TCG activities on Mobile Security standardization. Mr. Janne Uusilehto, Nokia Chairman, TCG MPWG Embedded Security Seminar September 12, 2005

Similar documents
Trusted Platform for Mobile Devices: Challenges and Solutions

Building Digital Key Solution for Automotive

Lecture Embedded System Security Introduction to Trusted Computing

NGN: Carriers and Vendors Must Take Security Seriously

# ROLE DESCRIPTION / BENEFIT ISSUES / RISKS

Strong Security Elements for IoT Manufacturing

Integrated Access Management Solutions. Access Televentures

Apex Information Security Policy

Procedure: Bring your own device

Should You Use Liberty or Passport for Digital Identities?

Trusted Computing Today: Benefits and Solutions

Information Security Management System

Is IT-Virtualisation a Security Panacea? Frank Ackermann, Dipl. Inf. (FH), CISSP

The Oracle Trust Fabric Securing the Cloud Journey

Internal Audit Report DATA CENTER LOGICAL SECURITY

Securing the Distributed Enterprise

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

Mobile Devices prioritize User Experience

GlobalPlatform Trusted Execution Environment (TEE) for Mobile

Computer Security Policy

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

Procurement Language for Supply Chain Cyber Assurance

Product Security Briefing

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Security and Authentication

CyberFence Protection for DNP3

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Adaptive & Unified Approach to Risk Management and Compliance via CCF

Cryptography and Network Security Chapter 1

ICS Security Innovation Asia Pacific ICS Security Summit. Singapore 2013

Stand: File: gengler_java_e. Java Community Process: Not perfect, but operating very successfully

HP Security Solutions for business PCs. Comprehensive protection measures so you can work smarter and with greater confidence.

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

Trusted Computing Group

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Cisco ASA 5500 Series IPS Edition for the Enterprise

Management Information Systems. B15. Managing Information Resources and IT Security

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Cyber Security Program

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Lecture Embedded System Security Introduction to Trusted Computing

IoT & SCADA Cyber Security Services

Introduction to Device Trust Architecture

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Checklist: Credit Union Information Security and Privacy Policies

SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE

How DDoS Mitigation is about Corporate Social Responsibility

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Using Biometric Authentication to Elevate Enterprise Security

The Honest Advantage

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Mastering The Endpoint

CSci 530 Final Exam. Fall 2007

Security Architecture

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

deep (i) the most advanced solution for managed security services

Wireless LAN Security (RM12/2002)

Timing in Cyber Physical Systems. Marc Weiss, Ph.D. NIST, Time and Frequency Division WSTS 2015

THE FUTURE IS HYBRID. Patrick Harr. Global Vice President, Cloud Strategy and Solutions Hewlett-Packard Company

The leader in session border control. for trusted, first class interactive communications

RESOLUTION 45 (Rev. Hyderabad, 2010)

Operationalize Security To Secure Your Data Perimeter

Cyber Security and Cyber Fraud

Client Computing Security Standard (CCSS)

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Introduction to Security. Computer Networks Term A15

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

The concept of a storage-centric network which is safe and secure anywhere jointly developed

How Your Organization Can Drive Success in the Age of Digital Disruption

Enabling Innovation in the Digital Economy

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

Information Technology Procedure IT 3.4 IT Configuration Management

Cryptography and Network Security

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Internet of Things Security standards

Bringing Cybersecurity to the Boardroom Bret Arsenault

Threat Control and Containment in Intelligent Networks. Philippe Roggeband - Product Manager, Security, Emerging Markets

Topics. Ensuring Security on Mobile Devices

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Spotlight Report. Information Security. Presented by. Group Partner

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and the Case For Automated Sandboxing

Carbon Black PCI Compliance Mapping Checklist

UNITED STATES OF AMERICA BEFORE THE U.S. DEPARTMENT OF COMMERCE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Managed Security Services - Endpoint Managed Security on Cloud

LINUX SECURITY PRIMER: SELINUX AND SMACK FRAMEWORKS KATHY TUFTO, PRODUCT MANAGER

GSE/Belux Enterprise Systems Security Meeting

PT Unified Application Security Enforcement. ptsecurity.com

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

IoT Security and Risk Management

Transcription:

TCG activities on Mobile Security standardization Mr. Janne Uusilehto, Nokia Chairman, TCG MPWG Embedded Security Seminar September 12, 2005 1

Trusted Computing Definition Hardware and Software behave as designed 2

Why TCG works on mobile security Mobile phones becoming more sophisticated enable them to be used for basic computing tasks Increasing variety and popularity of mobile data services require more trust and security in the device, service, content and network Convergence of Internet and mobile domains require common trust approach 3

Scope of Mobile Phone Work Group The group will work on the adoption of TCG concept for mobile devices to enable different business models in market environment of open terminal platform The group will enhance TCG as needed to address specific features of mobile devices like their connectivity and limited capability 4

Threats for mobile environment Viruses and worms Denial of service Attacks against network Man in the middle attacks Total system crash, permanent damage Transaction data manipulation Violation of privacy: ID applications, personal information Loosing money: e-cash, unauthorized phone calls, etc. Physical attacks (against others equipment) TCG addresses threats from Physical attacks (against own equipment) device architecture level Misuse of personal information Violating copyright protection, copying electronic tickets, etc. Device is portable easy to steal 5

Time is right for mobile security standardization "Despite this intense vendor - and media-driven speculation - the necessary conditions required for viruses or worms to pose a real rapidly spreading threat to more than 30 percent of "A lot of this (cell phone attacks) is hyped to create a enterprise mobile devices will not converge until year-end WDSGlobal 2007 (Gartner) handles data support market calls that for doesn't exist," said Neil MacDonald, group vice IDC Hewlett-Packard, agrees that there is Nokia, unlikely Orange, to president be Sony a and research director major Ericsson outbreak and until T-Mobile. the start In of the 2008 at last Gartner quarter, Inc. it "The market received just 10 end-user enquiries will exist about eventually because the devices are becoming more smart phone viruses out of the 275,000 calls powerful, but the threat today it fielded--equating to 0.0036 percent is minimal of and all overblown." calls. 6

TCG Mobile Deliverables Use Cases: Consolidated collection of usage scenarios that are describing the usage of mobile devices in trusted environment, concentrated on exploring added value for mobile devices. Requirements: List of high-level requirements (functional and non-functional) related to the adoption of trusted computing platform for mobile devices. Mobile specific specifications: Proposal of extensions and modifications required for TCG main specification to be adopted for mobile devices. 7

TCG Mobile Security roadmap Approval of of mobile use cases Approval of of technical requirements Approval of of mobile specification 1.0 1.0 Product implementations Q2-05 Q3-05 Q4-05 2006 => 8

Benefits of standardized security 1/2 Prevents fragmentation, enhancing interoperability and reducing R&D costs. Allows wider peer review for flaws, hence affecting a higher quality end result Reduces the risks, and increases confidence in manufactureres supporting the required functionality Increases confidence in consumer and business users in trusting their device to work as intended 9

Benefits of standardized security 2/2 Standardized interfaces allow terminal manufacturers to expand their supplier base Standardized interfaces allow hardware component providers to expand their customer base Allows the industry to pool the scarce resource of top experts Allows for the industry to come together and collectively decide priority items 10

TCG Mobile Security Use Cases 11

Introduction These Use Cases intend to outline the application of TCG techniques and specifications to mobile Devices They have been written to: Guide subsequent technical specification work within the Mobile Phone Working Group Ensure that the work of Mobile Phone Working Group meets real industry needs 12

Use Case classification Substantive use cases describe functionality that is likely to be required of all Devices implemented according to the technical specifications (Use Case 1) Application specific use cases describe functionality that may not be required of all Devices implemented according to the technical specifications (Use Cases 2-6) 13

1. Platform Integrity Ensure the use of authorized operating system(s) and hardware Platform integrity maintenance means that the platform HW and principal elements of the platform SW are in the state intended by the Device Manufacturer. Substantive use case Substantive use 14case

2. Device Authentication Assists a Service or Network Provider in end user authentication when the device identity has been bound to an end user identity Prove the identity of the device itself Device should be able to store and protect all identities Device should use the appropriate identities depending on the context Application specific use 15case Application specific use case

3. Robust DRM Implementation By employing trusted computing principles, techniques and specifications, device manufacturers can establish a robust DRM implementation This use case proposes a hardened implementation of the DRM specification Application specific use 16case Application specific use case

4. SIMLock/Device Personalisation Ensure that a mobile device remains locked to a particular network until it is unlocked in an authorized manner Mechanisms to deter device theft need to be in place Subsidising entities need to be assured that End Users cannot move their device to another Network Provider or Service Provider without authorisation Application specific use 17case Application specific use case

5. Secure Software Download Goal for the use case is for the device to securely download application software, application software updates, firmware updates or patches Software download may be triggered by the end user, device manufacturer or network provider Application specific use 18case Application specific use case

6. Secure channel between device and UICC Some security sensitive applications may be implemented partly in the UICC and partly in the device UICC and device should be aware of each others trust status in order to avoid malicious software on the device interfering with applications avoid a compromised device-uicc interface interfering with applications Application specific use 19case Application specific use case

Summary TCG Mobile Phone Work Group works to specify mobile security in device hardware and relevant software layers TCG Mobile Phone Work Group has published a set of use cases to form the basis of the TCG mobile security specification The specification is expected to be ready for product implementations in early 2006 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback