Today we saw the announcement of the Samsung smartwatch, Galaxy Gear.
I am certain that this new smartwatch form factor will fill a niche: augmenting the input and output of a (Samsung, initially) mobile phone and device then with further miniaturization, take over more and more of the functionality of the smartphone.
Beyond the cool factor, there are immense and also immediate security benefits to be gained from a smartwatch:
You can use the smartwatch as an "invisible" token. If the watch is on your wrist, an application running on the smartphone, mobile device or even a PC will sense the proximity of the smartwatch and thus authenticate and let you in. Without the smartwatch being nearby, you won't be able to (easily) log into the mobile application. This is very similar to Entrust's mobile phone token paired on Bluetooth with a PC, except now the smartphone is the PC and the token is the smartwatch. Further, it's a lot harder to steal your watch than it is to steal your mobile phone. The watch can also use motion, gait, etc. as extra factors for authentication beyond just "being there." Putting a fingerprint reader on a smartwatch may also be an easy way to authenticate users.
Voiceprint authentication to the watch and through the watch. This is where voice control and voiceprint authentication will come of age. Since the smartwatch lacks any other usable input interface other than voice control, using your voiceprint to authenticate to the 1) smartwatch and its applications and 2) through the smartwatch to the smartphone or mobile device will be the easiest option. We expect that the above use case will give a whole new boost to the voiceprint biometrics market.
In Forrester's 16-criteria evaluation of comprehensive identity and access management (IAM) suites, we identified the nine most significant vendors in the category — Aveksa, CA Technologies, Courion, Dell, IBM, NetIQ, Oracle, Ping Identity, and SecureAuth — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other to help security and risk (S&R) professionals select the right partner for their enterprise, business-to-business, and consumer-facing IAM deployments. Get the document at http://www.forrester.com/The+Forrester+Wave+Identity+And+Access+Management+Suites+Q3+2013/fulltext/-/E-RES99281
All of the fighting has resulted in multiple casualties. BlackBerry couldn't keep up the pace and was eventually chopped off at the knees. Microsoft has yet to gain enough developer volume to be a real threat and will eventually reinvent itself as a new company under new leadership. Third-party app stores are distributed and nimble but really amount to nothing more than splinter groups using guerrilla tactics against the major nation states. They just can't compete in the long term.
In the United States, Google Play and Apple iTunes have become the two superpowers in the mobile app war. With exceptional mobile application uptake, these two players have come to dominate the consumer mobile space. Phones don't sell phones. . .applications sell phones, and these two players have won.
Many of us in the information security space have a proud legacy of only purchasing best in breed point solutions. In my early days as an information security practitioner, I only wanted to deploy these types of standalone solutions. One of the problems with this approach is that it results in a bloated security portfolio with little integration between security controls. This bloat adds unneeded friction to the infosec team’s operational responsibilities. We talk about adding friction to make the attacker’s job more difficult, what about this self-imposed friction? S&R pros jobs are hard enough. I’m not suggesting that you eliminate best in breed solutions from consideration, I’m suggesting that any “point solution” that functions in isolation and adds unneeded operational friction shouldn’t be considered.
Enterprises are struggling to understand the risk and privacy impacts of the mobile applications in use in their environment. As the consumerization of mobile continues to shove BYOD into the enterprise, the number of applications in use is growing exponentially. Organizations must get a better handle on just how much risk is accumulating from the proliferation of mobile apps on their user’s devices.
I'm currently researching a concept designed to help an enterprise know where they are on the mobile application security maturity curve. Understanding where one currently resides is the quickest method to determine the path required to improving your standing in the future.
Does your organization allow BYOD?
Do you inventory all of the mobile applications in use in your environment?
Do you execute security and privacy analysis on mobile applications in an organized fashion?
How do you define and enforce policies around mobile application security?
I’ve created a survey to determine current baseline enterprise mobile application maturity levels. If you are involved in the mobile management and security decisions of your enterprise now is your time to help. Please go to the survey link below and fill out the form. I will summarize some of the findings in a future blog post.
What happens in Vegas shouldn’t stay in Vegas. I was out at BlackHat with other members of the Forrester team over a week ago (seems like yesterday!). It was two jam packed days of popping into briefings, guzzling copious amounts of green tea, and meeting new people and learning new things. In general, I like to keep an eye and ear out for startups to see what’s bubbling up, and came across a few at BlackHat:
Co3 Systems. Co3 Systems* help to automate the four pillars of incident response (prepare, assess, manage, and report) and break down responsibilities and response to ensure best practices are followed along with compliance with regulatory requirements. They just updated their security module to include threat intelligence feeds from iSIGHT Partners, AlienVault, Abuse.ch and SANS, and recently rolled out an EU data privacy and breach notification update to the product. I’m a numbers nerd, so when they let me play with the solution, I immediately started running simulations that estimated the cost of a breach.
FileTrek. FileTrek provides visibility and transparency into where data resides, how it’s being accessed, moved, used, changed, and shared between people, devices, and files. No, it’s not DLP. It’s more like the mother of all audit trails that takes context and sequence of events into account. That way, if someone who is supposed to have access to data starts to do things with it beyond what they normally do, FileTrek will flag it as suspicious activity.
It should come as no surprise that regulators and organizations alike struggle to set and enforce guidelines for social media activity. It’s not just that the rise of social media is rapidly transforming the way we interact with people, customers, and brands; but also how many ways this transformation is happening.
The core issue is that social media alters the way we as individuals share who we are, merging our roles as people, professionals, and consumers. As we share more of ourselves on a growing number of social networks, questions quickly surface:
How frequently and on what social networks should we post?
When should we present ourselves in our professional role versus sharing our personal opinions?
Is it okay to be social media friends with co-workers, clients, or your boss?
These are complicated matters for individuals, and absolute conundrums for organizations concerned with how employees behave and interact with others in, and outside of, the workplace. Their questions are even more complicated:
Can organizations dictate how their employees use social media?
Can they monitor social media conversations or use it to learn more about prospective job applicants?
When does the personal connection allowed by social media tools cross the line from business to personal?
I had a conversation recently with one of the top consumer antivirus companies in the world. What came out of this conversation was very intriguing. The conversation presented a vision into how mobility is shaping consumer views on security and how security of the home might be improved.
The vendor and I began by discussing the rapid growth that homes are seeing in the number of Internet-connected devices. An average person today has approximately five consumer devices connected to the Internet in their home, and the number is growing rapidly. For example, my home has the following devices connected today:
Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of technology descriptions being used by sales and marketing of the vendor offerings. What we considered “Mobile Device Management” yesterday has taken on shades of containerization and virtualization today.
Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and products that the enterprise requires to secure their mobile environment?
In an attempt to help the enterprise S&R professional understand the overlapping descriptions of mobile security products, I am working on new research that will help organize and quantify the market. Understanding the detailed state of each of the technology offerings in the market, and their potential impact on a five- to 10-year horizon, will help enterprises make more-educated purchasing decisions.
To begin the process of covering all of the technologies being offered today, I’ve divided the solutions in the space by technology type. Not only am I analyzing technologies that are available now, but I’m also researching any additional products, services, and vendors in the mobile security space that have innovative new concepts that they are bringing to bear. These new-age offerings will help shape the future of mobile security, and we need to get ahead of the concepts now if we wish to have a better understanding of the impact of the innovation.