What’s in Your BYOD World?

Biometrics is key to network-centric security

• By Michael Harris
• May 01, 2013

As network security professionals are acutely aware, they must be continuously vigilant to meet the ever-evolving threats driven by the bring your own device (BYOD) trend that is extending the network outside the office. BYOD-related concerns about mobile security reach across private and public markets. Fortunately, the salvation for security pros can be found in the latest innovations in multifactor authentication using biometrics. By enabling multi-ifactor authentication anywhere, anytime, biometrics allows both security and privacy on the network.

As we all know, mobility is the key trend driving today’s biometrics market. Mobility means putting data and network access everywhere. Long gone are the “good old days” in the enterprise with stationary datacenters or networks confined to the office. Even when people started teleworking, it was relatively easy—compared to the current situation—to secure laptops and the network.

Now we are dealing with a host of BYOD devices, including smartphones and tablets, that are not standardized and much more difficult to integrate. In fact, with so many operating systems and data platforms, it is no longer possible to maintain standard integration and data profiles.

But, as every network security professional knows, the shift in the mobile communications industry toward increased convenience and personalization cannot be stopped. We have to find a way to work across these platforms and tie convenience to security.

Hard Look at Server Access

With illegitimate mobile access becoming the biggest threat to network-centric security, a primary challenge is hardening access to the server by identifying and authenticating the end-point access. To prevent tunneling into our systems and to ensure our data’s integrity, we must make sure those accessing the system are legitimate.

At the same time, we are dealing with a network that has now exploded outside the office. It’s everywhere. Increasingly, data is no longer maintained on the server and is vulnerable to illegitimate access. The threats that can compromise data seem to multiply daily; any number of users could have an infected email client, malware apps could be injected into the network or there could be people on the network who are just plain subversive. So the key becomes authentication of programs on the network and people who are on it.

At the same time, privacy remains a paramount concern. People who are on company-issued mobile devices and have company data running on platforms for personal use want to know how the network can differentiate their private data from company data.

Data integrity is another network-centric security issue. It used to be that data sat on the server. Now it’s sitting on tablets and smartphones. How do we maintain its integrity?

The good news is that all the network-centric security needed for mobile data platforms can be implemented with technology available today. The bad news is that, historically, increased security has usually meant increased inconvenience to the end user.

Nuts and Bolts of Secure Network Access

Experienced network security professionals know that access to the back-end network of the corporate enterprise should always be done through a virtual private network (VPN), the encrypted tunnel running through a hardened conduit called the secure socket layer (SSL). Integrity of the VPN is ensured by the SSL’s encrypted protocols.

On the other end is the user’s tablet, smartphone or other mobile device. Access is enabled by use of certificates as part of a Public Key Infrastructure (PKI), a compilation of hardware, software, individuals and guidelines to develop, manage and disable digital certificates that provide secure network access from a user’s device. The PKI contains a private key that binds the public keys with their correct (and unique) user identities via a certificate authority (CA). The private key is then used only by the user based on his or her secret code or password, and the PKI operates as the authentication channel that binds to a registration authority (RA) to ensure the public key correlates directly to the user’s identity to allow the user secure network access.

The next layer of network-centric security issues is presented by the device themselves. Delivery of secure access and services to mobile devices depends on application of strong multifactor user authentication. Proof-positive authentication should comprise some combination of what you know (password or PIN), what you have (ID card or token) and who you are (biometrics). The more factors, the better.

Passwords alone are never adequate because they can be easily compromised. While solutions combining password/PIN and ID card/token are often considered strong enough, only biometrics can provide absolute proof that a person is who he or she claims to be.

Biometrics Basics

Biometrics is perhaps the most innovative approach to implementing security on mobile devices. Fingerprinting, the most common and most secure biometric, is strongly supported by standards developed by the National Institute of Standards and Technology (NIST).

Biometrics not only provides convenient security, but incorporating multimodal biometrics can make the network practically impenetrable by unauthorized threats. Fingerprinting can be supplemented by iris recognition, face recognition and a series of less common modalities.

Anywhere, Anytime Authentication

Introduced by Precise Biometrics in June 2012, the Tactivo casing for smartphones and tablets enables multilevel authentication for mobile devices, anywhere and anytime.

This is a combination smartcard and fingerprint reader for the iPhone 4 and 4S, as well as the iPad. Connected directly to the device and designed specifically to complement the Apple design, the case provides both a smartcard and fingerprint reader to protect against unauthorized application access. Together with special-purpose apps, Tactivo enables companies and government agencies to maintain a high level of authentication and security when employees use mobile devices to access sensitive information.

Tactivo enhances the security features already available in iPhone and iPad devices. For example, using the BioSecrets app, Tactivo is able to store passwords and other sensitive information within a biometrically secured container on the iPhone 4S, iPhone 4, iPad 2 and the new third-generation iPad.

How IT Works

Tactivo makes the end point—smartphone, tablet or other mobile device—a trusted access point. It enables convenient security, making it easy to pick up the iPhone or iPad, swipe your finger and authenticate the device. By using PKI and a smartcard certificate, the app provides the strong front-end authentication needed to establish a secure session through the SSL, enabling access to the network datacenter via the VPN.

It provides two-factor authentication with biometric and smartcard/ hardware security modules. Smartcards, with their integrated circuit chip, can be used to perform the biometric authentication directly on the card. By doing that, it gets behind its own firewall and is impervious to malicious code or attacks without compromising personal biometric data.

In addition, the app is supported by a portal called idApps.com that provides information on a growing directory of available apps. At the same time, the iOS toolkit will expand to support a variety of biometrics to continue to be convenient and easy to use.

The iOS toolkit enables developers to implement self-contained authentication or integrate with third-party identity managers and service providers. As a result, the app can be used with a virtually unlimited number of apps.

The Precise iOS toolkit enables iOS app developers to integrate smartcard or fingerprint authentication, or both. Smartcard and fingerprint functionality can be integrated separately or together to replace passwords or PINs, enhancing convenience and increasing security. App developers also can combine these authentication methods with other iPhone and iPad features such as GPS.

The iOS toolkit is designed to make integration as straightforward as possible. It has a simple API and, to ensure short development time, sample implementations for smartcard integration and fingerprint enrollment/verification are included. This functionality can be directly integrated into other apps.

Supported by the iOS toolkit, Tactivo has the potential to evolve with and adapt to changing market needs. For example, solutions can be developed to verify card integrity and authenticity; verify cardholder identity; control access to applications or application data stored locally on the device; and facilitate access to Web and cloud services. In addition, because Tactivo supports government smartcard credentials including CAC, PIV, PIV-I and TWIC, the iOS toolkit is well-suited for developers targeting the government segment.

This article originally appeared in the May 2013 issue of Security Today.