Strong Authentication Using Your Mobile Phone

Google has been doing it for years, and now companies ranging from 37 Signals to Microsoft are incorporating it into their cloud-hosted services: phone-based user authentication. Static passwords – the kind everybody uses to check their email, log into Facebook, etc. – are the weak link in online account security, and replacing them with…

Using NSA Tradecraft to Protect Data on Mobile Devices

Congratulations to our fellow members at the Trusted Computing Group for a successful Trusted Computing Conference this week in Orlando. I presented Using NSA Tradecraft to Protect Data on Mobile Devices, and I understand from the conference organizers that the video recording and slides will be posted. Hope to see you next year, same time,…

Check out the new “service capsules” design for http://www.jwsecure.com/

We’ve redesigned the JW Secure home page to focus on our four primary consulting practice areas: Application & Infrastructure Security; Systems Engineering & Development; Data Protection; Network Access & Identity. The service capsules on the new page are the four boxes below the main hero. The new design has more vertical elements than the old…

Secure Time-Bound Data Protection Keys

The TPM 2.0 security chip found in most recent mobile devices supports measurement-bound cryptographic keys: keys the TPM will use only while the platform’s PCRs hold the boot measurements the key was created against. Although effective data loss prevention (DLP) and digital rights management (DRM) depend on a hardware root of trust, and on the issuance of limited user credentials and content licenses, this feature of the TPM remains relatively untapped. We…
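
In TPM 2.0 terms, a measurement-bound key is one created with an authPolicy equal to the digest TPM2_PolicyPCR produces from the expected PCR values; the TPM only satisfies that policy, and so only uses the key, when the live PCRs reproduce the digest. The following added example (not code from the post or from JW Secure) simulates that arithmetic in software: the PCR extend step, the marshaling of a TPML_PCR_SELECTION, and the PolicyPCR digest computation, using the command code and hash algorithm identifier from the TPM 2.0 Library specification. The boot events and the sealed secret are constructed for the demo; a real deployment calls the TPM rather than a simulation.

```python
"""Measurement-bound keys, simulated: PCR extend and the TPM 2.0 PolicyPCR digest.

Added example. TPM_CC_PolicyPCR and TPM_ALG_SHA256 are the values from the TPM 2.0
Library specification, Part 2; the boot log and the secret are constructed here.
"""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM2_PolicyPCR command code
TPM_ALG_SHA256 = 0x000B         # TPMI_ALG_HASH for SHA-256
PCR_BANK_SIZE = 24
ZERO = bytes(32)                # PCRs and the policy digest both start as hash-size zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). One-way; a PCR cannot be un-extended."""
    return sha256(pcr + digest)


def measured_boot(events):
    """Replay (pcr_index, event_data) pairs and return the resulting SHA-256 PCR bank."""
    bank = [ZERO] * PCR_BANK_SIZE
    for idx, data in events:
        bank[idx] = pcr_extend(bank[idx], sha256(data))
    return bank


def pcr_selection(indices, alg=TPM_ALG_SHA256) -> bytes:
    """Marshal a TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION:
    count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bitmap (3 bytes)."""
    select = bytearray(3)
    for i in indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, alg, 3) + bytes(select)


def policy_pcr(bank, indices, old_policy: bytes = ZERO) -> bytes:
    """TPM2_PolicyPCR update:
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    pcr_digest = sha256(b"".join(bank[i] for i in sorted(indices)))
    return sha256(old_policy + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + pcr_selection(indices) + pcr_digest)


def seal(secret: bytes, bank, indices):
    """Stand-in for TPM2_Create with authPolicy: bind the secret to the current PCR state."""
    return {"auth_policy": policy_pcr(bank, indices), "indices": list(indices), "secret": secret}


def unseal(sealed, bank):
    """Release the secret only if the live PCRs reproduce the sealed-in policy digest.
    A real TPM answers TPM_RC_POLICY_FAIL in the mismatch case; here we return None."""
    if policy_pcr(bank, sealed["indices"]) != sealed["auth_policy"]:
        return None
    return sealed["secret"]


# Constructed boot log: firmware configuration into PCR 1, Secure Boot policy into PCR 7.
GOOD_BOOT = [(1, b"firmware-config-v3"), (7, b"secure-boot-db-2013-10")]
TAMPERED_BOOT = [(1, b"firmware-config-v3"), (7, b"secure-boot-disabled")]


def demo():
    """Seal against a known-good boot, then try to unseal after a good and a tampered boot."""
    sealed = seal(b"data-protection-key", measured_boot(GOOD_BOOT), [1, 7])
    return {
        "same_measurements": unseal(sealed, measured_boot(GOOD_BOOT)),
        "tampered_measurements": unseal(sealed, measured_boot(TAMPERED_BOOT)),
    }


if __name__ == "__main__":
    print(demo())
```

The only way to satisfy the policy is to replay exactly the measurements the key was created against, because extend is one-way and a PCR is reset only by a platform reset. A time bound is layered on the same policy chain in real hardware with TPM2_PolicyCounterTimer, which this simulation does not model.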

Trusted Tamperproof Time on Mobile Devices

Data loss prevention (DLP) and digital rights management (DRM) scenarios require a hardware root of trust and a secure time source in order to be effective. Otherwise, DLP and DRM solutions are easily circumvented, and the data they protect are readily compromised. Until recently, such assurance has been prohibitively expensive to achieve on consumer-class hardware….

Layered Security: Using Attributes to Spot Bad Actors

Learn more about layered security, defense in depth, and The Case For Attribute-Based Authorization, in the July 2013 edition of the JW Secure Informer newsletter.

Business Value Proposition for Cloud Identity Management

As businesses expand their mobile and cloud services, the increased complexity of identity management represents both development costs and security risks. Each new service costs developer time and requires secure management of that application’s identity concepts. Redundantly implementing identity management strategies also requires excessive maintenance, and each instance potentially introduces flaws which lead to security…

The Value Proposition of Bring Your Own Device (BYOD) Security

Introduction: A major component of cloud computing strategy is the support of service-connected devices in a variety of scenarios, including entertainment (e.g. the Apple App Store and Netflix) and productivity (e.g. Microsoft Office 365). The intersection between elastic cloud computing services and widely available, sophisticated smartphones and tablets is the origin of the bring-your-own-device (BYOD)…

Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust

Oh, yes! I’m speaking at DefCon again… The topic this time is Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust. And as an added bonus, unlike last year, it looks like I won’t be speaking opposite General Alexander, head of the NSA, in the next room. My new talk builds on the previous…

My new book is out: “The Four Pillars of Endpoint Security”

My second book, The Four Pillars of Endpoint Security: Safeguarding Your Network in the Age of Cloud Computing and the Bring-Your-Own-Device Trend, is now available on Amazon. What are the four pillars of endpoint security? In short, a framework for analyzing and prioritizing security technology investment in the enterprise. The pillars are: Endpoint Hardening; Endpoint…