What’s in Your BYOD World?
Biometrics is key to network-centric security
- By Michael Harris
- May 01, 2013
As network security professionals are acutely aware, they must be continuously vigilant to meet the ever-evolving threats driven by the bring your own device (BYOD) trend that is extending the network outside the office. BYOD-related concerns about mobile security reach across private and public markets. Fortunately, the salvation for security pros can be found in the latest innovations in multifactor authentication using biometrics. By enabling multifactor authentication anywhere, anytime, biometrics allows both security and privacy on the network.
As we all know, mobility is the key trend driving today’s biometrics market. Mobility means putting data and network access everywhere. Long gone are the “good old days” in the enterprise with stationary datacenters or networks confined to the office. Even when people started teleworking, it was relatively easy—compared to the current situation—to secure laptops and the network.
Now we are dealing with a host of BYOD devices, including smartphones and tablets, that are not standardized and much more difficult to integrate. In fact, with so many operating systems and data platforms, it is no longer possible to maintain standard integration and data profiles.
But, as every network security professional knows, the shift in the mobile communications industry toward increased convenience and personalization cannot be stopped. We have to find a way to work across these platforms and tie convenience to security.
Hard Look at Server Access
With illegitimate mobile access becoming the biggest threat to network-centric security, a primary challenge is hardening access to the server by identifying and authenticating the end-point access. To prevent tunneling into our systems and to ensure our data’s integrity, we must make sure those accessing the system are legitimate.
At the same time, we are dealing with a network that has now exploded outside the office. It’s everywhere. Increasingly, data is no longer maintained on the server and is vulnerable to illegitimate access. The threats that can compromise data seem to multiply daily; any number of users could have an infected email client, malware apps could be injected into the network, or there could be people on the network who are just plain subversive. So the key becomes authentication of programs on the network and people who are on it.
At the same time, privacy remains a paramount concern. People who are on company-issued mobile devices and have company data running on platforms for personal use want to know how the network can differentiate their private data from company data.
Data integrity is another network-centric security issue. It used to be that data sat on the server. Now it’s sitting on tablets and smartphones. How do we maintain its integrity?
The good news is that all the network-centric security needed for mobile data platforms can be implemented with technology available today. The bad news is that, historically, increased security has usually meant increased inconvenience to the end user.
Nuts and Bolts of Secure Network Access
Experienced network security professionals know that access to the back-end network of the corporate enterprise should always be done through a virtual private network (VPN), the encrypted tunnel running through a hardened conduit called the Secure Sockets Layer (SSL). Integrity of the VPN is ensured by SSL’s encrypted protocols.
On the other end is the user’s tablet, smartphone or other mobile device. Access is enabled by use of certificates as part of a Public Key Infrastructure (PKI), a compilation of hardware, software, individuals and guidelines to develop, manage and disable digital certificates that provide secure network access from a user’s device. Within the PKI, a private key binds the public keys to their correct (and unique) user identities via a certificate authority (CA). The private key is then used only by the user, based on his or her secret code or password, and the PKI operates as the authentication channel that binds to a registration authority (RA) to ensure the public key correlates directly to the user’s identity and allows the user secure network access.
The next layer of network-centric security issues is presented by the devices themselves. Delivery of secure access and services to mobile devices depends on application of strong multifactor user authentication. Proof-positive authentication should comprise some combination of what you know (password or PIN), what you have (ID card or token) and who you are (biometrics). The more factors, the better.
Passwords alone are never adequate because they can be easily compromised. While solutions combining password/PIN and ID card/token are often considered strong enough, only biometrics can provide absolute proof that a person is who he or she claims to be.
Biometrics Basics
Biometrics is perhaps the most innovative approach to implementing security on mobile devices. Fingerprinting, the most common and most secure biometric, is strongly supported by standards developed by the National Institute of Standards and Technology (NIST).
Biometrics not only provides convenient security, but incorporating multimodal biometrics can make the network practically impenetrable by unauthorized threats. Fingerprinting can be supplemented by iris recognition, face recognition and a series of less common modalities.
Anywhere, Anytime Authentication
Introduced by Precise Biometrics in June 2012, the Tactivo casing for smartphones and tablets enables multilevel authentication for mobile devices, anywhere and anytime.
This is a combination smartcard and fingerprint reader for the iPhone 4 and 4S, as well as the iPad. Connected directly to the device and designed specifically to complement the Apple design, the case provides both a smartcard and fingerprint reader to protect against unauthorized application access. Together with special-purpose apps, Tactivo enables companies and government agencies to maintain a high level of authentication and security when employees use mobile devices to access sensitive information.
Tactivo enhances the security features already available in iPhone and iPad devices. For example, using the BioSecrets app, Tactivo is able to store passwords and other sensitive information within a biometrically secured container on the iPhone 4S, iPhone 4, iPad 2 and the new third-generation iPad.
How It Works
Tactivo makes the end point—smartphone, tablet or other mobile device—a trusted access point. It enables convenient security, making it easy to pick up the iPhone or iPad, swipe your finger and authenticate the device. By using PKI and a smartcard certificate, the app provides the strong front-end authentication needed to establish a secure session through the SSL, enabling access to the network datacenter via the VPN.
It provides two-factor authentication with biometric and smartcard/hardware security modules. Smartcards, with their integrated circuit chip, can be used to perform the biometric authentication directly on the card. By doing that, it gets behind its own firewall and is impervious to malicious code or attacks without compromising personal biometric data.
In addition, the app is supported by a portal called idApps.com that provides information on a growing directory of available apps. At the same time, the iOS toolkit will expand to support a variety of biometrics to continue to be convenient and easy to use.
The iOS toolkit enables developers to implement self-contained authentication or integrate with third-party identity managers and service providers. As a result, the app can be used with a virtually unlimited number of apps.
The Precise iOS toolkit enables iOS app developers to integrate smartcard or fingerprint authentication, or both. Smartcard and fingerprint functionality can be integrated separately or together to replace passwords or PINs, enhancing convenience and increasing security. App developers also can combine these authentication methods with other iPhone and iPad features such as GPS.
The iOS toolkit is designed to make integration as straightforward as possible. It has a simple API and, to ensure short development time, sample implementations for smartcard integration and fingerprint enrollment/verification are included. This functionality can be directly integrated into other apps.
Supported by the iOS toolkit, Tactivo has the potential to evolve with and adapt to changing market needs. For example, solutions can be developed to verify card integrity and authenticity; verify cardholder identity; control access to applications or application data stored locally on the device; and facilitate access to Web and cloud services. In addition, because Tactivo supports government smartcard credentials including CAC, PIV, PIV-I and TWIC, the iOS toolkit is well-suited for developers targeting the government segment.
This article originally appeared in the May 2013 issue of Security Today.