The Mystery of PKI for Mobile

Mobile PKI

Bringing mobile devices onto an existing enterprise PKI security infrastructure is challenging. That is no mystery; the mystery is how. How does enterprise IT address the demand for mobile without killing an existing PKI security strategy?

IDC predicts the US mobile worker population will hit 105.4 million by the year 2020, approximately 73% of the US workforce. Those are fairly astonishing numbers. We’ve seen the growth of mobile in recent years, but there are still roadblocks when it comes to enterprise rollout of mobile, most notably security fears. Half of businesses admit security is their biggest concern about increasing user mobility. Securing enterprise mobility has been an ongoing and arduous topic for IT security professionals, and the fact that 1 in 5 security professionals have experienced a mobile security breach makes those fears especially understandable.

Maintaining high-assurance security while offering an on-the-go workforce access to company resources has become a balancing act. So much so that a third of businesses actually prevent employee access to company resources via mobile. But this is unlikely to be a long-term or sustainable solution to the problem. How long can you keep employees from using mobile devices at work? It’s only a matter of time before enterprise IT is met with a mob of angry workers, marching the halls, clutching their iPhones and shouting their demands. IT professionals are feeling the pressure to find viable, user-friendly, easy-to-deploy and secure options.

PKI smart card technology for smartphones

We’ve been blogging a bit more lately about PKI and how it’s making a big comeback. PKI provides military-grade security to fight against constant and increasing security threats. So how do we extend PKI, which generally relies on smart cards or USB tokens, to mobile devices, which normally don’t have embedded slots for such form factors? And how do you find a compromise that won’t kill your security strategy?

We recently held a webinar, hosted by Gemalto’s resident PKI mobility expert, Gregory Vigroux.  We highly encourage you to visit our BrightTalk Channel and listen to the replay to get the whole story.  In the spirit of blogging, we’ll offer a quick recap, but the webinar will give you much more detail.

Addressing PKI on smart phones

Let’s take a look at some of the technologies out there for using PKI credentials with mobile devices.

  • Native keystores—the certificate containers built into the mobile operating system.
  • Proprietary keystores—mobile device management (MDM) or enterprise mobility management (EMM) systems that use a combination of software technologies to "hide" credentials inside one single application. Customers use either a proprietary implementation or the native keystore.
  • Hardware-protected keys—tamper-resistant hardware components embedded in the mobile device, such as a TEE or eSE. Used in Apple Pay and Samsung Pay.
  • Derived credentials—created for the US Federal PIV market to solve the mobility issue. Derived credentials (a term coined by NIST) are cryptographic credentials derived from those in a Personal Identity Verification (PIV) card or Common Access Card (CAC) and carried in a mobile device instead of the card.
  • External to the phone—the most secure option. This solution uses an NFC- or Bluetooth Smart-enabled device, external to the smartphone, that acts as a reader. For example, Gemalto MobilePKI solutions provide either a Bluetooth-enabled badge holder or a USB token. You can see how it works in the video Enterprise Mobile Security.
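
The distinction between the first and third options above is whether the private key ever leaves protected hardware. As an added example (not Gemalto's code and not from the webinar), here is how an Android app can generate a signing key in the native keystore and then verify whether the platform actually placed it in a TEE or secure element; the key alias is a placeholder.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

public final class MobileKeyCheck {
    // Hypothetical alias; an enterprise deployment would choose its own naming scheme.
    private static final String ALIAS = "enterprise-auth-key";

    /** Generate a P-256 signing key inside the Android keystore. */
    public static KeyPair generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Require the user to unlock (PIN/biometric) before the key can sign,
                // the mobile analogue of a smart card PIN. Needs a secure lock screen.
                .setUserAuthenticationRequired(true)
                .build();
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }

    /**
     * Ask the keystore where the private key material really lives.
     * true  -> hardware-protected key (TEE/eSE); the key cannot be exported.
     * false -> software-only native keystore; the key is as safe as the OS.
     */
    public static boolean isHardwareBacked(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
        // On API 31+ KeyInfo.getSecurityLevel() gives a finer-grained answer
        // (TRUSTED_ENVIRONMENT vs STRONGBOX); isInsideSecureHardware() works on older levels.
        return info.isInsideSecureHardware();
    }
}
```

A deployment that requires hardware protection should treat a false result as a policy failure and refuse to enroll the device's certificate, rather than silently falling back to a software key.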

So those are some of the key considerations to think about while you’re planning your PKI strategy to address mobility in the enterprise. And we can’t stress enough that planning is one of the most important steps, if not the most important, when implementing a mobile PKI strategy within your organization. Please take an hour and watch the webinar Don’t Let Smartphones Kill Your PKI Security Strategy. You’ll learn much more about the options listed above and the advantages and disadvantages of each.
