Blog posts by John Tolbert

The Return of Authorization

Authorization is one of the key concepts and processes involved in security, both in the real world as well as the digital world.  Many formulations of the definition for authorization exist, and some are context dependent.  For IT security purposes, we’ll say authorization is the act of evaluating whether a person, process, or device is allowed to operate on or possess a specific resource, such as data, a program, a computing device, or a cyberphysical object (e.g., a door, a gate, etc.).

The concept of authorization has evolved considerably over the last two decades.  No longer must users be directly assigned entitlements to particular resources. Security administrators can provision groups of users or select attributes of users (e.g. employee, contractor of XYZ Corp, etc.) as determinants for access. 

For some of the most advanced authorization and access control needs, the OASIS eXtensible Access Control Markup Language (XACML) standard can be utilized.  First standardized by OASIS in 2003, XACML is an example of an Attribute-Based Access Control (ABAC) methodology.  XACML is three things at once: an XML policy language, a reference architecture (policy enforcement, decision, information, and administration points), and a request/response protocol between those components.  ABAC systems allow administrators to combine specific subject, resource, environmental, and action attributes for access control evaluation, with combining algorithms (e.g. deny-overrides) to resolve conflicts between rules.  XACML solutions facilitate run-time processing of dynamic and complex authorization scenarios.  XACML can be somewhat difficult to deploy, given the complexity of some architectural components and the policy language.  Within the last few years, JSON and REST profiles of XACML have been created to make it easier to integrate into modern line-of-business applications.

Shortly before XACML, OASIS standardized the Security Assertion Markup Language (SAML).  Numerous profiles of SAML exist, but the most common usage is for identity federation.  SAML assertions serve as proof of authentication at the domain of origin, which can be trusted by other domains.  SAML can also facilitate authorization: attribute statements about the subject (group memberships, roles, and the like) can be carried in the same signed assertion and used by the relying party to make access decisions.  SAML is widely used for federated authentication and limited authorization purposes.

OAuth 2.0 is a lighter-weight IETF standard (RFC 6749).  It takes the access token approach, passing tokens on behalf of authenticated and authorized users, processes, and now even devices.  OAuth 2.0 now serves as a framework upon which additional standards are defined, such as OpenID Connect (OIDC) and User-Managed Access (UMA).  OAuth has become a widely used standard across the web.  For example, “social logins”, i.e. using a social network provider for authentication, generally pass OAuth tokens between authorization servers and relying party sites to authorize the subject user.  OAuth is a simpler alternative to XACML and SAML, but is also usually considered less secure: its access tokens are typically bearer tokens, so anything that can read a token can use it, and the security of a deployment rests on TLS and on getting details such as redirect URI validation and state handling right.

From an identity management perspective, authentication has received the lion’s share of attention over the last several years.  The reasons for this are two-fold: 

  • the weakness of username/password authentication, which has led to many costly data breaches
  • proliferation of new authenticators, including 2-factor (2FA), multi-factor (MFA), risk-adaptive techniques, and mobile biometrics

However, in 2017 we have noticed an uptick in industry interest in dynamic authorization technologies that can help meet complicated business and regulatory requirements. As authentication technologies improve and become more commonplace, we predict that more organizations with fine-grained access control needs will begin to look at dedicated authorization solutions.  For an in-depth look at dynamic authorization, including guidelines and best practices for the different approaches, see the Advisory Note: Unifying RBAC and ABAC in a Dynamic Authorization Framework.

Organizations that operate in strictly regulated environments find that both MFA / risk-adaptive authentication and dynamic authorization are necessary to achieve compliance.  Regulations and government guidance often mandate 2FA / MFA, e.g. US HSPD-12, NIST SP 800-63-3, EU PSD2, etc.  Regulations occasionally stipulate that certain conditions about the access subject or the business, expressed as attributes, be met as a precursor to granting permission.  For example, in export regulations these attributes are commonly the access subject’s nationality or whether the subject’s company holds a license.

Authorization becomes extremely important at the API level.  Consider PSD2: it will require banks and other financial institutions to expose APIs for 3rd party financial processors to utilize.  These APIs will have tiered and firewalled access into core banking functions.  Banks will of course require authentication from trusted 3rd party financial processors.  Moreover, banks will no doubt enforce granular authorization on the use of each API call, per API consumer, and per account.  The stakes are high with PSD2, as banks will need to compete more efficiently and protect themselves from a much greater risk of fraud.
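To make the ABAC model concrete, here is an added example; it is not XACML and not code from any vendor or from this post.  It mirrors the XACML request/response shape in plain Python: attributes grouped into subject, resource, action and environment categories, rules with a target and a condition, a deny-overrides combining algorithm, and a deny-biased enforcement point that grants access only on an explicit Permit.  It covers the export-control case (nationality and licensed company as subject and resource attributes) and a per-API-call, per-account check of the kind described above for PSD2.  The policy, attribute names, the user and TPP identifiers and the IBAN are constructed for illustration.

```python
"""Minimal ABAC policy decision point in the spirit of XACML.

Added example: not XACML and not any vendor's PDP. Requests are nested
dicts (category -> attribute -> value); rules have a target, a condition
and an effect; deny-overrides combines them. Policy content is assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, Dict[str, object]]
Condition = Callable[[Attrs], bool]


def attr(req: Attrs, category: str, name: str, default=None):
    """Look up one attribute; a missing attribute evaluates as `default`."""
    return req.get(category, {}).get(name, default)


@dataclass
class Rule:
    name: str
    target: Condition       # does the rule apply to this request at all?
    condition: Condition    # if it applies, is the rule satisfied?
    effect: str             # "Permit" or "Deny"


def evaluate_rule(rule: Rule, req: Attrs) -> str:
    """XACML semantics: target miss or false condition -> NotApplicable."""
    if not rule.target(req):
        return "NotApplicable"
    return rule.effect if rule.condition(req) else "NotApplicable"


def deny_overrides(rules: List[Rule], req: Attrs) -> str:
    decisions = [evaluate_rule(r, req) for r in rules]
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def pep_allows(decision: str) -> bool:
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return decision == "Permit"


POLICY = [  # constructed policy
    Rule(
        name="export-control",
        target=lambda r: attr(r, "resource", "classification") == "export-controlled",
        condition=lambda r: (
            attr(r, "subject", "nationality") not in attr(r, "resource", "allowed_nationalities", ())
            or attr(r, "subject", "employer") not in attr(r, "resource", "licensed_companies", ())
        ),
        effect="Deny",
    ),
    Rule(
        name="engineer-read-on-corporate-network",
        target=lambda r: attr(r, "action", "id") == "read" and attr(r, "subject", "role") == "engineer",
        condition=lambda r: attr(r, "environment", "network") == "corporate",
        effect="Permit",
    ),
    Rule(  # per API operation, per consumer scope, per consented account
        name="psd2-api-scope-and-account",
        target=lambda r: attr(r, "resource", "type") == "api",
        condition=lambda r: (
            attr(r, "resource", "operation") in attr(r, "subject", "granted_scopes", ())
            and attr(r, "resource", "account") in attr(r, "subject", "consented_accounts", ())
        ),
        effect="Permit",
    ),
]


def decide(req: Attrs) -> str:
    return deny_overrides(POLICY, req)


def engineer_request(nationality: str, network: str = "corporate") -> Attrs:
    """Constructed request: an engineer reading an export-controlled document."""
    return {
        "subject": {"id": "alice", "role": "engineer", "nationality": nationality, "employer": "XYZ Corp"},
        "resource": {"id": "doc-123", "classification": "export-controlled",
                     "allowed_nationalities": ("DE", "US"), "licensed_companies": ("XYZ Corp",)},
        "action": {"id": "read"},
        "environment": {"network": network},
    }


def tpp_request(operation: str, account: str) -> Attrs:
    """Constructed request: a third-party provider calling a bank API (IBAN is a sample value)."""
    return {
        "subject": {"id": "tpp-42", "granted_scopes": ("accounts:read",),
                    "consented_accounts": ("DE89370400440532013000",)},
        "resource": {"type": "api", "operation": operation, "account": account},
        "action": {"id": "invoke"},
        "environment": {},
    }


if __name__ == "__main__":
    for label, req in [("DE engineer, corporate net", engineer_request("DE")),
                       ("FR engineer, corporate net", engineer_request("FR")),
                       ("DE engineer, home network", engineer_request("DE", "home")),
                       ("TPP accounts:read", tpp_request("accounts:read", "DE89370400440532013000")),
                       ("TPP payments:initiate", tpp_request("payments:initiate", "DE89370400440532013000"))]:
        d = decide(req)
        print(f"{label:28s} -> {d:14s} enforced: {'allow' if pep_allows(d) else 'deny'}")
```

Note how the export-control rule wins over the engineer-read rule for the French engineer even though the read rule permits: that is the deny-overrides combining algorithm doing its job, and the enforcement point treats the NotApplicable result for the home-network and unscoped-API cases as a denial rather than as silence.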

For more information on authentication and authorization technologies, as well as guidance on preparing for PSD2, please visit the Focus Areas section of our website.

GDPR vs. PSD2: Why the European Commission Must Eliminate Screen Scraping

The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked about technical legislative actions to arise in recent years.  Both emanate from the European Commission, and both are aimed at consumer protection.

GDPR will bolster personal privacy for EU residents in a number of ways.  GDPR’s definition of personal data (the regulation’s term for what is commonly called personally identifiable information, or PII) includes attributes that were not previously construed as PII, such as account names and email addresses.  Where consent is the legal basis for processing, GDPR will require that organizations obtain clear, unambiguous consent from each user for each use of user data.  In the case of PSD2, this means banks and Third-Party Providers (TPPs).  TPPs comprise Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).  For more information, please see https://www.kuppingercole.com/report/lb72612

Screen scraping has been in practice for many years, though it is widely known that this method is inherently insecure.  In this context, screen scraping is used by TPPs to get access to customer data.  Some FinTechs harvest usernames, email addresses, passwords, and account numbers to act on behalf of the users when interacting with banks and other FinTechs.  This technique exposes users to additional risks: their credentials are more likely to be misused and/or stored in more locations, and any party holding them can do everything the user can do at the bank, not just the one task the user intended. 

PSD2 will mandate the implementation of APIs by banks, for a more regular and safer way for TPPs to get account information and initiate payments.  This is a significant step forward in scalability and security.  However, the PSD2 Regulatory Technical Standards (RTS) published earlier this year left a screen scraping loophole for financial organizations who have not yet modernized their computing infrastructure to allow more secure access via APIs.  The European Banking Authority (EBA) now rejects the presence of this insecure loophole:  https://www.finextra.com/newsarticle/30772/eba-rejects-commission-amendments-on-screen-scraping-under-psd2.   

KuppingerCole believes that the persistence of the screen scraping exception is bad for security, and therefore ultimately bad for business.  The proliferation of TPPs expected after PSD2 along with the attention drawn to this glaring weakness almost ensures that it will be exploited, and perhaps frequently. 

Furthermore, screen scraping implies that customer PII is being collected and used by TPPs.  This insecure practice, then, by definition goes against the spirit of consumer protection embodied in GDPR and PSD2.  GDPR also calls for data protection by design and by default (Article 25), and a screen scraping exemption would contravene that.  TPPs can obtain consent for the use of consumer PII, or have it covered contractually, but such a workaround is unnecessary if TPPs utilize PSD2 open banking APIs.  An exemption in a directive should not lead to potential violations of a regulation.  

At the Intersection of Identity and Marketing

Digital Transformation is driving a diverse set of business initiatives today, including advanced marketing techniques, creating new consumer services, acquiring better customer information, and even deploying new identity management solutions.  As organizations discover new and efficient methods for engaging customers, they often realize new and more profitable revenue streams.

At the intersection of identity and marketing, we find Consumer Identity and Access Management (CIAM) systems.  CIAM is a relatively new but fast-growing area within the overall IAM market.  As the name implies, Consumer IAM focuses on the consumer.  This means that CIAM solutions feature:

  • Self-registration, with options to use social network credentials
  • Progressive profiling:  collecting information from customers over a period of time through various interactions, rather than asking for a lot of information up front
  • White-labeling for seamless branding
  • Flexible authentication:  username, mobile devices, social logins, and often 2FA or MFA methods
  • Consent management:  easy-to-use and understand opt-ins for data collection
  • Identity and marketing analytics: data about consumers and their activities that can be transformed into business intelligence.

Many CIAM solutions were designed from the ground up to make the customer experience more pleasant.  Other CIAM solutions have evolved from the traditional IAM systems we’ve used in businesses and governments for decades.  Most CIAM solutions can be run from the cloud, either as a turn-key SaaS or as a solution your teams can administer inside IaaS. 

The data generated from CIAM systems is inherently useful for marketing. There are two very different approaches for harvesting and using CIAM data: native tools or exporting to third-party programs. 

The most feature-rich CIAM solutions build identity and marketing analytics capabilities into their platforms.  Examples of reports that are possible in these types of solutions include:

  • demographics such as gender, age, location, nationality;
  • segmentation analysis such as generation, age range, income bracket;
  • events including logins, registrations, social providers used;
  • “likes” such as favorite TV shows, sports teams, books, music;
  • social engagement including top commenters and time spent on site.

Most CIAM vendors permit programmatic access via REST APIs to integrate with a wide range of 3rd party market analysis tools as well, e.g. Google Analytics and Tableau.  For enterprise or organizational customers, the data is there, but the choice of how to obtain it and analyze it depends on your organizational capabilities and preferences.

Much of this information produced by CIAM systems can be beneficial; however, with the EU General Data Protection Regulation (GDPR) on the horizon, the ability to collect informed consent from consumers about the use of their data becomes paramount.  Among the many provisions of GDPR, the regulation will require organizations that collect information about users to obtain clear and unambiguous assent for per-purpose processing.  Fortunately, many CIAM vendors have proactively designed their user interfaces to facilitate GDPR compliance to some degree.  In addition to collecting consent and allowing users to change their preferences, data processors will also need to be able to log consent, export or delete user data upon request, and notify users when terms change or when data breaches happen.

In conclusion, well-constructed and configured CIAM solutions can help customers acquire valuable information on their consumers, that, in concert with advanced techniques such as marketing automation, can lead to higher revenues and better consumer satisfaction.  Information gleaned at the intersection of identity and marketing is subject to privacy and other regulations, and as such, needs to be protected appropriately.

Don’t Fall Victim to Ransomware (Links to Free Tools)

Ransomware attacks have increased in popularity, and many outlets predict that it will be a $1 billion business this year.  Ransomware is a form of malware that either locks users’ screens or encrypts users’ data, demanding that ransom be paid for the return of control or for decryption keys.  Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem. 

Ransomware is not just a home user problem, in fact many businesses and government agencies have been hit.  Healthcare facilities have been victims.  Even police departments have been attacked and lost valuable data.  As one might expect, protecting against ransomware has become a top priority for CIOs and CISOs in both the public and private sectors.

Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention.  However, in the case of ransomware, detection after the fact is trivial because the malware announces its presence as soon as it has finished compromising a device; by then the damage is done, and the user is left to deal with the aftermath.  Once infected, the choices are to:

  1. pay the ransom and hope that malefactors return control or send decryption keys (not recommended, and it doesn’t always work that way)
  2. wipe the machine and restore data from backup

Restoration is sometimes problematic if users or organizations haven’t been keeping up with backups. Even if backups are readily available, time will be lost in cleaning up the compromised computer and restoring the data.  Thus, preventing ransomware infections is preferred.  However, no anti-malware product is 100% effective at prevention.  It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.

Most ransomware attacks arrive as weaponized Office documents via phishing campaigns.  Disabling macros can help, but this is not universally effective since many users need to use legitimate macros.  Less commonly, ransomware can also arrive via drive-by downloads and malvertising. 

Most endpoint security products have anti-malware capabilities, and many of these can detect and block ransomware payloads before they execute.  All end-user computers should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions.  Servers and virtual desktops should be protected as well.  Windows platforms are still the most heavily targeted, though there are increasing amounts of ransomware for Android.  It is important to remember that Apple’s iOS and Mac devices are not immune from ransomware, or malware in general.

If you or your organization do not have anti-malware packages installed, there are some no-cost anti-ransomware specialty products available.  They do not appear to be limited-time trial versions, but are instead fully functional.  Always check with your organization’s IT management staff and procedures before downloading and installing software.  All the products below are designed for Windows desktops:

Avast: C-Ransomware

Cybereason Ransomfree

Kaspersky Anti-Ransomware Tool

Windows Defender

The links, in alphabetical order by company name, are provided as resources for consideration for the readers rather than recommendations. 

Ransomware hygiene encompasses the following short-list of best practices:

  1. Perform data backups
  2. Disable Office macros by default if feasible
  3. Deliver user training to avoid phishing schemes
  4. Use anti-malware
  5. Develop breach response procedures
  6. Don’t pay ransom

KuppingerCole will be publishing Leadership Compass reports on anti-malware and endpoint security solutions in the weeks ahead.

PSD2 RTS Final Draft: The good and the not-so-good

The European Banking Authority released the final draft of the Regulatory Technical Standards (RTS) for PSD2 this week.  It contains several improvements and clarifications, but there are still a few areas that fall short of industry expectations.

After the release of the initial drafts, EBA received a multitude of comments and discussion from many organizations and software vendors.  One of the top concerns was on the mandate for Strong Customer Authentication (SCA), which is defined in the traditional way: authentication using two or more independent elements drawn from something you know, something you have, and something you are.  Originally it was conceived to apply to any transaction over €10.  The limit has been raised to €30, which is better, but still less than the recommended €50. 

The revision also takes into account the innovations and benefits of risk-adaptive authentication.  Risk-adaptive authentication encompasses several functions, including user behavioral analytics (UBA), two- or multi-factor authentication (2FA or MFA), and policy evaluation.  Risk-adaptive authentication platforms evaluate a configurable set of real-time risk factors against pre-defined policies to determine a variety of outcomes.  The policy evaluation can yield permit, deny, or “step-up authentication” required. 

PSD2 RTS stipulates that banks (Account Servicing Payment Service Providers, or ASPSPs) must consider the following transactional fraud risk detection elements on a per-transaction basis: 

  1. lists of compromised or stolen authentication elements;
  2. the amount of each payment transaction;
  3. known fraud scenarios in the provision of payment services;
  4. signs of malware infection in any sessions of the authentication procedure

Items 1-3 are commonly examined in many banking transactions today.  The prescription to look for signs of malware infection is somewhat vague and difficult to achieve technically.  Is the bank responsible for knowing the endpoint security posture of all of its clients?  If so, is it responsible also for helping remediate malware on clients?

Furthermore, in promoting “continuous authentication” via risk-adaptive authentication, EBA lists the following elements to be taken into account:

  • the previous spending patterns of the individual payment service user;
  • the payment transaction history of each of the payment service provider’s payment service user;
  • the location of the payer and of the payee at the time of the payment transaction providing the access device or the software is provided by the payment service provider;
  • the abnormal behavioural payment patterns of the payment service user in relation to the payment transaction history;
  • in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.

The requirements described above, from the PSD2 RTS document, are very much a “light” version of risk-adaptive authentication and UBA.  These attributes are useful in predicting the authenticity of the current user of the services.  However, there are additional attributes that many risk-adaptive authentication vendors commonly evaluate that would add value to the notion and practice of fraud risk reduction.  For example:

  • Geo-velocity
  • IP address
  • Time of day/week
  • Device ID
  • Device fingerprint
  • Known compromised IP/network check
  • User attributes
  • User on new device check
  • Jailbroken mobile device check

Now that limited risk analytics are included in the PSD2 paradigm, the requirement for SCA is reduced to at least once per 90 days.  This, too, is in line with the way most modern risk-adaptive authentication systems work. 
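What a risk-adaptive authentication engine does with those signals is easier to see in code.  The following is an added example, constructed for this page and not code from the EBA, the RTS, or any vendor: it combines the RTS elements (compromised authentication elements, transaction amount, spending pattern, location) with the additional signals listed above (geo-velocity, IP address, time of day, device, jailbreak status) into a risk score, maps the score to permit, step-up, or deny, and applies the 90-day SCA rule on top.  The weights, thresholds, IP addresses, device identifiers and the user’s history are all assumptions chosen for illustration.

```python
"""Risk-adaptive authentication scoring for payment sessions (added example,
not any vendor's engine; all weights, thresholds and sample data are assumed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """One login or payment observed for a user (constructed input)."""
    when: datetime
    ip: str
    device_id: str
    lat: float
    lon: float
    amount: float = 0.0       # 0 for a pure login
    jailbroken: bool = False


@dataclass
class Profile:
    user: str
    history: List[Event]      # prior events, oldest first
    known_devices: Set[str]
    last_sca: datetime        # when strong customer authentication last succeeded


@dataclass
class Assessment:
    decision: str             # "permit", "step-up" or "deny"
    score: int
    reasons: List[str]


COMPROMISED_IPS = {"203.0.113.77"}      # constructed block-list (documentation range)
SCA_MAX_AGE = timedelta(days=90)        # RTS: SCA at least once every 90 days
STEP_UP_AT, DENY_AT = 30, 70            # assumed score thresholds
MAX_PLAUSIBLE_KMH = 900                 # assumed: faster than this between sessions is suspicious


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used for the geo-velocity check."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(profile: Profile, event: Event,
           compromised_ips: Set[str] = COMPROMISED_IPS) -> Assessment:
    score, reasons = 0, []
    if event.ip in compromised_ips:                       # known compromised IP/network
        score += 70
        reasons.append("source IP on compromised list")
    if event.device_id not in profile.known_devices:      # user on new device
        score += 25
        reasons.append("unrecognised device")
    if event.jailbroken:                                  # jailbroken/rooted mobile device
        score += 20
        reasons.append("jailbroken device")
    if not 5 <= event.when.hour < 23:                     # time of day
        score += 10
        reasons.append("unusual hour")
    if profile.history:                                   # geo-velocity vs. last session
        prev = profile.history[-1]
        hours = (event.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append(f"geo-velocity {km / hours:.0f} km/h")
    amounts = [e.amount for e in profile.history if e.amount > 0]
    if event.amount > 0 and len(amounts) >= 3:            # amount vs. previous spending pattern
        mu, sigma = mean(amounts), pstdev(amounts)
        if event.amount > mu + 3 * max(sigma, 1.0):
            score += 30
            reasons.append("amount outside spending pattern")
    decision = "deny" if score >= DENY_AT else "step-up" if score >= STEP_UP_AT else "permit"
    if decision == "permit" and event.when - profile.last_sca > SCA_MAX_AGE:
        decision = "step-up"                              # low risk, but the 90-day SCA clock ran out
        reasons.append("last SCA older than 90 days")
    return Assessment(decision, score, reasons)


BERLIN, LISBON = (52.52, 13.405), (38.7223, -9.1393)


def build_profile(last_sca_days_ago: int = 10) -> Profile:
    """Constructed history: five daytime payments from one known device in Berlin."""
    base = datetime(2017, 3, 1, 9, 0)
    history = [Event(base + timedelta(hours=i), "198.51.100.10", "dev-A", *BERLIN, amount=a)
               for i, a in enumerate([42.0, 55.0, 38.0, 61.0, 47.0])]
    return Profile("bob", history, {"dev-A"}, last_sca=base - timedelta(days=last_sca_days_ago))


def scenarios() -> Dict[str, Tuple[Profile, Event]]:
    at = datetime(2017, 3, 1, 14, 0)                      # one hour after the last history event
    return {
        "normal":     (build_profile(),    Event(at, "198.51.100.10", "dev-A", *BERLIN, amount=45.0)),
        "travel":     (build_profile(),    Event(at, "198.51.100.99", "dev-B", *LISBON, amount=50.0)),
        "bad_ip":     (build_profile(),    Event(at, "203.0.113.77", "dev-A", *BERLIN, amount=45.0)),
        "big_amount": (build_profile(),    Event(at, "198.51.100.10", "dev-A", *BERLIN, amount=900.0)),
        "stale_sca":  (build_profile(100), Event(at, "198.51.100.10", "dev-A", *BERLIN, amount=45.0)),
    }


if __name__ == "__main__":
    for name, (profile, event) in scenarios().items():
        a = assess(profile, event)
        print(f"{name:11s} -> {a.decision:8s} score={a.score:3d}  {'; '.join(a.reasons)}")
```

The "travel" case is the instructive one: a new device alone, or an impossible journey alone, would only warrant a step-up, and it is the combination that pushes the score toward denial, while a single hit on the compromised-IP list is treated as disqualifying on its own.  The "stale_sca" case shows the 90-day rule operating independently of the risk score, which is how the RTS frames it.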

The PSD2 RTS leaves in place “screen-scraping” for an additional 18 months, a known bad practice in which current Third Party Providers (TPPs) collect the customer’s own bank username and password and submit them through the bank’s HTML login forms in order to act on the customer’s behalf.  This practice is not only subject to Man-in-the-Middle (MITM) attacks, but also perpetuates the use of low assurance username/password authentication and hands the TPP the full credential rather than a scoped, revocable token.  Given that cyber criminals now know that they only have a limited amount of time to exploit this weak mechanism, look for an increase in attacks on TPPs and banks using screen-scraping methods. 

In summary, the final draft of PSD2 RTS does make some security improvements, but omits recommending practices that would more significantly and positively affect security in the payments industry, while leaving in place the screen-scraping vulnerability for a while longer.


The Importance of Consent Management: CIAM vs. GDPR

Consumer identity and access management solutions are bringing value to the organizations which implement them, in terms of higher numbers of successful registrations, customer profiling, authentication variety, identity analytics, and marketing insights.  Many companies with deployed CIAM solutions are increasing revenue and brand loyalty.  Consumers themselves have better experiences interacting with companies that have mature CIAM technologies.  CIAM is a rapidly growing market segment.

CIAM systems typically collect (or at least attempt to collect) the following attributes about consumers:  Name, email address, association with one or more social network accounts, age, gender, and location.  Depending on the service provider, CIAM products may also pick up data such as search queries, items purchased, items browsed, and likes and preferences from social networks.  Wearable technology vendors may collect locations, physical activities, and health-related statistics, and this data may be linked to consumers’ online identities in multiple CIAM implementations.  To reduce fraud and unobtrusively increase the users’ authentication assurance levels, some companies may also acquire users’ IP addresses, device information, and location history. 

Without the EU user’s explicit consent (or another lawful basis for processing), all of this data collection will violate the EU’s General Data Protection Regulation (GDPR) from May of 2018.  Penalties for violation can be up to €20M or 4% of global annual turnover, whichever is higher.

Consider a few definitions from Article 4 of the GDPR (the numbers are the article’s own):

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

This means that companies that are currently deriving benefit from CIAM must:

  1. Perform a privacy data assessment
  2. Create new privacy policies as needed
  3. Plan to clean and minimize user data already resident in systems
  4. Implement the consent gathering mechanisms within their CIAM solutions

If your deployed CIAM solution is not yet fully GDPR compliant, talk with your vendor about their product roadmaps.  Find out when they will release a GDPR compliant version, and determine how to work that into your own release schedule. 

If your organization is considering deploying CIAM in the near future, make sure that GDPR compliant consent mechanisms and storage schemes are on your RFP requirements list.
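The consent gathering and storage mechanisms referred to here, and the consent logging, preference changes, export and deletion listed in the earlier post on identity and marketing, come down to a fairly small data model.  The following is an added example, not code from any CIAM vendor or from this post: an append-only ledger of consent decisions keyed by data subject, purpose and the version of the terms consented to.  Processing for a purpose is permitted only if the latest record for that purpose is a grant against the terms version currently in force, so publishing new terms automatically requires fresh consent.  The purposes, version strings, subject identifier and evidence labels are assumptions for illustration.

```python
"""Per-purpose consent ledger for a CIAM deployment (added example; the
purposes, versions and sample subject are constructed, not vendor data)."""
import json
from dataclasses import asdict, dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    terms_version: str
    granted: bool            # True = consent given, False = consent withdrawn
    recorded_at: datetime
    evidence: str            # how the decision was captured, e.g. "checkbox:signup-form"


class ConsentLedger:
    def __init__(self, terms_in_force: Dict[str, str]):
        self.terms_in_force = dict(terms_in_force)   # purpose -> terms version currently in force
        self._log: List[ConsentRecord] = []          # append-only; records are never edited

    def record(self, subject_id: str, purpose: str, granted: bool,
               evidence: str, when: datetime) -> ConsentRecord:
        """Log a grant or withdrawal against the terms version in force right now."""
        if purpose not in self.terms_in_force:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(subject_id, purpose, self.terms_in_force[purpose], granted, when, evidence)
        self._log.append(rec)
        return rec

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._log):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec
        return None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Gate every use of personal data for `purpose` on this check."""
        rec = self.latest(subject_id, purpose)
        return (rec is not None and rec.granted
                and rec.terms_version == self.terms_in_force[purpose])

    def update_terms(self, purpose: str, new_version: str) -> None:
        """Publishing new terms invalidates consents given against the old ones."""
        self.terms_in_force[purpose] = new_version

    def needing_reconsent(self, subject_id: str) -> List[str]:
        """Purposes the subject agreed to, but under superseded terms (notify and re-ask)."""
        stale = []
        for purpose, version in self.terms_in_force.items():
            rec = self.latest(subject_id, purpose)
            if rec is not None and rec.granted and rec.terms_version != version:
                stale.append(purpose)
        return stale

    def export(self, subject_id: str) -> str:
        """Portability: the subject's full consent history as JSON."""
        recs = [asdict(r) for r in self._log if r.subject_id == subject_id]
        return json.dumps(recs, default=lambda d: d.isoformat(), indent=2)

    def erase(self, subject_id: str) -> int:
        """Erasure request: drop the subject's records and report how many were removed.
        Whether a minimal proof of withdrawal must be retained is a legal question
        not modelled here."""
        before = len(self._log)
        self._log = [r for r in self._log if r.subject_id != subject_id]
        return before - len(self._log)


def demo() -> Dict[str, object]:
    """Walk one constructed subject through signup, withdrawal, a terms change, export and erasure."""
    ledger = ConsentLedger({"service": "v1", "marketing": "v1", "analytics": "v1"})
    t0 = datetime(2018, 5, 25, 10, 0)
    ledger.record("u-1", "service", True, "checkbox:signup-form", t0)
    ledger.record("u-1", "marketing", True, "checkbox:signup-form", t0)
    out = {"marketing_after_signup": ledger.may_process("u-1", "marketing"),
           "analytics_never_asked": ledger.may_process("u-1", "analytics")}
    ledger.record("u-1", "marketing", False, "link:unsubscribe-email", t0.replace(hour=12))
    out["marketing_after_withdrawal"] = ledger.may_process("u-1", "marketing")
    ledger.update_terms("service", "v2")
    out["service_after_terms_change"] = ledger.may_process("u-1", "service")
    out["needs_reconsent"] = ledger.needing_reconsent("u-1")
    out["export_records"] = len(json.loads(ledger.export("u-1")))
    out["erased"] = ledger.erase("u-1")
    out["service_after_erasure"] = ledger.may_process("u-1", "service")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

Two design choices matter here.  Consent is never a boolean on the user profile: it is a history, so that an auditor can see what was agreed, when, under which wording and how.  And the check is done at the point of processing against the version in force, which is what turns "notify users when terms change" from a mailing into an enforced control.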

This article is not intended to provide detailed technical or legal advice.  For more information, see the full text of GDPR, and visit www.kuppingercole.com. Over the next few months, we will examine other aspects of GDPR and what it entails for business, IAM, and IT infrastructure.

Consumer Identity Summit 2016 - Summary

KuppingerCole just concluded our first Consumer Identity Summit in Paris.  In fact, this was the first Consumer focused digital identity event of its kind.  The event was very well attended, and featured excellent expert speakers from all across the globe.  The popularity of the event and enthusiasm for dialogue among attendees demonstrates the need for treating Consumer Identity differently than traditional Enterprise Identity.  The technology has been evolving significantly, to meet rapidly changing business requirements and encompass newly developed technologies.

Businesses and public sector organizations are finding that they need to “Know Your Customer” (KYC) better for a number of reasons.  Consumer Identity and Access Management (CIAM) services can help meet these objectives.  For example, retail and media outlets can provide better experiences to registered users.  These companies can offer incentives, special sales, and other features to increase loyalty to their brands.  Banks and financial institutions can better comply with Anti-Money Laundering (AML) regulations by establishing digital relationships via CIAM, and provide competitive advantages. 

Consumer identity is becoming more than just a competitive advantage though.  Katryna Dow, CEO of Meeco, said “Consumer Identity is the new channel”.  What this means is that digital service providers are in many cases beginning to bypass traditional distribution channels to directly engage and sell to consumers.  This will have increasingly profound effects on business models.  Consider, for example, the changes in entertainment media and its prior distribution channels.  Where consumers once bought movies and programs on VHS or DVD at stores such as Blockbuster and Hollywood Video, consumers are now streaming content straight from Amazon, Hulu, Netflix, Sony, and more.  The same can be said for online retailers:  those utilizing consumer identity solutions have ways to alert interested buyers, solicit feedback, and create revenue streams that others can’t. 

Allan Foster, VP of Community at ForgeRock and President of Kantara Initiative, described the difference between enterprise IAM and CIAM: “with enterprise IAM, IT provides the identities; in CIAM, IT provides the means for consumers to build their own identities.”   This saves administrative effort, and puts control over which attributes to share back into the consumers’ hands, making them a participant in the process.

Ian Glazer, Senior Director at Salesforce Identity, highlighted the need for improved user experiences, showing how effective consumer identity management promotes a much better user journey.   He stated that businesses must reduce friction for consumers by using social logins, progressive profiling, and progressive proofing. Logins should not require “Yet Another Username & Password”, or YAUP.  Consumer identity should work across multiple channels, including tying users to their IoT devices.

Several speakers touched on the importance of preparing for the EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018.  GDPR contains language which governs the treatment and handling of information gathered and used by CIAM systems. GDPR defines what personal data (the regulation’s term for personally identifiable information, or PII) is:  name, email, photos, posts on social networks, medical information, and financial information are examples.  Some of the most important provisions include explicit consent for personal data usage, restrictions on transferring personal data outside the EU/EEA to countries or recipients without adequate safeguards (Chapter V), data portability (data subjects must be able to export their data from systems), and the right to erasure, also called the right to be forgotten (data deletion).  Note that GDPR protects data subjects in the EU regardless of citizenship.  CIAM solutions must be able to meet all these requirements to be viable within the EU in the post-GDPR regulatory schema.  For more information on GDPR, follow KuppingerCole’s updates, and to see the full text, go to http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

To meet the privacy objectives of GDPR, Dr. Maciej Machulak discussed Kantara Initiative’s User-Managed Access (UMA) specification.  UMA provides a framework for web applications to obtain users’ consent for use of their data.  KuppingerCole believes that UMA will be a major enabler for GDPR compliance.  For more information on UMA, see https://kantarainitiative.org/confluence/display/uma/Home

We also presented the results of our CIAM Leadership Compass at the Summit.  For this paper, ForgeRock, Gigya, IBM, iWelcome, Janrain, LoginRadius, Microsoft, Okta, Ping Identity, Salesforce, SAP, and SecureAuth participated.  Each company has products that serve the CIAM needs of their own customers, with different strengths, challenges, and target markets.  For the full report, see https://www.kuppingercole.com/report/lc71171

Lastly, our own Martin Kuppinger weighed in on the ownership aspect of CIAM deployments.  There are a variety of ways that CIAM can be implemented and maintained.  In some companies, marketing takes the lead.  In others, IT is completely responsible.  The hybrid ownership approach works best:  IT owns the deployment, but operates it as a service for the business as a whole.  This promotes tight integration with enterprise IAM, without being encumbered by enterprise IAM limitations.  It also allows businesses to efficiently promote regulatory compliance and security, while offering consistent and feature-rich solutions for sales and marketing.

KuppingerCole will continue to track CIAM solution developers and customers to provide the most up-to-date information on CIAM, KYC, and the regulatory drivers in this space.

GlobalPlatform Conference Review

GlobalPlatform recently held their annual conference in Santa Clara, California. GlobalPlatform is an international standards organization that defines specifications for the Trusted Execution Environment (TEE): an isolated execution environment, with its own small trusted OS, that runs on a device's application processor alongside the main “Rich OS” (Android, for example) and is separated from it by hardware. It also specifies requirements for Secure Elements (SE), the tamper-resistant chips used for protected key and data storage within mobile devices. Used together, Trusted Applications run inside the TEE, protected from rogue apps and malware in the Rich OS, and can mediate access to keys and data held in the SE. The TEE's Trusted User Interface also protects confidentiality and integrity between the user's input and the display. The specifications are becoming widely used in the protection of premium content (digital media), financial apps, telecommunications, automotive components, healthcare devices, and transit systems.

TEE is being used to secure processing and messaging in many IoT scenarios already today, such as parking meters, food monitoring, and "smart cities" street light monitoring. On the consumer side, TEE is implemented in watches, home automation, and even cars. Remote monitoring of manufacturing, logistics, agriculture, and environments is increasingly being performed by IoT sensors. The number of Internet connected devices is rapidly rising.

Given the recent spate of record-breaking DDoS attacks launched from compromised IoT devices, expect to see greater emphasis on security and privacy, and greater consumer demand for both, directed at IoT manufacturers. Most consumers do not want their webcams and refrigerators to be involved in illegal activities, such as knocking websites off the air, or sabotaging food production.

Beyond providing specifications for execution and storage, GlobalPlatform can help with IoT security by adopting device identity standards. The IoT devices that have unwittingly participated in attacks have done so because bad actors took control using default usernames and passwords. In most cases, users aren't directly involved, so having a username/password identity scheme does not even make sense for IoT sensors.

The lifecycle of IoT device identities is quite different from that of human users. Some devices are designed to last a few hours, such as passive WiFi concrete hardening sensors. Some agricultural sensors are designed to last a growing season. However, in other cases, Internet-enabled durable goods and medical devices are expected to last from several years to perhaps decades. Thus, the identity lifecycle and the difficulty of modifying attributes pose new security risks. Time will tell, but ultimately a PKI-lite, certificate-based device identity paradigm may emerge, if revocation issues can be sufficiently addressed. IoT device vendors and third-party service providers will likely find that device identity and access management could generate long-term subscription and fee revenues.
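The certificate-based device identity sketched above, as an added example that is not code from GlobalPlatform, FIDO or the author: a constructed Go program in which a hypothetical vendor CA enrols a device with a certificate whose validity is bounded by the device's expected service life, the device proves possession of its key by signing a server challenge (the key never leaves the device object, standing in for a key held in a TEE/SE), and the server refuses lapsed, revoked, or mis-signed credentials. `DeviceCA`, `DeviceIdentity`, and the serial-number map standing in for a CRL are assumptions of the example, not anything specified by the standards bodies discussed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a constructed, hypothetical issuer of device identities: the
// "PKI-lite" a vendor or service provider would run. Not a GlobalPlatform API.
type DeviceCA struct {
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	revoked map[string]bool // revoked serial numbers; stands in for a CRL
	next    int64           // next serial number to issue
}

// DeviceIdentity is what a device holds. On real hardware the private key is
// generated inside the TEE/SE and never exported; Sign is all a Rich OS app sees.
type DeviceIdentity struct {
	CertDER []byte
	Serial  string
	key     ed25519.PrivateKey
}

// NewDeviceCA creates a self-signed issuing CA valid for ten years.
func NewDeviceCA(now time.Time) (*DeviceCA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{cert: cert, key: priv, revoked: map[string]bool{}, next: 2}, nil
}

// IssueDevice enrols a device with a certificate bounded by its expected service
// life: a season-long sensor gets a season-long credential, not a password that never expires.
func (ca *DeviceCA) IssueDevice(name string, now time.Time, serviceLife time.Duration) (*DeviceIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(serviceLife),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return &DeviceIdentity{CertDER: der, Serial: tmpl.SerialNumber.String(), key: priv}, nil
}

// Revoke withdraws trust in a device, e.g. once it is reported compromised.
func (ca *DeviceCA) Revoke(id *DeviceIdentity) { ca.revoked[id.Serial] = true }

// Sign answers a server challenge without ever releasing the key itself.
func (d *DeviceIdentity) Sign(challenge []byte) []byte { return ed25519.Sign(d.key, challenge) }

// Authenticate is the server side: revocation check, chain validation at time `at`, then the challenge signature.
func (ca *DeviceCA) Authenticate(certDER, challenge, sig []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return errors.New("device certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("challenge signature did not verify")
	}
	return nil
}
```

`Authenticate` returns nil for a live credential and an error otherwise. The validity bound is what keeps a 120-day growing-season sensor from authenticating the following year without a deliberate re-enrolment, and the in-memory revocation map is exactly the part the post flags as unresolved: a real deployment needs a distribution channel (CRL or OCSP) that constrained, intermittently connected devices and their verifiers can actually reach, and a verifier whose clock can be trusted when it evaluates `NotAfter`.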

With regard to user authentication, GlobalPlatform and the FIDO Alliance will be cooperating with cross-certification and joint testing programs. The FIDO Alliance is an international Standards Development Organization (SDO) focused on multi-factor and mobile authentication technologies. GlobalPlatform currently provides test tools and certified test labs to perform independent security testing of TEEs. This yields qualified products. Many vendors are already building and certifying TEEs. FIDO authenticators and clients are being deployed in the TEE. Apps that run in the open (the "Rich OS") can request authentication from the FIDO client/authenticator running securely in the TEE.

FIDO is also adding security certification. The first priority is protecting the authenticator’s keys. Security certification for FIDO will re-use other organizations’ standards, such as FIPS 140-2 and GlobalPlatform TEE. FIDO security certification will look for and confirm the use of TEE by FIDO components. FIDO certification will then include functional certification by FIDO (as it is today), and GlobalPlatform TEE certification as a component of security.

GlobalPlatform and FIDO are planning to synchronize certification processes. Independent certified test labs will provide the testing services for both organizations. OEMs will be able to get both needed certifications much more quickly. Such an approach is a "win-win" for the mobile IAM community, as there are many common members between FIDO and GlobalPlatform, and this should reduce the cost and time needed to obtain security certifications from both organizations.

As we know, IoT devices are proliferating but security is severely lacking. The number of FIDO certified products is also beginning to grow. GlobalPlatform’s TEE will add needed runtime and I/O security to both IoT and FIDO applications. KuppingerCole recommends that both IoT device manufacturers and FIDO implementers utilize TEE to:

  1. improve the overall security posture of IoT devices and FIDO authenticators
  2. reduce the risk of malware taking over IoT devices and turning them into DDoS botnets
  3. increase integrity of key generation, storage, and use in FIDO authenticators
  4. add credibility to IoT and FIDO products in the marketplace.

KuppingerCole will continue to monitor developments in the mobile and IoT security space.

GlobalPlatform TEE specifications can be found at https://www.globalplatform.org/specificationsdevice.asp.
