Kevin Gillick, executive director of GlobalPlatform, a non-profit standards body for secure digital services and devices, shares his views on how security and technology priorities are changing and what should be done in today’s interconnected world.
February 21, 2018 | Neeti Aggarwal
- The critical challenge is how to ensure that security services are compatible across all devices amid the rapid changes that new technologies bring to payment services
- There is a need to uniquely identify every device, mutually authenticate prior to any communication, and monitor devices through their life cycle to counteract security concerns
- One key emerging area of security concern is the adoption of IoT, where a lack of clarity on security standards still remains
Security in technology is only as strong as the weakest link. As a stream of new devices gets added, and new entrants join the financial services networks, ensuring security along with seamless integration becomes a moving target. Adoption of new technologies like the Internet of Things (IoT) could bring the integration of billions of devices, rendering a secure ecosystem essential for end-to-end security, but also more difficult to achieve.
GlobalPlatform has been active in advancing standards to facilitate secure and interoperable management of applications and technology, and is also recognised as the body responsible for the trusted execution environment (TEE). Operating since 1999, it currently has 110 members evenly spread across Europe, North America and Asia.
The changing security challenge
Security challenges and requirements have changed rapidly as new technologies emerge and banks embrace digitisation. Kevin Gillick, executive director of GlobalPlatform, shared his views on how security and technology priorities are changing.
“Managing security used to be simple as the bank used to own the card, product, etc. and there was fairly constrained issuance and life cycle environment with well-defined risk management. But now as payment services have gone digital, reaching consumers through multiple channels, devices and payment instruments connected with cards and IoT objects, the critical challenge is how to ensure that our security services are compatible across all devices and consistent with risk management expectations. The institutions don’t own the devices but manage the risks and consumer experience and require the behaviour of services to be uniform regardless of devices. It is not just security, but the interface, experience, protection and management of applications and relationships across devices,” he said.
While the industry needs to provide business services that are secure and integrated across devices, the threats and challenges in ensuring cybersecurity continue to grow rapidly.
“In an interconnected world we need to be able to uniquely identify every device to prevent incidents like device cloning and counteract security threats. There is a need to mutually authenticate prior to any communication the proof of origin of data and to manage and monitor devices through their life cycle, based on known cybersecurity threats along with ensuring the right access controls. Two secure end points are critical to mitigate threat in this interconnected world, first the server in the cloud and second, the end-point devices with the consumers,” Gillick pointed out.
With increasing attacks, the industry is working towards new algorithms in cryptography to ensure secure communication and information security along with greater crypto-agility for faster transition from one encryption standard to another.
“We are working with members and government agencies around the world to define mechanisms that will permit crypto-agility and, in the future, support for quantum resistant algorithms. Industry standards will need to address this to be ahead of the curve,” he commented.
The financial services industry, more than others, needs to balance technology development against multiple regulatory concerns and compliance requirements, especially with regard to security in technology.
“Key is that the technology we are promoting is not restrictive or prevents alignment with certain regulatory conditions. Governments are very good at creating regulations but they are not very good at explaining how to support a regulatory requirement through technology. For example, around privacy regulation, we came up with a privacy framework which explains how to implement specific privacy attributes and conditions for a secure digital service on a device.”
Managing security in the Internet of Things
One key emerging area of security concern is the adoption of IoT, which promises an interconnected and efficient world that can facilitate greater customer convenience and service, but also increases the threat of fraud and possible cyberattacks. There is still a lack of clarity on security standards for IoT.
“Many IoT objects are coming from relatively new players who are developing products, but are not aware of security technology in other industry verticals. So, to prevent these players from recreating the wheel we are evangelising the existing standards by helping look at sectors like telecoms and payments etc that have long been established and have models for security, data management, life cycle management, application provisioning and application isolation on common platforms,” explained Gillick.
Security requirements for emerging technology in IoT will remain a focus for the organisation in the near future.
“We see more and more discussions on IoT and on security in IoT, and organisational strategies are being built around it. We will see more consciousness around risk assessment. We will see tremendous growth in IoT, but today, comparatively speaking, it is still in its infancy. As the industry matures, we will see more understanding of the vulnerabilities and potential risks, and people becoming more careful of understanding security requirements before going to market,” concluded Gillick.
With its advantage of cross-industry experience and learning, and its ability to facilitate collaboration across industries towards a secure ecosystem, GlobalPlatform has gained traction with over 2,600 professionals from 100 member companies. The growth in adoption is visible: over the previous eight-year period, 22 billion, or 41%, of secure elements were based on its technology, and by the end of 2017, it estimates there are five billion TEE-enabled processors worldwide. Yet, as the technology changes rapidly and as industry and market requirements change, it will need to stay ahead of the curve and ensure that its security standards adapt proactively to not only current but also future technology challenges and security threats.