According to security technologist Bruce Schneier: “Modern networks are more like cities, dynamic and complex entities with many different boundaries within them. The access, authorization, and trust relationships are even more complicated.”
Schneier was describing the IT network (in a foreword to Security in 2020), but he could easily have been discussing the mobile network because, thanks to convergence and the developments in mobile broadband, they’re fast becoming one and the same.
Mobile service providers, vendors and end users are subject to similarly significant challenges (and opportunities). For example, how is the switched network to protect itself from the viruses of the IP world, now that LTE is bringing true convergence? Can IP-based services accessed on the mobile device, and tapping into the user’s identity, ever be truly secure? Also, how can consumers protect their data from advertisers and brands bent on gaining as deep an insight as possible into their psyche and buying behaviour? Indeed, do they want to?
There’s a strong argument that consumers are increasingly happy for their personal details, preferences and location to be shared – certainly with friends and colleagues on social networks, but also increasingly on entertainment and gaming networks owned by major corporations. And with the promise of opt-in advertising offering free access to, for example, online music sites such as we7, and reduced tariffs and money-off coupons in the mobile world, more information is being willingly shared.
But move into the world of eHealth and mobile banking and it’s a very different story. Suddenly the user’s identity becomes sacrosanct: a thing to be protected at all costs, and from all comers, whether they be illegitimate hackers or insurance companies for whom health-related data is of premium value (if you’ll excuse the pun).
There are rarely easy answers to such expansive questions, yet they are answers the converged mobile industry must find if we are to capitalise on the huge opportunities offered by a combination of IP, NFC, Machine to Machine and the kinds of services and potential revenue opportunities these deliver.
Today’s SIM, the Universal Integrated Circuit Card (UICC), of course delivers most of the security and functionality, but the core of the discussion rests not on the enabling technology, because it’s already here, but on the business models, the revenue share, and standardisation and regulatory compliance.
And the latter can paint a truly confusing picture. Take the example of mobile banking applications. With NFC and contactless technologies set to be big in 2011, banks and retailers are understandably keen to get customers familiar with using the handset as an account access and payment device.
In today’s app-centric generation, that means offering a download via an app store or more traditional browser access. The problem is that many such ‘mobile specific’ services have vulnerabilities created by the use of the inherently insecure IP channel and compounded by an unclear standards environment.
For example, towards the end of last year PayPal had to patch a security flaw in its iPhone application that made it possible to intercept users’ passwords. Again this week an SMS-spewing Trojan, common in the world of mobile malware, has affected devices running Google's operating system. Similar issues have been highlighted in financial services applications from the United Services Automobile Association and Bank of America – to name just a few. According to reports these have now been fixed, but if nothing else such incidents highlight the critical importance of getting identity management right in a mobile context, preferably using the sort of standardised control mechanisms found on the SIM.
Confidence here is key, and repeats of such incidents will only discourage consumer adoption and make brands reconsider the viability of the mobile channel.
From a health application perspective, protecting the identity and details of the patient is paramount. The fear of electronic patient data being intercepted was, and to a very real degree continues to be, one of the major reasons for the limited adoption of truly connected healthcare networks. Healthcare in the cloud is a scary prospect for regulators and clinicians alike, whether that’s professionals collaborating online or hosting patient records in the cloud. The move to mobile (and the tablet) is perhaps viewed with greater suspicion, although arguably the opportunities for improving patient care are higher.
So we’re right back to the headline issues: how and when to protect identity in the mobile world; when is it acceptable and even preferable to share that data; if it’s being shared, who with and to what end; and where is the opt-in/opt-out dividing line. It’s all getting pretty blurred out there.
The mobile environment is a case in point for Schneier’s view that ‘modern networks are … complex entities with many different boundaries within them’, [making] ‘access, authorization, and trust relationships even more complicated’. The raft of different network standards and the host of access devices, running on discrete operating systems, add a further dimension. Standardised applications are critical here, but judging from the ongoing Apple, Android (and Windows) OS wars, that seems a long way off – but again, this is a business barrier, not a technical one.
For the SIMalliance, the answer lies in the very thing that mobile communications allows us to do well: collaborate. The business and regulatory issues are immense, and it is only by working together and building a cross-industry consensus that consumers, the brand, the network and the specific industry regulators – from advertising to banking – can effectively tie all the elements together.
Today’s SIM is the most widely distributed secure application platform in the world and has a central role to play, but technology alone isn’t going to solve this particularly thorny problem.