Wearable Technology – Security Considerations
Paula E. Skokowski, CMO, Accellion
The European Information Security Summit, London, Feb 2015
Introduction – Accellion Background
2,000+ enterprise customers
12M+ users
Customers in more than 57 countries
115% renewal rate
Largest deployment
100,000+ users at Verizon
Headquarters
Palo Alto, California
Regional Headquarters
London, Australia
Securely Connecting Today’s Mobile Workforce with Enterprise Content
kiteworks by Accellion – Secure Mobile Content Platform
Securely Connecting Today’s Mobile Workforce
With Enterprise Content
Secure Mobile Content Platform
Enabling Employees to
Work Securely Wherever on Any Device,
Smartphone, Tablet, Laptop, Wearable
Types of Wearable Devices
Fitness Trackers
Smart Clothing
Google Glass
Virtual Reality
Smart Watches
Not Just for Humans
Smart Wearable Electronics Projected Growth
Gartner
Over 200 Million Wearable Units by 2018
Wearables – Leveraging New Mobile Features
New Mobile Features
• Accelerometer
• Ambient light sensor
• Barcode scanning
• Bluetooth
• Camera
• Compass
• Face recognition
• Gestures
• GPS
• Gyroscope
• Multi-touch interaction
• Near-field communication
• Proximity sensor
• Speech recognition
• Touch interface
• Video in/out
• Voice output
New Applications
• Secure Image Capture
• Hands-free workflow
• Signature Capture
• Field Measurements
• Geo-location
• Telemedicine
• Field Troubleshooting
• ….
Wearables – Introducing New Security Risks
Enable unauthorized access and misuse of sensitive information
Misuse of video and image capture for invasion of privacy
Use of personal data (PHI) to determine health coverage, credit or employment decisions
Facilitate attacks on other systems
A compromised device could launch a denial of service attack, or send malicious emails
Create risks to personal safety
An attacker could hack into a medical device that delivers insulin and change the settings for delivery of medicine.
Unauthorized access to video or internet connected cameras could jeopardize individual safety
Wearables – Introducing New Privacy Risks
Direct Collection of Sensitive Personal Information
Precise geo-location
Financial account numbers
Health information (PHI)
Collection of Inferred Personal Information & Behavior
Habits
Stress Levels
Location
Personality Type
Sleep patterns
Happiness
Data Minimization
Wearables and IoT pose additional risk from expansive collection and retention of data.
Just because you can collect data doesn’t mean you should
Collect “just enough” data
Limit collection of data
Retain data for only a set period of time
De-identify data collected
Reveal Data Sharing
Wearables Information Data Leakage
Common Sources
No IT Management or Oversight
Lost/Stolen Devices
No PIN Protection
No Encryption
Use of Unapproved Apps
Use of Public Cloud File Sharing Services
Wearables – Information Security
Diagram (Image Source: Gartner): 1 Wearable Devices, 2 Bluetooth Communication, 3 Mobile Apps, 4 Wifi Communication, 5 Cloud Services
Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile App
4. Wifi communication
5. Cloud services
Security Concerns
Unauthorized Video and Image Capture
Mis-use of Lost and Stolen Devices
Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile App
4. Wifi communication
5. Cloud services
Security Concerns
Many wearables use BTLE (Bluetooth Low Energy)
Bluetooth 4.0 includes encryption
Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile Device and App
4. Wifi communication
5. Cloud services
Security Concerns
Does the mobile app include a secure container for stored data?
Is data stored encrypted?
Can the mobile device be remote wiped?
Is the device PIN password protected?
Is MDM in place?
Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile Device and App
4. Wifi communication
5. Cloud services
Security Concerns
Is data encrypted in transit?
Does the app communicate over https?
Wearables Information Security
1. Wearable Devices
2. Bluetooth Communication
3. Mobile Device and App
4. Wifi communication
5. Cloud services
Security Concerns
Is data stored in multiple clouds?
Is data stored encrypted?
Who is data shared with?
Does the user opt-in for use of services?
4 Best Practices for Wearable Information Security
1. Design in Security
2. Provide Security Training
3. Employ Defense-in-Depth
4. Monitor Security
Best Practice 1 – Design in Security
Minimize the data collected and retained
Use smart defaults
Secure the backend data storage
Test security measures
Secure Mobile Container
Image upload directly from the camera – bypass camera roll
Store data in the secure container for offline access
6 digit PIN to access downloaded files/data for offline access
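A 6-digit PIN gating offline data only works together with two things the slide does not spell out: a slow, salted key derivation and a hard limit on failed attempts, because a million possible PINs is a small space if guesses are free. The following is an added example, not code from the presentation or from kiteworks; the iteration count, the attempt limit and the stored-verifier layout are assumptions, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever derivation a real product uses.

```python
"""Offline secure container unlocked by a 6-digit PIN (added example).

Only a verifier is stored; the content key is the other half of the same
PBKDF2 output and is never written to disk. Too many wrong guesses wipe the
cached data, the same end state as a selective remote wipe.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed; tune to ~100 ms on the target device
MAX_FAILED_ATTEMPTS = 5      # assumed; after this the offline cache is wiped


class SecureContainer:
    def __init__(self, pin):
        if not (len(pin) == 6 and pin.isdigit()):
            raise ValueError("PIN must be exactly 6 digits")
        self.salt = os.urandom(16)            # per-container random salt
        _, self.verifier = self._derive(pin)  # keep only the verifier half
        self.failed_attempts = 0
        self.wiped = False
        self.cached_files = {}                # downloaded data for offline access

    def _derive(self, pin):
        """64 bytes from the PIN: first 32 = content key, last 32 = verifier."""
        material = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt,
                                       PBKDF2_ITERATIONS, dklen=64)
        return material[:32], material[32:]

    def store(self, name, data):
        """Place a downloaded file in the container (plaintext here; a real
        container would encrypt it under the content key)."""
        self.cached_files[name] = data

    def unlock(self, pin):
        """Return the content key on success, None otherwise."""
        if self.wiped:
            return None
        key, verifier = self._derive(pin)
        if hmac.compare_digest(verifier, self.verifier):
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return None

    def wipe(self):
        """Discard cached data and the verifier; the container is then unusable."""
        self.cached_files.clear()
        self.verifier = None
        self.wiped = True


def demo():
    """Correct PIN unlocks; MAX_FAILED_ATTEMPTS wrong guesses wipe the container,
    after which even the correct PIN is refused."""
    c = SecureContainer("482913")  # constructed PIN
    c.store("report.pdf", b"constructed file contents")
    unlocked = c.unlock("482913") is not None
    for _ in range(MAX_FAILED_ATTEMPTS):
        c.unlock("000000")
    return unlocked, c.wiped, c.unlock("482913"), len(c.cached_files)


if __name__ == "__main__":
    print(demo())
```

Storing the verifier half rather than the key itself means that reading the container's metadata off a lost device does not hand over the key; an attacker still has to run the derivation per guess, and the attempt counter ends that after five tries.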
Best Practice 2 – Security Training
Employees are unaware of security risks
Incorporate BYOW into BYOD policy
Train all employees
Retain service providers that meet security standards
Best Practice 3 – Implement Defense-in-Depth
Implement security at multiple levels
Encrypt data in transit and at rest
Require user authentication – including 2FA
Enterprise Grade Encryption
256-bit AES encryption for data-at-rest.
SSL encryption for data-in-motion and file upload/download
Authenticate via LDAP, SSO with SAML/OAuth/Kerberos
Best Practice 4 – Monitor Devices
Track and report all activities in auditable logs
Consider information security over lifetime of the device
Be cognizant of industry and government regulations such as HIPAA
Admin Controls
Whitelist Apps - control which apps can open data.
Selective Remote Wipe – for lost/stolen devices.
Control View/Edit mode for users based on security policy.
Activity Logs - for full audit trail.
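The four admin controls above fit together as a single policy decision per file access. The following is an added example, not code from the presentation or from kiteworks: an app whitelist decides which apps may open a file, a per-role rule decides view or edit, a selective remote wipe revokes enterprise data on one device, and every decision is appended to an activity log. The log entries are chained by SHA-256 so a removed or altered entry is detectable; that chaining is my addition, not something the slide describes. The policy, app ids, users and timestamps are constructed.

```python
"""Admin controls for enterprise content on mobile and wearable devices
(added example). Whitelisted apps, view/edit by role, selective remote wipe,
and a hash-chained activity log."""
import hashlib
import json

# Assumed policy: which apps may open enterprise content, and who may edit.
POLICY = {
    "whitelisted_apps": frozenset({"com.example.kiteworks", "com.example.pdfviewer"}),
    "edit_roles": frozenset({"editor", "admin"}),
}

GENESIS = "0" * 64  # prev_hash of the first log entry


class ContentAdmin:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.wiped_devices = set()
        self.activity_log = []

    def _log(self, **event):
        """Append an entry that carries the hash of the previous entry."""
        event["prev_hash"] = self.activity_log[-1]["entry_hash"] if self.activity_log else GENESIS
        event["entry_hash"] = hashlib.sha256(
            json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.activity_log.append(event)

    def remote_wipe(self, device_id, admin, ts):
        """Selective wipe: revoke enterprise data on one device only."""
        self.wiped_devices.add(device_id)
        self._log(ts=ts, actor=admin, action="remote_wipe", device=device_id, outcome="wiped")

    def open_file(self, user, role, device_id, app_id, filename, ts):
        """Return 'deny', 'view' or 'edit' and log the decision with its reason."""
        if device_id in self.wiped_devices:
            outcome = "deny:device_wiped"
        elif app_id not in self.policy["whitelisted_apps"]:
            outcome = "deny:app_not_whitelisted"
        elif role in self.policy["edit_roles"]:
            outcome = "edit"
        else:
            outcome = "view"
        self._log(ts=ts, actor=user, action="open_file", device=device_id,
                  app=app_id, file=filename, outcome=outcome)
        return outcome.split(":")[0]

    def verify_log(self):
        """Recompute the chain; False if any entry was edited or removed."""
        prev = GENESIS
        for entry in self.activity_log:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed sequence: a viewer and an editor open a file, the editor tries
    an unapproved app, the editor's device is wiped, and access is re-attempted."""
    admin = ContentAdmin()
    r1 = admin.open_file("alice", "viewer", "dev-001", "com.example.kiteworks",
                         "q1-forecast.xlsx", "2015-02-10T09:00:00Z")
    r2 = admin.open_file("bob", "editor", "dev-002", "com.example.kiteworks",
                         "q1-forecast.xlsx", "2015-02-10T09:05:00Z")
    r3 = admin.open_file("bob", "editor", "dev-002", "com.example.socialshare",
                         "q1-forecast.xlsx", "2015-02-10T09:06:00Z")
    admin.remote_wipe("dev-002", "it-admin", "2015-02-10T10:00:00Z")
    r4 = admin.open_file("bob", "editor", "dev-002", "com.example.kiteworks",
                         "q1-forecast.xlsx", "2015-02-10T10:30:00Z")
    return (r1, r2, r3, r4), admin


if __name__ == "__main__":
    results, admin = demo()
    print(results)
    print("log intact:", admin.verify_log())
```

Every outcome, including denials and the wipe itself, lands in the log with the reason, which is what turns the log into an audit trail rather than a success counter; the chain check lets the reviewer trust that trail when the log is later exported for a HIPAA-style review.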
Regulations In the Works
Europe’s Article 29 Working Group (September 2014)
Data protection authorities of EU member countries issued an Opinion on Recent Developments on the Internet of Things
“user must remain in complete control of their personal data throughout the product lifecycle, and when organizations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”
oneM2M global standards body (August 2014)
Released a proposed security standard for IoT devices
Addresses authentication, identity management and access control
EU General Data Protection Regulation