
The Security of Executives: A Challenge for CISOs [by Guillaume Tissier, CEIS]

The security of executives’ data represents a real challenge for CISOs and enterprise security experts. Indeed, executives are particularly exposed owing to their roles and the concentration of strategic information that they possess. At the same time, they are very vulnerable owing to the exceptions made to security rules to meet their needs in terms of mobility, productivity and responsiveness.

What are the security needs?

The needs and use cases are many. First and foremost, there are recurring needs (for example, securing phone and email exchanges with the company’s key associates), but there are also occasional needs (a sensitive project such as a merger–acquisition, a board of directors meeting or a management meeting).

In these different scenarios, the challenge is to create a sort of security bubble, which may be occasional or ongoing and internal and/or external, around C-level executives and key business partners, with the ongoing concern of reconciling security and productivity.

The following are some examples of commonly identified needs:

– Traceability and integrity of documents;
– Securing of email exchanges (integrity and confidentiality);
– Secure sharing of documents (integrity and confidentiality);
– Surveillance of email accounts;
– Authentication of electronic signatures and their use in the context of dematerialisation of contractual processes;
– Securing of phone conversations;
– Security of mobile devices; and
– Security of meetings.

What are the features?

Several types of features to respond to these needs may be identified:

– Digital watermarks: This feature adds information to a file for purposes of traceability, copyright protection and verification of integrity. Watermarks may be static or dynamic (for example, a dynamic watermark may display the current user to dissuade the user from distributing a sensitive document bearing their name). Watermarks may also be visible or invisible. (Steganographic techniques are used to create invisible watermarks.) Solutions offering this type of feature are mainly found in the world of the media, where they are used for copyright protection, and the finance industry, where they are used for tracing of contract documents.
– Security data room: This feature aims to share documents within a community (whether in an internal or external infrastructure) by offering various collaborative-work features (workflow, change management, etc.) that include security features (rights management, traceability, watermarking, etc.). The associated software solutions generally come from the world of finance, as they dematerialise data room processes during merger–acquisition operations.
– Securing of mobile devices (mobile device management): The aim is to manage the security of fleets of controlled devices but often also non-controlled devices (under a BYOD or bring your own device policy) by means of back-up features, access to an app library, updating of devices, monitoring, remote access, etc.
– Encryption: Data stored on a digital device (mobile device, wired phone, USB stick, disk, etc.) or exchanged by email, or even phone communications, may be encrypted.
– Email account surveillance: An executive may wish to ensure that no one accesses their email account either internally or externally by setting up discreet surveillance measures around their account.
– Jamming: The aim is to create temporary local jamming (note any legal restrictions) of communications to ensure that very sensitive discussions are kept confidential. The means used in this case are electronic and non-IT means.

To be used by executives, these features must be as transparent and ergonomic as possible. These specific considerations mean that the solutions implemented will not necessarily be security solutions, strictly speaking; instead, they will sometimes be more comprehensive solutions with a “role” feature and certain built-in security features.

What are the solutions in terms of apps?

In terms of apps, several virtual data room solutions offer some or all of these features.

Oodrive (France), for example, offers its iExtranet, DilRoom (for sharing sensitive information in merger–acquisition operations and bankruptcy proceedings) and BoardNox solutions[1] to make it easier to organise management meetings, meetings of boards of directors and supervisory board meetings. BoardNox manages a meeting’s entire life cycle, from the sending of invitations and the reviewing of preparatory documents to the distribution of the report. Important point: these different products run on tablets and smartphones and include a security module dedicated to mobile apps (encryption of stored data, remote deletion of data, etc.). Oodrive also offers an optional HSM (hardware security module) device that generates, stores and protects encryption keys, which ensures that no administration will be technically capable of recovering encryption keys without consent and authorisation.

Another solution dedicated to productivity in management meetings: MeetX from Boardvantage[2] (United States), which includes validation and signature models and also runs on a tablet.
[Figure: BoardNox schema]
Source: http://en.oodrive.com/en/content/boardnox/show

Today, watermarking features that ensure document traceability are less widespread for text documents than for multimedia content. For the moment, they are primarily found in solutions from Intralinks[3] (United States) and RR Donnelley (United States). Intralinks’ offer includes Intralinks Dealspace to manage exchanges of documents in merger–acquisition operations “beyond the firewall”. The company also bought the French start-up Doctrackr in 2014, allowing it to offer the “IRM by design” (information rights management) solution, which brings together encryption and traceability. Each document possesses a unique encryption key, and the solution then allows each user’s rights to be managed at a very fine-grained level. RR Donnelley offers Venue[4], a solution for the finance industry that incorporates a watermark with the current user’s identity and time of access into the PDF documents accessed. This dissuades users from printing and distributing documents.
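As an added illustration (not code from the original article or from any vendor named in it), the following Python embeds an invisible, user-specific watermark into pixel data and recovers it from a copy, which is the traceability mechanism behind both the watermarking item in the feature list and the Venue description above. The image and the signing key are constructed for the demo; stamping a real PDF would apply the same idea through a PDF library.

```python
import hashlib
import hmac
import struct

# Constructed 64x64 grayscale image, one byte per pixel (a real stamp would use decoded image data).
SAMPLE_PIXELS = bytes((x * 7 + y * 13) & 0xFF for y in range(64) for x in range(64))

# Hypothetical server-side key: its tag ties the embedded identity to the server,
# so a recovered mark cannot simply be rewritten to blame another user.
WATERMARK_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 8  # truncated HMAC-SHA256 tag, in bytes


def _bits(data: bytes):
    for byte in data:  # most significant bit first
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def build_payload(user: str, accessed_at: str) -> bytes:
    """length (2 bytes) | 'user|timestamp' | HMAC tag"""
    body = f"{user}|{accessed_at}".encode()
    tag = hmac.new(WATERMARK_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return struct.pack(">H", len(body)) + body + tag


def embed_watermark(pixels: bytes, user: str, accessed_at: str) -> bytes:
    payload = build_payload(user, accessed_at)
    if len(payload) * 8 > len(pixels):
        raise ValueError("image too small for watermark payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit  # each pixel changes by at most 1
    return bytes(out)


def _read_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    value = 0
    for i in range(count * 8):
        value = (value << 1) | (pixels[start_bit + i] & 1)
    return value.to_bytes(count, "big")


def extract_watermark(pixels: bytes):
    """Return (user, timestamp) from a marked copy, or None if no valid mark is present."""
    length = struct.unpack(">H", _read_bytes(pixels, 0, 2))[0]
    if 16 + (length + TAG_LEN) * 8 > len(pixels):
        return None  # length field is noise: unmarked or damaged image
    body = _read_bytes(pixels, 16, length)
    tag = _read_bytes(pixels, 16 + length * 8, TAG_LEN)
    expected = hmac.new(WATERMARK_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # mark absent or tampered with
    return tuple(body.decode().split("|", 1))
```

A least-significant-bit mark survives exact copies but not re-encoding or resizing, which is why commercial products pair invisible marks with a visible identity-and-time stamp such as Venue's.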

Surveillance of executives’ email accounts is another need that is frequently put forward, primarily by the interested parties themselves. The IDECSI ACCESS ANALYZER solution, developed by IDECSI[5] (France), is designed to meet this need. It performs ongoing surveillance of executives’ email accounts, analyses their behaviour using sophisticated analysis technologies and detects and stops abnormal events.
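A minimal version of the abnormal-event detection that mailbox surveillance products perform, added here as an example and not taken from IDECSI or from the article: a baseline of expected actors, locations and clients is run over constructed audit events for one executive mailbox and every deviation is reported, including the classic external forwarding rule. The event format and field names are assumptions.

```python
import json

# Constructed audit events (JSON lines) for one executive mailbox; the format and
# field names are assumptions for this example, not a vendor's log schema.
SAMPLE_EVENTS = """\
{"ts": "2015-09-14T08:02:11Z", "actor": "ceo@example.com", "op": "MailboxLogin", "client": "Outlook", "country": "FR"}
{"ts": "2015-09-14T08:10:40Z", "actor": "assistant@example.com", "op": "FolderBind", "client": "Outlook", "country": "FR"}
{"ts": "2015-09-14T11:45:03Z", "actor": "ceo@example.com", "op": "MailboxLogin", "client": "Outlook", "country": "FR"}
{"ts": "2015-09-14T23:14:52Z", "actor": "ceo@example.com", "op": "MailboxLogin", "client": "IMAP", "country": "RU"}
{"ts": "2015-09-14T23:16:08Z", "actor": "ceo@example.com", "op": "New-InboxRule", "client": "IMAP", "country": "RU", "forward_to": "archive@example.net"}
{"ts": "2015-09-15T07:30:00Z", "actor": "helpdesk@example.com", "op": "Add-MailboxPermission", "client": "PowerShell", "country": "FR"}
"""

# Baseline agreed with the executive: who may open the mailbox, from where, with what.
BASELINE = {
    "allowed_actors": {"ceo@example.com", "assistant@example.com"},
    "usual_countries": {"FR"},
    "usual_clients": {"Outlook", "OWA"},
    "internal_domains": {"example.com"},
}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
PERMISSION_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission"}


def analyse_events(lines: str, baseline=BASELINE):
    """Return [(timestamp, operation, [reasons])] for every event that leaves the baseline."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        reasons = []
        if ev["actor"] not in baseline["allowed_actors"]:
            reasons.append("unexpected actor " + ev["actor"])
        if ev["country"] not in baseline["usual_countries"]:
            reasons.append("unusual country " + ev["country"])
        if ev["client"] not in baseline["usual_clients"]:
            reasons.append("unusual client " + ev["client"])
        # A rule that quietly forwards mail outside the company is a classic sign
        # of a compromised executive mailbox, whoever appears to have created it.
        target = ev.get("forward_to", "")
        if ev["op"] in RULE_OPS and target and target.rsplit("@", 1)[-1] not in baseline["internal_domains"]:
            reasons.append("forwarding rule to external address " + target)
        if ev["op"] in PERMISSION_OPS:
            reasons.append("mailbox permissions changed by " + ev["actor"])
        if reasons:
            alerts.append((ev["ts"], ev["op"], reasons))
    return alerts
```

Legitimate administration (the helpdesk event) still surfaces, which is the point of this kind of surveillance: the executive, not only the admin team, is told whenever their mailbox is touched.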

What are the solutions in terms of mobile device infrastructure?

In terms of infrastructure, it is essential to implement a good mobile device management (MDM) solution to manage a fleet of mobile devices (tablets and smartphones). This is especially true as most apps requested in SaaS form now include a tablet version, particularly to allow executives to access management scorecards from CRM and ERP tools and other software packages. Some examples of MDM solutions are: Good Technology, AirWatch, Check Point, MobileIron and Symantec.

These solutions ensure that data sent to mobile devices, and mobile devices themselves, are secure[6]. However, they generally do not ensure voice encryption, which requires the use of specialised devices. Several solutions (either software or software and hardware) are available on the market today:

– TEOPAD (Thales)[7]: A software solution that runs on Android devices. It comes in the form of a professional workspace containing the secure apps installed on the phone. It does both data encryption and voice encryption.
– Hoox (Bull/Atos)[8]: An Android-based hardware and software solution. It ensures end-to-end encryption of text messages, voice messages, emails and data by means of a hardware component. A company can retain full control and manage its fleet on its own thanks to an MDM feature available with the solution. The solution uses Cryptosmart technology from ERCOM, which has EAL5+ certification for its smartcard part and is used in French administrations.
– Uhuru Mobile from Nov’IT[9]: This Android-based solution ensures encryption of data, conversations and text messages and protection against malicious code. It also provides control of the apps offered and centralised management by means of an MDM console. This solution emerged from efforts co-financed by the French National Digital Company Fund (FSN) as part of the DAVFI anti-virus project.
– BlackPhone 2 from Silent Circle[10]: Unveiled in August 2015 at Mobile World Congress 2015, this device runs on SilentOS, a modified, secure Android-based operating system. Unlike the previous devices, this one targets companies, and its ZRTP protocol allows for calls that are secure from end to end.

Conclusions

The hyper-connectedness of executives today calls for specific consideration of their security needs. Solutions include both dedicated security apps and integration of specific features in generic solutions as well as implementation of an infrastructure base for their mobile devices.

References:

[1] http://www.oodrive.com/fr/solutions-de-partage-de-fichiers-en-ligne/boardnox/show

[2] http://www.boardvantage.com/

[3] https://www.intralinks.com/

[4] http://www.rrdonnelley.com/venue/

[5] http://www.idecsi.com/en/

[6] They also offer a “store” that gives users access to verified apps. On this subject, see the analysis solutions developed by Pradeo (http://pradeo.net/fr-FR/), winner of the innovative SME prize at FIC 2015.

[7] https://www.thalesgroup.com/fr/teopad-solution-de-securite-pour-smartphones-et-tablettes

[8] http://www.bull.com/fr/hoox

[9] https://www.uhuru-mobile.com/

[10] https://silentcircle.com/products-and-solutions/devices/