Identity, the New Security Perimeter

Identity, the New Security Perimeter

Mobile users have access to more information, better communication than ever before

Identity, the New Security PerimeterIn the past few years, we have witnessed a dramatic increase in employee mobility. Whether traveling, working from home, in flex offices or a conference room at a home office, we expect information access to be immediate and communication via voice, chat, text or email to be always available. This mobility started the “Consumerization of IT” that has led to the growing adoption of the Bring Your Own Device or BYOD trend for mobile phones and tablets. This has increased productivity as mobile users have access to more information and better communication using the devices they are most comfortable with. As users have added business apps to access secure data within the workplace, the need to link and manage the appropriate identity has led to the emergence of another growing trend—Bring Your Own Identity or BYOI.

One Device, Multiple Identities

On a modern mobile device, the user will have a mixture of personal and work activities, making it essential to associate each activity with the appropriate digital identity. An email client and a secure browser for accessing corporate portals are among the apps that a typical employee will need to complete their job. The corporate IT department needs to ensure that the digital identity that enables access to these resources is securely linked to the correct person, as well as be sure they can disable that access when appropriate. Organizations now realize that users also need a place on the mobile device for personal apps and data that can function concurrently with their work activities.

If an enterprise terminates an employee by eliminating access to their mobile phone, an IT organization must erase all of the work apps and data without touching the former employee’s personal files.

A New Perimeter

This increased mobility also has contributed to the shift away from perimeterbased security. If users are no longer behind a firewall, the security perimeter needs to be redefined. One view is that identity is the new perimeter. The set of applications used with a work identity and the associated credentials on a mobile device define a perimeter that an employer needs to manage and secure.

This perimeter needs to be visible to the user. It has to be clear if an employee is sending a personal or professional email; security is as much about making it easy for the user to do the correct thing as it is about technical hardening. Since email may contain enterprise confidential information, apps will be secured with some kind of lock, a PIN or possibly a biometric check if the phone has the capability. Fingerprint scanners are already built into or will be featured as an add-on for some smartphones. Other biometric options, such iris scan or voice recognition, are being developed.

Once unlocked, the user can interact with data and applications using their work identity as though they are on a workstation inside the company.

Stronger Authentication, Less Hassle

While the security perimeter is being redefined, it is becoming increasingly apparent that user name/password are no longer an acceptable level of authentication. Fortunately, the mobile device presents a robust platform for two, or even three, factor authentications. Virtually every mobile device has one or more secure elements, such as the Universal Integrated Circuit Card (UICC), that can be used to securely store keys and perform cryptographic operations. This can be used to enhance the security of digital identities. The credentials are stored in the secure element, and critical elements of cryptography are performed inside it without exposing the keys.

How to Implement BYOI

Implementing BYOI requires three steps:

  1. Ensure that the mobile devices are manageable, either by selecting devices with management capabilities or by using third-party products.
  2. Implement a mobile identity and credential management solution.
  3. Select applications that leverage the credentials.

Some mobile devices are designed for remote management. For example, BlackBerry products were among the earliest adopted in the enterprise due to their strong IT management features. BYOD created the need for mobile device management (MDM) solutions that manage all of the phones carried by a corporation’s employees. MDM products include a server-side management console and links to the mobile devices. If the mobile devices do not have features, like application containers, the MDM vendor may include client-side code. While early MDM solutions took over the entire device, providing the features desired by IT managers, they created conflicts with personal data on the device.

Newer offerings have a variety of ways to connect the MDM console with the enterprise apps and data, while keeping personal data separate. Mobile application management (MAM) products also are available to handle the downloading and updating of apps under enterprise control. Often, this takes the form of a private app store.

Provisioning and managing identity for BYOI requires a link into the phone for provisioning and lifecycle management, and at the same time a connection to the appropriate directory, identity and credential management software in the enterprise. A number of existing identity and credential management products have been extended to provide over-the-air (OTA) provisioning and lifecycle management. A mobile identity solution must implement and manage the specific policies of the organization.

Many government and commercial organizations in the United States are following the FIPS-201 standard from the National Institute of Standards and Technology (NIST) for identity credentials. Initially implemented using smart cards for public-key infrastructure (PKI) secure badges, the FIPS-201 standard is in the process of being updated to embrace mobile device support using the concept of derived credentials. Whether strictly following the NIST standards for full compliance, or simply using them as a guide for best practice, it is a good idea to use distinct, derived credentials for each mobile device. One needs to anticipate that there will be more than one mobile device per user, perhaps a smartphone and a tablet, and that the devices will be replaced as they are lost, stolen, broken or simply updated with a newer model.

Finding applications that are credential-aware for secure operations can be a challenge. Most mobile operating systems do not have standardized interfaces for cryptographic credentials, so each application has to be selected for the specific purpose. Several specialists offer products today, and more solutions will be offered as the pressure to move away from static passwords continues to grow.

Looking to the Future

Modern smartphone and tablet operating systems have support for device, application and identity management. Looking forward, the industry can see that the functionality operating systems provide will become richer, offering enhanced features and better security.

Enhanced security features in the hardware will increase the security of mobile device use significantly and will add to the isolation between personal and professional identities. Several handsets already support the ARM Trusted Execution Environment, which provides hardware protection to prevent malware on the phone stealing secrets or interfering with the security of apps.

Investments are being made in operating systems to provide higher levels of support for credential management to support BYOI and to strengthen the security platform. In 2013, the BlackBerry 10 is adding support for dual personas with the “Balance” application, and SE Android is the platform for solutions like the Samsung “Knox” that also offer separate containers for personal and work applications.

While the focus this year is on managing two identities securely on one device, as the market matures there will be a trend to support additional identities, each with its own perimeter. A person might have a second job or want to use a suite of healthcare apps that link securely to their healthcare provider. In each of these cases, the device holder will want to enable a set of apps to use a strongly authenticated identity that is separate from others.

As user mobility continues to increase, devices become more powerful and BYOD becomes the norm—a critical piece in increasing productivity and maximizing value.

This article originally appeared in the May 2013 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.