Cidway Byod Authentication


description

BYOD - An opportunity for a truly secure mobile authentication solution

Transcript of Cidway Byod Authentication

Page 1: Cidway Byod Authentication

Discover the future of security on www.cidway.com

Swiss Consulting Association – 26.09.2012 by: Laurent FILLIAT

BRING YOUR OWN DEVICE non intrusive security solution

Page 2: Cidway Byod Authentication

© 2012 CIDWAY Security SA. All rights reserved – www.cidway.com 2

Agenda

•  Cidway Security SA

•  BYOD: a reality companies have to face

•  BYOD: Corporate Strategy

•  BYOD: key questions to be addressed

•  BYOD Use Case 1: Mobile Authentication

•  BYOD Use Case 2: Mobile Launcher

•  BYOD 2.0

Page 3: Cidway Byod Authentication


CIDWAY – Background

Cidway

•  Created in December 2005

•  Headquarters in Lausanne, CH

•  Sales Offices (CH, UK, MENA, LATAM)

•  Internal R&D & Patent Office

Partners and Customer Services

•  Global presence via partners & resellers

•  Support center for Partners

•  Support portal available for partners

•  Consulting services

CIDWAY’s Vision: Authentication and transactions should be safe, reliable and easy for anyone, anywhere, anytime

This vision is fuelled by:

•  Meeting virtually all authentication requirements

•  Making Authentication & Transactions simple, easy, accessible, secure and user friendly

•  Addressing virtually unlimited vertical applications from one platform

Page 4: Cidway Byod Authentication


Cidway Business Solutions

Consumer Security

•  e/m-Banking

•  e/m-Commerce

•  e/m-Government

•  e/m-Brokerage

•  e/m-Health care

•  e/m-Gaming

•  e/m-Lottery

•  e/m-Loyalty

•  e/m-Payment

Corporate access

•  Corporate resource access

•  VPN access control

•  WiFi HotSpot access

•  Application Access

•  Mobility

•  Document signature corroboration

OEM (Original Equipment Manufacturers)

•  Handset Manufacturers

•  Mobile Application Providers

•  Network Providers

•  Financial Institutions

Homeland Security

•  Pilots authentication

•  Transportation security

•  Two-way authentication

Health Care

•  Access to medical records

•  Process control

•  Document signature corroboration

Page 5: Cidway Byod Authentication


Cidway GAIA / SESAMI Product Line

One server for multiple tokens

•  GAIA SDK: Authentication platform SDK

•  GAIA Server: Authentication platform

•  SESAMI Mobile: Time-based OTP/TDS software token for mobile phones

•  SESAMI Mobile SDK: Time-based OTP/TDS mobile SDK for mobile phones

•  SESAMI SMS: SMS-based OTP for mobile phones

•  Hardware tokens (OATH compliant; Yubikey, KeyFob, Display Cards): convergence of physical & logical access

SDK: Software Development Kit

Page 6: Cidway Byod Authentication

Bring Your Own Device

Page 7: Cidway Byod Authentication


BYOD – a reality companies have to face

According to Forrester (2011), 70% of smartphones belong to users, 12% are chosen from an approved list, and 16% are corporate-issued. Some 65% of tablets belong to users, 15% are chosen from a list, and 16% are corporate-issued.

Forrester’s study of US information workers revealed that 37% are doing something with technology before formal permissions or policies are instituted. Further, a Gartner CIO survey determined that 80% of employees will be eligible to use their own equipment with employee data on board by 2016.

Page 8: Cidway Byod Authentication


BYOD: A matter of Corporate Strategy

•  Not allowed

•  Totally open

•  Agreed Policies & EMM solutions

Page 9: Cidway Byod Authentication


BYOD: Key questions to be addressed

•  Finance: Who pays what (data plan, communications, etc.)

•  Compliance: What regulations govern the data your organization needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on any device that holds data subject to the act.

•  Security: What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)?

•  Applications: What apps are forbidden? IP scanning, data sharing, Dropbox?

•  Agreements: Is there an Acceptable Usage Agreement (AUA) for employee devices with corporate data?

•  Services: What kinds of resources can employees access—email? Certain wireless networks or VPNs? CRM?

•  Privacy: What data is collected from employees’ devices? What personal data is never collected?

•  Legal: Who is responsible in case of a lost or stolen device?

Create the Policy before procuring Technology

Page 10: Cidway Byod Authentication


BYOD Use Case 1: an opportunity for Authentication


Shift cumbersome and expensive hardware to the Mobile

Page 11: Cidway Byod Authentication


BYOD: Key questions to be addressed…

•  Finance: No additional costs to the Employee; Cheaper for Corporate

•  Compliance: Compliant with most regulations (for some solutions).

•  Security: Only a few solutions have the appropriate level of security

•  Applications: Application to be allowed

•  Agreements: Same as with hardware tokens

•  Services: Self-service deployment, low level of support (compared to hardware)

•  Privacy: Does not interfere with, nor collect any data on the device

•  Legal: Same as with hardware tokens

•  Not Intrusive: a simple application, not requiring a container, no interference with personal data, no risk of communications, does not take control of the device…

Page 12: Cidway Byod Authentication


FAQ on Mobile Authentication

•  What are the risks if I lose my phone?

•  What are the risks of downloading a fake application from a public mobile app store?

•  How easy is it to activate the application, and what are the risks during the process?

•  Do I need connectivity to authenticate?

•  What are the risks of brute force, man-in-the-middle and other sophisticated attacks?

•  Did the application pass penetration tests?

•  What coding techniques guarantee top security?

•  Are credentials transmitted over the air? What are the risks?

•  Is it time-based? Challenge-response?

•  What happens when the user changes time zone or the phone clock changes?

•  Does it work on all mobile platforms?

•  Is it possible to customize the application?

•  Can the authentication application be used within another mobile solution, for example for Mobile Banking?

•  Is the solution already deployed and used for mobile authentication and mobile transactions?

•  Does the solution under consideration support real time-based OTP, mutual authentication & transaction signature?

Sesami Mobile is the answer
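Several of the FAQ questions above (is it time-based, is connectivity needed, what happens when the user changes time zone or the phone clock drifts, what about brute force and replay) can be answered concretely with a standard time-based OTP. The block below is an added example written for this transcript; it is not Cidway's SESAMI code nor anything from the original deck. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps) with a server-side drift window and replay protection; the secret, timestamps and window size are constructed for the demonstration.

```python
"""Added example (not Cidway SESAMI code): RFC 6238 time-based OTP with a
clock-drift window and replay protection, illustrating the FAQ points above."""
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # digits shown to the user
DRIFT_WINDOW = 1    # accept codes from +/- this many steps around server time

# Constructed demo secret; a real deployment provisions a per-device secret at activation.
DEMO_SECRET = b"constructed-demo-seed-0123456789"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over the counter floor(unix_time / step), i.e. TOTP (RFC 6238).

    unix_time is seconds since the UTC epoch, so changing the handset's time zone
    does not change the counter; only a wrong absolute clock does. Nothing here
    needs network connectivity: both sides derive the code from the shared secret
    and the current time."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rfc6238_self_check() -> bool:
    """Check the implementation against a published RFC 6238 Appendix B vector."""
    return totp(b"12345678901234567890", 59, digits=8) == "94287082"


def code_for_instant(secret: bytes, when: datetime) -> str:
    """Code for a timezone-aware instant. The same instant written in two zones
    has the same timestamp and therefore the same code."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return totp(secret, int(when.timestamp()))


def timezone_demo() -> Tuple[str, str]:
    """Same instant as 10:00 UTC and as 12:00 in a UTC+2 zone (constructed example)."""
    utc_instant = datetime(2012, 9, 26, 10, 0, tzinfo=timezone.utc)
    local_instant = datetime(2012, 9, 26, 12, 0, tzinfo=timezone(timedelta(hours=2)))
    return code_for_instant(DEMO_SECRET, utc_instant), code_for_instant(DEMO_SECRET, local_instant)


def verify(secret: bytes, candidate: str, server_time: int, window: int = DRIFT_WINDOW) -> Optional[int]:
    """Return the step offset at which candidate matches, or None.

    The window tolerates a slightly drifted phone clock; the constant-time
    comparison avoids leaking how many digits were correct. A 6-digit code with
    a 3-step window still leaves brute force at roughly 3 in a million per try,
    so the server must also rate-limit attempts."""
    for delta in range(-window, window + 1):
        expected = totp(secret, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return delta
    return None


class OtpVerifier:
    """Server-side state for one user: remembers the last accepted counter so a
    code captured in transit cannot be replayed inside the drift window."""

    def __init__(self, secret: bytes, window: int = DRIFT_WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def check(self, candidate: str, server_time: int) -> bool:
        delta = verify(self.secret, candidate, server_time, self.window)
        if delta is None:
            return False
        counter = server_time // STEP_SECONDS + delta
        if counter <= self.last_counter:
            return False                             # already consumed: replay
        self.last_counter = counter
        return True


if __name__ == "__main__":
    print("RFC 6238 vector ok:", rfc6238_self_check())
    print("same instant, two zones:", timezone_demo())
    now = 1348653600                                 # 2012-09-26 10:00:00 UTC, constructed
    code = totp(DEMO_SECRET, now)
    v = OtpVerifier(DEMO_SECRET)
    print("first use accepted:", v.check(code, now + 20))
    print("replay rejected:", v.check(code, now + 20))
```

The drift window and the replay counter are the two server-side decisions the FAQ is really asking about: a wider window makes a slow phone clock tolerable but widens the replay and guessing surface, which is why the verifier stores the last accepted counter and why a real deployment pairs this with attempt rate-limiting.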

Page 13: Cidway Byod Authentication


BYOD Use Case 2: Protect Data Access not the Device

CIO Magazine Online: Mobile device management (MDM) products and services are often the reflexive response to the need for more secure mobile computing, but in many ways that's like using a chainsaw rather than a scalpel to perform surgery. A growing number of secure mobile solution providers say the answer to BYOD is not to control the device, but to control the data access.

SALES REPORTS secured by Cidway Mobile Launcher

Cidway Mobile Launcher: non-intrusive, web-based mobile application (BI, email, reports, etc.)

•  Strong Authentication

•  Mutual Authentication (time-based OTP)

•  No-PIN protection

•  Secure virtual keyboard

•  Jailbreak/Root detection

•  Data encryption

Page 14: Cidway Byod Authentication


BYOD 2.0

BUY YOUR OWN DEVICE

ZDNet: Employees required to buy their own devices for their professional activity: that is the phase 2 of BYOD being considered, for cost-saving reasons, by finance departments. Such a prospect raises many technical questions, but above all legal and HR ones.