Thanks to the folks at CES and the Department of Homeland Security for inviting me to participate on a panel focused on mobile security titled Tale of the Tablet.
The panel focused on hardware, software and social security on mobile devices. If you're curious about the challenges the enterprise is facing securing mobile devices in this "BYOD" (bring your own device) world, you'll enjoy the panel. I was impressed that DHS coordinated a panel like this -- especially that they thought to include a company like Socialize that's focusing on the social privacy & security issues vs. the traditional hardware/software issues facing mobile security. As I said in my intro, "I'm not a hardware or software security guy, but I'm here because often the biggest point of vulnerability in a device is the human using it."
Greg Schaffer, Acting DHS Deputy Undersecretary moderated. Other panelists included:
Here's the panel description:
This panel of public- and private-sector representatives will discuss the complexities the technology industry faces as its consumers become increasingly mobile and the measures to keep these devices secure constantly change. The panel will discuss how manufacturers can continue producing the most up-to-date programs without impeding security. You'll hear from the manufacturers and app developers who are working furiously to create the latest programs to work across multiple operating systems, and from the government divisions and software security developers who are striving to protect consumers with new security applications. The panel will also consider what responsibility the industry should have in assisting consumers to apply stringent cyber security measures at home, and how government collaboration or oversight can factor into the solution. The Department of Homeland Security National Cyber Security Division will moderate the engaging discussion and debate.
Yesterday I moderated a panel on mobile web vs. native apps, courtesy of Digital Media Wire's conference track at the National Association of Broadcasters NABShow conference in Las Vegas. Here's the session description:
Mobile Apps v Mobile Web: What's the Winning Formula? With the proliferation of the Apple iPhone and iPad, Google's Android platform and new Blackberry services, there has been an explosion of growth of mobile applications of all kinds. At the same time, more consumers than ever before are accessing content through the "mobile web", i.e., sites created specifically for mobile devices and accessible through mobile browsers with no download or installation required. With the huge buzz around apps it would seem that mobile applications are taking over, but the race is far from over. This panel will discuss the competing considerations in determining whether to go app or web. Will the "mobile web" eclipse "mobile apps" in the future? Who will be the winners and losers?
The session featured the following panelists:
IS IT SAFE?
“Is it safe?” Sir Laurence Olivier’s line from Marathon Man came back to haunt me this week as I attended a whole series of cyber security conferences, seminars and a Standards launch, culminating yesterday with a speech by the senior editor of The Economist on Snowden and the damage he has done to Western Intelligence. I’m “conferenced-out” and need to recover in time for “The Big One” - UK Government’s own cyber security annual conference (actually GCHQ’s) - IA14 in London on 16 and 17 Jun 14.
Monday was the Security Company’s very popular special interest group meetings on security awareness - SASIG. These meetings have gone from strength to strength - well done Martin Smith - and the theme was the Insider Threat and how business life has changed to a much more wartime-like state of internal vigilance. It’s not so much “Trust No-One” in the office environment, more “Who Are All These People?”. Standards of HR scrutiny need improving, access management deserves greater recognition as an in-depth framework of protection and management needs to sit up and take notice of today’s main security vulnerabilities - lack of timely and dynamic GRC; holistic, comprehensive and in-depth access control (combined physical and cyber); intelligent, innovative and cost-effective recovery and resilience plans when using Cloud services, especially Infrastructure as a Service and Desktops/Workplace as a Service. Lastly, a noted specialist gave an excellent review of Edward Snowden’s life up to when he was hired by the CIA and how the US Government missed all the warning flags. As a result I’ve modified my view on Snowden. It is clear from his background that Snowden is who he is - anyone who had looked at his background would never have employed him on Government contracts. The error is that he was both employed and then cleared to handle the highest classification of information, with system administrator status. The vetting agency, an outsourced company called US Investigations LLC was on a target achievement payment regime and they were behind their targets. Hence quite a number of individuals only got a cursory examination before being cleared. I understand over 650,000 individual investigations for personnel clearance have had to be reviewed and redone. Not surprisingly the company is being sued - http://www.bloomberg.com/news/2014-01-23/security-firm-sued-by-u-s-over-bad-background-checks.html.
Following the Snowden story, Edward Lucas, senior editor of the Economist, gave a refreshing reality check on Snowden and the whole rationale for nation level spying at Acumin’s annual RANT conference in London. To my mind he put the Snowdenistas in their place. His articulation of common sense can be found in his short book “The Snowden Operation”, on sale for less than a pound on Amazon as a Kindle download.
Then on Wednesday Inside Government held an Identity Management conference to better publicise the UK Government’s Identity Assurance Programme - IDAP. IDAP is a version of a SAML 2.0 enabled Federated Identity Management scheme in which the Government does not require you to authenticate directly with it - or with a Government Department - to transact online with Central or Local Government; instead the Public can use a Trusted Third Party with whom they have enrolled their identity and whom Government also trusts to verify who they are. In this way the Government hopes to overcome the privacy objections that stymied the National Identity System (the ID Card). IDAP, predictably, is behind the curve. That’s probably okay, since there are a number of technical and human challenges to overcome: the system will be fairly unique (though others have implemented similar systems); SAML 2.0 (the key identity management protocol) wasn’t really designed for such a large system and has had to be modified; and, most importantly, the Government’s flagship project, “Digital By Default”, the key to the transformation of Government Services (and Government, frankly), depends on secure Identity Management and therefore on IDAP. Politically, therefore, IDAP has to work, and in time for it to be used as one of the success stories in the next election campaign.
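The trust model described above, as an added illustration rather than anything from IDAP or the post itself: the government service (relying party) never sees the citizen's credentials, only a short-lived signed assertion from an identity provider it has enrolled, and it rejects assertions from unknown providers, tampered claims, the wrong audience, or an expired window. The provider names, keys and subject identifiers are constructed, and an HMAC per provider stands in for the XML signatures SAML 2.0 actually uses.

```python
import hashlib
import hmac
import json

# Constructed example: signing keys the relying party has enrolled for each
# trusted identity provider (real IDAP/SAML would hold provider certificates).
TRUSTED_IDP_KEYS = {
    "idp.example-provider-a": b"constructed-key-a",
    "idp.example-provider-b": b"constructed-key-b",
}
SERVICE_ID = "gov.example-service"  # audience every assertion must name


def issue_assertion(idp, key, subject, service_id, now, lifetime=300):
    """Identity provider side: sign a short-lived assertion for one service.
    The citizen authenticated to the provider; only the result travels on."""
    claims = {"iss": idp, "sub": subject, "aud": service_id,
              "iat": now, "exp": now + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_assertion(assertion, now, trusted=TRUSTED_IDP_KEYS, audience=SERVICE_ID):
    """Relying party side: accept the assertion only if it comes from an
    enrolled provider, is unmodified, is addressed to this service and is
    inside its validity window. Returns the subject id, or None on failure."""
    claims = assertion.get("claims", {})
    key = trusted.get(claims.get("iss"))
    if key is None:                       # provider not enrolled with us
        return None
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None                       # claims altered or wrong key
    if claims.get("aud") != audience:     # issued for a different service
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None                       # stale or not yet valid
    return claims["sub"]
```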