Cidway Byod Authentication
- 1. BRING YOUR OWN DEVICE non intrusive security solution Swiss Consulting Association – 26.09.2012 by: Laurent FILLIAT Discover the future of security on www.cidway.com
- 2. Agenda ² Cidway OK Security SA ² BYOD: a reality companies have to face ² BYOD: Corporate Strategy ² BYOD: key questions to de addressed ² BYOD Use case 1: Mobile Authentication ² BYOD Use Case 2: Mobile Launcher ² BYOD 2.0 © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 2
- 3. CIDWAY – Background Cidway Partners and Customer Services ² Created in December 2005 ² Global presence via partners & resellers ² Head Quarters in Lausanne, CH ² Support center for Partners ² Sales Offices (CH, UK, MENA, LATAM) ² Support portal available for partners ² Internal R&D & Patent Office ² Consulting services CIDWAY’s Vision Authentication and transactions should be safe, reliable and easy for anyone, anywhere, anytime This vision is fuelled by: ü Meeting virtually all authentication requirements ü Making Authentication & Transactions simple, easy, accessible, secure and user friendly ü Addressing virtually unlimited vertical applications from one platform © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 3
- 4. Cidway Business Solutions Consumer Homeland OEM Corporate access Health Care (Original Equipment Security Security Manufacturers) • e/m-Banking • Corporate resource • Pilots authen-ca-on • Access to medical • Handset access Manufacturers • e/m-Commerce • Transporta-on records • VPN access control • Mobile • e/m- security Government • WiFi HotSpot access • Process control Application • e/m-Brokerage • Application Access • Two ways • Document signature Providers • e/m-Health care • Mobility authen-ca-on corroboration • Network • Document signature Providers • e/m-Gaming corroboration • Financial • e/m-Lottery Institutions • e/m-Loyalty • e/m-Payment © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 4
- 5. Cidway GAIA / SESAMI Product Line One server for multiple tokens Yubikey Display Cards SESAMI Mobile HARDWARE Tokens Time based OTP/TDS Software token Convergence of physical & KeyFob for mobile phones. logical access GAIA Server Authentication platform OATH compliant GAIA SDK Authentication platform SDK SESAMI Mobile SDK SESAMI SMS Time based OTP/TDS mobileSDK SMS based OTP for mobile phones for mobile phones SDK: Software Development Kit © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 5
- 6. Bring Your Own Device
- 7. BYOD – a reality companies have to face According to Forrester (2011), 70% of smartphones belong to users, 12% are chosen from an approved list, and 16% are corporate-issued. Some 65% of tablets belong to users, 15% are chosen from a list, and 16% are corporate issued. Forrester’s study of US information workers revealed that 37% are doing something with technology before formal permissions or policies are instituted. Further, a Gartner CIO survey determined that 80% of employees will be eligible to use their own equipment with employee data on board by 2016. © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 7
- 8. BYOD: A matter of Corporate Strategy Not allowed Agreed Policies Totally open & EMM solutions © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 8
- 9. BYOD: Key questions to be addressed • Finance: Who pays what (data plan, communications, etc.) • Compliance: What regulations govern the data your organization needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on any device that holds data subject to the act. • Security: What security measures are needed (passcode protection, jailbroken/ rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)? • Applications: What apps are forbidden? IP scanning, data sharing, Dropbox? • Agreements: Is there an Acceptable Usage Agreement (AUA) for employee devices with corporate data? • Services: What kinds of resources can employees access—email? Certain wireless networks or VPNs? CRM? • Privacy: What data is collected from employees’ devices? What personal data is never collected? • Legal: who’s responsible in case of loss, stolen device Create the Policy before procuring Technology © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 9
- 10. BYOD Use Case 1: an opportunity for Authentication OK Shift cumbersome and expensive hardware to the Mobile © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 10
- 11. BYOD: Key questions to be addressed… • Finance: No additional costs to the Employee; Cheaper for Corporate • Compliance: Compliant with most of regulations (some solutions). • Security: Only few solutions have the appropriate level of security • Applications: Application to be allowed • Agreements: Idem as with hardware tokens • Services: Self-service deployment, low level of support (compared to hardware) • Privacy: Does not interfere with, nor collect any data on the device • Legal: Idem as hardware tokens • Not Intrusive: a simple application, not requiring a container, no interference with personal data, no risk of communications, does not take control of the device… © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 11
- 12. FAQ on Mobile Authentication Sesami Mobile is the answer • What are the risks if I loose my phone ? • What are the risks to download a fake application from a mobile public store ? • How easy is it to activate the application and what are the risks during the process ? OK • Do I need connectivity to Authenticate ? • What are the risks of brute force, man in the middle and other sophisticated attacks ? • Did the application pass penetration tests ? • What are the coding techniques to guarantee top security ? • Are they credentials transmitted over the air ? What are the risks ? • Is it time based ? Challenge response ? • What happens when the user change the time zone or the phone clock changes ? • Does it work on all Mobile platforms ? • Is it possible to customize the application ? • Can we use the Authentication application within another Mobile solution for example for Mobile Banking ? • Is the solution already deployed and used for Mobile authentication and Mobile Transactions ? • Does the solution considered supports real time-based OTP, mutual-authentication & transaction signature ? © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 12
- 13. BYOD Use Case 2: Protect Data Access not the Device CIO Magazine Online: Mobile device management (MDM) products and services are often the reflexive response to the need for more secure mobile computing, but in many ways that's like using a chainsaw rather than a scalpel to perform surgery. A growing number of secure mobile solution providers say the answer to BYOD is not to control the device, but to control the data access. SALES REPORTS Strong Authentication secured by Mutual Authentication (time-based OTP) Web-based Cidway Mobile Mobile Application Launcher (BI, email, Non-intrusive No-Pin protection Reports, etc.) Secure virtual keyboard Jailbrake/Root detection Data encryption © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 13
- 14. BOYD 2.0 BUY YOUR OWN DEVIVCE ZDNet: Des salariés tenus d’acheter leurs terminaux pour leur activité professionnelle, c’est la phase 2 du BYOD envisagée, pour des raisons d'économies, par des directions financières. Une telle perspective pose de nombreuses questions techniques, mais aussi et surtout en termes juridiques et RH. © 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 14