
Wearable Technology – Security Considerations

Paula E. Skokowski, CMO, Accellion

The European Information Security Summit, London, Feb 2015



Introduction – Accellion Background

2,000+ Enterprise customers

12M+ Users

Customers in more than 57 countries

115% renewal rate

Largest deployment: 100,000+ users at Verizon

Headquarters: Palo Alto, California

Regional Headquarters: London, Australia

Securely Connecting Today’s Mobile Workforce with Enterprise Content

Introduction - Accellion Customer Highlights

kiteworks by Accellion – Secure Mobile Content Platform

Securely Connecting Today’s Mobile Workforce

With Enterprise Content

Secure Mobile Content Platform

Enabling Employees to

Work Securely Wherever on Any Device,

Smartphone, Tablet, Laptop, Wearable


Wearables - What Are We Talking About?


Types of Wearable Devices

Fitness Trackers

Smart Clothing

Google Glass

Virtual Reality

Smart Watches

Not Just for Humans

Wearables and the Premier League - Viper


Wearables in the Enterprise – Improving Productivity


Use Case: Google Glass Emergency Room App


“Working From Home”


Working – “Away From My Desk”


Working - “Out of Office”


“Out of Office” - But Still Productive


Smart Wearable Electronics Projected Growth

Gartner

Over 200 Million Wearable Units by 2018


Wearables – Leveraging New Mobile Features

New Mobile Features

• Accelerometer

• Ambient light sensor

• Barcode scanning

• Bluetooth

• Camera

• Compass

• Face recognition

• Gestures

• GPS

• Gyroscope

• Multi-touch interaction

• Near-field communication

• Proximity sensor

• Speech recognition

• Touch interface

• Video in/out

• Voice output

New Applications

• Secure Image Capture

• Hands-free workflow

• Signature Capture

• Field Measurements

• Geo-location

• Telemedicine

• Field Troubleshooting

• ….


Wearables – Introducing New Security Risks

Enable unauthorized access and misuse of sensitive information

Misuse of video and image capture for invasion of privacy

Use of personal data (PHI) to determine health coverage, credit or employment decisions

Facilitate attacks on other systems

A compromised device could launch a denial of service attack, or send malicious emails

Create risks to personal safety

An attacker could hack into a medical device that delivers insulin and change the settings for delivery of medicine.

Unauthorized access to video or internet connected cameras could jeopardize individual safety

Wearables – Introducing New Privacy Risks

Direct Collection of Sensitive Personal Information

Precise geo-location

Financial account numbers

Health information (PHI)

Collection of Inferred Personal Information & Behavior

Habits

Stress Levels

Location

Personality Type

Sleep patterns

Happiness


Data Minimization

Wearables and IoT pose additional risk from expansive collection and retention of data.

Just because you can collect data doesn’t mean you should

Collect “just enough” data

Limit collection of data

Retain data for only a set period of time

De-identify data collected

Reveal Data Sharing


Wearables Information Data Leakage

Common Sources

No IT Management or Oversight

Lost/Stolen Devices

No PIN Protection

No Encryption

Use of Unapproved Apps

Use of Public Cloud File Sharing Services


Wearables – Information Security

[Diagram: 1. Wearable Devices, 2. Bluetooth Communication, 3. Mobile Apps, 4. Wifi Communication, 5. Cloud Services. Image Source: Gartner]

Wearables Information Security

1. Wearable Devices

2. Bluetooth Communication

3. Mobile App

4. Wifi communication

5. Cloud services

Security Concerns – 1. Wearable Devices

Unauthorized Video and Image Capture

Misuse of Lost and Stolen Devices

Wearables Information Security

1. Wearable Devices

2. Bluetooth Communication

3. Mobile App

4. Wifi communication

5. Cloud services

Security Concerns – 2. Bluetooth Communication

Many wearables use BTLE (Bluetooth Low Energy)

Bluetooth 4.0 includes encryption

Wearables Information Security

1. Wearable Devices

2. Bluetooth Communication

3. Mobile Device and App

4. Wifi communication

5. Cloud services

Security Concerns – 3. Mobile Device and App

Does the mobile app include a secure container for stored data?

Is data stored encrypted?

Can the mobile device be remote wiped?

Is the device PIN password protected?

Is MDM in place?

Wearables Information Security

1. Wearable Devices

2. Bluetooth Communication

3. Mobile Device and App

4. Wifi communication

5. Cloud services

Security Concerns – 4. Wifi communication

Is data encrypted in transit?

Does the app communicate over https?

Wearables Information Security

1. Wearable Devices

2. Bluetooth Communication

3. Mobile Device and App

4. Wifi communication

5. Cloud services

Security Concerns – 5. Cloud services

Is data stored in multiple clouds?

Is data stored encrypted?

Who is data shared with?

Does the user opt-in for use of services?

4 Best Practices for Wearable Information Security

1. Design in Security

2. Provide Security Training

3. Employ Defense-in-Depth

4. Monitor Security

Best Practice 1 – Design in Security

Minimize the data collected and retained

Use smart defaults

Secure the backend data storage

Test security measures

Secure Mobile Container

Image upload directly from the camera – bypass camera roll

Store data in the secure container for offline access

6-digit PIN to access downloaded files/data for offline access

Best Practice 2 – Security Training

Employees are unaware of security risks

Incorporate BYOW into BYOD policy

Train all employees

Retain service providers that meet security standards


Best Practice 3 – Implement Defense-in-Depth

Implement security at multiple levels

Encrypt data in transit and at rest

Require user authentication – including 2FA

Enterprise Grade Encryption

256-bit AES encryption for data-at-rest.

SSL encryption for data-in-motion and file upload/download

Authenticate via LDAP, SSO with SAML/OAuth/Kerberos


Best Practice 4 – Monitor Devices

Track and report all activities in auditable logs

Consider information security over lifetime of the device

Be cognizant of industry and government regulations, e.g., HIPAA

Admin Controls

Whitelist Apps - control which apps can open data.

Selective Remote Wipe – for lost/stolen devices.

Control View/Edit mode for users based on security policy.

Activity Logs - for full audit trail.


Regulations In the Works

Europe’s Article 29 Working Group (September 2014)

Data protection authorities of EU member countries issued an Opinion on Recent Developments on the Internet of Things

“user must remain in complete control of their personal data throughout the product lifecycle, and when organizations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”

oneM2M global standards body (August 2014)

Released a proposed security standard for IoT devices

Addresses authentication, identity management and access control

EU General Data Protection Regulation


Thank You

For more information

www.accellion.com