The future of the identity ecosystem is mobile
Part of the future of identity series
16 December, 2014
category: Corporate, Digital ID, Government, NFC
By Neville Pattinson, senior vice president, government sales, Gemalto North America
In addition to his position at Gemalto, Pattinson is the technical vice-chairman of the Smart Card Alliance and sits on the board of NSTIC’s Identity Ecosystem Steering Group. He previously served a five-year term on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
According to the Pew Research Center, 90% of American adults have a cell phone and 58% have a smart phone. To take it a step further, 63% of adult cell owners use their phones to go online and 34% of cell Internet users go online mostly using their phones rather than a computer. There is even a word to describe the fear of being without a mobile device: nomophobia.
Our identities, both figuratively and technologically, are tied to our mobile phones. Although most of us recognize that mobile phones are not the most secure way to exchange information and access content, the convenience factor reigns supreme. Even President Obama, when he assumed office, wouldn’t give up his BlackBerry.
So what’s the solution? How do we maintain the freedom and convenience of using one’s own personal device while upholding high security standards? Can it even be done?
The short answer is ‘yes,’ thanks in no small part to our country’s awakened fervor, exemplified in NSTIC.
The current lack of assurance that we are all who we say we are affects both businesses and governments: both are left unable to permit certain online communications from employees’ personal devices because the available authentication mechanisms are inadequate. This is ironic and unfortunate given the growing move toward BYOD workplaces.
The Identity Ecosystem, as envisioned by NSTIC, is an online environment that will enable people to validate their identities securely, with minimal disclosure of their personal information, and to carry out trusted interactions and transactions.
This is something we all need and will all benefit from.
Today, employees work outside the office and must access secure corporate data to conduct daily tasks. A Nasscom/Deloitte report suggested that the global enterprise mobility market opportunity is expected to grow at a compound annual growth rate of 15% to $140 billion by 2020.
Perhaps even more telling, the line between the personal and enterprise sectors is blurring. An Ipsos MORI/Huddle study found that nearly three quarters (73%) of U.S. office workers using enterprise-owned tablets download personal software and apps, while 52% use personal laptops, tablets and smartphones to store and work on enterprise content.
Employees want to access corporate resources – regular mail, encrypted mail, online corporate services – through their mobile phones, and they are doing so whether CIOs and CSOs like it or not. Similarly, corporations and institutions don’t want to constrain their employees by imposing restrictive policies. As many employees are using mobile phones in place of laptops, security solutions on these devices must be on par with security solutions on laptops and desktops.
But the ecosystem is highly fragmented. There are a multitude of smart phones on the market and there is no one method for authentication currently in use.
At the low end of authentication are unmanaged soft credentials, known more commonly as usernames and passwords. Then we have managed soft credentials, like software certificates. Moving on up, there are derived online credentials, such as a secure server in the cloud. Fourth are derived credentials, found on a Universal Integrated Circuit Card (UICC), embedded secure element, or Trusted Execution Environment. Finally, the most secure credentials are smart card credentials.
These are just a few of the choices. But within the BYOD playing field, in order to be the most effective, we need to find a common denominator and standard implementation for secure credentials.
One test bed to consider is the government. Federal employees require secure hardware for handling highly sensitive information. As such, a handset-embedded secure element with a trusted execution environment is the best fit for government employees’ enterprise security applications.
Based on GSMA, Java Card and GlobalPlatform standards, the UICC is the only common denominator for strong credentialing on mobile devices. The most logical choice for the government’s BYOD policy, therefore, is a Common Access Card and/or Personal Identity Verification (PIV) Card credential held in the UICC smart card of a mobile phone.
Importantly, this solution is device agnostic. The secure UICC can be inserted into various mobile devices and can be moved from handset to handset.
The good news is that pilot programs using these secure technologies are already underway. Security and authentication are concerns felt by the C-suite, not just the IT department. These are all positive paradigm shifts. Our goal as a society should be to strive for the day when privacy-enhancing technologies are ubiquitous. I’m confident we’ll get there.