Slide 1
Strong Workforce Authentication: Push & Pull Factors
Slide 2
Before we start
Who is working in a company with >50 employees?
Who is working in a corporate security, business continuity, and/or IT department?
Slide 3
Copyright © Infineon Technologies AG 2024. All rights reserved.
public
16 Jul 2024
EU Regulatory Push for Enhanced Cybersecurity

NIS 2 Directive
Who is affected? Sectors in scope: Transport; Banking, Financials; Digital Infrastructure; Water; Energy; Healthcare; Post & Courier; Manufacturing; Public admin; Drinking Water; Aerospace; Food production & distribution; e-Communication Networks/Services; Waste management; Research; Digital Service Providers.
NIS 2 requirements: Incident reporting; Risk management; Cyber hygiene; Protection & crisis concepts; Access control obligation; Multi-factor authentication.
Penalties: up to 10M € or 2% of revenue; Executive board personally liable.

CATENA-X: First open and collaborative automotive data ecosystem
Goal: Automotive data-driven value chain
Value chain shown: Tier-n, Tier-2, Tier-1, OEM, Dealer / Customer, Recycler, Dismantler
Exchange of sensitive data requires enhanced security!
‒ IAM = mandatory basic infrastructure
‒ Robust authentication & authorization mechanisms
Phishing-resistant MFA
‒ securely authenticate to Catena-X
‒ additional security to access control system
Slide 4
Another question
Who is working at an OEM, Tier 1, Tier 2, or in the automotive industry in general?
Slide 5
New Business Model Pull in Automotive by Catena-X
(build of slide 3 with this title added; the Catena-X and NIS 2 content is repeated unchanged)
Slide 6
Regulatory PUSH and New Business Model PULL
(build of slide 3 with this title added; the Catena-X and NIS 2 content is repeated unchanged)
Slide 7
Why use FIDO Security Keys?
Hardware-based, phishing-resistant MFA with FIDO is the answer
‒ Phishing-resistant
‒ Standardized protocols
‒ No shared secrets, no shared passkeys
‒ Possession-based security
‒ Offline & online functionality

Chart: SECURITY (low to high) against USABILITY (low to high).
NOT phishing-resistant: Password; Password + standard 2FA; OTP.
Phishing-resistant: Cloud-synced passkeys; Device-bound passkey; FIDO Security Keys.
Slide 8
Our role in hardware-based security: Security ICs at the heart of FIDO Security Keys
‒ 30+ years: Expertise in HW-based security solutions helping you to reduce complexity & implementation costs
‒ > 3 billion: Smart Card & Security ICs sold per year, proving high quality and reliability
‒ Trusted partner: Leading in key markets: #1 in security, #2 in connectivity, #1 in automotive
‒ Role in FIDO: Founding member and active involvement in standardization since the beginning
‒ Trusted advisor: In security standardization in security & automotive around the globe
‒ Long-term commitment: Extensive system & application know-how for the fast-changing automotive industry
Slide 9
Thank you for your attention!

FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx


Editor's Notes

  • #4 NIS1 dates from 2016. What are the requirements? Access control implementation and multi-factor authentication (how access control is managed): NIS-2 mandates MFA (e.g. password + another factor). Binding for essential or important entities; for important entities the penalties are a bit less but still painful (7 million € or 1.4% of global annual revenue). Besides the legislation itself, it is worthwhile to discuss the requirements and obligations that companies have to fulfil. In principle there are a lot of requirements; looking at the essential aspects that are new with NIS2, there are mainly two topics, §30 (4) 9 + 10 of the German NIS2UmsuCG (the NIS2 implementation act): first, access control for the company network: people can log in, and login/access has to be controlled (an exact decision on who should have access to the company network); second, how to design the access control: NIS2 prescribes MFA (a password alone is not possible; a second factor has to be added; the minimum is two factors for the implementation of access control). Which kind of access is affected? Network access, local access to a PC, app access, local and remote, classical or cloud based: every kind of digital access. The aim is raising the security level of networks and information systems in the EU (NIS-2: higher security level and stricter reporting obligations). So who is affected by NIS2? All mid-size and large organizations operating in the sectors listed above, as well as companies that meet the specified criteria, will be covered by the new NIS2 directive. As a result, a very large number of medium-sized enterprises are now obliged to observe the security measures laid down in the directive and are subject to certain reporting obligations. The goal of the NIS2 Directive is to enhance cybersecurity and resilience in European Union organizations. This Directive expands its scope to cover more sectors and focuses on the need for consistent implementation across all EU member states. Therefore, organizations should begin preparing for compliance by creating a roadmap and increasing their cybersecurity awareness.
The following applies not only to NIS2 implementation: Cybersecurity is a management task and must not be delegated. So how do companies need to prepare for the new cybersecurity requirements in order to avoid security and liability risks? One of the essential requirements of NIS2 is to develop appropriate concepts for access control. The reason is obvious: secure IT structures start with the question of who has access to the individual systems and networks. In particular, the following must be protected against unauthorized access: • Local access to PCs • Remote access via VPN • App access to cloud-based and local applications
  • #6 and #7: same notes as #4.
  • #8 Synced passkeys provide a phishing-resistant authentication solution that helps reduce the need for passwords and provides a higher level of security than phishable MFA solutions like SMS, OTP, and push notifications. However, as mentioned previously, synced passkeys have security trade-offs, because the private key is copied to every device signed in to the same cloud account, and adversaries are smart enough to pivot to wherever they can take advantage to gain access. What makes MFA phishing-resistant: it is based on a trust relationship (the registration process needs to be protected); there are no shared secrets (shared secrets can easily be stolen); security is possession-based (private keys are securely stored in something I have); both transacting parties know each other (the credential is bound to the relying party's origin, so user and relying party are aware of each other and a look-alike site gets nothing usable); and intent (the user acts on a known, user-initiated authentication request). While a hacker may be able to break into your system remotely, it is difficult to break into one that requires a physical token without the token itself being present. These tokens store no passwords or other reusable secrets, only private keys that the security IC is designed to keep non-extractable, and each use needs a touch and, where the relying party requires it, user verification (PIN or biometric). This means that even if they get lost or stolen, they cannot be used to gain access to sensitive information. Reduced mobile device dependency; cost and maintenance aspects compared to phones. https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/zwei-faktor-authentisierung_node.html https://kineticit.com.au/article/multi-factor-authentication/
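The properties listed in this note (an origin-bound trust relationship, no shared secret, possession of a private key, both parties knowing each other) are exactly what a relying party checks in a FIDO2/WebAuthn login. The following Go program is an added example, not code from the deck or from Infineon: it models the assertion ceremony with a stub authenticator and relying party (the hostnames rp.example and rp-login.evil.example are made up; the RP ID is simplified to the origin's host, and CBOR/COSE encoding, the user-presence flag and the signature counter of real WebAuthn are left out) and runs a genuine login, an adversary-in-the-middle relay of a real challenge to a look-alike site, and a forgery with an attacker's own key.

```go
package main

// Added example, not code from the Infineon deck: a minimal FIDO2/WebAuthn
// assertion ceremony showing why a security key resists phishing. Hostnames are
// made up; CBOR/COSE encodings, the UP flag and the signature counter are omitted.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator models a security key: one non-exportable private key per RP ID.
type Authenticator map[string]*ecdsa.PrivateKey
type ClientData struct{ Type, Challenge, Origin string }      // built by the browser, not the page
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte } // AuthData = sha256(rpId) here
type RelyingParty struct {
	ID, Origin string
	PubKeys    map[string]*ecdsa.PublicKey // registered public key per user
}

// Register is the "make credential" step; only the public key leaves the key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a[rpID] = priv
	return &priv.PublicKey
}

// GetAssertion plays browser plus authenticator. The browser derives the RP ID from
// the page origin (simplified to the host) and writes that origin into clientDataJSON.
func (a Authenticator) GetAssertion(origin, challenge string) (*Assertion, error) {
	rpID := strings.TrimPrefix(origin, "https://")
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for rpId %q", rpID)
	}
	cd, _ := json.Marshal(ClientData{"webauthn.get", challenge, origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signatureBase(rpIDHash[:], cd))
	return &Assertion{cd, rpIDHash[:], sig}, err
}

// signatureBase is what WebAuthn signs: sha256(authData || sha256(clientDataJSON)).
func signatureBase(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Verify runs the RP-side checks: the challenge issued for this login (used once),
// the RP's own origin, the rpIdHash, and the signature under the stored public key.
func (rp *RelyingParty) Verify(user, challenge string, as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.ID))
	switch pub := rp.PubKeys[user]; {
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: replay or wrong session")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	case string(as.AuthData) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case pub == nil || !ecdsa.VerifyASN1(pub, signatureBase(as.AuthData, as.ClientDataJSON), as.Sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func newChallenge() string { // fresh random challenge for one login attempt
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Scenario runs a genuine login, a relay of a real challenge to a phishing origin,
// and a forgery with an attacker's own key; it returns the three outcomes.
func Scenario() (legit, phish, forged error) {
	key := Authenticator{}
	rp := &RelyingParty{"rp.example", "https://rp.example", map[string]*ecdsa.PublicKey{}}
	rp.PubKeys["alice"] = key.Register(rp.ID)
	ch := newChallenge()
	as, err := key.GetAssertion(rp.Origin, ch)
	if legit = err; err == nil {
		legit = rp.Verify("alice", ch, as)
	}
	// Adversary-in-the-middle: the real challenge is relayed, but the browser maps
	// the phishing origin to an RP ID for which the key holds no credential.
	_, phish = key.GetAssertion("https://rp-login.evil.example", newChallenge())
	// Forgery: well-formed, genuine origin, but signed by a key alice never registered.
	evil, ch3 := Authenticator{}, newChallenge()
	evil.Register(rp.ID)
	fake, _ := evil.GetAssertion(rp.Origin, ch3)
	forged = rp.Verify("alice", ch3, fake)
	return
}
```

The relay fails before anything is signed: the browser derives the RP ID from the page it is actually on, so the key has no credential to offer, and even a tampered clientDataJSON would break the signature because the origin sits inside the signed data. An OTP or push approval relayed the same way would be accepted, which is the difference behind the slide's NOT phishing-resistant / phishing-resistant split. A real deployment additionally rejects a challenge that was already consumed, checks the UP/UV flags, and tracks the signature counter.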
  • #9 Infineon powers electronic ID documents in >110 countries representing 77% of the world's population. The emergency call (eCall) functionality in the majority of cars features an Infineon chip. Secure Element (SE), meaning: holds private keys, security-relevant functions and credentials; crypto functionality; tamper resistant and attack resistant; security certified; secured manufacturing and secured shipment. What is a Secure Element? A Secure Element is a microprocessor chip that facilitates the secure storage and processing of sensitive data. It is commonly used in SIM cards, passports and credit cards. It holds important user data, such as biometric information and banking and transaction information, and protects it from malware attacks. A Secure Element can be perceived as a 'nomad' type of HSM. In a crypto context, an SE can be used in hardware wallets to provide an extra layer of security for private keys. However secure hardware wallets are, a hacker can still perform physical attacks if the wallet comes into their possession; this is where the SE comes in. The Secure Element protects sensitive information with intrinsic countermeasures that make it tamper-resistant and resistant to hacking. The entropy from which the secret recovery phrase and private keys are derived in cryptocurrency wallets is generated within the SE, and the private keys never leave the SE. The SE protects the hardware wallet against software attacks and physical attacks, including fault attacks and side-channel attacks. For instance, it can withstand cold-boot attacks, where a malicious actor with physical access hard-resets the device and dumps the contents of RAM.
Tamper-resistant hardware: utilizes physically shielded environments or specialized processors to deter unauthorized access. Strong encryption and authentication: employs advanced cryptographic algorithms and key management techniques to ensure data confidentiality and integrity. Secure boot and firmware update mechanisms: prevent unauthorized modifications to the software running on the device. Industry standards and certifications: often certified to meet security requirements such as Common Criteria or FIPS 140-2, providing validation of their security features by independent third-party organizations.
  • #10 So, the only thing left for me to say today is: Let's make Minority Report real! Let's jointly unlock the biometric future of authentication and access! Together, we can transform a market trend into a best-in-class solution for all players.