security, said Eve Maler, vice president of innovation and emerging technology at ForgeRock, during an online panel discussing identity and the Internet of Things. Authorizing access to these devices is also important, and a standardized way to do that is still in the works, Maler says. “All of these need to be onboarded to a household and authorized so one or many in a family can control them from any number of devices,” she adds. Maler is a proponent of User-Managed Access to enable this authorization and management. User-Managed Access is a specification that puts the control of these devices, along with the data they produce and receive, completely into the hands of the consumer. Wearable devices record a lot of data, and the device’s owner should decide who can access that data, Maler says. “Because you’re wearing something, it’s intimate and it collects personally identifiable information,” Maler says. “Device manufacturers should be on the forefront of giving consumers robust access control.” What happens if your health insurance provider finds out you haven’t been taking the prescribed 10,000 steps a day or that your auto insurer detects unsafe driving? “There needs to be proactive control of where the data is shared,” Maler says. “People need to have the right and ability to monitor the sharing of the data.”
Enabling access with the Internet of Things

Eve Maler first became concerned with the Internet of Things when she heard about an inventor creating solar roadways that can be updated to route people away from accidents. “What about hackers gaining access and leading people off a cliff?” asked the vice president of innovation and emerging technology at ForgeRock. But then she realized that this could also be used to inform an individual and give them access. If solar roadways and driveways emerge with connected cars, a homeowner could know when someone is approaching and even grant access. Rules can be put in place so that as the homeowner approaches the garage its door automatically opens, the house unlocks and the air conditioning kicks on. Access can also be provisioned to others, but if a stranger pulls into the driveway an automatic message can be sent back asking them for more information. With home automation, wearable devices and the Internet of Things there are endless possibilities for authentication and authorization. A friend’s Jawbone UP could be provisioned to the front door to unlock so they can water the plants while the homeowner is on vacation. There are also a variety of products in the works that would leverage wearable devices as additional factors of authentication for access to mobile devices, laptops and web sites. While the Internet of Things is not a new phrase, it is being redefined as more devices and applications emerge.

CONNECTED DEVICES IDENTIFYING OWNERS

While there is concern over securing data and devices on the Internet of Things, there also is great interest in using the wearables and other connected devices for authentication online and in the physical world. The general theory is that Internet of Things-enabled devices will communicate with back-end authentication services to aid in adaptive and continuous authentication. Did the Web-enabled coffee pot brew this morning? Did the Jawbone UP record a workout? Did you drive your connected car or use a mobile device to pay a fare on public transportation? All of this can feed into a system that enables continuous, adaptive authentication. Adaptive authentication isn’t a new idea. Checking the IP address against the geo-location provided by a mobile device before enabling someone to log in is available today, says Mark Diodati, technical director in the CTO’s office at Ping Identity. Enterprises can place an app on a mobile device that will “fingerprint” the device and check information from it. That, along with a user name, password and token, can all be used for authenticating to resources, Diodati says. Adding data from wearable devices may be the next step, but there are concerns about how these devices connect to back-end systems and overall privacy issues, Diodati explains. He notes that there are strong efforts underway to utilize modern identity protocols such as OAuth and OpenID Connect. “It’s still up in the air, however, how you take these protocols and use them on the Internet of Things,” he adds.
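The IP-address-versus-device-geolocation check Diodati describes, with the device-fingerprint result and a distance-from-usual-location indicator folded into one risk-based decision about how much authentication to demand, as an added Python example (not Ping Identity’s or any vendor’s code). The thresholds, scoring weights and sample coordinates are constructed for the illustration, and the IP geolocation lookup is assumed to have happened upstream.

```python
"""Adaptive authentication decision from a few corroborating indicators.

Illustration added for this article, not vendor code. It compares where the
client's IP address geolocates with the GPS fix reported by the user's
enrolled mobile app, checks the app's device fingerprint, notes whether the
user is far from their usual location, and maps the combined risk to the
login ceremony the user must complete.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Policy thresholds, constructed for this example.
IP_DEVICE_AGREE_KM = 50.0   # IP geolocation and device GPS should be this close
HOME_RADIUS_KM = 200.0      # farther than this from home counts as travelling


@dataclass(frozen=True)
class LoginContext:
    ip_location: Tuple[float, float]                # (lat, lon) from IP geolocation
    device_location: Optional[Tuple[float, float]]  # GPS fix from enrolled app, None if absent
    home_location: Tuple[float, float]              # user's usual location from history
    fingerprint_matches: bool                       # app's device fingerprint equals enrolled one


@dataclass
class Decision:
    level: str                  # "pin", "password", "password+otp" or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Additive risk score from the indicators; higher means more suspicious."""
    score, reasons = 0, []
    if ctx.device_location is None:
        # Missing telemetry cannot corroborate the IP, so it is a mild risk, never a pass.
        score += 1
        reasons.append("no device location reported")
    else:
        gap = haversine_km(ctx.ip_location, ctx.device_location)
        if gap > IP_DEVICE_AGREE_KM:
            # The phone and the connecting IP disagree about where the user is:
            # the credential may be in use from somewhere the user is not.
            score += 3
            reasons.append(f"ip/device locations {gap:.0f} km apart")
        if haversine_km(ctx.home_location, ctx.device_location) > HOME_RADIUS_KM:
            # Consistent telemetry, but the user is away from their usual pattern.
            score += 2
            reasons.append("device away from usual location")
    if not ctx.fingerprint_matches:
        score += 3
        reasons.append("device fingerprint mismatch")
    return score, reasons


def decide(ctx: LoginContext) -> Decision:
    """Map the risk score to the authentication the user must perform."""
    score, reasons = risk_score(ctx)
    if score == 0:
        level = "pin"            # everything agrees: a low-friction check suffices
    elif score == 1:
        level = "password"       # nothing contradicts, but nothing corroborates either
    elif score < 5:
        level = "password+otp"   # step up to an extra factor
    else:
        level = "deny"           # several independent indicators contradict each other
    return Decision(level, score, reasons)


# Constructed sample coordinates (approximate city centres).
DC = (38.8977, -77.0365)
SF = (37.7749, -122.4194)

if __name__ == "__main__":
    print(decide(LoginContext(DC, DC, DC, True)))    # typical day at home
    print(decide(LoginContext(SF, SF, DC, True)))    # travelling, telemetry consistent
    print(decide(LoginContext(SF, DC, DC, True)))    # IP far from the enrolled phone
    print(decide(LoginContext(SF, DC, DC, False)))   # plus a fingerprint mismatch
```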
Brivo Labs is working to enable wearable devices for physical access, says Lee Odess, general manager at the company. Depending on the level of security, the system would consume different authenticators. To walk into the front door of an office it might be enough to have the Nike Fuelband that is transmitting using Bluetooth Low Energy, but to get into a specific office the employee might also need a mobile device with NFC where they authenticate using a biometric. “A wearable with a phone and biometric is a pretty strong form of authentication,” Odess says.

DOG, MAN OR TOOTHBRUSH?

The identity management world is under siege. Data breaches are rampant, and trying to figure out a better solution than user names and passwords alone is imperative. The introduction of wearable devices and emergence of the Internet of Things poses both a daunting challenge and an enormous opportunity to an identity industry that already has a lot on its plate. Adding factors to the authentication process was always viewed as a difficult proposition. The additional cost of deploying tokens and scanners was cumbersome, but when employees or consumers already have these devices it’s a matter of adding them to an identity management system. The famous cartoon stated, “On the Internet nobody knows you’re a dog.” Soon nobody will know if you’re a dog, a teenager, a government employee or even a toothbrush. There are many obstacles to overcome in this new Internet of Things-enabled world, but once some of these issues are solved the possibility of a more secure, connected world does exist.
The future of Identity

DEFINING A NEW CONVERGED IDENTITY
In the pages that follow, we asked a series of identity industry leaders to peer into a crystal ball and look five years into the future of digital identity. Our editorial team decided to take the same opportunity. We attempted to chart our vision of what the identity ecosystem will look like in the future. How will we authenticate to the myriad sites, apps and services that define our personal and professional lives at the close of the decade? Here goes.

Converged identity has been defined as using a single credential for both physical and logical access, but it’s taking on a new meaning. Imagine one credential accepted across all sites and services – trusted by relying parties from corporate, government, financial, education and beyond. It will be powered by attributes collected from multiple sources such that user privacy is protected and the majority of authentication transactions can occur in the background with no action required on the part of the user. This is our future for digital identity.

In the future, when you walk into the office to start your day, a large part of the authentication picture will have already taken place. Did your thermostat pick up your movement at your house in the morning? How about the fitness tracker recording the morning workout? Did the Internet-enabled coffee maker brew a pot or is it set to away mode? And if it’s not your connected car, maybe it’s the mobile device that you used to pay for your public transit fare feeding location data into this giant mesh of indicators. All of these data points – each little more than insignificant blips on their own – will come together in the future of adaptive authentication. All this metadata will help determine what happens when you sit down at your computer. If everything is normal and your pattern is typical, you’ll need only enter a PIN, a simple password or an unobtrusive biometric. This low assurance approach will be sufficient because the secure authentication has taken place in the background. Eventually you may not enter anything at all. At the same time, your mobile or wearable device will communicate with external systems as an extra factor of authentication, just as webcams periodically check physical biometrics and other peripherals take behavioral biometrics from mouse movements, keystrokes and swipes for continuous authentication.

Authentication with five data points or adaptive authentication indicators might not be good enough, but what about 50 or even 500? Online identity in the future won’t leverage a single component, but will consist of hundreds of components, most occurring in the background as a part of our regular, ongoing activities. Some may say five years is ambitious for this type of a system, but the individual components exist today. It’s a matter of putting the pieces together. Of course, privacy will be a chief concern and the data will have to be diligently protected. Thieves can’t be allowed to hack connected devices or the data they create in a way that could link behaviors, indicators or patterns to individuals. Safeguards will need to be put in place to protect the various points in this new ecosystem.

I know what you’re thinking. But Avisian, what happens if you’re traveling and your normal patterns are altered? These systems will adapt and quickly redefine acceptable authentication scenarios. For example, if you land in San Francisco the GPS on your mobile device will note your location. Your home automation, wearables, connected car and coffee pot will behave differently, suggesting an out-of-norm situation. Your home networks will quickly restrict access, knowing you are away, while external accesses from your newly identified location are enabled. At first, you may be asked for an extra factor of authentication when logging on, but as you move throughout the day and conduct various tasks the system will adapt. There will be many layers of safeguards. Perhaps a universal one-time passcode app or text messaging service will offer a next line of defense for those rare instances when the mesh of adaptive indicators leaves uncertainty. With a universal option, consumers would only need one service that could be consumed by multiple relying parties on an as-needed basis. It won’t be easy putting this kind of system together, but a lot of work has already been done. The pieces are in place; now it’s just a matter of putting everything together for consumers to use in a functional, privacy-enhancing way. That’s our crystal ball vision. Read on to see what others see in our digital future.
Or we could be wrong …

Every year password databases are breached, bringing about calls for greater security and better forms of authentication, and yet little or nothing happens. In August it was reported that 1.2 billion user names and passwords had been stolen from 420,000 Web sites. There are the naysayers who say passwords are easy, so why change? But the prevailing wisdom suggests consumers reuse user names and passwords across multiple sites. So if the hacker has a credential from one site it may also be good for access to a Bank of America financial account. If these breaches are leading to this type of fraud, it’s going underreported. If consumers and relying parties were experiencing this type of fraud and it was costing money, we would see multi-factor authentication. Target expects to pay $138 million related to the credit card breach – an amount that equates to just a portion of a single day’s revenue. But what’s the cost – other than reputational – of an identity credential breach? Even if this breach impacts Facebook, Amazon, Bank of America, Chase or Google, consumers will not stop using these sites. Putting these new authentication services in place will take time and money, and if relying parties don’t see the value it won’t happen. Instead they will rework their password policies, requiring them to be more complex and cumbersome. The winners in this situation will be the hackers, who will continue to go after databases, and the new password management tools that consumers will have to use to keep track of all these extra-complex passwords.
The future of Identity

PANELISTS

Jeremy Grant, SENIOR EXECUTIVE ADVISOR, IDENTITY MANAGEMENT, NIST
Grant joined NIST in February of 2011 to lead the establishment of a National Program Office to implement the National Strategy for Trusted Identities in Cyberspace. His career began as a legislative aide in the U.S. Senate, where he drafted the legislation that laid the groundwork for the Department of Defense and GSA smart card and PKI efforts. He later joined MAXIMUS, where he played a role in a number of federal identity and security programs.

Julian Lovelock, VICE PRESIDENT OF PRODUCT MARKETING FOR IDENTITY ASSURANCE, HID GLOBAL
Lovelock is responsible for defining and bringing to market products across the Identity Assurance portfolio. He is based in Fremont, Calif., having relocated from London in 2006. He joined ActivIdentity in 2005 as part of the acquisition of ASPACE Solutions, where he was CTO and co-founder.

Steve Wilson, PRINCIPAL ANALYST, CONSTELLATION RESEARCH
Wilson works at the intersection of digital identity, privacy, cryptography and policy. He has worked in identity R&D and strategy for 18 years, with his current research applying Darwinian thinking and cultural ecology to understand how identities evolve in real world business.

Dan Blum, CHIEF SECURITY AND PRIVACY ARCHITECT, RESPECT NETWORK
Blum is an expert in security, privacy, cloud computing and identity management. At Respect Network, he focuses on architecture, business development and consulting. Blum has authored two books, written for numerous publications and participated in standards groups such as OASIS, Kantara Initiative and others. His articles appear regularly at http://security-architect.blogspot.com.

Alan Goode, FOUNDER AND MANAGING DIRECTOR, GOODE INTELLIGENCE
Goode has 10 years of research and analysis experience with Juniper Research, Market Mettle and Goode Intelligence in addition to 17 years of technology management experience. Goode has been head of Information Security at T-Mobile UK, security practice manager at Atos Origin, head of Digital Security at De La Rue Identity Systems and security analyst for Citibank.

Tom Smedinghoff, PARTNER, EDWARDS WILDMAN PALMER LLP
Smedinghoff focuses on the emerging field of information law and electronic business activities. He has been actively involved in developing e-business, e-signature, ID management, and data security legal policy both in the U.S. and globally. He also serves as chair of the Identity Management Legal Task Force for the ABA Business Law Section, and co-chair of its Cybersecurity Committee.

Neville Pattinson, SENIOR VICE PRESIDENT, GOVERNMENT SALES, GEMALTO NORTH AMERICA
In addition to his position at Gemalto, Pattinson is the technical vice-chairman of the Smart Card Alliance and sits on the board of NSTIC’s Identity Ecosystem Steering Group. He previously served a five-year term on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.

Joshua Jabs, VICE PRESIDENT OF STRATEGIC MARKETING, ENTRUST, PART OF DATACARD GROUP
Jabs joined Datacard in 2009 as vice president of government vertical. Before that, Jabs directed investor engagements as an equity analyst in the Security and Financial Technology sectors at Roth Capital Partners and Piper Jaffray and held roles within the U.S. government in areas dealing with new technology investments and security research.

Andre Boysen, EXECUTIVE VICE PRESIDENT, MARKETING, SECUREKEY TECHNOLOGIES
Boysen serves as SecureKey’s digital identity evangelist and is responsible for positioning the company’s growth strategy and cultivating opportunities in new and existing markets. Prior to joining SecureKey, Boysen co-founded and served as chief technology officer of 724 Solutions Inc.
DIGITAL IDENTITY IN 2019: A VIBRANT IDENTITY ECOSYSTEM

JEREMY GRANT, SENIOR EXECUTIVE ADVISOR, IDENTITY MANAGEMENT, NIST
In the year 2019, consumers will think it’s quaint when online service providers ask them to create a new account – or more likely, many will simply abandon the site, deciding that it’s not worth the hassle. The marketplace availability of secure, privacy-enhancing digital credentials that can be used across the Internet in lieu of passwords will prompt most consumers to trust one – or a handful – of credential service providers instead of managing 25-30 passwords. The value to consumers will not only be convenience, but also the knowledge that the security and privacy of their transactions is enhanced. Moreover, online service providers will be eager to reduce friction for consumers accessing their services, as well as inspire trust by assuring that as a service provider, they too value security and privacy.

A comprehensive Identity Ecosystem Framework – essentially a set of standards, policies, and operating rules that ensure interoperability of credentials across sites, as well as a consistent experience for consumers and service providers alike – will enable this new paradigm for online identity. Crafted by the privately-led Identity Ecosystem Steering Group (IDESG), this framework will also be backed by a Trustmark program that allows credential issuers to demonstrate their compliance with the Framework. This will enable the easy creation of new Trust Frameworks that span numerous sectors, making it easier for organizations to trust credentials issued by others.

WE WILL MOVE FROM SYSTEMS THAT CHALLENGE THE USER TO PROVE THEY ARE WHO THEY CLAIM TO BE, TO ONES THAT “RECOGNIZE” US

The authentication ceremony itself will look very different than it does with today’s authentication tools that require significant work on the part of the end-user. We will see new easy-to-use technologies that do the work for us. In simpler terms: we will move from systems that challenge the user to prove they are who they claim to be, to ones that “recognize” us. This shift to recognition will be enabled by the ever-increasing array of capabilities and sensors built into the devices we use to go online. That may sound scary, but it will only be problematic if we don’t make an effort as technology progresses to make sure we get privacy right. With these new capabilities, it will be more important than ever to ensure that there are standards in place – both technical and policy – to ensure that this future state of identity is one that enhances privacy. This will be accomplished by embedding a default set of privacy protections in the Identity Ecosystem Framework, as well as by taking advantage of new privacy-enhancing technologies that are starting to appear. Major cloud service providers will embrace these privacy enhancements as a way to address potential liabilities and inspire trust among a broader swath of customers.

This future state of identity will have been developed and led by the private sector, though it will have been heavily inspired by the National Strategy for Trusted Identities in Cyberspace, issued by President Obama in 2011. While published by the government, the NSTIC set forth a vision that appealed to a wide range of companies, advocates, academics and individuals, bringing them together to collaborate on a way to fundamentally remake online identity. At a time of tremendous change in identity technology, the strategy served as a guidepost for the private sector, reminding everyone that privacy, security, ease-of-use and interoperability are each essential for an Identity Ecosystem to flourish. As for the National Program Office, by 2019 it will be a blessed memory, having been absorbed back into NIST. With a vibrant, NSTIC-aligned Identity Ecosystem becoming pervasive, the need for a dedicated government office to assist the private sector will wane. Technologies and markets evolve, and government must as well. There will no doubt be new challenges in 2019 that are deserving of our time, energy and resources.
HOW WE DEMOCRATIZED IDENTITY, TOOK BACK CONTROL AND CHANGED THE WORLD

DAN BLUM, CHIEF SECURITY AND PRIVACY ARCHITECT, RESPECT NETWORK
DATELINE 2019 – Today is the five-year anniversary of Respect Network’s launch and I’ve been asked to write this post as if describing the identity management landscape to our younger selves in 2014. To contemplate the time shift, I’ve re-created the state of our topics five years ago and hyperlinked various references back to old archives. Remember 2014? Many people had not heard of personal clouds and I’d have to describe it to them as “the first global, private personal cloud network in which individuals manage their relationships with other people and businesses under a trust framework that protects ownership, privacy, and control of personal information.” There was a social media campaign with the hashtag #TakeBackControl and though the network started with minimal functionality, its vision was clear and the architecture well specified. In 2014, online personal empowerment seemed an audacious concept even in the free world where it belonged – and to which I’ll constrain my generalizations of the present time. Few outside the initial movement for privacy thought personal clouds would have much impact. But now, almost everyone has a personal cloud with one of the many service providers on the network, an ecosystem partner, or with a competing network.

As for identity management, where do I even start? In 2014, you could still talk about digital identity separate from individual rights to privacy and control – as if our identity was a thing that should be primarily managed for us by organizations. No one could have foreseen the degree to which the world would move towards “Bring Your Own Identity” (BYOID) with tools like safe social sign-on. That democratization of identity has not only been great for people, but also good for business. When it came to digital identity standards, there was no consensus in 2014, and there is no consensus now. The “Internet identity layer” is still like the meta-system Kim Cameron wrote about in the 1990s. Digital identity defies standardization because it is as individual as the people it’s trying to serve, not to mention that people, organizations, applications and wearable or implantable device technologies just evolve too fast to pin down the interfaces. The old saying – “the wonderful thing about standards is there’s so many of them” – certainly applies here. For example, government ID card initiatives generally proved unsuccessful or limited in scope. Today, most organizations outsource what we used to call identity management. Old standards based on centralized authentication and authorization services are fading away as distributed systems increasingly consume meta-data and make contextual, risk-based decisions (as envisioned in the original Global Identity Foundation, but much more de-centralized). That’s right, personal and business clouds often connect as peers. Personal clouds are portable so that your digital identity, just like your biological one, belongs to you for life. Few would raise their eyebrows in 2019 anymore if you called the personal cloud your “digital self.” And as we built our reputations and keychains, personal clouds became increasingly viable for BYOID as well. Personal clouds with third party identity providers, claims providers and payments providers now form the dominant architecture pattern for online authentication, authorization, reputation and commerce. Because most personal clouds are implemented as semantic graphs, multiple standards can be used even within a single trust network.

DIGITAL IDENTITY DEFIES STANDARDIZATION BECAUSE IT IS AS INDIVIDUAL AS THE PEOPLE IT’S TRYING TO SERVE

Despite widespread use of biometrics and other forms of “strong” authentication, there’s still a cybercrime problem. Aggregate identity theft levels are much lower for personal cloud users, but when a compromise does happen the consequences can be serious. Fortunately, the decentralized architecture of trust networks means you don’t suffer really big breaches, nor do most people allow spam on secure, relationship-based channels. Unfortunately, next generation cybercrime continues to evolve as bad actors try to game reputation systems and infiltrate or sabotage self-governing parts of trust networks. It’s a constant battle but de-centralized trust networks are holding their own.
THE USE OF MOBILE DEVICES FOR AUTHENTICATION PURPOSES IS NOW COMMONPLACE, WITH SMART PHONES AND TABLETS BEING USED AS THE PRIME AUTHENTICATOR FOR A WIDE RANGE OF SERVICES INCLUDING BANKING, PAYMENT, CLOUD-BASED SERVICES AND THE ENTERPRISE

As an enabler of personal empowerment and mutually profitable business relationships, personal cloud networks totally rock. They’ve become the authoritative source (or at least the conduit) not only for identity but for personal information in general. People are incentivized to maintain their cloud because they get a share in the relationship fee model. How the personal cloud expresses oneself is becoming increasingly important; newer personal clouds constantly change their “skins” and behavior depending on our schedules, states or moods. Businesses are getting major sales, marketing and logistical efficiencies from the new model. The change of address process had caused businesses to lose touch with customers, but not anymore. It’s way beyond BYOID: the expansion of the semantic graphs’ community registries and dictionaries seems endless and continues to scale with the latest OASIS Extensible Data Interchange (XDI) 3.0. What Doc Searls called “the Intention Economy” is here and growing much faster today than the old advertising and surveillance economy. You see use cases in every industry including ubiquitous personal RFPs, micropayments, smart homes and grids, patient-controlled health records transfer and so much more. Change identity, change the world!
WHAT HYDROGEN-POWERED FLYING CARS TELL US ABOUT THE FUTURE OF DIGITAL IDENTITY IN 2019 ALAN GOODE, FOUNDER AND MANAGING DIRECTOR, GOODE INTELLIGENCE
In an article that aims to predict the future, one must not be tempted to paint an improbable picture. We may well be travelling around in autonomous hydrogen-powered flying cars someday but that looks unlikely for 2019; it is, after all, only five years away. As someone who earned a Bachelor’s in History, I always believe that we should look back in time to see what the future will give us. If we cast our minds back five years to 2009 we can see what has changed in a five-year timeframe. The iPhone was two years old and its arrival heralded the start of the smart mobile device revolution where digital services are delivered to a wide range of always-connected devices from a mixture of tightly controlled enterprise or highly agile cloud-based services. In terms of digital identity for 2009, the consumer space was dominated by passwords and the enterprise was a mixture of passwords and two-factor authentication hardware options – one-time-password tokens or smart cards – where the higher cost of deployment was matched with the associated risk. In the enterprise, digital identity was largely managed internally with limited examples of federated identity. As a result of the combination of smart mobile devices and cloud-based services, by 2009 we were starting to see evidence of change. Authentication and identity solutions designed to work within a closed network were missing in this new world of agile IT. We started to see identity solutions leverage the capabilities of the smart phone to democratize stronger two- and multi-factor authentication. The emergence of SMS-delivered OTPs and soft tokens, where OTPs are generated in a mobile app, was a notable trend in the years from 2009 onwards. This adaptation of existing authentication technology for mobile – both the phone as an authenticator for IT services and for mobile app authentication – may not be ideal but is a necessary compromise until we develop new methods of delivering strong authentication to new platforms.
Now, new authentication and digital identity technology is being developed and is starting to filter through into the mainstream, both for consumer and enterprise users. Today’s emerging authentication technology has a good chance of being widely deployed by 2019.
SO WHAT WILL DIGITAL IDENTITY LOOK LIKE IN 2019?
I believe that there are currently a number of mini-trends in digital identity that are fusing together to form the future of authentication. In 2019, digital identity will have the following characteristics:
Fewer credentials – identity service providers to the rescue
We have too many credentials and credential management has become a major headache. I must have at least 40 unique credentials and that means 40 separate passwords to manage. This problem is amplified when accessing accounts via a smart mobile device. Passwords and other strong authentication solutions are fine when I have a handful of accounts to manage but are poor in today’s world where I access multiple accounts from many different endpoints. By 2019, we shall have fewer credentials to manage. Not as a result of fewer accounts, but with the adoption of password management and use of identity service providers offering us a service for credential management and federation.
Authentication standards to assist interoperability and a common experience
The emergence of identity and authentication technology standards including FIDO, SAML and OpenID will enable service providers to deploy interoperable solutions that share a common user experience.
It’s my identity and I choose to assert it here!
Then there’s Bring Your Own Identity (BYOID). This enables users to create identities that can be asserted by their owners with a variety of service providers. Frankly, I can’t really see the situation where we have a single digital identity by 2019.
Merging of consumer and enterprise
Consumer and enterprise IT is rapidly merging and by 2019 the silos that demark our personal and business digital lives will be eroded. To support this trend we need a digital identity architecture that can be trusted and shared across both personal and business sectors.
Mobile and wearable – the emergence of universal authenticators
The use of mobile devices for authentication purposes is now commonplace, with smart phones and tablets being used as the prime authenticator for a wide range of services including banking, payment, cloud-based services and the enterprise. OTP mobile apps and SMS delivery solutions are starting to be replaced by smarter identity solutions that include technology such as biometrics, contextual awareness and behavioural analysis, as well as functions from other security tools including threat intelligence and malware detection. By 2019, smart mobile identity will be a reality and next generation wearable devices will emerge as universal authenticators.
Smart authenticator – even smarter authentication engine
The link between mobile devices and cloud services is a common attribute of modern IT and digital identity in 2019 will embrace this symbiosis. The mobile device will be used to collect behavioural and personal information to inform backend services that there is very good evidence that the device is in the hands of its authorised user.
This information will be processed by risk-based authentication services using the latest machine-learning algorithms to ensure that service providers have a high level of assurance that the authorized user is attempting to perform a particular action.
THE BUILDING BLOCKS OF 2019 DIGITAL IDENTITY ARE ALREADY HERE
We already have the building blocks that will create digital identity services for 2019. They are being designed and integrated into next-generation authentication solutions creating a more flexible and natural way of authenticating millions of users and ensuring that cyberspace is safe and easy to enter.
KEYS TO ENSURING A FEDERATED FUTURE THOMAS J. SMEDINGHOFF, PARTNER, EDWARDS WILDMAN PALMER LLP
The concept of federated identity management has been discussed and developed in various forms for more than 20 years. During that time, we have witnessed an ever-evolving progression of new ideas and concepts along with much debate and work on standards, policies, trust frameworks and certification requirements. But has there been real progress? In the next five years, will federated identity management be a ubiquitous reality for most businesses and users? Or will it simply advance to the next stage of an interesting but largely theoretical discussion, punctuated only by isolated sector-specific implementations and proof-of-concept pilot projects? The answer may depend on whether a shift in focus is possible. Today’s development efforts focus primarily on the specifications and policy issues that must be addressed to build so-called “trustworthy” identity systems. This has generated a great deal of discussion regarding the very concept of “trust,” as well as extensive work on issues such as levels of assurance, identity proofing, trust elevation, certification, trustmarks, privacy, security and interoperability. But these efforts largely ignore a critical prerequisite to success – finding a business model that will provide appropriate incentives for businesses and users to participate in such a trustworthy system in the first place.
Imagine the year is 1900 and we’re trying to promote the recently invented automobile as the future of transportation. While developing standards for building safe and reliable cars might seem to be the primary challenge, that may not be the best approach. At that early stage in the development of the automotive transportation ecosystem, what was truly required were incentives for manufacturers to build cars and users to buy them. And to do that, we needed an infrastructure of roads, gas stations and repair shops. In that early environment, focusing on standards for building safe and reliable cars would most likely not provide the needed incentives. Likewise, efforts focused on requirements for ensuring trustworthy federated identity systems, while important, will not succeed without commensurate attention to the need to incentivize businesses or without users making the investments and commitments necessary to participate in such systems. This requires addressing two key preconditions for the development of such incentives: identifying business models that provide an economic justification for all parties to participate in federated identity systems, and providing a legal framework that enables and supports such business models. We can’t operate on the assumption that federated identity is such a great idea that merely designing requirements for a trustworthy system will incentivize widespread implementation. Until we address this fundamental issue of incentives, federated identity systems will likely not be a widespread reality, regardless of how many trustworthy and privacy-enhancing standards, policies and certification processes are developed.
What incentives will motivate businesses and users to participate in federated identity systems? Short of government compulsion that mandates compliance notwithstanding cost (e.g., regulatory requirements), they will likely involve business models that enable identity information providers to make money – either directly or incidentally – relying parties to save money or extract other value from the process and users to simplify their online access requirements. In all cases, the value received by each role must be sufficient to justify the cost or hassle involved in participating. Facebook has apparently figured this out, and has deployed a business model – login with Facebook – that is arguably the most successful, by volume, federated identity system in use. It flourishes notwithstanding that it operates with a very low level of trust, and largely ignores many of the key identity issues. Instead, it leverages the Facebook business model in a manner that provides economic incentives for itself, its relying web sites and its users. The challenge is to find one or more such incentivizing business models for systems providing higher levels of trust.
Establishing a climate conducive to the development of such value-generating business models also requires an appropriate legal framework. Such a legal framework may take the form of public law, statutes or regulation, but can also come from private law in the form of contracts among participants. Most likely it will be a combination of both. Regardless of structure, the goal is to provide a legal framework that removes inappropriate legal barriers where and to the extent they exist. This then enables the deployment of viable business models, consistent with appropriate public policy. Doing this will require providing a satisfactory level of legal certainty regarding the rules governing those who participate and fairly addressing allocations of responsibilities, risks and liabilities among the various roles. At the same time, the legal framework must not restrict the development of viable economic models, such as by imposing burdensome legal structures, requiring parties to execute complex contracts every time they engage in a transaction or allocating liability in a manner that unduly inhibits participation. Instead, it should be designed to encourage and support the market-based experimentation needed to develop an approach to online identity that incentivizes all involved.
At the end of the day, making Internet scale federated identity a reality in the next five years will require addressing more than just the issue of trust. It will require finding viable business models that provide sufficient benefits to all participants to incentivize them to participate while at the same time implementing an appropriate legal framework to support those business models.
ABANDONING IDENTITY IN FAVOR OF ATTRIBUTES STEVE WILSON, PRINCIPAL ANALYST, CONSTELLATION RESEARCH
Identity online is a vexed problem. The majority of Internet fraud today can be related to weaknesses in the way we authenticate people electronically. Internet identity is terribly awkward too. Unfortunately today we still use password techniques dating back to 1960s mainframes that were designed for technicians, by technicians. Our identity management problems also stem from overreach. For one thing, the information era heralded new ways to reach and connect with people, with almost no friction. We may have taken too literally the old saw “information wants to be free.” Further, traditional ways of telling who people are, through documents and “old boys networks,” create barriers, which are anathema to new school Internet thinkers. For the past 10-to-15 years, a heady mix of ambitions has informed identity management theory and practice: improve usability, improve security and improve “trust.” Without ever pausing to unravel the rainbow, the identity and access management industry has created grandiose visions of global “trust frameworks” to underpin a utopia of seamless stranger-to-stranger business and life online. Well-resourced industry consortia and private-public partnerships have come and gone over the past decade or more. Numerous “trust” start-up businesses have launched and failed. Countless new identity gadgets, cryptographic algorithms and payment schemes have been tried. And yet the identity problem is still with us. Why is identity online so strangely resistant to these well-meaning efforts to fix it? In particular, why is federated identity so dramatically easier said than done?
Identification is a part of risk management. In business, service providers use identity to manage the risk that they might be dealing with the wrong person. Different transactions carry different risks, and identification standards are varied accordingly. Conversely, if a provider cannot be sure enough who someone is, they now have the tools to withhold or limit their services. For example, when an Internet customer signs in from an unusual location, payment processors can put a cap on the dollar amounts they will authorize. Across our social and business walks of life, we have distinct ways of knowing people, which yields a rich array of identities by which we know and show who we are to others. These identities have evolved over time to suit different purposes. Different relationships rest on different particulars, and so identities naturally become specific not general. The human experience of identity is one of ambiguity and contradictions. Each of us simultaneously holds a weird and wonderful ensemble of personal, family, professional and social identities. Each is different, sometimes radically so. Some of us lead quite secret lives, and I’m not thinking of anything salacious, but maybe just the role-playing games that provide important escapes from the humdrum. Most of us know how it feels when identities collide. There’s no better example than what I call the High School Reunion Effect: that strange dislocation you feel when you see acquaintances for the first time in decades. You’ve all moved on, you’ve adopted new personae in new contexts – not the least of which is the one defined by a spouse and your own new family. Yet you find yourself re-winding past identities, relating to your past contemporaries as you all once were, because it was those school relationships, now fossilised, that defined you.
Frankly, we’ve made a mess of the pivotal analogue-to-digital conversion of identity. In real life we know identity is malleable and relative, yet online we’ve rendered it crystalline and fragile. We’ve come close to the necessary conceptual clarity. Some 10 years ago a network of “identerati” led by Kim Cameron of Microsoft composed the “Laws of Identity,” which contained a powerful formulation of the problem to be addressed. The Laws defined Digital Identity as “a set of claims made [about] a digital subject.” Your Digital Identity is a proxy for a relationship, pointing to a suite of particulars that matter about you in a certain context. When you apply for a bank account, when you subsequently log on to Internet banking, when you log on to your work extranet, or to Amazon or PayPal or Twitter, or if you want to access your electronic health record, the relevant personal details are different each time. The flip side of identity management is privacy. If authentication concerns what a Relying Party needs to know about you, then privacy is all about what they don’t need to know. Privacy amounts to information minimization; security professionals know this all too well as the “Need to Know” principle. All attempts at grand global identities to date have failed. The Big Certification Authorities of the 1990s reckoned a single, all-purpose digital certificate would meet the needs of all business, but they were wrong. Ever more sophisticated efforts since then have also failed, such as the Infocard Foundation, Liberty Alliance and the Australian banking sector’s Trust Centre.
Significantly, identity federation only works within regulatory monocultures – for example the US Federal Bridge CA, or the Scandinavian BankID network – where special legislation authorises banks and governments to identify customers by the one credential. The current National Strategy for Trusted Identities in Cyberspace has pondered legislation to manage liability but has balked. The regulatory elephant remains in the room. One of the most promising identity developments today is the Open Identity Foundation’s Attribute Exchange Network, a new architecture seeking to standardise how identity claims may be traded. The Attribute Exchange Network resonates with a growing realization that, in the words of Andrew Nash, a past identity lead at Google and at PayPal, “attributes are at least as interesting as identities – if not more so.” If we drop down a level and deal with concrete attribute data instead of abstract identities, we will start to make progress on the practical challenges in authentication: better resistance to fraud and account takeover, easier account origination and better privacy. My vision is that by 2019 we will have a fresh marketplace of Attribute Providers. The notion of “Identity Provider” should die off, for identity is always in the eye of the Relying Party. What we need online is an array of respected authorities and agents that can vouch for our particulars. Banks can provide reliable electronic proof of our payment card numbers; government agencies can attest to our age and biographical details; and a range of private businesses can stand behind attributes like customer IDs, membership numbers and our retail reputations. In five years’ time I expect we will adopt a much more precise language to describe how to deal with people online, and it will reflect more faithfully how we’ve transacted throughout history. As the old Italian proverb goes: It is nice to “trust” but it’s better not to.
WHITHER CARDS? SECURE IDENTITIES MOVE TO SMART DEVICES JULIAN LOVELOCK, VICE PRESIDENT OF PRODUCT MARKETING FOR IDENTITY ASSURANCE, HID GLOBAL
Within the next five years, users will be carrying multiple secure identities on a single card or phone – a move that could replace all previous mechanical keys and dedicated one-time password (OTP) hardware for physical and logical access control. This single card or device will be part of an access control ecosystem that provides a seamless user experience and can flexibly scale and adapt, while also delivering growing value to the organization. The technologies for realizing this vision already exist and are poised to change how we use secure identities for many applications. Any smart device – whether a traditional card or a device with wireless technology such as Bluetooth or NFC – now has the potential to become a trusted credential that can be used for authenticating individuals. Meanwhile, advances in converged back-of-house technologies are enabling strong authentication and card management capabilities for computer and network logon. These advances also ensure that physical and logical identities can be managed on a combination of plastic cards and smart phones. The objective is not simply to substitute one credential form factor for another across isolated use cases. Rather, the goal is to leverage mobile technologies to build unified solutions that ensure secure access to the door, to data and to cloud applications.
Today’s access control platforms deliver more sophisticated credentials and new credential form factors including mobile devices. They also support open standards so that organizations can evolve beyond their current capabilities, add features and adapt to changing security threats. With the proper foundation and planning, organizations can solve today’s challenges, as well as prepare for new capabilities such as mobile access control. Moreover, this foundation can allow for a diverse range of new applications when needed, and pave the way for integrated, multi-layered physical access control and IT security solutions that span all of the organization’s networks, systems and facilities.
One of the biggest developments in the coming years will be growth in mobile access adoption. Within five years, we should also see smart phones becoming an integral part of the ecosystem for the creation, management and use of secure identities. In some instances phones will replace cards, but in many others they will supplement cards to enable a more secure and user-friendly experience. The use of smart phones to receive digital credentials and “present” them to readers will cooperate with existing capabilities to generate one-time passwords for accessing network or cloud- and web-based applications. Users will simply take the same card or phone they use for building access and use it in conjunction with a personal tablet or laptop to authenticate to a VPN, wireless network, corporate intranet, cloud- and web-based applications, single-sign-on clients or other IT resources.
Within this environment, strong authentication will continue to grow in importance in the face of a rapidly changing IT security threat environment – and will also move to the door. There will be increasing use of other authentication factors including biometrics. In the federal space, meanwhile, widely adopted Public Key Infrastructure-based strong authentication methods will arrive at the door using both cards and mobile phones. Smart phones using Bluetooth Low Energy for their short-range connectivity technology will also have long enough reach that users can open doors with a simple movement of the device as they walk up to a mobile-enabled reader. This new gesture-based capability offers a new user experience and new ways to open doors and parking gates, while laying the foundation for a wide range of additional future applications.
The latest secure identity technologies enable organizations to use smart cards and other smart devices in a growing ecosystem of interoperable products and applications. Within the next five years, our customers will be able to use these cards and phones as a replacement for all previous mechanical keys, physical access cards and dedicated OTP logical access authentication hardware. And accompanying this transition will be an extremely flexible, centralized access and identity management system that can adapt to evolving threats and requirements, improve the user experience, and deliver steadily growing value over time.
THE FUTURE OF THE IDENTITY ECOSYSTEM IS MOBILE NEVILLE PATTINSON, SENIOR VICE PRESIDENT, GOVERNMENT SALES, GEMALTO NORTH AMERICA
According to the Pew Research Center, 90% of American adults have a cell phone and 58% have a smart phone. To take it a step further, 63% of adult cell owners use their phones to go online and 34% of cell Internet users go online mostly using their phones rather than a computer. There is even a word to describe the fear of being without a mobile device: nomophobia. Our identities, both figuratively and technologically, are tied to our mobile phones. Although most of us recognize that mobile phones are not the most secure way to exchange information and access content, the convenience factor reigns supreme. Even President Obama, when he assumed office, wouldn’t give up his BlackBerry. So what’s the solution? How do we maintain the freedom and convenience of using one’s own personal device while upholding high security standards? Can it even be done? The short answer is ‘yes,’ no doubt due in part to our country’s awakened fervor exemplified in NSTIC.
The current lack of assurance that we are all who we say we are affects both businesses and governments, as they are left unable to allow employees certain communications online via personal devices due to inadequate authentication mechanisms. This is ironic and unfortunate given the growing move toward BYOD workplaces. The Identity Ecosystem, as envisioned by NSTIC, is an online environment that will enable people to validate their identities securely and with minimal disclosure of their personal information and perform trusted interaction and transactions. This is something we all need and will all benefit from. Today employees work outside the office and must access secure corporate data to conduct daily tasks. A Nasscom/Deloitte report suggested that the global enterprise mobility market opportunity is expected to grow by a compound annual growth rate of 15% to $140 billion by 2020. Perhaps even more telling, the line between the personal and enterprise sectors is blurring. An Ipsos MORI/Huddle study found that nearly three quarters (73%) of U.S. office workers using enterprise-owned tablets download personal software and apps, while 52% use personal laptops, tablets and smartphones to store and work on enterprise content. Employees want to access corporate resources – regular mail, encrypted mail, online corporate services – through their mobile phones, and they are doing so whether CIOs and CSOs like it or not.
Similarly, corporations and institutions don’t want to constrain their employees by imposing restrictive policies. As many employees are using mobile phones in place of laptops, security solutions on these devices must be on par with security solutions on laptops and desktops. But the ecosystem is highly fragmented. There is a multitude of smart phones on the market and there is no one method for authentication currently in use.
At the low end of authentication are unmanaged soft credentials, known more commonly as usernames and passwords. Then we have managed soft credentials, like software certificates. Moving on up, there are derived online credentials, such as a secure server in the cloud. Fourth are derived credentials, found on a Universal Integrated Circuit Card (UICC), embedded secure element, or Trusted Execution Environment. Finally, the most secure credentials are smart card credentials. These are just a few of the choices. But within the BYOD playing field, in order to be the most effective, we need to find a common denominator and standard implementation for secure credentials. One test bed to consider is the government. Federal employees require secure hardware for handling highly sensitive information. As such, a handset-embedded secure element with a trusted execution environment is the best fit for government employees’ enterprise security applications. Based on GSMA, Java Card & GlobalPlatform standards, the UICC is the only common denominator for strong credentialing on mobile devices. The most logical choice, therefore, for the government’s BYOD policy is a Common Access Card and/or Personal Identity Verification (PIV) Card in the UICC smart card for a mobile phone. Importantly, this solution is device agnostic. The secure UICC can be inserted into various mobile devices and can be moved from handset to handset. The good news is pilot programs using these secure technologies are already underway. Security and authentication are concerns felt by the C-suite, not just the IT department. These are all positive paradigm shifts. Our goal as a society should be to strive for the day when privacy-enhancing technologies are ubiquitous. I’m confident we’ll get there.
CERTIFICATES, TRUSTED IDENTITIES AND THE INTERNET OF THINGS JOSHUA JABS, VICE PRESIDENT OF STRATEGIC MARKETING, ENTRUST, PART OF DATACARD GROUP
Thanks to advances in mobility and cloud infrastructure, we’re all becoming more accustomed to having access to data of all kinds, at any time, and from anywhere. To get an idea of how instant and secure access to data will play out in the future, let’s consider some of the technologies that will help make it a reality.
First, consider the rise of wearable technology. Today, wearables are primarily used for fitness and health care, but the fundamental premise is to use real-time data from the user and his or her surroundings to enhance interactions. We are just beginning to glimpse what is possible. Next, consider the rise of touch screen kiosks that increase the efficiency of engagements that until now have been handled completely by humans. In the next few years, waiting in lines based on the capacity of service staff in retail and chain restaurants will be a vastly different and more pleasant experience. Technology will only be part of the change, as the primary focus will be on enabling the user experience.

In order to enhance user experiences, a balance of trust and convenience is needed. An identity in the world of digital security is slightly different from the public’s commonly held understanding of the term. Identity enables knowledge of who or what is on either end of a digital transaction. In addition to people, there are identities associated with PCs, smart phones, tablets, apps, wearables, touchscreen kiosks, cars, and the list goes on and on. The number of identities will expand massively by 2019 as we embrace the Internet of Things. These identities can, and must, be protected to create truly trusted transactions.

While a number of legacy technologies will likely continue to exist in this environment, risk-based approaches and use of certificates will play much larger roles. This trend will be driven by a need for more transparent interaction by users, smarter devices able to seamlessly store and share credentials, and a need to scale from millions to billions of identities living in devices. In the end, identity will become transparent, except when the user desires to be in control. Once certificates are installed, there will be no additional work to be done: no need to enter multiple passwords or one-time passcodes, and no need to maneuver through a Q&A security screen to access the network. Moreover, this technology is safer than any password or combination of passwords.

To think about these technologies in action, let’s consider the brick-and-mortar bank branch. In the retail bank of 2019, we will see an increasingly personalized and engaging environment. The branch will be aware of the user, providing more personalized services. Rather than a gatekeeper at the end of a queue, the teller will become a consultant helping customers work through options. Here’s how it’ll happen. The “bank of the future” will be equipped with touch screen kiosks that will enable customers to quickly and easily complete even complex transactions, such as deposits or transfers. The wearable technology mentioned earlier may play a key role in making these transactions quick and simple. Imagine walking into a bank in 2019. Wearing a rubber bangle similar to a FitBit device, everything in the branch is instantly personalized for you – from the advertising messages you see, to instant access to account information. All of this information will be quickly and readily available because security technology – such as certificates – will underpin every transaction, creating trusted interactions between customers and the bank. The tellers will help users work through options as needed as part of the self-service environment, but the role they play will have significantly changed from the transaction processing function we have today.

The same scenario holds true in other arenas. In the next few years, secure technology in the workplace will allow us to quickly and seamlessly enter physical locations, log in to our applications, and even sign sensitive documents. As citizens, secure technology will provide the same level of service and access to government services such as the DMV, or even as travelers passing through airports. With kiosks, e-gates and automated border control, the experience of travel domestically and internationally could become easier and more secure. Security technology will enable us to seamlessly do the things we need to do, when we want, which will be made possible by a security architecture. If done correctly, this architecture will allow organizations to trust the identity of all individuals and devices accessing their networks and provide user-aware decisioning that keeps the interaction as transparent and convenient as possible.
CONSUMER CHOICE AND PRIVACY MATTER
DIGITAL IDENTITY IS CLOSER THAN YOU THINK ANDRE BOYSEN, EXECUTIVE VICE PRESIDENT, MARKETING, SECUREKEY TECHNOLOGIES
Passwords are like the Tribbles in the Star Trek episode, “Trouble with Tribbles.” They start out cute and memorable, then they multiply over and over and over. However, the model to a better digital future is already at work. The Government of Canada is providing a beacon of hope for a future without proliferating passwords. A future that makes it easy for citizens to use their established credentials to access the services they need without requiring dedicated credentials for every destination – and still maintaining the privacy that citizens expect. The Canadian identity system, in full operation since April 2012, makes it convenient for people to access more than 85 online services by offering them the choice to sign in using the familiar authentication credentials they use for banking and financial services. The approach is clearly resonating. The service has well surpassed the 1 million credential milestone and now processes approximately 1 million transactions per month, with volumes growing rapidly. This showcases that people are ready for a new way to connect with the online services they need.
Canadians use credentials to access their bank frequently and it is familiar and trusted. Importantly, banks also have the proper credibility and trust for government services as well. In compliance with federal privacy legislation, citizen privacy is respected under the system, as financial institutions and government agencies do not share any information that personally identifies individuals. The service has been an important addition to banks’ ability to expand their reach, and is a great example of how the government and industry can successfully work together.
THE NETWORK EFFECT: UTILITY INCREASES AS MORE COME ONLINE The Government of the Northwest Territories is the first jurisdiction outside of the Government of Canada to adopt the service. According to Dave Heffernan, corporate CIO for the Government of the Northwest Territories, providing easier online access to government services is a central component of the territories’ Service Innovation Strategy – an initiative to improve service delivery to residents, businesses and visitors. By enabling citizens to use authentication credentials they already have and trust, the territories will be able to improve online services for things like renewing vehicle registrations.

USING EXISTING BANKING CREDENTIALS, THE GOVERNMENT OF CANADA IS LEVERAGING THE INVESTMENTS MADE BY FINANCIAL INSTITUTIONS IN SECURE ONLINE ENVIRONMENTS

In the United States, the shift is on as well. SecureKey is working with the federal government on a cloud-based authentication infrastructure for the new Federal Cloud Credential Exchange (FCCX). The FCCX service is designed to enable individuals to securely access online services – such as health benefits, student loan information and retirement benefit information – at multiple federal agencies without the need to use a different password or other digital identification for each service.

THE FUTURE IS NOW Identity is at a fascinating tipping point. The user ID and password model was created decades ago to manage billing for mainframes, without any vision for a connected world like we have today. As such, passwords continue to wreak havoc because each service requires unique, strong credentials. This also turns every service provider into an identity provider – something they don’t want to be! The new approach demonstrates that consumers are ready for a new credentials model to access the online services they want and need. In fact, it is a very safe way to allow users to do what they are doing already – leveraging common credentials across the web destinations they visit. Additionally, it shows what’s really possible when industry and government truly work together for the good of citizens everywhere. It’s time to rid the world of the password Tribbles that multiply uncontrollably. The public is ready for it, aren’t you?
STUDY DEFINES STATE OF ‘BRING YOUR OWN IDENTITY’ ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
When an employee starts at a company they are typically given a user name in the form of a corporate email address and told to create a password. Depending on the job and position, other tokens might be assigned but at the minimum they are supplied this initial credential. But a new trend in the enterprise market is starting to emerge as “Bring Your Own Identity” – BYOI or BYOID – takes shape. It’s already being used in the business-to-consumer realm under the moniker of social login, but people often don’t realize this is actually a form of BYOID. When a consumer chooses to use Facebook, Google or other social media credentials to login to a site, that’s BYOID, says Dimitri Sirota, senior vice president of business unit strategies at CA Technologies. “Now we want to make it easier for the employee to login and use technology similar to what they have on the consumer side,” he says. The Ponemon Institute and CA Technologies partnered to survey IT executives on BYOID. The study included two groups from the United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom. The first consisted of more than 1,500 IT practitioners and the second included more than 1,500 business executives. The goal was to understand trends in BYOID, which the study defined as the use of trusted digital or social networking identities. According to the survey, the majority of interest for BYOID is in customer use, with 50% of IT users and 79% of business users showing interest respectively. Employee use is also of interest at 46% for IT and 26% for business respondents, though not nearly as far along, Sirota says. “Employees might use that as a primary factor of authentication and then use another PIN or password as another factor,” he adds.
Respondents have high levels of interest in BYOID, but IT users and business users have different perceptions as to its value. IT sees BYOID’s value in fraud reduction, risk mitigation and cost reduction while the business sees the value in streamlining customer experience and improving marketing efforts. On the IT side of the enterprise, the survey found that the value in BYOID is in strengthening the authentication process at 67%, and reducing the risk of impersonation at 54%. On the business side, the value comes from delivering a better customer experience at 79%, while increasing the effectiveness of marketing campaigns rang in at 76%.
MOBILE IDENTITY Mobile is also driving BYOID. Creating new accounts and entering user names and passwords on a mobile device is difficult and can lead consumers to abandon transactions. Almost half of IT respondents and more than 80% of business respondents have high or very high interest in BYOID for mobile user populations. When asked which features would most likely increase BYOID adoption within their organization, there were a few items on the wish list. Some 73% of IT users wanted identity validation processes and 66% want multi-factor authentication. Business users also want identity validation processes and simplified user registration – both at 71%.

The study also indicates a significant desire for some level of accreditation for the identity providers. In order to consume identities from various identity providers, organizations want assurance that they can be trusted, and this is where accreditation comes in. Some 80% of IT users and 75% of business users say accreditation is important or very important. In terms of preferred identity providers, IT ranked PayPal, Google and Amazon as the top three while business named Amazon, Microsoft Live and PayPal. The majority of both IT users and business users would like to have mobile device factors added to the digital identity. IT users would also like 4-digit PINs and risk-based evaluations. Business users prefer to add passive factors such as geo-location tracking.

In terms of barriers to adoption of BYOID, IT users cite risk/liability concerns at 34%, followed by complexity at 21% and loss of control at 19%. On the business side, 31% cite cost as the largest barrier, followed by complexity at 23% and risk/liability concerns at 19%.

The Ponemon report suggests three steps to assess if and how BYOID would fit into an organizational strategy:

Engage IT and business in collaborative discussion. Organizations may already be utilizing BYOID for some initiatives, but to achieve maximum gain, organizations should conduct an overall assessment of current and future business initiatives to determine potential fit for BYOID. This exercise could include basic simulation/modeling of a new online initiative with BYOID and without BYOID. This will help address key questions: Will supporting BYOID increase new customer acquisition? Are the costs of continuing to require users to create and maintain their own accounts more than the incremental value that is generated from BYOID?

Conduct a BYOID risk assessment. To start, convene a cross-functional team with business, legal and privacy expertise to understand the underlying risk and liability issues. These discussions could include questions such as, “Is accepting an identity from identity provider X acceptable?” and “What is the minimum level of assurance we’d expect from identity provider X?”

Monitor BYOID trends. BYOID continues to be an active area with new developments both from vendors and public/private sectors. Leveraging other industry work in BYOID can help enhance your own efforts and ensure that best practices are always being utilized.
[Figure: Barriers to BYOID deployment, IT user vs. business user – risk and liability concerns, complexity, loss of control, lack of a compelling business case]
THE BIG QUESTION, PARTICULARLY IN THE U.S., IS WHETHER THE RESOURCES AND POLITICAL WILL EXISTS TO DEPLOY ADVANCED TECHNOLOGIES AND WORK THROUGH THE TECHNICAL CHALLENGES THEY PRESENT
BOLSTERING BORDERS NEW TECHNOLOGIES CREATE VIRTUAL FENCES DAVID SILVERBERG, CONTRIBUTOR, SECURITY INDUSTRY ASSOCIATION
For months, not a word may be heard from the long stretches of baking desert, the muddy rivers and the ports of entry that constitute the borders of the United States. Then, suddenly, there are days of frantic activity and blaring headlines announcing humanitarian crises and threats to the country. Largely overlooked and often unheralded are the incremental efforts to improve border security that fall between these extremes. Often these efforts involve development of new technologies and their careful deployment at key locations or improving identity management systems at air, sea and land ports of entry. It’s not glamorous but it’s essential and it’s having an impact. Among the companies key to this steady improvement are members of the Security Industry Association, and they have made major contributions.
TRACKING VISITORS One of the greatest border identity management programs of all time is US-VISIT (United States Visitor and Immigrant Status Indicator Technology), the program that tracks and verifies all visitors into the United States. It’s an outgrowth of the trauma of the Sept. 11, 2001 terrorist attacks and the recommendations of the blue-ribbon commission that studied U.S. failings. In a 2013 congressional reshuffle, the program was re-named the Office of Biometric Identity Management (OBIM) within the Department of Homeland Security (DHS), but the task is unchanged. The prime contractor for this undertaking is the consulting firm Accenture, which was involved in the project from its inception in 2004. Accenture coordinated the activities of all the different government agencies involved in US-VISIT, which included not only the offices within DHS but also the departments of State and Justice. Developing the vision for these agencies working together was an important part of developing US-VISIT because it became the underlying guide for a tremendous amount of activity that followed, according to an Accenture account of the program. Before US-VISIT, visitor identity verification was a confusing patchwork of systems and technologies that often didn’t work together and couldn’t be coordinated or accessed across platforms. Accenture created a technological roadmap that enabled administrators to build a single system. It changed custom interfaces and a fragmented, complex architecture into a single, service-oriented architecture based on a “single front door,” as the developers put it. This enabled stakeholders to access the program quickly and easily.

Accenture measures also brought down costs. It delivered software at 8% under the funded amount and introduced automated testing that saved $1 million in costs. By using numerous hardware vendors rather than a single one, the company eliminated the program’s dependence on a single supplier and reduced costs by more than 40%. These changes not only saved money and streamlined the program, they improved its functioning too. As threats emerged and then faded, to be replaced by new ones, US-VISIT was able to adapt. Instead of the nine months it originally took to add another government agency to the program, changes and improvements brought that down to as little as three weeks from the time the agency requested to participate to the time it came on line. Today, OBIM serves nine different kinds of stakeholders and 30,000 authorized users, from 52 federal agencies, local law enforcement offices and foreign governments. It evolves with new events and threats and new technologies, like improved biometric indices and devices. And use of the system has not slackened but is constantly growing. It’s a far cry from the days when US-VISIT could process 75,000 entries a day. Today, every day, OBIM identifies an average of 5,000 illegal visitors, stops an estimated 50 wanted criminals, detains more than 75,000 wanted felons, completes 13,000 latent fingerprint comparisons, watches for more than 6 million people on the terrorist Watch List and processes up to 400,000 identity matches against a database of over 150 million individuals. The congressional switch from US-VISIT to OBIM and improvements to the program were celebrated by critical observers like Janice Kephart, a former fellow at the Center for Immigration Studies. In an April 13, 2013 posting to the Center’s website, she applauded the switch. “All in all, a small, but significant win for border security leveled by congressional appropriators in the reorganization of USVISIT,” she wrote. “We’ll take it.”

INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.
FENCES, REAL AND VIRTUAL When people think of border security, they usually think of a fence that snakes across the US Southwest border. But as people involved in the field know, the sections of physical fence – no fence runs continuously along the border – are only part of the story. As important – if not more important – are the detection, surveillance and alarm systems that make the barrier more than just steel and concrete and alert Border Patrol agents to intrusions and violations. DHS has made repeated attempts to create a comprehensive, automated, hi-tech border barrier, and the names of the programs read like a list of fallen heroes: the Integrated Surveillance Intelligence System, America’s Shield and, most notorious of all, the Secure Border Initiative Network (SBInet), which was to have been a “virtual wall” but was abandoned after five years of effort and development. Currently, the follow-on to SBInet is the much more modest Fixed Integrated Tower program. A $145 million contract was awarded to Elbit of America as prime contractor last year. Raytheon, however, protested the award and the General Accountability Office upheld the protest, so the program remains in limbo as of press time.

Meanwhile, industry continues its efforts to develop new border security technologies and solutions and, if unable to sell them in the U.S., is offering them abroad. For example, DRS Technologies, Arlington, Va., develops and deploys sensors of all kinds. For border security it developed an architecture called Distant Sentry to tie together all forms of sensor surveillance: portable tripods, fixed towers, mobile towers, trailers or vehicles. Built to be flexible and scalable, Distant Sentry can operate with any kind of sensor, including radars and cameras, both electro-optical and infrared. It binds this input with wireless communications and computing, all powered by a hybrid power system. Then it can be tailored to a customer’s specific requirements. FLIR, Wilsonville, Ore., makes forward-looking infrared cameras, extensively used for border security around the world. It has developed its own “Thermal Fence,” which combines thermal cameras, video analytics software and other intrusion detection sensors. It can combine inputs from a variety of sensors into a single display, providing users with the ability to quickly detect threats and respond. Axis Communications, Lund, Sweden, specializes in video surveillance solutions and complex systems with border security applications. Their products include thermal imaging technology that works in low light or complete darkness, and high definition and high resolution cameras that can pan, tilt and zoom and cover long distances.

ANALYSIS Whether in identity verification or perimeter detection, technology that can secure borders is advancing in laboratories and workshops around the world and moving to production. The big question, particularly in the U.S., is whether the resources and political will exist to deploy it and work through the technical challenges it presents. Major steps have been made, but more always needs to be done, and new technological capabilities always raise new possibilities for greater security. The technology is never static but then, neither is the border. As long as there are new threats and new conditions, industry will be working to meet the challenge and governments will be seeking new solutions.

David Silverberg was founding editor of Homeland Security Today magazine and most recently served as editor in chief of the Border News Network.
EMMENTAL HACK EXPOSES HOLES IN TWO-FACTOR AUTHENTICATION GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
When is a man-in-the-middle attack not a man-in-the-middle attack? When it gains access to bank accounts by skirting text-based two-factor authentication. That’s what’s happening in an international cyber attack known as Operation Emmental. The attack got its moniker from Trend Micro researchers who liken online banking security to Swiss or Emmental cheese – both can be full of holes. The criminals target overseas bank accounts that utilize two-factor authentication. It’s a variation of a man-in-the-middle attack in that the hacker bypasses the session tokens used in the authentication process. In this case, the tokens are usually sent as text messages to mobile devices.

“It begins with a spear phishing attack that is specific to a customer of a specific financial institution, and they actually know what kind of institution you conduct business with and what types of emails you’re traditionally receiving from them,” says Tom Kellermann, chief cybersecurity officer for Trend Micro. The attackers customize the language and the social engineering accordingly, asking each recipient to click on a link. Many customers have been fooled. “Once the email link is clicked on, a Windows binary is installed on the machine that not only obfuscates itself but deletes itself from the registry of the system and then hides itself in image files, which is very elegant and very reminiscent of the intelligence community as a whole,” Kellermann says. The user is unable to authenticate with the bank and is prompted to download what turns out to be a malicious Android app to reinstall the text message authentication system. The new app delivers a one-time use password, giving account access to both the user and the hacker.

Kellermann says very sophisticated former Soviet bloc computer scientists who’ve been conducting high levels of reconnaissance on the financial sector are leveraging the attack. He says the hackers have been effective against Swiss, German, Swedish and Austrian financial institutions. “All have greater levels of security than their U.S. counterparts.” Banks in Japan have also been hit. The malware has spread to dozens of financial institutions around the world. The targeted banks are ones that follow the directives of European regulators to implement two-factor authentication via one-time use passwords for their customers. German-speaking financial institutions are the primary victims. Kellermann says the hacker crews likely originated in Russia and Romania but are fluent in German. “It’s very difficult to ascertain who’s behind this because many times they utilize compromised devices to leverage these attacks,” Kellermann says. “It really speaks to the evolution of capabilities that have been created in the arms bazaar of the former Soviet bloc, and that two-factor authentication and encryption alone will not protect you.”
A STRIKE AGAINST TWO-FACTOR AUTHENTICATION Emmental is no man-in-the-middle attack, says Pierluigi Paganini, chief information security officer at the digital security firm Bit4id and security researcher for the InfoSec Institute. “The activity detected by experts at Trend Micro was based on a first stage phishing campaign,” Paganini says. “Phishers are concentrating their efforts to break into hosting providers with unprecedented success and abusing their resources to conduct large-scale phishing campaigns. The cyber gang behind Operation Emmental used malware to install illegitimate certificates to trust the phishing website used in the attack scenario.” Paganini says the malware spread by the Emmental attackers exploits a vulnerability in single-session token protection strategies that are still adopted by many financial institutions. “Fortunately, the security industry provides more advanced defensive solutions to avoid such incidents,” he says. “The real problem is that such countermeasures represent a further cost for the organization.” On the other hand, Paganini notes it’s not the bank’s responsibility to protect clients in phishing scenarios, especially when users choose to install untrusted apps or visit questionable Web sites. “Banks have to inform their clients of the risks related to principal cyber threats. But in the majority of cases, customers’ habits enlarge their surface of attack,” he says. “Bad habits, like the installation of mobile apps from third parties, are the principal cause of success for cyber attacks.”

Trend Micro cites the weakness of single-session token protection strategies as a problem with these attacks. “Banks and other organizations that continue to use these are exposing themselves and their customers to rogue mobile apps,” the report states. Institutions need to use more advanced defenses, which include the use of multiple transaction authentication numbers, photo-transaction authentication numbers and card readers. While these are more complicated to maintain, organizations should determine whether they are worth the investment. Personal responsibility of users aside, Kellermann thinks there’s much more banks can do to protect and educate consumers. “I think that most financial institutions should be deploying breach detection systems,” Kellermann says. Banks can also use Domain-based Message Authentication, Reporting and Conformance (DMARC), an email and domain name authentication standard that can identify non-legitimate emails. “Many financial institutions and corporations have paid a lot of attention to authentication, but they haven’t paid sufficient attention to the authentication of emails or of the domain names,” Kellermann says. “They’re not appreciative that their reputations extend beyond their given website and beyond their given employees or the credentials that are issued.” He says companies have an extension of themselves in cyberspace that doesn’t exist in the brick and mortar world. “You have to be responsible for the reputation and the personification of your reputation in the wider domain that is cyberspace,” Kellermann says. “So at least provide folks with a way to associate whether something is you or is not you in the greater environment.”

NEITHER EMMENTAL NOR TWO-FACTOR IS GOING AWAY While two-factor authentication is good, it needs to be coupled with other systems. “I am a huge proponent of two-factor authentication,” Kellermann says. “There needs to be greater levels of transaction verification and customer verification beyond just two-factor authentication, especially when it relates to the transfer of funds or the transfer of credentials.” Trend Micro researchers recommend better communication between the fraud departments and IT security departments of financial institutions, because bank heists have evolved to cyber-based fraud. Kellermann says 98% of financial fraud and bank heists are occurring in cyber space now. That’s why he wants to see authentication expanded beyond the customers to the financial institutions and their extensions. “Just because you can authenticate that a real domain is a real domain, you should also be allowed to give visibility or transparency into when a fake domain or a fake email is not a legitimate financial vehicle for you,” Kellermann says. He expects the evolving Emmental attack to spread to other countries. He points out that even though two-factor authentication is not mandated in the United States for banking customers, it is widely used for employees of financial institutions as well as for partners and high net worth individuals who conduct business with such institutions. “These types of attacks will begin to flourish,” Kellermann says. “What you’ll see is large scale infestations of hackers as they penetrate financial institutions themselves versus merely picking the pockets of the customers as they transact from their mobile device.”
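An added example (not code from the article, Trend Micro or Bit4id) in Python, contrasting the single-session token the article criticises with a code bound to the transaction, in the spirit of the transaction authentication numbers it recommends: a code tied only to the login session authorises whatever transfer is submitted in that session, while a code derived from the payee and amount fails verification when those details differ. The key, account numbers, function names and the Transfer record are all constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key standing in for the secret behind the bank's code generator
# (assumption: a symmetric key shared between the bank and the customer's OTP channel).
SERVER_KEY = b"demo-key-not-for-production"


@dataclass(frozen=True)
class Transfer:
    """A funds transfer as the bank's back end sees it (constructed for the example)."""
    session_id: str
    payee_account: str
    amount_cents: int
    nonce: str  # issued by the bank per transfer so a confirmed code cannot be reused


def session_code(session_id: str) -> str:
    """Single-session token: tied to the login session only.

    It proves that whoever submits it saw the code for this session; it says
    nothing about which transfer is being authorised.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:6]


def transaction_code(t: Transfer) -> str:
    """Transaction-bound code: derived from payee, amount and a per-transfer nonce.

    The bank shows payee and amount alongside the code on the second channel, so
    the customer confirms the actual transfer, and a code confirmed for one
    transfer verifies only against that transfer.
    """
    msg = f"{t.session_id}|{t.payee_account}|{t.amount_cents}|{t.nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:6]


def verify_session_only(transfer: Transfer, code: str) -> bool:
    """Weak scheme: the submitted transfer's details are never consulted."""
    return hmac.compare_digest(session_code(transfer.session_id), code)


def verify_transaction_bound(transfer: Transfer, code: str, used_nonces: set) -> bool:
    """Hardened scheme: the code must match this exact transfer and be fresh."""
    if transfer.nonce in used_nonces:
        return False
    if not hmac.compare_digest(transaction_code(transfer), code):
        return False
    used_nonces.add(transfer.nonce)
    return True


def run_scenario(session_id: str = "sess-demo") -> dict:
    """Model of the fraud the article describes: the customer confirms a transfer,
    the code shown to her is captured on the compromised phone, and an altered
    transfer (different payee, larger amount) is submitted with that captured code."""
    intended = Transfer(session_id, "ACCT-INTENDED-0001", 5_000, nonce="n1")
    altered = Transfer(session_id, "ACCT-ATTACKER-9999", 950_000, nonce="n1")

    # Scheme A: the captured session code is good for any transfer in the session.
    captured_a = session_code(session_id)
    scheme_a = {
        "intended": verify_session_only(intended, captured_a),
        "altered": verify_session_only(altered, captured_a),
    }

    # Scheme B: the captured code was computed for the intended transfer only,
    # so the altered transfer is rejected, the intended one passes once, and a
    # replay of the same code is rejected by the nonce check.
    used: set = set()
    captured_b = transaction_code(intended)
    scheme_b = {
        "altered": verify_transaction_bound(altered, captured_b, used),
        "intended": verify_transaction_bound(intended, captured_b, used),
        "replay": verify_transaction_bound(intended, captured_b, used),
    }
    return {"session_only": scheme_a, "transaction_bound": scheme_b}


if __name__ == "__main__":
    for scheme, outcome in run_scenario().items():
        print(scheme, outcome)
```

The binding only helps if the payee and amount are displayed with the code on a channel the malware on the phone cannot rewrite, which is what the photo-TAN and card reader approaches mentioned above are for.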
SHOULD PROX REPLACE PASSWORDS IN HEALTH CARE? A STEP BACK, RATHER THAN A SECURITY UPGRADE TERRY GOLD, FOUNDER, IDANALYST
Industries often require different technical approaches to address regulatory requirements, and this is certainly true for health care. Executives deal with regulations regarding Protected Health Information, and mandates are evolving and penalties are becoming stiffer in an attempt to increase accountability in the event Protected Health Information is compromised. Passwords are a productive area for improvement, as they are both targets for hackers and a major point of vulnerability for even well-intentioned employees. But the industry cannot just implement strong authentication and carry a big stick when patients and providers complain about its usability. It must provide quality care without unnecessary barriers, as slowing down a nurse or doctor in the ER by even a few seconds can have serious implications.

It’s here, however, that a bad decision is sometimes made when an organization opts to replace existing passwords with proximity cards. Common reasons include:

Cost: Stakeholders look to leverage existing investments like the card they already have.
Ease of Use: Users are already familiar with them.
Security: Prox is assumed to be secure.
Convenience: Doctors tend to override security in favor of convenience.

In these instances, the assumption is that upgrading the authentication to prox cards results in a significant security improvement. Unfortunately, for organizations where there was a minimally-acceptable password policy before the transition, it’s actually less secure than before.
REPLACING A PASSWORD WITH ANOTHER PASSWORD
Most health care organizations have incorporated best practices into their existing password management programs – enforcing longer, more complex passwords, forcing users to change them regularly and restricting reuse. Tools automate password resets and help desk processes.

Proximity cards store a static binary string of data that is essentially just a numeric password. It is the credential or card number that is used to authenticate at the door access point. Since it is clear text, anyone can verify it. Card providers sometimes attempt to obscure this password, but these attempts can be deciphered in an automated fashion with tools available over the Internet. It is within reach of anyone who wants it and is not reserved for an elite few with advanced hacking skills. Cards on the 125 kHz frequency, the most common type of proximity card, have no protection for their data. When they were designed, the goal was not security but rather reducing the cost and burden of replacing keyed locks. High-frequency contactless smart cards use encryption to protect stored data, such as the identification number, but prox was never intended for this type of use.
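The difference between a static card number and an encrypted smart card is easiest to see in code. The following is an added illustration written for this page (it is not the code of any card vendor or access control system): a prox-style reader that compares a fixed number, beside a reader that issues a fresh random challenge and accepts only a keyed response. The card number, card ID and keys are constructed placeholders, and HMAC-SHA256 stands in for the proprietary mutual-authentication schemes real high-frequency cards use; the point demonstrated is the same either way, namely that a recording of one prox tap is the whole credential, while a recording of one challenge-response tap is useless for the next one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed sample: a 125 kHz prox card carries only a fixed number, so
// the reader sees exactly the same bits on every tap. (Placeholder value.)
const proxCardNumber = "0262-1F4A0B23"

// verifyStaticCredential models prox authentication: the presented number
// is compared with the enrolled one. Nothing on the card is secret, so any
// party that has observed the number once can present it again.
func verifyStaticCredential(enrolled, presented string) bool {
	return enrolled == presented
}

// Card models a high-frequency contactless smart card: a per-card key stays
// inside the chip and only a keyed response to a fresh challenge leaves it.
type Card struct {
	ID  string
	key []byte
}

// Respond answers the reader's challenge with HMAC-SHA256 over card ID and
// challenge; without the key no valid response can be produced.
func (c *Card) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, c.key)
	mac.Write([]byte(c.ID))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Reader holds the enrolled card keys (in a deployment these live in a
// secure access module, not in the application database).
type Reader struct {
	keys map[string][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing sensible to do
	}
	return b
}

// NewChallenge returns a fresh 128-bit nonce; it must never be reused.
func (r *Reader) NewChallenge() []byte { return randomBytes(16) }

// Verify recomputes the expected response and compares in constant time.
func (r *Reader) Verify(cardID string, challenge, response []byte) bool {
	key, ok := r.keys[cardID]
	if !ok {
		return false
	}
	expected := (&Card{ID: cardID, key: key}).Respond(challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// ReplayOutcomes records one tap under each model and reports whether
// presenting that recording again is accepted (true = replay succeeded).
func ReplayOutcomes() (staticReplayed, challengeResponseReplayed bool) {
	// Static model: the observed value is the whole credential.
	observed := proxCardNumber
	staticReplayed = verifyStaticCredential(proxCardNumber, observed)

	// Challenge-response model: the recording is tied to one challenge.
	key := randomBytes(32)
	card := &Card{ID: "card-0001", key: key}
	reader := &Reader{keys: map[string][]byte{card.ID: key}}
	c1 := reader.NewChallenge()
	r1 := card.Respond(c1) // the tap an eavesdropper records
	c2 := reader.NewChallenge()
	challengeResponseReplayed = reader.Verify(card.ID, c2, r1)
	return
}

// GenuineTap checks that a card holding the right key still verifies.
func GenuineTap() bool {
	key := randomBytes(32)
	card := &Card{ID: "card-0002", key: key}
	reader := &Reader{keys: map[string][]byte{card.ID: key}}
	c := reader.NewChallenge()
	return reader.Verify(card.ID, c, card.Respond(c))
}

func main() {
	s, cr := ReplayOutcomes()
	fmt.Printf("static prox number replayed and accepted: %v\n", s)
	fmt.Printf("challenge-response replayed and accepted: %v\n", cr)
	fmt.Printf("genuine challenge-response tap accepted:   %v\n", GenuineTap())
}
```

Note that adding a PIN to the static model does not change the first result: the card half of the pair is still a replayable constant, and the PIN has to be stored and checked somewhere outside the card.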
BREAKING OLD RULES AND IGNORING NEW ONES
In most cases, this “card number” – or password – is vendor-assigned and encoded in the card at the production facility. When the cards reach their destination, a photo is taken, the card number is entered into the building access system, and the card is finally handed over to the user. Frequently the card number is printed on the card itself to make it easy for the enrollment officer to enter the number into the system. While this process has historically been acceptable for physical access, it breaks fundamental principles in information security. To put this in perspective, consider a different scenario in a similar context. Would it be acceptable if IT ordered new computers from Dell, and they arrived with passwords printed on them that could not be changed? No information security professional would consider it.

An often-overlooked aspect of leveraging physical access cards for IT is that the same password is stored in the physical access control system databases in clear text the vast majority of the time. This means the data:

- Is not under the control of IT
- Does not subscribe to the same application security principles, audit or review
- Is set up using default privileged and administrator passwords – such as “admin”, “Blank” or even “password” – to the system itself
- Is not properly secured on the network or otherwise
- Does not undergo adequate penetration testing before release.

This reduces IT security to the lowest common denominator practiced by the two departments. It is a systemic, organizational vulnerability.
MISCONCEPTIONS AND FALSE SECURITY
The common defense by supporters of proximity cards for authentication in IT is that a PIN is required as well, but this is hardly foolproof. The premise here is that the PIN is unique in that only the user knows it, which makes this a two-factor solution. It shouldn’t, however, earn the confidence of an information security professional. Proximity cards cannot store a PIN, which means it’s stored somewhere else and therefore vulnerable. Even if you agree that this is a two-factor solution, it is giving up a previously strong password for a weak PIN.
DEAD END
Mandates are forcing the adoption of Electronic Health Records systems and Health Information Exchanges to enable improved care by sharing information across providers, payers and the patients. At the same time, ePrescribing is rapidly growing and the DEA’s ruling for Electronic Prescribing of Controlled Substances requires approved identity proofing and authentication methods. Prox cards and/or static passwords are not on that approved list. A slew of other mandates and initiatives are also taking shape to influence health care providers to rethink how they proof, manage, issue and use identities. In most cases, there are two recurring considerations for systems that will be viable and scalable in the long term. First, credentials must be able to be repurposed across the various mandates to avoid the need for multiple credentialing systems. Second, these credentials must be able to demonstrate that they were implemented in a way that complies with requirements so they can participate in the various exchanges.

Proximity cards are their own trust model, established by the vendor independently, and have no standards frameworks that govern how they are to be used for authentication. Generally, it is an opaque operation, clouded in obscurity, with little peer testing of those systems and few disclosed reports of testing performed by creditable third-party labs. Therefore, outside of the organization that implements them, no other organization can trust the credential. In the age of health care mandates where the basic requirement is collaboration and sharing across disparate organizations, an investment in proximity for authentication to IT systems is not only insecure, but shortsighted.
DOODLING YOUR WAY TO SECURE ACCESS
FREE FORM GESTURE BIOMETRICS MAY BE NEW KEY TO AUTHENTICATION
In the quest for secure and convenient authentication methods, the doodle may prove to be more than just a way to kill time during a boring meeting. Whether you call it a squiggle, doodle or free-form gesture, the act of drawing a curvy line in lieu of typing a four-digit code is getting positive reviews from researchers, software developers and users. Researchers at Rutgers University found that free-form shapes are more secure than standard pass codes, and it turns out they’re surprisingly easy to remember.

Jeff Maynard has some experience with this. As founder and CEO of the Texas-based Biometric Signature ID, he looks for authentication options that aren’t easily hacked or stolen during data breaches. He believes gesture biometrics fits the bill. “When a user accesses a computer or portable device they see a screen with a drawing area on it, and they’re asked to draw a series of numbers, letters or characters,” Maynard explains. BioSig’s software picks up the user’s drawing patterns – including length, speed and direction – and compares that information to the user’s encrypted enrollment profile. If matched, the user can log in to the device or access services.

Some users will even tell you it’s fun. “It reminds them of an Etch A Sketch,” Maynard says. He first discovered the fun factor working with clients in higher education. Student surveys showed a 98% satisfaction level with the software, and 45% found the process entertaining. The students thought it was cool enough to repeatedly log in. “It gives you instant feedback whether you are successful or not,” Maynard says. “People were looking at this as a bit of a gaming opportunity.”

Independent testing showed BioSig had a product that worked. Testing for false positives found the software to be highly accurate – three times stronger than the regulations for biometrics set by the National Institute of Standards and Technology. Maynard says squiggle technology works best when people are drawing something that’s meaningful to them. Instead of a simple squiggle, BioSig encourages users to draw three or four characters. “They can be shapes, like happy faces or flowers, but in most cases we recommend numbers or letters because you’re always going to be able to remember that,” Maynard says. “Remember, each character can be written in different, unique patterns.” BioSig keeps track of how its 2 million users behave as they access their digital assets through multiple portable devices. The company collects behaviors that help authenticate the user, Maynard explains. An alert may be triggered if someone repeatedly takes a long time to log in or is trying to log in from an unfamiliar IP address.

VULNERABILITY REMAINS
How does BioSig know whether the person logging in is the real deal? It’s a challenge that the company is always working on, thanks in part to a grant awarded through the National Strategy for Trusted Identities in Cyberspace. BioSig received the grant to explore and combat online identity theft. The goal is to have remote users authenticate their identity before they gain access to a digital asset, like a bank account or personal health information. “When you’re doing something from a remote log in, you have to find different ways to determine whether that individual is really the user,” explains Maynard. “That’s why we’ve built the data mining capability.”

He points to the risk taken on by Internet vendors who accept credit cards. Without actually seeing the card, the card number could be in the hand of a thief. “One of the ways to prevent that is to create a technology that enables an individual from any remote location to create a profile that’s stored by – let’s call it Nordstrom’s,” Maynard says. “Every time I go to Nordstrom’s, I have to authenticate my identity. I can do it with my mouse, my finger – from any device. So even though the bad guys have my credit card number, they’re not going to be able to get in to use that card.” “If you can find one technology that will allow you access – like a single sign on into multiple applications – that’s the Holy Grail,” Maynard explains. “That’s where we are heading with gesture biometrics.”

Researchers find gesture has high security, ease of use
Researchers at Rutgers University, Max-Planck Institute for Informatics and the University of Helsinki set out to determine whether user-generated, free form shapes on a touch screen could be an alternative to the methods commonly used for authentication on mobile devices. The team found that gestures are easy to remember and can be more secure than standard pass codes. “They work very well and they’re resistant to attacks – such as shoulder surfing attacks – that other methods are vulnerable to,” says Janne Lindqvist, assistant professor of electrical and computer engineering at Rutgers and a leader of the password project. About half of the study’s 63 participants chose to create gestures using one finger, while the other half used multiple fingers. Either way, it took only a few tries for the users to be able to generate their chosen gesture in just two seconds. The study showed that users tended to create signature type patterns, which ended up being very secure. In a shoulder surfing attack trial, attackers were not able to repeat the gesture well enough to gain access. Plus, the users had no trouble remembering the gesture several weeks later. Researchers experimented with an Android tablet and smartphone. Lindqvist imagines this system being put to use in many ways, even physical access to buildings.
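The article says only that the matcher looks at length, speed and direction and compares them with an enrolled profile; BioSig’s actual algorithm is not published here. The following is an added illustration written for this page, not BioSig’s or the Rutgers team’s code, of the general shape of such a matcher: each stroke is resampled to a fixed number of points, scaled and centred so that size and screen position drop out, and a probe is accepted only if both its normalised shape and its drawing speed agree with the template. The 32-point resampling, the thresholds and the constructed “L” strokes are assumptions chosen for the example; a deployed system would tune them on real enrollment data. The example also shows why a shoulder-surfer who copies the shape but not the tempo still fails.

```go
package main

import "math"

// Point is one touch sample: screen position plus a timestamp in milliseconds.
type Point struct{ X, Y, T float64 }

const (
	resampleN      = 32   // points per normalised stroke (assumed)
	shapeThreshold = 0.15 // max mean point distance, in unit-box coordinates (assumed)
	speedTolerance = 2.0  // probe may be at most 2x faster or slower (assumed)
)

func dist(a, b Point) float64 { return math.Hypot(a.X-b.X, a.Y-b.Y) }
func pathLength(pts []Point) (l float64) {
	for i := 1; i < len(pts); i++ {
		l += dist(pts[i-1], pts[i])
	}
	return l
}
func meanSpeed(s []Point) float64 { return pathLength(s) / (s[len(s)-1].T - s[0].T) }

// resample places n points evenly along the stroke, so drawings captured with
// different numbers of touch events can be compared point by point.
func resample(pts []Point, n int) []Point {
	interval := pathLength(pts) / float64(n-1)
	src := append([]Point(nil), pts...)
	out, acc := []Point{src[0]}, 0.0
	for i := 1; i < len(src); i++ {
		d := dist(src[i-1], src[i])
		if d > 0 && acc+d >= interval {
			t := (interval - acc) / d
			q := Point{X: src[i-1].X + t*(src[i].X-src[i-1].X), Y: src[i-1].Y + t*(src[i].Y-src[i-1].Y)}
			out = append(out, q)
			src = append(src[:i], append([]Point{q}, src[i:]...)...) // q becomes src[i]
			acc = 0
		} else {
			acc += d
		}
	}
	for len(out) < n { // rounding can drop the end point; add it back
		out = append(out, src[len(src)-1])
	}
	return out[:n]
}

// shapeOf resamples, scales to a unit bounding box and centres on the centroid,
// so drawing size and screen position do not affect matching.
func shapeOf(stroke []Point) []Point {
	pts := resample(stroke, resampleN)
	minX, minY, maxX, maxY := pts[0].X, pts[0].Y, pts[0].X, pts[0].Y
	for _, p := range pts {
		minX, maxX = math.Min(minX, p.X), math.Max(maxX, p.X)
		minY, maxY = math.Min(minY, p.Y), math.Max(maxY, p.Y)
	}
	scale := math.Max(math.Max(maxX-minX, maxY-minY), 1e-9)
	out, cx, cy := make([]Point, len(pts)), 0.0, 0.0
	for i, p := range pts {
		out[i] = Point{X: p.X / scale, Y: p.Y / scale}
		cx, cy = cx+out[i].X/resampleN, cy+out[i].Y/resampleN
	}
	for i := range out {
		out[i].X, out[i].Y = out[i].X-cx, out[i].Y-cy
	}
	return out
}

// Enroll averages several drawings of one gesture into a template: the mean
// normalised shape and the mean drawing speed (path length per millisecond).
// The article says profiles are stored encrypted; this block covers matching only.
func Enroll(samples [][]Point) (shape []Point, speed float64) {
	shape, w := make([]Point, resampleN), 1/float64(len(samples))
	for _, s := range samples {
		for i, p := range shapeOf(s) {
			shape[i].X, shape[i].Y = shape[i].X+w*p.X, shape[i].Y+w*p.Y
		}
		speed += w * meanSpeed(s)
	}
	return shape, speed
}

// Match scores a probe on shape and on drawing speed; both must agree, so a
// copied shape drawn at the wrong tempo still fails.
func Match(shape []Point, speed float64, probe []Point) (shapeDist, speedRatio float64, ok bool) {
	for i, p := range shapeOf(probe) {
		shapeDist += dist(p, shape[i]) / resampleN
	}
	speedRatio = meanSpeed(probe) / speed
	ok = shapeDist <= shapeThreshold && speedRatio <= speedTolerance && speedRatio >= 1/speedTolerance
	return
}

// LStroke is a constructed "L" gesture, 21 samples stepMs apart: right then
// down, or down then right when downFirst is set.
func LStroke(size, stepMs float64, downFirst bool) (pts []Point) {
	for i := 0.0; i <= 20; i++ {
		a, b := math.Min(i, 10)*size/10, math.Max(i-10, 0)*size/10
		if downFirst {
			a, b = b, a
		}
		pts = append(pts, Point{X: a, Y: b, T: i * stepMs})
	}
	return pts
}
```

Enrolling three constructed “L” strokes of slightly different size and tempo and then matching a fourth accepts it; a stroke drawn down-then-right instead of right-then-down lands about 0.35 away in shape space and is rejected, and an exact copy of the shape drawn three times slower is rejected on speed alone.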
GLOBALPLATFORM: BALANCE SECURITY, USABILITY IN STANDARDS
JON GEATER, CHAIR, GLOBALPLATFORM SECURITY TASK FORCE
Over the last few years, more and more valuable information has been deployed to mobile devices and we are using that information in new and different ways. Protecting this data has become an increasingly complex challenge, one that requires a systematic and coordinated approach to curate secure solutions that do not impair the user experience. This philosophy of user-first security is called Consumer-Centric Security. Improving security and user experience simultaneously is no simple feat, and it is for this reason that GlobalPlatform has launched its Security Task Force. The group is working to define the association’s overall security philosophy and determine how GlobalPlatform can leverage its experience and technical specifications for the benefit of the connected information ecosystem.
CURATION CREDENTIALS
GlobalPlatform has been involved in security for a long time. As more entities, companies and people have become interested in and engaged with the development of security standards and solutions, the association has identified an opportunity to make security services more sophisticated and refined for services that really matter to people. At a workshop, the Security Task Force brought together representatives from a range of sectors to discuss real-world security requirements that GlobalPlatform Specifications can address. This liaison activity is essential to ensure that work is not being duplicated across bodies and that the efforts being undertaken will genuinely enhance the services being delivered. With the group just kicking off, there is a real opportunity for players from both the developer and user sides of the ecosystem to help shape the future of both GlobalPlatform’s security work and the greater marketplace.
THE VISION
Traditionally, companies and consumers have regarded security as a barrier: the stereotypical view is that security makes life more difficult and access less convenient. But this does not have to be the case. This is the residue of the security-as-an-afterthought philosophy and is something that GlobalPlatform is working with the industry to address by building in security from the start.

As an example, placing a barrier across a highway may increase security – after a potentially problematic rollout – since traffic would be unable to move and collisions would therefore be rare. But such a system would also make the highway useless. This seems a ludicrous idea but we do have barriers on our highways: those that separate oncoming lanes from each other. This security solution is a win-win for security and usability: the reduced chance of collisions allows traffic in both directions to move faster, enabling more throughput. This principle is transferable, as security built into a system that understands the specifics of that system is much more effective than simply making access difficult, time consuming and frustrating. GlobalPlatform is therefore working to take the experience that exists within its membership and apply it systematically to specific use cases. We are listening to the requirements of the outside world and working to make storing and accessing sensitive information on devices easier through appropriate security. For example, leveraging the security that exists within secure chip technology to reduce the number of keystrokes needed to complete an e-commerce purchase, while maintaining the same or better level of security, will benefit everyone involved.

The task force is currently assessing which combinations of GlobalPlatform’s Specifications most effectively achieve an appropriate level of security for particular markets or implementations, while maintaining usability in the context of that market. To do this, it is working closely with the sector-specific groups within GlobalPlatform – the Government, Premium Content and Mobile Task Forces – in order to fully understand the needs of each area. In addition to this, GlobalPlatform will draw information from other bodies and associations to feed into this activity. Working together makes everyone stronger and striking the right balance is the key.
THE ART OF SECURITY
GlobalPlatform sees security as an art. The art is in finding the appropriate compromise between security and usability, while remembering at all times that functionality is primary. Security should be there to preserve reliability and enhance functionality, never to compromise it. With this in mind, a far more innovative and finessed solution is achievable when specifications are combined to answer the specific questions posed by a security problem. This is significantly more effective than selecting a single, silver bullet. So what about those security ratings? Bigger, in this instance, is not always better. A higher Common Criteria rating does not equate to more effective or suitable security because it says little about what the thing actually does. It’s all about the functionality; an air bag and a seat belt might both have safety-rating certificates but you would not rely on one to do the job of the other.

By applying these principles to GlobalPlatform technologies there’s an opportunity to create systems that are easy to use but also secure. For example, the secure element is a very small piece of hardware that is physically strong but often programmatically limited. The Trusted Execution Environment – a secure area that resides in the main processor of a connected device and ensures that sensitive data is stored, processed and protected in a trusted environment – is flexible and has access to rich system resources. However, it shares physical protection with the main processor and this is usually less than that of the secure element. When the secure element and Trusted Execution Environment are combined, a much better balance of security and usability can be achieved than with traditional single-point solutions.
If security is to be usable, though, it must be transparent, such that the user does not realize it is there. For it to be transparent, it must be designed into the system. For it to be designed in, it must be tailored for the specific use case it is protecting. And to tailor the security to a use case, that use case must be understood. This ensures that the solution is secure by default, and this is the approach that GlobalPlatform has taken for the development of all of its secure-chip specifications. Effective curation is therefore also about consistency and the ease of integrating different technologies. GlobalPlatform’s core specifications are all developed under the same philosophy and have companion specifications, which connect them to ensure that they integrate effectively with one another. The association’s 120+ strong membership ensures the widespread industry collaboration, which is needed to achieve a strong, open and interoperable compliance-led ecosystem for security.
NEXT STEPS
Looking forward to the next few years, we will see the Trusted Execution Environment come to the forefront as a part of the mobile device security infrastructure. While not yet a household name, Trusted Execution Environments already reside in the handsets of millions of consumers around the world. It may seem disappointing that such an innovative technology is hidden in the shadows, but in fact, GlobalPlatform can be proud that it is effortlessly and quietly working to provide a seamless level of appropriate and usable security. This work is never complete, however. We are stronger together, so we call on the ecosystem to come forward and contribute to our work in this area as we continue our journey to curate the security ecosystem.
GlobalPlatform’s core security specs

TEE: A Trusted Execution Environment is a separate execution environment that runs alongside the rich operating system (OS) on which most application processing occurs. When integrated in the core of the mobile device, the TEE may control any capability (screen, keyboard, modem, etc.) so as to ensure appropriate usage. This also serves to protect the device and user from rogue or malicious applications, such as malware or spyware.

SE: A secure element is a tamper-resistant device capable of embedding smart card-grade applications. As an endpoint, it provides the security and confidentiality required to support various business models and multiple applications.

System messaging: This establishes protocols for mobile messages that support system exchanges between servers in the cloud that facilitate the secure deployment of a mobile service onto a mobile device (a process known as ‘provisioning’).
COLLISION COURSE: PRIVACY, PAYMENTS AND DIGITAL IDENTITY
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Would a digital identity infrastructure enable us to get rid of cash, dump passwords, and solve privacy problems associated with the Internet of Things? David Birch is hopeful. “If we continue to have our old notion of identity – the idea that you’re this passport identity, and everywhere you go you have to present that identity and give all of your personal details in order to engage in any kind of transaction – that’s devastating,” says Birch, a founding director and global ambassador for Consult Hyperion, a firm based in the UK and the U.S. that specializes in secure electronic transactions. Birch is also an author who’s been talking a lot about his book Identity is the New Money, in which he explains that the thing that makes commercial transactions possible has more to do with a reputation than an identity. “I go into the bar and you ask to see my driving license. My driving license gives you all sorts of information, which is none of your business,” explains Birch. “Who I am isn’t relevant to that transaction. So it’s not really about my identity – it’s about my reputation.”

Birch focuses on the technological changes that are merging payments with identity. He wants countries to rethink the identity, or entitlement, infrastructure. Birch calls for three things in his book:

- To establish a national entitlement scheme, creating a framework where the private sector can produce identities to be consumed by both the private and public sector.
- To enable a financial services passport, so transactions can be cheaply and easily conducted using one’s reputation – instead of paperwork that can’t be verified on the spot.
- To reduce the cost of payments and consider using banks as privacy partners.

“Suppose you had a bank app on your phone that could tell other people I’m an American citizen, I’m over 21, I’ve been with Citibank for more than five years, but that’s all,” Birch says. “There might be a lot of places where you’d want to use that identity because Citibank in that example is protecting your identity. They’re not telling people who you are.”
Another reason for an identity infrastructure is the possibility of dumping passwords. Birch hates them, especially when he’s fumbling to recall the password for his coffee shop account. Security and identity need to be built into the infrastructure of this new world with the Internet of Things. “How am I going to give my car permission for my wife to drive it and to use my highway toll pass?” Birch asks. He suggests that passwords are not sufficient or efficient in such cases. He eschews cash, too. He figures with an ample identity infrastructure, we wouldn’t need cash because the system could keep track. But he knows that’s a long time coming, particularly in the U.S. “The American relationship with money is odd compared to other countries,” Birch says. “I go to buy a ticket on the subway and I have to literally go and iron dollar bills so I can feed them in. It’s crazy stuff, especially since I’d rather just use my debit card.” Birch believes the anonymity of cash enables the rich and powerful against everyone else because it’s unaccountable. He says it can be used for nefarious purposes, like tax evasion. Plus cash costs money to produce. Birch supports the White House’s National Strategy for Trusted Identities in Cyberspace. He’d like to see NSTIC underpinning all sorts of things – connected with modern technology like mobile phones. He wants to see driver licenses and the like transformed into digital identities. Recall the example in the bar. “If I have a digital identity that’s given to me by my bank, which tells the bar in a cryptographically secure way that I’m a state resident and I’m over 21, they never need to know my name. My identity remains protected, locked up in the bank vault where it’s safe,” he says. “What’s actually passing around in the great wide world are the attributes to that identity – authenticated credentials that enable me to do things.”
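Birch’s bar example can be made concrete with a small attribute-credential exchange. What follows is an added illustration written for this page, not Consult Hyperion’s, any bank’s or any NSTIC pilot’s code: the bank signs each yes/no attribute separately under a random pseudonym, the phone hands the bar only the one attribute it asks for, and the bar checks the bank’s signature, the claim name and an expiry. The customer record, the bank name and the use of Ed25519 over a JSON encoding are assumptions made for the example; production attribute-credential systems add unlinkability between presentations, which this sketch does not attempt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"strings"
	"time"
)

// Customer is the bank's own record (constructed sample); the name never leaves it.
type Customer struct {
	Name, State string
	DateOfBirth time.Time
}

// Attribute is one claim about a holder. Each is signed on its own, so the
// holder can show "over_21" and nothing else; Holder is a random pseudonym.
type Attribute struct {
	Issuer, Holder, Claim string
	NotAfter              int64 // Unix seconds
}

// Signed is what the phone carries: the attribute plus the bank's Ed25519
// signature over its JSON encoding (fixed field order keeps the bytes canonical).
type Signed struct {
	Attribute Attribute
	Signature []byte
}

// Issuer is the bank: it keeps the signing key and publishes the public key.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Issue derives which claims hold for the customer and signs each separately
// under a fresh pseudonym, valid for ttl. The wallet is keyed by claim name.
func (is *Issuer) Issue(c Customer, now time.Time, ttl time.Duration) (map[string]Signed, error) {
	pseudo := make([]byte, 16)
	if _, err := rand.Read(pseudo); err != nil {
		return nil, err
	}
	claims := []string{"resident_of_" + c.State}
	if !now.Before(c.DateOfBirth.AddDate(21, 0, 0)) {
		claims = append(claims, "over_21")
	}
	wallet := map[string]Signed{}
	for _, claim := range claims {
		a := Attribute{is.Name, hex.EncodeToString(pseudo), claim, now.Add(ttl).Unix()}
		body, _ := json.Marshal(a) // plain struct, cannot fail
		wallet[claim] = Signed{a, ed25519.Sign(is.priv, body)}
	}
	return wallet, nil
}

// Verifier is the bar: it trusts the bank's public key and checks one claim,
// its expiry and its signature, learning nothing beyond that claim.
type Verifier struct{ Trusted map[string]ed25519.PublicKey }

func (v Verifier) Accept(s Signed, claim string, now time.Time) bool {
	pub, ok := v.Trusted[s.Attribute.Issuer]
	if !ok || s.Attribute.Claim != claim || now.Unix() > s.Attribute.NotAfter {
		return false
	}
	body, _ := json.Marshal(s.Attribute)
	return ed25519.Verify(pub, body, s.Signature)
}

// Scenario runs the bar example end to end: was the genuine "over_21"
// attribute accepted, was a relabelled copy accepted, and did the customer's
// name appear anywhere in what the bar received.
func Scenario() (accepted, tamperedAccepted, nameLeaked bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	bank := &Issuer{Name: "example-bank", Pub: pub, priv: priv} // constructed issuer
	now := time.Now()
	alice := Customer{Name: "Alice Example", State: "NY", DateOfBirth: time.Date(1990, 1, 1, 0, 0, 0, 0, time.UTC)}
	wallet, err := bank.Issue(alice, now, 24*time.Hour)
	if err != nil {
		return
	}
	bar := Verifier{Trusted: map[string]ed25519.PublicKey{bank.Name: bank.Pub}}
	shown := wallet["over_21"] // the holder hands over this one attribute only
	accepted = bar.Accept(shown, "over_21", now)
	forged := shown // same signature, different claim text
	forged.Attribute.Claim = "customer_for_50_years"
	tamperedAccepted = bar.Accept(forged, "customer_for_50_years", now)
	received, _ := json.Marshal(shown)
	nameLeaked = strings.Contains(string(received), "Alice")
	return
}
```

The bar ends up with a pseudonym, one claim, an expiry and a signature; the customer’s name, date of birth and state of residence stay in the bank’s record, which is the “locked up in the bank vault” property Birch describes.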
DON’T DUMP CASH OR PASSWORDS JUST YET
Stephen Shoaff, CEO and co-founder of UnboundID Corp., an identity data platform developer, agrees with Birch and sees problems with digital identity that won’t be solved anytime soon. “Birch is really talking about the mobile phone as the keeper of this digital identity,” Shoaff says. “There are still segments of our population that are socioeconomically distressed that can’t afford to carry around this digital thing.” Another challenge is how to handle non-citizens – like the recent surge of immigrants at the Texas border. “These people have no digital reputation to bring with them. I’m not so sure we want to cut them out of the economic system because they have no digital reputation to assert,” Shoaff says. “So what happens then? I just think there’s hurdles that we can’t anticipate yet.” Shoaff suggests the solutions to these hurdles may be a generation or two away. Eventually, he suspects digital identity will be handled internationally via an exchange, the way the Swift Exchange handles currencies and regulations between countries. He doesn’t anticipate the disappearance of cash within our lifetime. He says digital currencies like Bitcoin aren’t immune to criminal enterprises, and moving away from physical currency won’t put a dent in criminals misusing money. “Sometimes I just like paying with actual cash because it protects anonymity,” says Shoaff, whose birthday surprise from his wife was ruined when he saw the credit card bill before he got the gift. “There are all sorts of implications where the experience can actually be impaired by having everything traceable and recordable.” Like cash, Shoaff thinks passwords will be around a while. “The problem is I personally can’t see a way around something you know being used in combination with something you have or something you are to unlock a credential,” Shoaff says. Shoaff says any change in thinking around identity should include transparency, trust and control by the individual – things that he says are absent today in most of the identity economy.

“I think it’s something that’s owned by the individual, and banks and whoever else that has it are stewards of it – but they think they own it, and that’s got to change,” Shoaff says. “Technology has got to be put in place so that the individual ultimately has control over the data and how it’s used.” Shoaff thinks a digital identity infrastructure will happen, but the transition to get there will be lengthy. “We should all go into this cautiously,” Shoaff says. “Not everything that technology enables is good.”
TRUSTED NFC TAGS EXPAND AUTHENTICATION APPLICATIONS
MARK ROBINTON, TECHNOLOGY INNOVATION MANAGER, HID GLOBAL
The Near Field Communications market is poised to explode over the next five years, with the share of NFC-enabled smart phones in the U.S. expected to reach 53% by 2015. This rapid growth is driving a shift from mobile payments to adventurous, interactive marketing and authentication services. If NFC is included in a device, using it can be simple, requiring no modification to devices or downloading apps. Embedding tags enables consumers to interact with nearly any item or document in new ways. These “Internet of Things” applications include tapping a smart poster for an interactive brand experience, authenticating the value of a luxury item or verifying the presence of a health care provider. Companies are discovering the unique benefits in applications such as Electronic Visitor Verification systems and Digital Out-of-Home media campaigns. It is a frictionless experience for users because authenticity is verified simply by holding a smart phone or tablet close to the tag. This ease-of-use makes it ideal for everything from retail loyalty cards and sweepstakes promotions, to tracking home health visits and patient access, to educational materials.
THE PROMISE OF SECURITY
Rapid advancements in NFC security have helped to eliminate the potential for fraud and abuse in NFC-enabled services. With traditional QR codes or static NFC tags, there was no easy way to authenticate the identity and location of an individual or item, and tags were vulnerable to cloning and tampering. This, however, has changed thanks to next-generation “trusted tags.” These new tags include security and privacy attributes that change on every tap to provide a secure audit trail and make taps uncloneable. Trusted NFC authentication tags can incorporate an electronically signed and cryptographically secure digital certificate to prove authenticity.
Tags can be embedded in virtually any product, piece of equipment or common household item, and users can verify authenticity with an NFC-enabled smart phone or mobile device. This not only optimizes security and convenience, but also eliminates the need for special readers or other equipment for tag authentication and enables new use cases that require proof of presence. The combination of trust and convenience opens the door to use of trusted tags in diverse markets and enables them to support a variety of Internet of Things applications. Already, the home health and Digital Out-of-Home markets are realizing significant benefits from trusted tags.
PROOF OF PRESENCE IN HEALTH CARE
In 2011, Medicare reimbursements for home-based care totaled $18.4 billion and state Medicaid program reimbursements hit $12.7 billion for beneficiaries’ personal care services. It’s the kind of money that has proved impossible for fraudulent players to resist, resulting in the fleecing of Medicare, Medicaid and private insurance companies for billions of dollars covering in-home services that were never provided. To stem the tide of fraudulent claims, a number of states have passed legislation requiring home health care agencies to implement Electronic Visitor Verification to prove that a home health aide or nurse was physically present in the patient’s home for the required length of time. Proximity technologies like NFC or Bluetooth Low Energy satisfy these requirements by enabling highly secure Electronic Visitor Verification systems that are both easy to use and difficult to manipulate or defraud.

Trusted tags are proving to be a viable alternative to the more traditional telephony-based and GPS-enabled systems for closing authentication gaps. Tamper-proof tags are attached to or embedded into an object inside the patient’s home in such a way that they cannot surreptitiously be removed or altered. When the caregiver arrives, they simply “tap” the object with their BLE- or NFC-enabled device to communicate secure information to a cloud-based authentication platform. Tag data has security and privacy attributes that change on every tap, thereby providing an indisputable and auditable Electronic Visitor Verification record for home health agencies to use for billing and reimbursement. Top NFC tag solutions also integrate seamlessly into most agencies’ clinical and administrative management software systems. This enables data collected at the point of care to be transmitted back to the agency in real-time for improved care coordination, faster and more accurate claims processing and advanced analytics.
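The article states the property of trusted tags (tap data that changes on every tap, verified by a cloud platform, yielding an auditable record) but not HID’s protocol. The following is an added illustration written for this page, not HID’s or any tag vendor’s code, of the simplest construction with that property, covering both the “Promise of Security” and the Electronic Visitor Verification passages above: the tag holds a key and a counter, every read emits the tag ID, the counter and an HMAC over both, and the service accepts a tap only if the MAC verifies and the counter is newer than the last one it accepted. The master key, tag ID and caregiver names are constructed placeholders; key diversification from a master key and HMAC-SHA256 are assumptions chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Tap is what the phone forwards to the cloud service; nothing in it is secret.
type Tap struct {
	TagID   string
	Counter uint32 // advances on every read, so no two taps look alike
	MAC     string // hex HMAC-SHA256 over TagID and Counter
}

// tagKey diversifies a per-tag key from the master key, so the service keeps one secret.
func tagKey(master []byte, tagID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(tagID))
	return m.Sum(nil)
}

func tapMAC(key []byte, tagID string, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(tagID))
	m.Write(c[:])
	return m.Sum(nil)
}

// Tag models the trusted tag: the key never leaves the chip, only MACs do.
type Tag struct {
	ID      string
	key     []byte
	counter uint32
}

func (t *Tag) Read() Tap {
	t.counter++
	return Tap{t.ID, t.counter, hex.EncodeToString(tapMAC(t.key, t.ID, t.counter))}
}

// Visit is one auditable Electronic Visitor Verification record.
type Visit struct {
	TagID, Caregiver string
	Counter          uint32
}

// Service is the cloud-side verifier; the highest counter accepted per tag
// is what defeats replayed or copied taps.
type Service struct {
	master   []byte
	lastSeen map[string]uint32
	Audit    []Visit
}

var ErrUnknownTag = errors.New("tag not provisioned")
var ErrBadMAC = errors.New("MAC does not verify: forged or cloned tap")
var ErrReplay = errors.New("counter not newer than last accepted tap: replay")

// Provision registers a tag ID and returns the tag programmed with its key.
func (s *Service) Provision(tagID string) *Tag {
	s.lastSeen[tagID] = 0
	return &Tag{ID: tagID, key: tagKey(s.master, tagID)}
}

// Verify checks known tag, then MAC (constant time), then counter freshness.
func (s *Service) Verify(tap Tap, caregiver string) error {
	last, known := s.lastSeen[tap.TagID]
	if !known {
		return ErrUnknownTag
	}
	got, err := hex.DecodeString(tap.MAC)
	want := tapMAC(tagKey(s.master, tap.TagID), tap.TagID, tap.Counter)
	if err != nil || subtle.ConstantTimeCompare(got, want) != 1 {
		return ErrBadMAC
	}
	if tap.Counter <= last {
		return ErrReplay
	}
	s.lastSeen[tap.TagID] = tap.Counter
	s.Audit = append(s.Audit, Visit{tap.TagID, caregiver, tap.Counter})
	return nil
}

// Scenario: genuine tap, replay of it, forged tap with a guessed MAC, second genuine tap.
func Scenario() (results []error, visits int) {
	svc := &Service{master: []byte("constructed-master-key-not-for-use"), lastSeen: map[string]uint32{}}
	tag := svc.Provision("tag-7f3a") // constructed tag ID
	first := tag.Read()
	results = append(results, svc.Verify(first, "nurse-01"))
	results = append(results, svc.Verify(first, "nurse-01")) // replayed recording
	forged := Tap{tag.ID, first.Counter + 1, hex.EncodeToString(make([]byte, 32))}
	results = append(results, svc.Verify(forged, "nurse-02"), svc.Verify(tag.Read(), "nurse-01"))
	return results, len(svc.Audit)
}
```

Two properties follow directly from the checks’ order: a static copy of a tag’s output (the cloning case for QR codes and plain tags) is rejected as a replay, and a made-up payload is rejected on the MAC before the counter is even consulted, so it never disturbs the audit trail. A real deployment would also bind the phone’s reported time and the caregiver’s own login to the visit record, which the example leaves out.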
CREATING CONSUMER CONNECTIONS
In the Digital Out-of-Home market, trusted tags eliminate abuse with retail loyalty programs, gaming and sweepstakes campaigns connected to marketing displays. By requiring consumers to interact with an authentic tag to generate an entry into a program, fraudulent entries are minimized. This is illustrated by the successful “Film for All Friday” campaign conducted on behalf of the 2014 Tribeca Film Festival by Tamoco, a global provider of mobile marketing technology and analytics. Tamoco embedded trusted tags into promotional posters on display at participating retail outlets. Fans who visited these locations over a four-day period received free tickets simply by tapping the posters with an NFC-enabled smart phone or tablet. Over the course of the promotion, film fans tapped promotional posters a total of 8,195 times. The security attributes of trusted tags enabled Tamoco to verify proof of presence, and delivered an interaction that was both secure and effortless for participants, creating an unbreakable connection between the festival and film-loving consumers.
A FRICTIONLESS EXPERIENCE By enabling smart phones and other mobile BLE- and NFC-enabled devices to effortlessly double as tag readers and communicate with authentication services, companies that were previously stuck on the Internet of Things sidelines have a vast array of opportunities before them. Trusted tags in particular enable secure transactions and instill confidence that individuals scanning the tags are both who and where they claim to be. For applications like Electronic Visitor Validation and Digital Out-of-Home, access to BLE- and NFC-enabled devices and a growing acceptance of mobile interactions are coming together to drive innovation, reduce fraud and build consumer relationships in a way not previously possible.
Fall 2014
VASCULAR BIOMETRICS FOR THE EYE NEW ‘EYE VEIN’ MODALITY UNLOCKS MOBILE, APPS
It may look like you’re taking a selfie, but it’s actually an extra layer of security for access to a mobile device, app or network. Most are familiar with iris biometrics, but a new ocular identification method is making waves: eye vein. Reza Derakhshani, an associate professor at the University of Missouri-Kansas City, discovered the technology in 2006. Along with CEO Toby Rush, he formed EyeVerify in 2012 and serves as the company’s chief scientist. EyeVerify enrolls an individual’s eye vein pattern and uses it for authentication, Rush says. The user holds the phone a few inches away from their face and is prompted by the app’s voice tips during both enrollment and authentication. When the phone is in the correct position to capture the eye vein image, the handset vibrates twice to provide notice. The user then looks to the left or the right
depending on the use case. Shifting the gaze to the side gives the camera a better view of the vein pattern in the white of the eye. The system maps the user’s eye vein pattern, which is unique to an individual in the same way that palm and finger vein patterns are. “We encrypt using the local device and that binds the template to the device,” Rush explains. “Templates never leave the device and we match in the encrypted space.” If a match occurs, the system produces a 128-bit encryption key that can be used to access secure web sites or apps on the device that are enabled for EyeVerify, Rush says. A 2008 MITRE study of eye vein biometrics found that it stacks up against many of the major modalities: eye vein had a 0.002% false accept rate, roughly one accepted impostor attempt in 50,000, and a 0.88% false reject rate. The only modality in that study to beat eye vein was iris. The advancement of front-facing cameras on handsets has made the EyeVerify technology possible, Rush says. The company is working to improve the technology further, including the ability to enroll and authenticate users while they look straight ahead instead of requiring them to look to the left or right. EyeVerify is also working on improving liveness detection and anti-spoofing capabilities. The new biometric modality received a boost when Good Technology tapped it as an alternative to passwords. The two companies integrated Eyeprint ID so that users of the Good Dynamics Secure Mobility Platform, Good for Enterprise and other Good solutions can enable biometrics for authentication, eliminating the password. Rush says some Good users are already using the technology for secure access. A couple of Avisian editors took the iPhone version of EyeVerify for a spin to see how it performs. We found the voice prompts and the handset vibration to be nice touches, letting us know when the handset was positioned correctly.
Being able to see what you’re doing by looking at the screen was also a great addition compared to earlier solutions that predated handsets with front-facing cameras. Looking up and to the left was a little awkward and, at times, led to some false rejects. But when the phone was passed around the office to test an enrolled eye vein pattern against unregistered individuals, there were no false accepts. Being able to use this technology looking straight ahead would be a welcome addition to the app and make it much easier to use. Overall, the usability was significantly better than that of other handset biometric solutions we tested in earlier years.
HOW DOES YOUR COMPANY IDENTIFY ITS VISITORS?
By providing ID badges instantly with an Evolis card printer. Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.
www.evolis.com
Some security technologies are sooooo yesterday.
Stay on the cutting edge with the interoperable iCLASS SE® Platform — for access control that’s never out of style. Choose HID Global’s iCLASS SE® Platform — the open, adaptable solution that easily integrates smart cards, mobile devices and whatever tomorrow brings, for greater security, flexibility, simplicity and performance. Now as your access control evolves, your budget will stay optimized and your security will always be in style. Start your iCLASS® SE Platform makeover at hidglobal.com/yesterday-reid © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and iCLASS SE are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.