Main page
Managing the Mobile
Workforce Plenary
Friday Plenary
Other Open Sessions
Attendees
Conference
Home Page
The Open Group
Home Page
Comments
Release Status
Latest PDF reader

Go Mobile, Stay Secure

Matias Impivaara, Marketing Manager, Handheld security, F-Secure Corporation

Mr Impivaara began by considering the need for Mobile Security

People: it is people who drive security: they like to stay in touch; they value freedom and openness; they demand customized solutions and privacy; they expect the latest technology, and they want to enjoy themselves.  What they don't want is to become technology and security experts

Technology Develops, but the security needs remain the same:

  • Channel Security
    • Confidentiality (limited to the authorized persons)
    • Integrity (not altered, entire and undiminished)
    • Authentication (the origin or author unquestionable)
  • Content Security
    • Integrity (functional and uncontaminated)
    • Availability (suitable or ready for use, accessible)
    • Privacy (accessible only to the persons concerned)

Protection is needed for both the infrastructure and the terminals: once a virus gets into the system it become authenticated and protected!

Data Security is critical in many mobile solutions.  Mr Impivaara quoted Anders Nordlander, IT-Security Manager, Swedish National Social Insurance Board: "The use of PDA devices offers clear benefits for us, but it also exposes us to evident new security risks. Confidentiality of information is critical for our operations and we simply cannot afford compromising security.”

Standard device security is not enough, but it is also important to remember that the security to be provided should match the need; it is not an absolute.

There are different types of device: mobile, handheld, and wireless.  However, these are different: a desktop pc may be connected to a wireless device; a standard laptop is of itself mobile, but neither handheld or wireless ... and so on.

Wireless Connections as a Security Challenge 

  • A wireless connection alone does not change the nature of the device much 
  • Encryption is always needed to ensure secure wireless communications - many are happy to trust GSM encryption
  • All today’s wireless communications standards include some protection, but the protection level is sometimes questionable

Mobility as a Security Challenge

  • Corporate devices move constantly across the corporate boundaries
  • When devices move, also confidential information moves
  • Many office workers already carry or own several mobile devices
  • Traditional security applications, such as the corporate firewall, cannot protect the mobile devices

The small size of most mobile devices is also a security challenge.  They can fit in a purse or pocket (or - next generation - behind your tie).  Now they not only go to the employees homes, but into bars, the beach, and so forth.  This has an enormous impact on the risk.

What is the threat situation?

The main risk is of unwanted disclosure of stored information: a tiny memory card can hold a megabyte of information, and usually there is no protection for these devices.  There is no inherent encryption, and information on how to access them can be found on the internet.  Thousands of these devices are lost of stolen every year.

Hacking presents another threat.  Once you have defined network access right to a device you will always have information held on the device about how to access the corporate network.  The same passwords are often used to access the mobile device as to access the corporate network.

Viruses and other harmful content.  There was a nonsense story in Finland about a dangerous virus attacking Nokia phones.  There was no real threat, but the media love the idea.  There are no real viruses for mobile devices at the moment.  However, in the future there are people trying to create them, and the things we can do is to learn from the pc world, and we should be preparing beforehand.

Potential Solutions

What are the product requirements for a solution?  Solutions should be:

  • On-device, to protect the handheld devices in all situations
  • Automated - easy to install, update and manage
  • Invisible - optimized for the wireless platforms to guarantee the fastest possible functionality, and without any need for user intervention in normal use
  • Trustworthy - there should be strong encryption algorithms and continuous and fast anti-virus updates

It is important to have a complete package, including 

  • Reliable and tested products
  • Integrated systems and interoperability
  • Covering all platforms and all devices
  • Best available functionality
  • Easy management
  • Full update service and technical support

Mr. impivaara emphasized the need for effective management.  It should be possible, for instance, to be able to distribute antu-virus software automatically, and to have appropriate process set up for situations where for instance a user loses a device.  There are a range of potantial business models, and he went on to discuss several different options, such as Licence agreements with hardware vendors, subcontracting and OEM deals, direct enterprise sales, service provider cooperation, sales through partners, and internet sales

In summary he brought out the following lessons:

  • While people value freedom and privacy, mobility remains a security challenge and even the best built-in security is too weak for demanding business use.  
  • Content encryption is needed today, and security applications should be installed on all mobile devices.  
  • Good products are automatic, invisible and easy to manage

Understanding Policy For Network Security: Wireless Challenges

Peter Harter, Senior Vice-President, Business Development and Public Policy for Securify, Inc.

Peter began by considering the current environment, and pointed out that in the mobile world there is no perimeter to the system for which security is needed.  An ICC survey of wireless networks in London had shown that 90% are exposed as a result of mis-configuration, default setting, weak or lack of encryption.

Increasingly systems are vulnerable to threats from rogue networks and access points set up by employees.

One limitation is that PDAs and other handheld devices have less power and facility and thus cannot handle PC based security solutions

IDC and Price Water house Coopers have carried out a study over the last year, and they concluded that the losses due to poor security were 1.38 trillion US - more than the GNP of France.  Not only are people causing more security losses, but companies are taking more care to track security invasions.

He considered the success (?) of the internet

  • We’ve been building the Internet for 25 years
  • Business & Government constantly use the Internet to improve efficiency:
  • To succeed in business today requires connectivity to customers, partners, and employees.
  • Hundreds of companies will put you on the net
  • Thousands of consultants will secure your net
  • Spending on security doubles every year
  • Losses and breaches increase every year
  • Loss due to security issues last year: $1.38 trillion (more than the GNP of France)*
  • We’ve got a problem

In the business environment there are many more challenges. Many businesses are exchanging information with their partners; the total system is only as strong as its weakest link.  If you don't have control of the total network, how sure can you be of your security?  A lot of security is at the perimeter - firewalls and so on - like the doors of a house - but what if it has no windows?

There is a lot of noise - many distractions, but it is very hard to identify the real threats and to concentrate on them.

People want to know how real the threat is - how much real damage can be done to business continuity.  People are looking at network security as closely as they are auditing their financial assets.  Increasingly in the US there is the suggesting that Public Corporations will have to expose in their annual reports the state of the security of their networks.

There is an old saying: 'you can't manage what you can't measure', and in practice nobody can measure network security against a baseline.  At a recent conference, only 20% of organizations had a security policy, and only 20% of them maintained it on an ongoing basis.

Peter then turned to what he described as the Policy Empowered Network

It is important to begin not with technology but with policy.  The policy is key - single point solutions are not enough.

In summary, Peter made three points:

  • Network and application security management must change: there is a need to control IP addresses
  • Security risk must be managed based on the business requirements through a specific policy.
  • Improved security management measures are needed today, in particular tight control of configuration and management, and visibility of all traffic behavior

It is not possible to outspend the security problem, or to hire enough people to conquer it.  The only way is through policy.

Questions:

Bob Blakely, IBM Tivoli.  You mentioned cyber risk insurance on one slide.  Once a risk has been identified, how can it be quantified?

Peter Harter: From a US perspective, the thinking has been that if you have a comprehensive approach to network security and management and can measure access and use, you have something that actuaries can work with.  Without that, everything is anecdotal.

Bill Ostrom, University of St Thomas: What problems do you see ahead in managing how users contribute to their own security?

Peter Harter: Letting executives use PDAs means an issue that needs to be managed, but people don't use these devices lightly.

How to get value out of Mobile Solutions

Boris Dickmann, and Dietmar Kock, Wearix and Predictive Systems

Predictive Systems are The Open Group's representative in several countries in Europe.

The key message of the presentation by Herr Koch and is that to be successful companies must look at overall business processes and see mobile as a part of that.

Boris Dickmann began by looking at the market and its strengths and solutions, and commented on some market research:

  • "From 2003/04 onwards we expect about 50% of professional users to have a mobile end device as basic equipment.“ (META Group, 2000)
  • "Furthermore we expect more than 75% of the know-how carriers to follow a mobile activity within at least 25% of their time.” (META Group, 2000)
  • "In 2004 every professional user will have 3 to 4 different devices with applications and mobile access.” (META Group, 2000)
  • "Mobile access on data and applications will become one of the most important success factors in companies.” McKinsey, 2002

The potential values from using mobile applications come from several sources:

  • Reduced labor costs resulting from increased employee productivity, the availability of information on site, the possibility of immediate data collection and processing, the avoidance of multiple input, and fast and flexible dispatching
  • Reduced Process costs resulting from higher process quality, fewer media breaks, fewer transmission errors at data recording
  • Reduced cost of capital resulting from higher Cash flow - e.g. from seamless billing process triggered from mobile worker instead of paper based process, and the reduction of bound capital costs e.g. from optimized spare parts management and demand transparency ordering on site

Like many speakers, Boris emphasized the need to begin with the business need and the business process, and only then to think about the mobile solution.

Any security analysis has to consider the use of devices and information, and Herr Dickmann asked Dietmar Kock to present a Security Framework

Dietmar pointed out that the strategic question of understanding risks and analyzing how to meet them has to be the starting point of any security consideration.

IT-Governance consists of governing, controlling, monitoring and measuring IT-processes and IT resources within an enterprise. It is divided into the following competencies

  • IT Alignment: Effective support of business strategies and business processes through IT. 
  • IT Value Delivery: Efficient delivery of IT-Services.
  • IT Risk Management: Identification, valuation and management of IT related risks
  • IT Performance Measurement: Controlling-procedures to optimally allocate IT resources

One problem is that naturally systems become heterogeneous because it is not always possible to replace devices by an identical model.  Secondly, as bandwidth grows, so do data volumes, so the problem increases.  Usage of mobile computing power will reduce transaction costs and offer high availability.

In order to provide solutions we decided to implement a platform that we could use as a standardized basis for a solution.

Success Factors

  • Develop once only and leverage available mobile computing power
  • Enable transaction security and smart replication mechanisms, so that database security can be achieved - use of SQL is a significant factor.
  • Support easy administration of users and devices.  Suitable products such as Tivoli need to be provided, and deploying applications on a Web server can enable devices with limited computing power.
  • Facilitate flexible integration in existing and future IT-infrastructure. there needs to be connectivity for standards interfaces such as XML and RDBMS, and backend connectivity to existing systems - SAP etc.

In summary, risks are of 5 categories:

  • Organizational
  • Infrastructure
  • Project related
  • Process related: there is constant change in all areas, and to some extent isolated solutions are inevitable - but it is important to reset other solutions as necessary.
  • Cost and service related: missing transparency is often caused by costs in other areas

User Authentication Methods for Mobile Systems

Dr Steven Furnell, Network Research Group, University of Plymouth

Dr Furnell began by discussing the growth of mobile devices in recent years.  There has been a substantial growth of mobile devices: e.g. mobile phones - 768m in 2001 to 1,848m in 2004

At the same time there is increasing device functionality e.g. convergence of PDA and phone devices.  This trend seems set to continue, and at the same time mobile devices contain an increasing amount of sensitive information.  This leads to the question: What protects these devices from attack?

Already these devices are vulnerable to threat and their increased use seems likely to make this trend increase as well.

Within Dr Furnell's Network Research Group there are several programs of Postgraduate and postdoctoral research: 13 current PhD projects, 8 in the area of IT security.  There are links to  Orange in a number of projects, including two sponsored PhDs relating to authentication for mobile devices.

Increasingly we are going to have the capability to access information from a wide range of services, increasing the need to authenticate ourselves for all these devices.  Future devices could have all sorts of information about individuals, maybe including medical records, and corporations.  In addition they are used as gateways into corporate systems.

He presented some headlines from relating to loss of mobile phones and spamming techniques, such as viruses causing PCs to send SMS messages to mobile phones.

There are three potential authentication strategies:

  • Something the user knows (e.g. password or PIN)
  • Something the user has (e.g. a card or other token)
  • Something the user is (i.e. a biometric characteristic)

There are obvious weaknesses of traditional methods: passwords and PINs are often:

  • badly selected (and easily guessed)
  • written down
  • shared with colleagues or friends
  • infrequently changed
  • the same on multiple systems, so that an attacker, getting into one system, can get into others.

Steven went on to describe a Questionnaire distributed to 161 mobile phone subscribers, with the aim of to assess the usage of mobile services, usage of current authentication methods, and the likely acceptance of more advanced methods.  In response:

  • 88% of respondents want some form of additional service from their phone:
  • 73% would like personal organizer functions
  • 58% would use the web
  • 53% to download music
  • Additional services suggested included: Digital money, radio, GPS

In terms of current security, in the majority of cases authentication is via a PIN.  All phones support the use of a PIN when the phone is turned on; others support a secondary PIN to take the phone out of standby mode.

  • 89% had knowledge of the PIN facility
  • The 11% that were unaware would scale to approximately 84.5 million users worldwide
  • Although 89% knew about the PIN facility only 56% used it
  • 65% of those who did not use it blamed inconvenience 
  • 41% did not have confidence in the protection of the PIN facility
  • Of the 24% who had 2 level PIN security, 64% did not use it, finding it inconvenient

PINS are often compromised:

  • 17% of people have forgotten their PIN
  • 26% told it to someone else
  • 6% wrote it down

on the other hand:

  • 81% believed additional security a good idea
  • Of these, 63% would even accept continuous authentication / supervision
  • Only 2 out of 161 respondents considered additional security to be a bad idea

this would suggest that alternative approaches are needed - is those not involving PINs

Steven then want on to consider Future Authentication Requirements

Inconvenience was a major reason why survey respondents did not use PINs: require methods that can be non-intrusive; it is also desirable to have methods that users cannot easily invalidate.

Token based methods not likely to be viable for mobile systems: tokens could be carried with devices or left permanently in situ - it is analogous to removing the SIM card from the phone, which few people do today.

Finally he went on to consider behavioral approaches.  These are less certain than other methods, and important measures are

  • False Acceptance Rate (FAR) - errors where impostors are falsely believed to be legitimate users
  • False Rejection Rate (FRR) - errors where the system falsely identifies the legitimate user as an impostor

Minimizing one of these often results in a substantial increase in the other, so there is a need for an appropriate balance

Possible biometrics include: 

  • Facial recognition - key vectors such as position of eyes, nose, chin.  These positions enable people to be distinguished.
  • Voice recognition, using the microphone to extract a voice profile.  (Future versions of the Palm OS are expected to include this)
  • Signature verification - may be measured statically or dynamically.  May be vulnerable to forgery, but could also analyse speed and acceleration of the signature process.
  • Iris scanning (not retinal scanning), which can already be done on desktop PCs.  This can be done at some distance from the device.  (It was later clarified that this required a specialist camera, so the devices that are increasiungly being 
  • Keystroke dynamics - analyzing the characteristic rhythms of someone's typing.  Could be used to strengthen a normal user name / password approach, or could be applied continuously.
  • Fingerprint recognition - requires a specialist device (all the others are based on devices that could be expected as standard).  Could also use temperature recognition.  The British Government have recently considered computerizing ministerial red boxes, using fingerprints and signet rings.

In summary Dr Furnell reached four conclusions:

  • User authentication is a key security requirement for mobile systems
  • Survey results show that current methods may be compromised
  • Biometric technologies offer a means to make authentication more transparent
  • Unfortunately, one size does not fit all
Questions

Q The trade off between FAR and FRR depends on what you're trying to achieve.  In discouraging theft, some false acceptances may be tolerable.

A Yes, it very much depends on whether the authentication is supported by some continuous approach
Home · Contacts · Legal · Copyright · Members · News
© The Open Group 1995-2012  Updated on Monday, 29 April 2002