Gaining Business Value from IoT

Transcription

1 Gaining Business Value from IoT Digital Aviation Conference 2018 Thomas Bengs GM, Head of Biometrics EMEIA Enterprise Cybersecurity EMEIA Human Centric Innovation Co-creation for Success FUJITSU

2 Digital Transformation will enable transport infrastructure providers and operators to realise the vision of Intelligent Mobility by improving access to the transport network providing new ways to optimise supply & demand making journeys more seamless FUJITSU

3 A today`s standard travel process Booking Drive & Parking Check in Check in luggage Security check Immigration Passport control Shopping Lounge Boarding Inflight shopping Destination immigration Rental car Hotel What do all these activities have in common? FUJITSU

4 Your IDENTITY is requested! Each of these listed processes require a kind of identification document National ID card Passport VISA Driver License Boarding Pass Credit Card FUJITSU

5 Does Security meets Convenience? For most of those activities corporations implement combinations of single or multiple different methods to avoid misuse Password, Pin, Airline bonus card, Credit card, Passport, Driver License. Are those methods really safe? NO, because Identity fraud is more or less easy they are not compatible beyond each others or only with massive efforts they are forgotten/lost or manipulated by purpose in case of misuse there is no proof of identity who really performed the activity Most of the identity processes are not secured and they are not convenient FUJITSU

6 STILL TOO MANY ATTACK POINTS for our IDENTITY Screen contents can be read Webcam and microphone (internal/external) can be activated and controlled (room surveillance possible) External HDDs, USBs can install viruses and backdoors unnoticed Remote access Transfer and control of the systems by remote access Access to critical data Administrations can access sensible data unnoticed Communication (Internet/LAN/WAN) Backdoors to active / passive network components Data is intercepted Outgoing data can be intercepted, read and manipulated Main memory saves data unencrypted BIOS, OS, driver, application can contain backdoors Mouse and keyboard input can be read Internal data media (HDD, SSD, DVD) are readable despite encryption Intranet Internet Extranet Cloud Physical access to systems through insufficiently secured access processes Hacker attacks hacker attacks are facilitated by monitoring that is not end-toend; logs can be falsified FUJITSU

7 Identity fraud is around us Terrorist attacks Misuse of social media It takes 20 years to build a reputation and five minutes to ruin it Warren Buffet Financial transactions fraud IP theft 50% of organizations suffered a data breach in 2016 Enterprise data theft/manipulation Cyber attacks Cisco annual Cybersecurity report Ponemon Cost of Data Breach Study FUJITSU

8 A world in motion needs Biometric identification Possible identification methods Precision of Biometrics Risk of Fraud Ownership Knowledge Biometrics To be transferred Yes Yes No To be stolen Yes Yes No To be forgotten Yes Yes No To be copied Yes Yes No To be lost Yes Yes No To be altered Yes Yes No Known methods Keys Password Vein Tokens Pin Iris Smart Cards "Selfie" Fingerprint Face Voice Key stroke Biometrics is the preferred method for secured & convenient identification processes FUJITSU

9 A deeper view to selected biometric modalities Deeper View Comparision Face Recognition Iris Recognition Palm Vein Recognition Security Level LOW-Middle Middle-High Very High Usability Depends on environment Middle Depends on environment Middle Broad Range Convenience factor Fair Fair Fair Privacy Factor (GDPR) Very Low Still High Very High Accuracy / Applicability Low-Middle Middle Very High FUJITSU

10 Biometric identification Secure & Convenient FUJITSU

11 Vision of a seamless Customer journey FUJITSU

12 Use case Berlin airports & Vienna airport Requirements Physical access control / Time & attendance Fast and easy access for airport staff, airline crews, federal police, customs, third parties Secure against authentication fraud Insensitive to environmental influences Robust and reliable high availability Solution PalmSecure-based physical access control terminals & turnstiles Template on card method biometric template is stored on LEGIC smart card 50,000 enrollments Customer benefits High security level true authentication Reduction of administration effort & costs Keyless operation Simplifies the authorization process for new people FUJITSU

13 Biometric applications need a strong IAM Identity Access Management is not just a product it is a SOLUTION Business Identity Management Access Management Business: - Defining the the IAM processes like access rights, protection levels, protected areas, building up a meta directory Membership Access Right Technology: - Interfacing the different applications and platforms to interact together User Roles / Groups Resources Technology IAM starts with identification but it also then includes, the way of communication forward & backward to/from the resources to work with Enterprise Access Management: - Defining access roles / groups - Defining authentication processing - Defining identitity management - Defining external access management FUJITSU

14 Hybrid IT the Fujitsu way On premise IT environment Cloud services of different vendors Microsoft Open and Standard Integration Interfaces Fujitsu Identity as a Service Google Repositories for different user groups Employees Subcontractors Partners Customers On premise Applications Identity Lifecycle Management and Provisioning Access Rights and Control Multiple Authentication Mechanisms Federation to the cloud and on premise Single Sign-On Password Management Biometrics Amazon FUJITSU

15 FIDO the Fujitsu way End user device - mobile phone - tablet - notebook Biometric match on device Match with public key to get application login Login to application Login request to application Private key stored on device Public key FUJITSU

16 FIDO A Japanese Megabank use case The bank starts to provide its mobile banking application as it s first FIDO service. At ATM ATM card-less and 4 digits PIN-less At the counter Passbook-less and Stamp-less Channel collaborations with FIDO authentication On the internet Password-less OTP-less The bank aims to expand FIDO solution to its other channels to solve a problem, as each channel currently requires users of different authentication, and improve service usability. Password and OTP for Internet banking. Password and PIN for ATM Stamp requirement at the counter In addition to Bank, Trust, and Stock Crosschannel, a collaboration of Credit card and Debit card is expected to create more business opportunities. Trust Stock Credit card Debit Card Other areas cross-channel collaboration (Bank, Trust, and Stock) FUJITSU

17 FIDO Security meets Convenience ID / PW OTP FIDO Reuse Hard to remember new ones, often using same ones Not reusable Not reusable Phishing Can be easily snatched High phishing risk Not reusable Only the authentication result is transfered Low risk Key Logger High risk due to physically typing in Not reusable No risk due to biometrics and encrypted keys Complexity of operation For each services it requires an (different) ID / PW For each services it requires an OTP Very easy operation Necessary to change regularly To maintain security level it needs to be frequently changed Not reusable Need not to be changed FUJITSU

18 Privacy is important REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation) article 2 (material scope) section 1, article 4 (definitions) and article 9 (processing of special categories of personal data) Don`t compromise yourself You are all you`ve got Unless every single user has not approved (explicit consent) that his personal data shall be processed for one or more specified purposes any processing/usage of those are strictly prohibited In order to be legally compliant it is mandatory to document such written explicit consent where the scope of processing of personal data is defined and every user signs this prior to registration/enrolment FUJITSU

19 Vielen Dank FUJITSU