Securing Multiple Mobile Platforms - ETSI
CPU-based Multi Factor Security
Navin Govind, Founder and CEO, Aventyn, Inc.
ETSI 2010 Security Workshop
Mobile Platform Security Gaps
• Software vulnerabilities, hardware insecurity and weak licensing models have displaced whole solution for securing mobile platforms
• Rapid trends in Cloud, SaaS, VM, Web 2.0+ platforms challenge security, IP protection, device level user security
• Downloaded data rights management needs a reliable enterprise-level security infrastructure
• Multi-core processors are becoming the norm with dedicated L1 cache per core always present
• Applications, System Software, Portals, User and Device need to be secured using multi factor, scalable, low encryption/bit cost secure computing whole solution
Multi Factor Security
• The crux of the idea is to execute security related functions in a processor using known architectural constructs
• Security algorithms are software, user and device platform specific that prevent class break scenarios
• Security algorithms can be reconfigured dynamically for flexibility when device is in connected mode
• The solution is a lightweight “driver” with defined API(s) for securely executing code and retrieving secure data on existing hardware/software platforms
• One-click encryption of system software, OSes, applications, device, data and portals with multi factor authentication using a secure hash of customizable machine and user IDs
CPU-Based Secure Code Execution
• Judiciously utilizes micro-architectural behavior and security features of x86, ARM processor platforms without affecting platform performance
• Robust software encryption solution, secure code execution and run-time integrity verification
• Unique application, user, device ID “Multi Factor Security” authentication, fraud detection and tamper proof solution
• Platform specific algorithms limit class-break scenario to a single user, device and application
• Enforce secure software leasing rights for both locally hosted apps/data and web hosted apps/data
[Diagram: Multi Factor Secure Platform. Labels: Robust HIPAA Manageability; CLIP® Encrypted Applications; Encrypt Patient EMR Data; Secure Health Portal; Tamper Resistant; Encrypted Virtualization; Unique Platform Identification and Authentication; Virtualization Layers; Secure Code Execution* (Intel vPro/VT/TXT, AMD-V, ARM TrustZone)]
*Marks are properties of respective owners
SmartDevice Threat Model Protection
• Preventing malicious code in SmartDevice staging network attacks such as denial of service
• Preventing service frauds such as billing storms
• Unauthorized usage of services remotely when the device is in connected mode
  – Theft of services
  – Unauthorized remote use of devices
    • Use camera, GPS, etc.
  – Data theft over the network
    • Personal data and identity theft
Multi Factor Secure (MFS) Computing
• Code and data are always in encrypted form on the storage media, main memory, buses or on the wire (for downloaded applications)
• Capability to provide execution and processing of above data
  – Securely inside “core” with no visibility outside
  – Tamper proof because of encryption and run-time integrity verification
  – Crypto algorithms are platform specific, which avoids class-break scenario
  – Marginal impact to power/performance
MFS SmartDevice Impact
• Use of ARM TZ in addition to Intel vPro/VT/TXT
  – Symbian, S60 as an ARM OS
• Business transactions, making a voice call, financial transaction, value added service in the device today are centered around SIM
  – For many reasons
    • Manage wide variety of devices with SIM as the common factor
    • Service uniformity across carrier boundaries
• MFS technology provides the capability to base/center the services on the specific device platform for non-SIM device
MFS End-user Scenarios
• SmartDevice is a personal device; even the corporate version
• MFS technology connects service providers to the platform provider complementing SIM
• Business transactions delivered platform specific along with operator based SIM
• Secure applications that are downloaded from App stores
  – Encrypted to prevent malicious and unauthorized usage
• Usage Examples
  – Scalable mobile banking services
    • Device user can switch from carrier X to carrier Y and still continue to bank with the same financial institution
  – Downloaded media and content delivered to authorized platforms
  – Sensitive data cannot be “viewed” on another platform
One-Click Encryption and Authentication
Secure Portals, Data, Content and Devices
Secure Computing Usage and Applications
[Diagram: Internet, with the following labelled groups]
• Internet
  – Hospital EMR – PHI Encryption
  – PCI Security for Services
  – Secure Personal Health Devices
  – Configure Medication & Alerts
• Health Information
  – Encrypt Application, User ID
  – Prevent ID theft and fraud
  – Enables HITECH, HIPAA
• Private IT Infrastructure
  – Secured Applications
  – Provisioning
  – Flexible Licensing
• Payors and Providers
  – Secure Users and Data
  – Scalable Platforms
  – Increased Revenue
• Multiple Platform Support
  – X86 and ARM Specific
  – Win, Linux and Mac OS
  – Citrix, VMware
  – Android, S60, Snapdragon
• Harden Health Applications Software
• Unique Identification and Authentication
• Secure User, Device Centric Data Rights
• Tamper Resistant Device and Data
• Prevent Unauthorized Access to Data
• Secure Multiple, Diverse Devices
• Simple, Flexible and Affordable
One-Click Encryption and Authentication
• Unique and robust software solution for secure code execution and run-time integrity verification
• Multi factor secure identification and authentication of users, devices for increased security and manageability
• Tamper proof software rights management, software activation, distribution and licensing solution
• Reduces virtualization layer threats by securing and hardening hypervisors and custom software containers
• Enforcing improved security policies for auditing, compliance, updates and patches
e-Payment Security Integration
[Diagram: Registration Server; E-Payment Management Server]
Payment Registration Flow
[Diagram label: Client – User Device]
• Client visits registration portal with personal device to create an account
  – Manually enters details for user ID, password, mobile number, CC#, relevant identifiers
• Registration server queries device for unique machine specific IDs, generates a new driver and a lib file and uploads the files to the client device
  – Sys file contains the machine specific algorithms
  – Lib file contains the C API to access the functionality
• Registration server sends encrypted PIN, mobile number, customizable unique IDs etc., to e-payment management server
Payment Transaction Flow
[Diagram: Client – User Device; Web-based StoreFront; e-Payment Management Server]
• User visits provider for services and makes payment with registered user device with opt-in click for pay by e-Payment
• Client sends the encrypted PIN to StoreFront
• StoreFront sends the encrypted PIN, mobile number, merchant ID and the amount to be charged to e-Payment server
• e-Payment Server compares the sent PIN with encrypted PIN, unique ID and returns the appropriate result to StoreFront
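The registration and transaction flows above, sketched as an added example (not Aventyn's code and not from the original slides). The slides do not specify the algorithms, so HMAC-SHA256 stands in for both the machine-specific algorithm and the "encrypted PIN"; `driver_salt`, `device_key`, `protect_pin`, `EPaymentServer`, `run_flow` and all sample values are hypothetical.

```python
import hashlib
import hmac


def device_key(driver_salt: bytes, machine_id: str, user_id: str) -> bytes:
    """Per-device key from a secure hash of the machine and user IDs (assumed scheme)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    fields = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                      for f in (machine_id, user_id))
    return hmac.new(driver_salt, hashlib.sha256(fields).digest(), hashlib.sha256).digest()


def protect_pin(key: bytes, pin: str) -> str:
    """Stand-in for the 'encrypted PIN': a tag only this device's key can produce."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


class EPaymentServer:
    def __init__(self):
        self.records = {}  # mobile number -> protected PIN sent by the registration server

    def enroll(self, mobile: str, protected_pin: str) -> None:
        self.records[mobile] = protected_pin

    def authorize(self, mobile: str, protected_pin: str, merchant_id: str, amount_cents: int) -> dict:
        expected = self.records.get(mobile, "")
        # Constant-time comparison; unknown numbers and bad amounts are declined.
        ok = bool(expected) and amount_cents > 0 and hmac.compare_digest(expected, protected_pin)
        return {"merchant": merchant_id, "amount_cents": amount_cents,
                "result": "APPROVED" if ok else "DECLINED"}


def run_flow(registered_machine: str, paying_machine: str, pin: str = "4821") -> str:
    """Register on one machine, then pay from paying_machine with the same driver and PIN."""
    salt = b"constructed-per-registration-salt"  # constructed; embedded in the generated driver
    user, mobile = "alice", "+15550100"          # constructed sample values
    server = EPaymentServer()
    # Registration: the server derives the key from the IDs it queried from the device.
    server.enroll(mobile, protect_pin(device_key(salt, registered_machine, user), pin))
    # Transaction: the driver re-derives the key from the machine it is running on.
    sent = protect_pin(device_key(salt, paying_machine, user), pin)
    # StoreFront forwards the protected PIN, mobile number, merchant ID and amount.
    return server.authorize(mobile, sent, "M-001", 2500)["result"]


if __name__ == "__main__":
    print(run_flow("MACHINE-A", "MACHINE-A"))  # same device
    print(run_flow("MACHINE-A", "MACHINE-B"))  # driver copied to another device
```

In this sketch the value the client sends is identical for every purchase, so any party that sees it could replay it; binding it to the merchant ID, amount and a server-issued nonce is the usual mitigation.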
Benefits
• Enable more patients to review their health bills and securely pay online or in the office with personal device and public terminals.
• A more compelling one-click encrypted payment option than using a credit card.
• Easy integration with devices, EMR vendors and payers for encrypted 24/7 convenience of patient payment process.
• Deter ID theft and fraud prevention.
• 6-month ROI and long term savings with integrated security framework for accelerated patient payments.
Customizable Multi Factor Security for Content Protection
Conditional Access Today
[Diagram: Content Generation/Playout; Scrambler/Encryptor; Transmission; Descrambler/Decryption; Content Display; Key distribution through a back channel OR key generation using smart card]
Content Protection
• Increasingly content is being viewed in non-broadcast mode
  – Netflix movie downloads, sitcom episodes on iStore, Hulu etc.
• Content watching is increasingly on personal devices
  – Laptops, Netbooks, Smartphones
• Key distribution is still a challenge on general purpose platforms
  – Users generally do not like the idea of attaching a hardware device to personal devices
  – Platform providers do not want to be locked down to a specific hardware content protection device
• Users will tolerate a CA/DRM mechanism if the user experience is transparent
  – Minimum hassles to the end users
• A transparent but robust content protection mechanism will be a win-win-win for content (widget) providers, service providers and end-users
Benefits
• No class-break scenario
• Streamlined key distribution
  – User PIN can still be used (ala debit card)
• Better user experience
  – Utilize hardware based CA mechanisms when needed
• Platform vendors like it because no additional hardware is needed
• Incentive to protect content and IP