Secured Mobility

Informatiebeveiliging: dé succesfactor voor

mobiele toepassingen

dr.ir. Jan van den Berg

Capaciteitsgroep Informatica
Faculteit der Economische Wetenschappen
http://www.few.eur.nl/few/people/jvandenberg/

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Agenda

• Historical perspective
• Why going mobile?
• Secured mobility
• Program of today

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Historical perspective
• Information Security concerns
– Storage
– Communication
• Need for Information Security is as old as ..
• Incentives
– War: Caesar’s struggle against Gallia
– Personal Privacy: Caesar’s correspondence with
Cleopatra
– Business: in ancient Rome, commercial horse relay
messaging services [1]
3

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Information exchange in the past
• > 25 centuries ago: Darius established a courier
messaging service (1600 miles within a week)
• 490 BC: messanger Phidippides in Marathon [2]
• 16th century: regular postal service in England
• 19th century: Reuter’s carrier pigeons [3]
• 20th century: pigeon used in WW1, 2
• 19th century: Morse engineered his telegraph
– 1844: 1th message from Washington to Baltimore
– 1866: 1th permanent transatlantic cable

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Info exchange in the past, cont.
• 1876: telephone is patented by Bell
• Mid-1930s: telex [7]
• Nowadays
– phone, fax, radio, television, SMS, Internet:
email, chat, search, file transfer, and … last:
– mobile connectivity: at any place, anytime,
with anyone
• So what!??

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Agenda

• Historical perspective
• Why going mobile?
• Secured mobility
• Program of today

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Why going mobile?
• What’s new actually?
• Who needs mobile (connectivity)?
• What are the driving forces?
• Who are the M-players?
• What are the sine-qua-non’s?

Secured Mobility, VRISBI-VKA Congress, 29-04-04

 What’s new actually?
• E-commerce: process of
– buying/selling/exchanging
products/services/information
using computer networks [4]
• M-commerce: process of
– buying/selling/exchanging
products/services/information
using mobile networks (adapted from [8])
(i.e., with anyone, anytime, anywhere)

• Ergo, high level of personal mobility is a critical

success factor for M-commerce/connectivity
8

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Who goes mobile?
Clients on the move that
• need information
• balance of bank account
• US interest changes announced by Mr. Greenspan
• latest books, CDs, concerts, …
• communicate with other people:
• phone, email, chat, SMS, …
• do transactions (payment technology: debit, credit, chipknip??)
• shopping, making reservations, …
• (stock) investments
• need a personal information store
• authentication/authorization device: passport, drivers licence
• hospital, ANWB, bonus, … card
• agenda: meetings, to-do-list, addresses, … 9

Secured Mobility, VRISBI-VKA Congress, 29-04-04

What are the driving forces?
• Market
– Sufficiently many clients have trust, go mobile now?
– Companies: competitive advantage, business models?
• Technology: integrated mobile services are
– Available? (standardization, integration with Internet)
– Affordable? (critical mass)
– Secure? (prerequisite for trust)
– Ease of use? (real challenge, includes personalization)
• Society
– Government facilitates and stimulates?
– The press pays attention to it?
– M-commerce is the next natural step?
10

Secured Mobility, VRISBI-VKA Congress, 29-04-04

The players

M-Technology M-services Mobile Clients

providers providers Applications

11

Secured Mobility, VRISBI-VKA Congress, 29-04-04

What are the sine-qua-none’s?
• Power of driving forces like trust by clients
– companies offering M-service applications
– technology: M-security!

• Notes:
– Current Internet-Security is not a trivial
problem
– Secure wireless communication is even much
harder!

12

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Many uncertainties
• M-commerce:
– concerns a (r)evolution?
– you should go for it now (or later)?
– has a real future (or is just a stupid idea)
– business models are ready and ok?
– investors want to put money in it?
– is the new hype (remember Internet..)
– it’s technology converges at high (low) speed?
– can be made secure?
• Some answers today!
13

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Agenda

• Historical perspective
• Why going mobile?
• Secured mobility
• Program of today

14

Secured Mobility, VRISBI-VKA Congress, 29-04-04

General security requirements

Integrity Confidentiality

Accountability

Continuity/Availability

15

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Business Damage

Loosing money

Loosing assets

Loosing business

Loosing reputation

Claims

Loosing knowledge
16

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Security ~ risk management
• Risk assessment
– Risk analysis
– Risk valuation

• Risk treatment

• Residual risk: never 100% secure

17

Secured Mobility, VRISBI-VKA Congress, 29-04-04

What can we do?

• Physical measures

• Organizational measures

• Logical measures

18

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Technology does not solve it all

Security
Security Business
Business
Assessment
Solution
Solution Assessment

PSPG
PSPG
Technical
Technical Organizational
Organizational
Risk
Risk
Management
Management
Legal
Legal Security
Security
Awareness
Awareness

20% 80%
19

Secured Mobility, VRISBI-VKA Congress, 29-04-04

When can we do it?

Threat
Preventative
measures
Incident
Detective
measures
Repressive Damage
measures Corrective
measures
Recovery

20

Secured Mobility, VRISBI-VKA Congress, 29-04-04

M-communication:
security requirements & services

21

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Security mechanisms
• Cryptographic tools: ciphers, keys, …
• PSPG
– Policy statements
– Password distribution and use
– Updating procedures of anti-virus software
– Cryptographic key management
– Incident handling
– ….
• ….
22

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Agenda

• Historical perspective
• Why going mobile?
• How going mobile?
• Program of today

23

Secured Mobility, VRISBI-VKA Congress, 29-04-04

The red line: value chain

1. Ewoud 2. Erik
Mobiele
Technology Mobiele Clients
dienst--
dienst
leverancier toepassing
leverancier
3. Sjouke 4. Paskal
Beveiliging
5. René

24

Secured Mobility, VRISBI-VKA Congress, 29-04-04

Program details
• 10.45 – 11.30u, Ewoud van den Boom (Microsoft):
“Visie ontwikkeling mobiele toepassingen”
Pauze
• 11.45 – 12.30u, Erik van Zegveld (VKA):
“Mobiliteit in de samenleving”
Lunch
• 13.30 – 14.15u, Sjouke Mouw (TUE):
“Mobiele security protocollen”
• 14.15 – 15.00u, Paskal van Lomm (ABN-AMRO)
“Mobiel bankieren”
Pauze
• 15.30 – 16.15u, René van den Assem (VKA)
“Geïntegreerde visie op mobility en security”
25

Secured Mobility, VRISBI-VKA Congress, 29-04-04

References
[1] P. Vervest, Innovation in Electronic Mail, Phd-thesis, Technical
University Delft, 1986
[2] http://www.nationmaster.com/encyclopedia/Marathon,-Greece
[3] http://encyclopedia.thefreedictionary.com/Paul%20Reuter
[4] E. Turban et al., Electronic Commerce, A managerial perspective,
Prentice Hall, 2000
[5] W. van Ginkel, The Other Side of Information Security, lecture
notes (GEM-course), EUR, 2003
[6] G.J. van der Pijl, J. van den Berg, Security and ICT-audit, lecture
notes, EUR, 2003
[7] http://www.brunet.bn/telecom/jtb/telex.htm
[8] N. Sadeh, M-commerce, Technologies, Services, and Business
Models, J. Wiley, 2002 (highly recommended)

26

Secured Mobility, VRISBI-VKA Congress, 29-04-04