Operators are building WLAN access into their data strategies, but IT managers are put off by security issues, and users by the multiple log-ons that secure authentication demands. Philippe Martineau, Vice President, WLAN, Gemplus, says the answer is the operators’ secret weapon: the SIM.
Mobile working is all the rage at the moment. Business road warriors have a whole technology arsenal that gives them access to corporate information on the move, such as WLAN access, WiFi hotspots or the latest 3G mobile office cards. Much of the hype around working ‘anytime, anywhere’ is behind us, and this is enabling service providers to step back and take a frank look at the industry. If we are trying to make access to data a permanent right of the working environment, then is it just WLAN access and the odd hotspot that we need?
Securing the assets of corporations and governments has taken on a new priority worldwide. With the ever-increasing sophistication, availability, and ease of use of computer and network hacking tools, remote access pathways into enterprise networks, previously considered secure, are now often virtually unprotected from malicious intruders.
The market opportunity
Most enterprises are keen on increasing productivity by offering employees in the field constant access to their data. As such, mobile network operators have identified an important new revenue stream in securing this access over the wireless network. This has become a key part of many operators’ global strategies.
Several attempts have been made to secure data on computer platforms such as PCs, Macs, smartphones or PDAs. All implementations on such devices are open to potential risks, such as the loading of Trojan horses, worms or viruses. Software applications lack the protective mechanisms often found in dedicated hardware devices (e.g., tamper resistance and physical encapsulation of critical circuitry).
SIMple security
Software tokens provide convenience because they operate on a platform the user already has access to. They do not require application-specific hardware and do not add another piece of equipment. However, they allow an application that previously ran on a secure device to execute on an insecure platform, creating a weak link in the security chain. This is because in a software environment, the application is only as secure as the operating system it runs on.
This is where the smart card comes in. Smart cards are tamper-resistant devices that store and process the information needed for user identification and authentication. Hardware and software countermeasures are built into smart cards to protect them against all kinds of attacks. Thus, smart cards are the most secure token available on the market, while also making the user’s identity portable.
In addition, smart cards, already familiar to subscribers as SIM cards issued by operators, can securely authenticate subscribers using the operator’s existing infrastructure, but are also useful from a billing, quality of service and coverage point of view. As part of a secure corporate access offer, the SIM adds value to a pure network access offer, increasing loyalty from the customer.
Smart card-based solutions are designed to secure access to networks, applications and web servers, secure e-mail communication and strengthen the security of digital communications and Internet transactions.
They combine the privacy, integrity and authentication functionality provided by cryptographic algorithms with the simplicity, portability and convenience of smart cards. Private keys, digital certificates and other personal information are securely stored on the smart card to prevent fraudulent use of the user’s electronic identity.
Securing authentication on public networks
Content service providers currently provide users with passwords for accessing public WLANs. This is a solution that most information systems managers judge insufficient. The risk that malevolent agents corrupt or steal these credentials is increased when they are stored on the PC’s hard drive or other permanent storage, where they are potentially open to unauthorised access and fraudulent use. A more secure alternative is to store the corporate credentials on a removable secure hardware token, which resists attack while keeping the corporate user’s identity portable when changing PCs.
When logging on to the network, a user can be prompted to insert a personal smart card into a PC equipped with a smart card reader and to enter a PIN (Personal Identification Number). This is referred to as a “2-factor authentication” solution, i.e. something you have (the card) and something you know (the PIN). Both must be matched correctly before access to the corporate network is granted.
Bundling mobility and VPN authentication
There are two wireless ways to reach enterprise resources: over GPRS or 3G, or over a WiFi network. Both require the user to go through a two-step process, first authenticating to the wireless service provider and then launching the VPN client software, which demands a second authentication. This lengthy and confusing process does not make for a positive end-user experience.
Access to GPRS/3G networks requires a secure token in the form of a SIM card, and most WLAN solutions are progressively migrating to the EAP-SIM authentication standard, which also uses SIM hardware for secure authentication.
A better option would be to store all credentials in a single secure token allowing both wireless access (GPRS and WiFi) and enterprise access, creating differentiation for the GPRS service provider. Such a solution improves the end-user experience, maintains the highest security levels and offers considerable cost reduction, as a single piece of hardware is shared for multiple uses.
Addressing the multiple smart card location options
A global solution has to address the different implementation modes for the secure token, with the SIM held either in the GPRS modem, in a USB reader or in a GSM phone. For the latter, a dynamic password generator is stored in the SIM that, on demand, creates a One Time Password (OTP) which the user enters manually into the PC. This offers a “non-connected” alternative for people accessing enterprise resources from, for example, a cyber café.
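The non-connected OTP mode described above, with the secret and counter held on the SIM and only a six-digit code typed into the PC, as an added example that is not Gemplus’ code: the page does not name the OTP algorithm, so the HOTP-style counter-based code (RFC 4226 truncation), DEMO_SECRET, the class names and the look-ahead window are assumptions. The verifier side shows why a code that has been used cannot be replayed and how it resynchronises when the user generated codes on the phone without logging on.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: in a real deployment it is provisioned into the SIM and
# the enterprise authentication server and never reaches the PC.
DEMO_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HOTP-style (RFC 4226) truncation; an assumption, the page does not name the algorithm
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SimOtpApplet:
    """Token side: secret and counter stay here; the PC only ever sees the digits."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def generate(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1  # advances even if the user never types the code in
        return otp

class EnterpriseOtpVerifier:
    """Server side: next expected counter plus a look-ahead window for skipped codes."""
    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self._next, self._window = secret, 0, window

    def verify(self, otp: str) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._next = c + 1  # counter moves forward, so a replayed OTP fails
                return True
        return False

def demo() -> tuple:
    """Happy path, replay, a skipped code inside the window, and one beyond it."""
    sim, server = SimOtpApplet(DEMO_SECRET), EnterpriseOtpVerifier(DEMO_SECRET)
    first = sim.generate()
    accepted, replayed = server.verify(first), server.verify(first)
    for _ in range(3):
        sim.generate()  # codes generated on the phone but never used to log on
    resynced = server.verify(sim.generate())
    for _ in range(10):
        sim.generate()  # more skipped codes than the window tolerates
    beyond = server.verify(sim.generate())
    return accepted, replayed, resynced, beyond
```

The window size is the trade-off the enterprise chooses between tolerating unused codes and limiting the number of counters a guessed code is checked against.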
In the past, employees could authenticate for remote access using only a set of valid credentials consisting of a network user name and its associated logon password, the same credentials used to log employees on while at work.
However, the ease of cracking standard passwords has raised IT department concerns to the point that most companies today enforce a “strong” password policy for all network users. The consequence of such a policy is that employees find it very difficult to remember their passwords, hence generating hot line calls for reactivation.
Benefits of a smart card-based solution
Smart cards can protect corporate assets on a number of different levels. The smart card itself is already familiar to end-users. Coupled with a two-factor authentication system, a user must possess both the device itself (the smart card) and the second factor, the PIN.
The ever-increasing memory capacity of smart cards also offers great flexibility: multiple security protocols are supported, from simple password management (Single Sign On applications) to One Time Passwords and public keys.
Additionally, the smart card itself can be integrated into a secure solution in a variety of ways, from USB dongles and GSM mobile phones to GPRS and WLAN PCMCIA modems. Using the smart card to authenticate a user to a public WLAN (PWLAN) can likewise be supported by password-based, OTP or EAP-SIM applications.
The robustness and flexibility of smart card-based solutions is leading industry organisations such as the Liberty Alliance to work with academics, technologists and companies globally to create an environment of ubiquitous access for end users. The Liberty Alliance has defined a concept called the Trusted Module, which shares the smart card’s characteristics of secure memory and secure processing. This is at the heart of its authentication and identity management efforts.
Everybody wins
By leveraging the SIM’s trusted capabilities, service providers can build a WLAN/GPRS data offering as part of a package for enterprise security and mobility. This is achieved by storing the VPN credentials next to the GSM credentials within the same smart card.
This means seamless authentication to the VPN once connected to the network, single sign-on authentication, and WLAN authentication integrated into billing for GSM and GPRS. End-users benefit from convenience and improved mobility; IT managers from greater security, reduced cost and therefore increased productivity; and finally, service providers from increased service uptake, and a seriously good string to their bow.