September 18, 2014, Uplinq 2014, San Francisco, CA – At the session “Shared Responsibility in the Mobile Security Ecosystem”, five industry experts discussed current trends in security for mobile products: Paul Kocher, Chief Scientist of the Cryptography Research Division of Rambus; Coby Sella, CEO of Discretix; Rajiv Dholakia, VP Product Management of Nok Nok Labs; Dror Nadler, SVP, Sales and Strategic Alliances of Cellrox; and Steve Singer, VP, WW Field Applications Engineering of the Mobile and Networking Security Division, INSIDE Secure. The panel was moderated by Asaf Ashkenazi, director of product management for Qualcomm Technologies.
The state of security today is pretty bad and the trends are scary, said Paul Kocher. He stated that fundamentally we do not know how to make complex software secure. We are going to see dynamic growth in the number of different devices, and growth in the value of the information and of the network as well, which means more and more complexity. More devices mean more things to attack, more value means more rewards for attackers if they are successful, and more complexity means more bugs and more opportunities to attack.
Kocher made these statements from the position of having been in the industry for over 15 years, starting in software security. He started in software cryptology and found the software was messing it up, then the training was messing it up, and he decided that this route for cryptology was not going to save the day. He then moved over to hardware-based security that can be optimized for the key use cases. That is the solution he has been providing for the semiconductor industry and mobile devices for several years.
He continued: the threats that we see right now will not match the threats that we are going to see next year. Right now we are only 2-3 bugs away from a compromised software solution space. We are going to see more reasons and more abilities to break into the system. Kocher does not believe that software will provide the solution. Based on his extensive experience, he recommended giving up on the software solution, as it is a moving target, and building hardware that can be robust for these key use cases: main application, communication, and identity. He is optimistic that the prices of transistors will continue to fall. As we add more cores and more area, we can devote a larger portion of that to security, which will enable us to deal with some of the problems without requiring perfection in software programming.
Dholakia, who represented the software company perspective, mentioned that even though the trends are pessimistic, it is good to look at the consequences along two dimensions. One is the security dimension and the other is the business dimension, where security eventually adds friction. There are ways to shape software. We have a once-in-a-lifetime opportunity to reshape the devices that we carry with us or slap around our wrists, so that they have security characteristics more robust than anything we dream of carrying with us. That makes him optimistic.
Singer noted that mobile VPN has been one of INSIDE's areas of expertise since the mid-nineties. They have taken that security component and added layers above it, some of them specifically around authentication. Our mobile devices are the gateways to broader access, so using VPN authentication to establish who the endpoint is becomes instrumental. One area his company works in is running all these functions within their protected silo/trusted execution environment. Singer pointed out that the audience could see a demo specifically highlighting that capability, showcased in the expo hall of the Hilton hotel where the Uplinq conference took place.
He stated that this gives them a two-silo approach: one silo is the authentication components; the other is data encryption. Authentication is something that typically happens once, but if the data is constantly and dynamically being processed, we need another “envelope” to provide another level of security and to validate that the algorithms are running properly. In that case the area of focus is certified libraries. The next area of security is the device itself, which can be stolen, and the contents of its flash can become valuable to someone else. Finally, the other point of challenge in security is the applications themselves. A Gartner report showed that 75% of current apps do not effectively and properly address security.
Nadler talked about the need to virtualize a device to give it the ability to run multiple operating systems. Virtualization in servers was the way to be cost-effective, while in mobile devices it is all about usage.
Sella mentioned that when we talk about breaches, many of them are user-oriented, stemming from problems such as poor passwords. Qualcomm has built a very solid platform with a lot of security capabilities. The challenge is to create a streamlined user experience and also to harness the right type of financial incentives for security. Discretix was one of the first companies to point out the importance of the security of mobile endpoint devices.