SlideShare a Scribd company logo
The future of a smart mobile device as a trusted personal Identity management assistant Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland
Identity model in a physical world Mutual international acceptance of government issued passports. Acceptance of country specific ID cards within the country by government agencies and businesses.
Identity problem in cyber space
Identity problem in cyber space Security risk, inconvenience and economic acceleration hindrance
Digital catching up physical governments are waking up USA – National Strategy for Trusted identity in Cyberspace (NSTIC) EU – European ID (eID) Other states may have their own plans Leading ThinkTank on Information Security Principles of de-perimiterisation (2006) Now published Identity commandments (May 2011) Interoperability is not given but should be architected into the digital identity systems NSTIC already in discussions with leading identity providers
The shift in identity management is imminent People will embrace new way of identity management Iceberg with topple (violently – be prepared) Single (or very few) personal identity Self-assured or trusted attribute providers We need a trusted device that manages this for us
Mobile device  becomes ubiquitous identity assistant Certifies attributes Certifies Identity provider Certifies Attribute provider Contract Requests identity Issues identity into smart device Authenticates user Seamless login Authenticates user Manages different  “ Personas ”  on behalf of user Authenticates user and passes required attributes Policies for required level of identity assurance and attributes (Multiple of) (Multiple of)
Now we have vision! What next? Technology SAML Oauth Secure mobile device mTPM Secure key storage Secure and trusted OS NFC Bluetooth Face recognition Voice recognition Cryptography and PKI Governance Jericho forum Identity Commandments compliance Segregation of Identity and Attribute providers! Trust between Service providers and Identity and Attribute providers International agreement on compatibility of identity protocols
Mobile device as a trusted device:  [4,5]  How does mobile HW and OS hold up? Typically contains System on Chip (SoC) Load Kernel and mobile OS Load mobile applications If Trust is not assured from HW up then there is no trust at all! Enterprise apps accessed from mobile devices OS security capabilities are crucial Application segregation, security reviews
Mobile threats summary  [2] Web-based and network-based attacks  – mobile device is connected, browsing websites with malicious content Malware   – traditional viruses, worms, and Trojan horses Social engineering attacks  – phishing. Also used to install malware. Resource and service availability abuse  – botnet, spamming, overcharging (SMS and calls) Malicious and unintentional data loss  – exfiltration of information from phone  Attacks on the integrity of the device’s data  – malicious encryption with ransom, modification of data (address book)
Mobile Security Models  [2] Traditional Access Control : passwords and idle-time screen locking. Application Provenance : Application signing and Application review in App store Encryption : Encryption of device data and application data Isolation : traditional Sandboxing and Storage separation Permissions-based access control : Limiting application to needed functionality only All must be supported by Trust from HW up.  Jailbreaking breaks  the security model!
Interoperable cyber identity means more security and more convenience for users = economic benefits Smart mobile device becomes a centre of identity management – secure store and conveniently user digital identity in everyday life (Communicate, Contribute, Access, Pay) Governments should promote interoperable identity frameworks Identity and attribute providers will operate internationally Registration authorities will operate mostly nationally
Resources Veracode Mobile app Top 10 -  http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ Symantec Security Analysis of iOS and Android -  http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02 Mobile Trusted Computing Platform -  http://www.trustedcomputinggroup.org/developers/mobile Understanding HW architecture of Smartphones -  http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia -  http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf Security in Windows Phone 7 -  http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92). aspx Difference between Oauth and OpenID -  http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing Kantara Initiative -  http://kantarainitiative.org/ NSTIC -  http://www.nist.gov/nstic/ ENISA - http://www.enisa.europa.eu/ Jericho Forum - https://www.opengroup.org/jericho/
Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
Question 1: Which party issues a trusted digital identity to an user Government Attribute provider Registration authority Identity provider
Question 2: Which technology makes sure that the mobile device boot loader has not been altered Bluetooth Trusted Computing Base for mobile NFC Face recognition
Question 3: Which security mechanism ensured that mobile applications cannot directly talk to each other Access control Sandboxing Data encryption Clipboard protection
Question 4: What is NSTIC National Science Technology Institute for Computing National Strategy for Trusted Identity for Computers National Strategy for Trusted Identity in Cyberspace National Strategy for Technology Inovation in Cyberspace

More Related Content

What's hot

Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Priyanka Aash
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
Ulf Mattsson
 
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
Sierraware
 
Mobile Security for Banking and Finance
Mobile Security for Banking and FinanceMobile Security for Banking and Finance
Mobile Security for Banking and Finance
Sierraware
 
Identity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of ThingsIdentity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of Things
Ping Identity
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Lacoon Mobile Security
 
Hardware Authentication
Hardware AuthenticationHardware Authentication
Hardware Authentication
Coder Tech
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
Xavier Mertens
 
2FA Advanced Authentication for Public Safety
2FA  Advanced Authentication for Public Safety2FA  Advanced Authentication for Public Safety
2FA Advanced Authentication for Public Safety
2FA, Inc.
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
Petr Dvorak
 
Multi Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect DesignMulti Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect Design
Rajat Jain
 
Clear and Present Danger
Clear and Present DangerClear and Present Danger
Clear and Present Danger
Ping Identity
 
Secure your Future with IoT Security Testing | Application Security
Secure your Future with IoT Security Testing | Application SecuritySecure your Future with IoT Security Testing | Application Security
Secure your Future with IoT Security Testing | Application Security
Cigniti Technologies Ltd
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
Francisco Anes
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Sierraware
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile  security presentation v1.2C0c0n 2011 mobile  security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
Endeavour Software Technologies
 
2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides
Ivanti
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
Will Adams
 

What's hot (20)

Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
 
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
 
Mobile Security for Banking and Finance
Mobile Security for Banking and FinanceMobile Security for Banking and Finance
Mobile Security for Banking and Finance
 
Identity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of ThingsIdentity-Defined Privacay & Security for Internet of Things
Identity-Defined Privacay & Security for Internet of Things
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
 
Hardware Authentication
Hardware AuthenticationHardware Authentication
Hardware Authentication
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
2FA Advanced Authentication for Public Safety
2FA  Advanced Authentication for Public Safety2FA  Advanced Authentication for Public Safety
2FA Advanced Authentication for Public Safety
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
Multi Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect DesignMulti Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect Design
 
Clear and Present Danger
Clear and Present DangerClear and Present Danger
Clear and Present Danger
 
Secure your Future with IoT Security Testing | Application Security
Secure your Future with IoT Security Testing | Application SecuritySecure your Future with IoT Security Testing | Application Security
Secure your Future with IoT Security Testing | Application Security
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYODRoadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile  security presentation v1.2C0c0n 2011 mobile  security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 

Viewers also liked

C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
Vladimir Jirasek
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
Vladimir Jirasek
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risks
Vladimir Jirasek
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
Vladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
Vladimir Jirasek
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 

Viewers also liked (6)

C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risks
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 

Similar to Mobile phone as Trusted identity assistant

Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
1SI19IS064TEJASS
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security  - technical datasheet2Sholove cyren web security  - technical datasheet2
Sholove cyren web security - technical datasheet2
SHOLOVE INTERNATIONAL LLC
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
Advanced monitoring
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
Entrust Datacard
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture
Symantec
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
Tonex
 
Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber law
Divyank Jindal
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
ITDogadjaji.com
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
online Marketing
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
Dean Iacovelli
 
Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0
Javier Gonzalez
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
Fabio Pietrosanti
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
IJERA Editor
 
Tt 06-ck
Tt 06-ckTt 06-ck
880 st011
880 st011880 st011
880 st011
Chandra Rao
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
OKsystem
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
Martin Holovský
 

Similar to Mobile phone as Trusted identity assistant (20)

Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security  - technical datasheet2Sholove cyren web security  - technical datasheet2
Sholove cyren web security - technical datasheet2
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
 
Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber law
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
 
Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0Samsung knox security_solution_v1_10_0
Samsung knox security_solution_v1_10_0
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
 
Cn35499502
Cn35499502Cn35499502
Cn35499502
 
Tt 06-ck
Tt 06-ckTt 06-ck
Tt 06-ck
 
880 st011
880 st011880 st011
880 st011
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 

More from Vladimir Jirasek

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanning
Vladimir Jirasek
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
Vladimir Jirasek
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
Vladimir Jirasek
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
Vladimir Jirasek
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
Vladimir Jirasek
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
Vladimir Jirasek
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
Vladimir Jirasek
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
Vladimir Jirasek
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
Vladimir Jirasek
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
Vladimir Jirasek
 

More from Vladimir Jirasek (11)

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanning
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
 

Recently uploaded

UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
Alison B. Lowndes
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
Michael Price
 

Recently uploaded (20)

UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024Perth MuleSoft Meetup July 2024
Perth MuleSoft Meetup July 2024
 

Mobile phone as Trusted identity assistant

  • 1. The future of a smart mobile device as a trusted personal Identity management assistant Vladimir Jirasek CISSP-ISSAP & ISSMP, CISM, CISA Senior Enterprise Security Architect, Nokia Steering Group, Common Assurance Maturity Model Non-executive director, CSA UK & Ireland
  • 2. Identity model in a physical world Mutual international acceptance of government issued passports. Acceptance of country specific ID cards within the country by government agencies and businesses.
  • 3. Identity problem in cyber space
  • 4. Identity problem in cyber space Security risk, inconvenience and economic acceleration hindrance
  • 5. Digital catching up physical governments are waking up USA – National Strategy for Trusted identity in Cyberspace (NSTIC) EU – European ID (eID) Other states may have their own plans Leading ThinkTank on Information Security Principles of de-perimiterisation (2006) Now published Identity commandments (May 2011) Interoperability is not given but should be architected into the digital identity systems NSTIC already in discussions with leading identity providers
  • 6. The shift in identity management is imminent People will embrace new way of identity management Iceberg with topple (violently – be prepared) Single (or very few) personal identity Self-assured or trusted attribute providers We need a trusted device that manages this for us
  • 7. Mobile device becomes ubiquitous identity assistant Certifies attributes Certifies Identity provider Certifies Attribute provider Contract Requests identity Issues identity into smart device Authenticates user Seamless login Authenticates user Manages different “ Personas ” on behalf of user Authenticates user and passes required attributes Policies for required level of identity assurance and attributes (Multiple of) (Multiple of)
  • 8. Now we have vision! What next? Technology SAML Oauth Secure mobile device mTPM Secure key storage Secure and trusted OS NFC Bluetooth Face recognition Voice recognition Cryptography and PKI Governance Jericho forum Identity Commandments compliance Segregation of Identity and Attribute providers! Trust between Service providers and Identity and Attribute providers International agreement on compatibility of identity protocols
  • 9. Mobile device as a trusted device: [4,5] How does mobile HW and OS hold up? Typically contains System on Chip (SoC) Load Kernel and mobile OS Load mobile applications If Trust is not assured from HW up then there is no trust at all! Enterprise apps accessed from mobile devices OS security capabilities are crucial Application segregation, security reviews
  • 10. Mobile threats summary [2] Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content Malware – traditional viruses, worms, and Trojan horses Social engineering attacks – phishing. Also used to install malware. Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls) Malicious and unintentional data loss – exfiltration of information from phone Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
  • 11. Mobile Security Models [2] Traditional Access Control : passwords and idle-time screen locking. Application Provenance : Application signing and Application review in App store Encryption : Encryption of device data and application data Isolation : traditional Sandboxing and Storage separation Permissions-based access control : Limiting application to needed functionality only All must be supported by Trust from HW up. Jailbreaking breaks the security model!
  • 12. Interoperable cyber identity means more security and more convenience for users = economic benefits Smart mobile device becomes a centre of identity management – secure store and conveniently user digital identity in everyday life (Communicate, Contribute, Access, Pay) Governments should promote interoperable identity frameworks Identity and attribute providers will operate internationally Registration authorities will operate mostly nationally
  • 13. Resources Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/ Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02 Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92). aspx Difference between Oauth and OpenID - http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing Kantara Initiative - http://kantarainitiative.org/ NSTIC - http://www.nist.gov/nstic/ ENISA - http://www.enisa.europa.eu/ Jericho Forum - https://www.opengroup.org/jericho/
  • 14. Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
  • 15. Question 1: Which party issues a trusted digital identity to an user Government Attribute provider Registration authority Identity provider
  • 16. Question 2: Which technology makes sure that the mobile device boot loader has not been altered Bluetooth Trusted Computing Base for mobile NFC Face recognition
  • 17. Question 3: Which security mechanism ensured that mobile applications cannot directly talk to each other Access control Sandboxing Data encryption Clipboard protection
  • 18. Question 4: What is NSTIC National Science Technology Institute for Computing National Strategy for Trusted Identity for Computers National Strategy for Trusted Identity in Cyberspace National Strategy for Technology Inovation in Cyberspace