Accellion presentation from The European Information Security Summit.
Case study: What are the security ramifications of wearable technology? Entering the world of BYOE
• Understanding the risks of connecting wearable devices to sensitive data without secure solutions
• Consequences of WYOD integration into BYOD
Presented by: Paula Skokowski, CMO, Accellion, USA
Accellion - The European Information Security Summit, London
1. Wearable Technology – Security Considerations
Paula E. Skokowski, CMO, Accellion
The European Information Security Summit, London, Feb 2015
2. Introduction – Accellion Background
2,000+ enterprise customers
12M+ users
Customers in more than 57 countries
115% renewal rate
Largest deployment: 100,000+ users at Verizon
Headquarters: Palo Alto, California
Regional Headquarters: London, Australia
Securely Connecting Today’s Mobile Workforce with Enterprise Content
4. kiteworks by Accellion – Secure Mobile Content Platform
Securely Connecting Today’s Mobile Workforce With Enterprise Content
Secure Mobile Content Platform: Enabling Employees to Work Securely Wherever on Any Device (Smartphone, Tablet, Laptop, Wearable)
6. Types of Wearable Devices
• Fitness Trackers
• Smart Clothing
• Google Glass
• Virtual Reality
• Smart Watches
• Not Just for Humans
14. Smart Wearable Electronics Projected Growth
Gartner: Over 200 Million Wearable Units by 2018
15. Wearables – Leveraging New Mobile Features
New Mobile Features
• Accelerometer
• Ambient light sensor
• Barcode scanning
• Bluetooth
• Camera
• Compass
• Face recognition
• Gestures
• GPS
• Gyroscope
• Multi-touch interaction
• Near-field communication
• Proximity sensor
• Speech recognition
• Touch interface
• Video in/out
• Voice output
New Applications
• Secure Image Capture
• Hands-free workflow
• Signature Capture
• Field Measurements
• Geo-location
• Telemedicine
• Field Troubleshooting
• ….
16. Wearables – Introducing New Security Risks
Enable unauthorized access and misuse of sensitive information
• Misuse of video and image capture for invasion of privacy
• Use of personal data (PHI) to determine health coverage, credit or employment decisions
Facilitate attacks on other systems
• A compromised device could launch a denial of service attack, or send malicious emails
Create risks to personal safety
• An attacker could hack into a medical device that delivers insulin and change the settings for delivery of medicine.
• Unauthorized access to video or internet connected cameras could jeopardize individual safety
17. Wearables – Introducing New Privacy Risks
Direct Collection of Sensitive Personal Information
• Precise geo-location
• Financial account numbers
• Health information (PHI)
Collection of Inferred Personal Information & Behavior
• Habits
• Stress Levels
• Location
• Personality Type
• Sleep patterns
• Happiness
18. Data Minimization
Wearables and IoT pose additional risk from expansive collection and retention of data.
Just because you can collect data doesn’t mean you should
• Collect “just enough” data
• Limit collection of data
• Retain data for only a set period of time
• De-identify data collected
• Reveal Data Sharing
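As an added example (not code from the Accellion deck), the following applies the data-minimization rules on this slide to constructed wearable telemetry: keep only the fields the stated purpose needs (the deck's flu vs. skin-rash geolocation point), coarsen location, replace the user id with a keyed pseudonym, and discard records older than a set retention window. The purpose names, field names, retention period and key are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed policy: which fields each collection purpose may keep. Location is
# relevant for flu tracking but not for a skin-rash report.
PURPOSE_FIELDS = {
    "flu_tracking": {"symptom", "heart_rate", "geo"},
    "skin_rash_report": {"symptom", "photo_id"},
}
RETENTION = timedelta(days=30)  # assumed "set period of time"


def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed hash so records stay linkable without storing the real id."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_geo(geo):
    """Round lat/lon to one decimal (roughly 11 km) so precise location is not kept."""
    lat, lon = geo
    return (round(lat, 1), round(lon, 1))


def minimize(record: dict, purpose: str, key: bytes, now: datetime):
    """Return the minimized record, or None if it is past retention."""
    allowed = PURPOSE_FIELDS[purpose]
    if now - datetime.fromisoformat(record["timestamp"]) > RETENTION:
        return None  # retention window exceeded: do not keep
    out = {"user": pseudonymize(record["user_id"], key),
           "timestamp": record["timestamp"]}
    for field, value in record.items():
        if field in ("user_id", "timestamp") or field not in allowed:
            continue  # not needed for this purpose: never stored
        out[field] = coarsen_geo(value) if field == "geo" else value
    return out


# Constructed sample records (not real data).
SAMPLE = [
    {"user_id": "u-1001", "timestamp": "2015-02-10T09:00:00+00:00",
     "symptom": "fever", "heart_rate": 92, "geo": (51.5074, -0.1278)},
    {"user_id": "u-1001", "timestamp": "2015-02-10T09:05:00+00:00",
     "symptom": "rash", "photo_id": "p-77", "geo": (51.5074, -0.1278)},
    {"user_id": "u-1002", "timestamp": "2014-12-01T09:00:00+00:00",
     "symptom": "fever", "heart_rate": 80, "geo": (48.8566, 2.3522)},
]
KEY = b"assumed-demo-key"
NOW = datetime(2015, 2, 11, tzinfo=timezone.utc)


def run():
    purposes = ["flu_tracking", "skin_rash_report", "flu_tracking"]
    return [minimize(r, p, KEY, NOW) for r, p in zip(SAMPLE, purposes)]


if __name__ == "__main__":
    for rec in run():
        print(rec)
```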
19. Wearables Information Data Leakage
Common Sources
• No IT Management or Oversight
• Lost/Stolen Devices
• No PIN Protection
• No Encryption
• Use of Unapproved Apps
• Use of Public Cloud File Sharing Services
20. Wearables – Information Security
Diagram of the five segments: (1) Wearable Devices, (2) Bluetooth Communication, (3) Mobile Apps, (4) Wifi Communication, (5) Cloud Services
Image Source: Gartner
21. Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile App
4. Wifi communication
5. Cloud services
Security Concerns (segment 1, Wearable Devices)
• Unauthorized Video and Image Capture
• Mis-use of Lost and Stolen Devices
22. Wearables Information Security (segment 2, Bluetooth Communication)
Security Concerns
• Many wearables use BTLE (Bluetooth Low Energy)
• Bluetooth 4.0 includes encryption
23. Wearables Information Security (segment 3, Mobile Device and App)
Security Concerns
• Does the mobile app include a secure container for stored data?
• Is data stored encrypted?
• Can the mobile device be remote wiped?
• Is the device PIN password protected?
• Is MDM in place?
24. Wearables Information Security (segment 4, Wifi communication)
Security Concerns
• Is data encrypted in transit?
• Does the app communicate over https?
25. Wearables Information Security (segment 5, Cloud services)
Security Concerns
• Is data stored in multiple clouds?
• Is data stored encrypted?
• Who is data shared with?
• Does the user opt-in for use of services?
26. 4 Best Practices for Wearable Information Security
1. Design in Security
2. Provide Security Training
3. Employ Defense-in-Depth
4. Monitor Security
27. Best Practice 1 – Design in Security
• Minimize the data collected and retained
• Use smart defaults
• Secure the backend data storage
• Test security measures
Secure Mobile Container
• Image upload directly from the camera – bypass camera roll
• Store data in the secure container for offline access
• 6 digit PIN to access downloaded files/data for offline access
28. Best Practice 2 – Security Training
• Employees are unaware of security risks
• Incorporate BYOW into BYOD policy
• Train all employees
• Retain service providers that meet security standards
29. Best Practice 3 – Implement Defense-in-Depth
• Implement security at multiple levels
• Encrypt data in transit and at rest
• Require user authentication – including 2FA
Enterprise Grade Encryption
• 256-bit AES encryption for data-at-rest.
• SSL encryption for data-in-motion and file upload/download
• Authenticate via LDAP, SSO with SAML/OAuth/Kerberos
30. Best Practice 4 – Monitor Devices
• Track and report all activities in auditable logs
• Consider information security over the lifetime of the device
• Be cognizant of industry and government regulations such as HIPAA
Admin Controls
• Whitelist Apps - control which apps can open data.
• Selective Remote Wipe – for lost/stolen devices.
• Control View/Edit mode for users based on security policy.
• Activity Logs - for full audit trail.
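The slide asks for auditable activity logs; as an added example (not the deck's or kiteworks' code) the log below records who accessed which PHI record from which device and chains each entry to the previous one with SHA-256, so a verifier run at audit time detects a later edit or deletion. Hash chaining goes beyond what the slide states; the field names and events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous entry's hash and the canonical JSON of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class ActivityLog:
    def __init__(self):
        self.entries = []  # each: {"event": ..., "prev": ..., "hash": ...}

    def record(self, user, action, record_id, device, ts):
        event = {"user": user, "action": action, "record": record_id,
                 "device": device, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev,
                             "hash": entry_hash(prev, event)})

    def verify(self):
        """Return (ok, index of first inconsistent entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def history(self, record_id):
        """All logged activity on one PHI record, e.g. for a HIPAA access report."""
        return [e["event"] for e in self.entries if e["event"]["record"] == record_id]


def demo():
    log = ActivityLog()
    # Constructed events (not real data).
    log.record("dr.a", "view", "MRN-0001", "glass-01", "2015-02-10T09:00:00Z")
    log.record("dr.a", "share", "MRN-0001", "glass-01", "2015-02-10T09:02:00Z")
    log.record("nurse.b", "edit", "MRN-0002", "tablet-07", "2015-02-10T09:10:00Z")
    ok_before, _ = log.verify()
    # Simulate an after-the-fact change to the stored "share" event; the
    # verifier must flag entry 1 because its hash no longer matches.
    log.entries[1]["event"]["action"] = "view"
    ok_after, bad = log.verify()
    return ok_before, ok_after, bad, len(log.history("MRN-0001"))


if __name__ == "__main__":
    print(demo())
```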
31. Regulations In the Works
Europe’s Article 29 Working Group (September 2014)
• Data protection authorities of EU member countries issued an Opinion on Recent Developments on the Internet of Things
• “user must remain in complete control of their personal data throughout the product lifecycle, and when organizations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”
oneM2M global standards body (August 2014)
• Released a proposed security standard for IoT devices
• Addresses authentication, identity management and access control
EU General Data Protection Regulation
32. Thank You
For more information: www.accellion.com
Editor's Notes
A little background about Accellion. The company was started in the late 1990s and in the last few years has evolved to become the leader in providing mobile collaboration and online file sharing solutions.
We have always been focused on delivering solutions to the enterprise and over 2,000 corporations and government agencies across 57 countries worldwide have selected Accellion as their corporate solution. This represents over 12 million users worldwide.
Our customer satisfaction is very high and that’s reflected in our 115%+ renewal rate, which means the customers who started using Accellion solutions 3 – 4 years ago are still our customers – even though our solution has evolved considerably during this time.
The thing that sets Accellion apart is our ability to provide highly scalable and secure enterprise class solutions. Verizon Wireless is one such customer, who has deployed Accellion to support their own highly mobile workforce with currently 100,000+ users on the system.
While we’re headquartered in Silicon Valley, we operate globally with regional headquarters in EMEA and APAC.
Our customers represent the world’s leading organizations that span across verticals such as Legal, Retail, Healthcare, Government, and Technology.
Retailers such as Rolex, Bose, Prada, and Bacardi use our solution to exchange product information securely with their stores, partners, and customers.
Large healthcare and pharmas such as Kaiser Permanente and Pfizer use Accellion to securely handle and share medical information while meeting HIPAA and other compliance requirements.
The companies mentioned here are just a small sample of our 2,000+ customers but do provide a good representation of the leading brands that trust Accellion.
The kiteworks solution by Accellion provides a secure mobile content solution that securely connects today’s mobile workforce with enterprise content.
Mobile workers today need to access enterprise content from a wide variety of devices spanning smartphones, tablets, laptops, desktops and most recently wearable devices. With kiteworks organizations can provide employees the ability to access, share, create and edit enterprise content wherever work takes them.
Kiteworks seamlessly connects with enterprise content stored on premise in ECM systems such as SharePoint, OpenText, and Documentum and also provides secure access to Home Drives and Network File Shares.
In addition, kiteworks provides connection to content stored in cloud storage systems such as Dropbox, Google, OneDrive and Box, providing employees with a single unified window into all their content across all storage systems.
For IT this unified approach to content enables all file activities to be tracked and logged for auditing purposes and demonstration of compliance with regulations such as HIPAA.
Wearables - part of the new classification of devices – collectively called the Internet of Things
Devices or sensors that connect, store, or transmit information with or between each other via the Internet
Wearable devices Introduce new security risks
Question for the audience
1. How many people currently own a wearable device?
2. How many people own more than one wearable device?
3. Unsure - What is a wearable device?
Wearable devices come in a number of form factors. The most popular to date have been the fitness trackers, but for enterprise use the smart watches, augmented reality displays such as Google Glass, and also smart clothing offer the most potential for improving worker productivity.
Wearables are not just for humans – many useful pet wearable devices.
For those interested in sports, some very interesting work is being done using smart clothing to track athlete training and performance in the Premier League. Louis Van Gaal, Manchester United coach, and Oculus Rift
In 2017 smartglasses may begin to save the field service industry $1B per year through improved efficiency: 5.4M field workers saving 1 hr per week
Diagnosing and fixing problems more quickly
The camera on smart glasses will increase usefulness by providing vision-enabled AR apps with instructions and streaming video, which raises employee privacy and enterprise security concerns.
Head mounted displays (HMD) and heads-up displays (HUD) with augmented reality (AR)
Smartglasses could help someone who is fairly new to a role perform as well as a worker with years of experience.
Provide navigation information, maps and directions with arrows superimposed; emergency workers would have a hands-free way to view maps and floor plans
Video collaboration with experts in remote locations results in faster repairs and saves expense of flying out an expert.
Smartglasses – heavy industry, manufacturing, oil and gas
Currently <1% adoption, expected to increase to 10% in 5 years
Accellion has developed a reference application for Google Glass that demonstrates the use of kiteworks to enable access and sharing of confidential Personal Health Information in an Emergency Room setting.
In this reference application an ER doctor is able to scan a bar code to register a patient and is then able to view data from the patient’s health record, all in a hands-free mode. The doctor is also notified when MRI results are available and is able to share the results with other experts for assistance in rapid diagnosis, resulting in improved patient care.
Smart watches offer the opportunity to really work “out of the office”
The form factor of smart watches enables users to easily and discreetly receive notifications and updates to keep work moving forward when outside of the office
Using kiteworks a user can be notified when documents are available and can then share documents and record messages to be delivered along with the docs.
Recent data from Gartner shows that the number of wearable units is expected to rise rapidly, with over 200M devices expected by 2018; wrist-based devices will be dominant, followed by body devices and then head mounted devices
The most exciting applications with wearable devices leverage the unique mobile features such as GPS, voice recognition, and video input and output. These new features make possible new types of applications that were not possible before. The opportunity here is not just to deliver email to a watch but to enable work processes that were not possible before
Along with the development of these new wearable/mobile applications come new security and privacy risks.
Most obvious is the potential to capture data that could be misused, in particular the unauthorized capture of video and images. Even when used for work purposes there is the potential to capture other unintended information, for instance about people in the background.
The privacy concerns regarding wearables come from two sources. The first is the direct collection and handling of sensitive personal information, such as recording the location of people and their health information.
Equally concerning is the collection of inferred personal behavior such as habits, location and stress levels
Data Minimization
Reduces the risk of collecting a large store of data that is enticing to data thieves
Reduces the risk that data will be used in ways contrary to user expectations
Flu example – capturing geolocation is very useful – good example
Skin rash – capturing geolocation may not be directly relevant – bad example
The common sources of data security risk for wearable devices are similar to those for smartphones and tablets.
Information security for wearable devices can be thought of in 5 discrete segments. For organizations that have addressed BYOD, segments 3, 4 and 5 have already been addressed; wearable devices add segments 1 and 2 for consideration from a security perspective.
Information Security
Wearable Device
Bluetooth Communication
Mobile Devices/Apps
Wifi Communication
Cloud Services
According to Gartner, more than 20% of respondents surveyed in early 2014 said they terminated the relationship with a US provider predominantly because of the surveillance allegations that came to the surface as part of the NSA revelations in June 2013.
Here are 4 best practices to consider when thinking about wearable device information security in the enterprise. These best practices are based on recent guidelines published by the Federal Trade Commission (FTC).
Information Security should be designed in. When considering use of wearable devices make sure to do a security review and test of the design.
Look for use of a secure mobile container for storing content locally
Security training should be provided to employees on the security implications and the security policy governing the use of wearable devices. Any 3rd party service providers should meet the security standard outlined in the security policy.
Information security for wearable devices should be considered as defense in depth, i.e. a series of security measures that provide security in layers.
Enterprise grade encryption is essential, including encryption of data at rest and in transit. Wearables should also authenticate via LDAP and SSO.
For information security of wearable devices, the use of these devices should be monitored, tracked and logged for auditable purposes. For compliance with HIPAA it is essential that all sharing, access and editing of personal health information (PHI) is tracked and logged, i.e. organizations must be in control of PHI.
In EMEA there are a number of regulations in process governing the Internet of Things and wearable devices. Organizations should keep up to date with the development of regulations to ensure the use of wearable devices is in compliance.