Wibu-Systems Blog, https://www.wibu.com/uk/blog.html (feed dated Thu, 18 Apr 2019 17:12:58 +0200)

A Security Policy Agenda for the Global Economy
by Daniela Previtali, Tue, 09 Apr 2019
https://www.wibu.com/uk/blog/article/a-security-policy-agenda-for-the-global-economy.html

Given the significant impact of the software industry, it is critical to create new policies that generate economic opportunity.

BSA | The Software Alliance released its 2019 Policy Agenda in early February to facilitate discussion and debate around what they believe to be some of the most pressing issues impacting the global economy. As a leading advocate for the global software industry, BSA points out that the software industry supports 10.5 million jobs and adds over $1 trillion to the U.S. economy alone, and because of its significant impact, it is critical to modernize outdated laws and create new policies that generate economic opportunity.

In their Policy Agenda, BSA emphasized 7 core policy areas where their organization was ready to collaborate with the U.S. Congress and Administration:

  • Consumer Data Privacy
  • Smart and Strong Cybersecurity
  • International Data Agreements and Digital Trade
  • Law Enforcement Access to Data
  • Realizing the Potential of Artificial Intelligence
  • Modern Workforce for the Digital Economy
  • Intellectual Property Protection

While we support all of these important policy areas, Wibu-Systems is, of course, particularly interested in intellectual property protection where we have focused our technology efforts for 30 years, and more recently, on industrial cybersecurity in the connected environment of the IoT and Industry 4.0. 

IP protections enable the research and development that drives innovation. As noted by BSA, software accounts for nearly 20% of all business R&D, and strict policies geared to protecting IP are critical to maintaining this investment. However, BSA’s 2018 Global Software Survey found that the use of unlicensed software is still widespread, estimating that 37% of software installed on personal computers worldwide is unlicensed. Furthermore, use of unlicensed software greatly increases the opportunities for malware infections, making the cost impact of unlicensed software even greater. Thus, a global awareness and effort to address the issue continues to be of the utmost importance.

The evolution of connected IoT devices is creating a world of smart homes, smart factories, and smart cities. While this connectivity is serving to fuel our economy and improve our quality of life, it has broadened the attack surface for cybersecurity threats to our connected industries, workplaces, and homes. BSA’s cybersecurity recommendations to protect against these threats include:

  • Establishing risk-based standards for the IoT
  • Ensuring effective and secure supply chain management
  • Strengthening smart cities cybersecurity

For our part, we are actively working with organizations like the Industrial Internet Consortium (IIC) to make our security technologies and expertise available for the greater good. We have played an active role in creating the IIC’s Industrial Internet Security Framework and contributed to the fundamental tenets of Trustworthiness in Industrial System Design.

We are also involved with industry collaborations with companies like Wind River, Infineon, and the Trusted Computing Group to integrate our security technologies into their industry wide solutions. We demonstrated several of these cooperative efforts and use cases at the recent Embedded World and Hannover Messe trade shows in Germany, and will do so again at the upcoming Embedded Technologies Expo & Conference in the USA in June.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

Aligning the Technology with Customer’s Needs
by Daniela Previtali, Thu, 04 Apr 2019
https://www.wibu.com/uk/blog/article/is-your-license-technology-aligned-with-your-customers-needs.html

Whether your decision is driven by technology or market reasons, the migration to CodeMeter is smoother than you may think.

Over the past 30 years, we’ve helped hundreds of companies migrate from their homegrown or vendor-supplied licensing solution to our CodeMeter licensing and protection platform. While there are many reasons why ISVs and embedded systems engineers have evaluated CodeMeter and chosen to migrate, a common thread has emerged: Their current technology is lacking and does not enable them to keep up with the changing business complexities and the protection and licensing needs of their customers. In turn, this struggle has harmed their competitiveness in the market and potentially damaged their long-term customer relationships.

Here is a sampling of conversations we’ve had with our customers that led them to consider migrating their licensing solution to CodeMeter:

“We acquired a couple of companies in the last few years and now we find ourselves with three different licensing solutions in place. Can you please help us run an analysis of which features are crucial to us and consolidate the whole ecosystem?”

“When we started our business, we went for a simple copy protection solution. Now that we have a stable stream of income and even more ambitious plans for the future, we would like to use a more sophisticated license management system. Can you assist us?”

“Our current protection solution focused mostly on code obfuscation. However, we have come to realize that an approach which includes scrambled encryption algorithms and cutting-edge encryption methods is the way to go. What can Wibu-Systems offer in this direction?”

“The IoT is such an exciting opportunity that we decided to extend our portfolio. We would like a single technology for IP protection and license lifecycle management that works with computers, mobile devices, embedded systems, and PLCs. Is CodeMeter the right choice?”

“We are using a world leading IDE for PLCs to develop our IEC 61131 applications, but we feel like more stringent security policies could safeguard our know-how even better. Do you have a module that fully integrates and adds secure key storage, associated with a secure hardware element?”

“If the future is the cloud, we don’t want to miss it. So far, we have been using software and hardware-based license containers, but being able to move our applications as SaaS to the cloud would represent a pivotal business advantage. Is your cloud solution mature enough?”

“With our current licensing system, deploying licenses takes up too much of our valuable time. We want to be able to streamline the complete process in a way that our ERP system automatically does the heavy lifting for us. Which back office platforms do you support?”

“The VARs buying our CodeMeter-secured PLCs have expressed a strong interest in a similar solution that may protect and license the software they sell along with our units. Does your technology provide multivendor capabilities? How can you serve the entire supply chain with the lowest impact possible for all parties involved?”

Beyond these technology and market discussions, we’ve had customers contact us more recently with concerns about their chosen DRM vendor’s commitment to their investment in new technology and ongoing support. Amidst the confusion of mergers and acquisitions and other varied business interests of their suppliers, some ISVs have questioned whether their vendor is truly focused on their licensing technology needs.

If you are thinking about upgrading your current licensing solution, or perhaps you might be considering a new licensing vendor, you have a great opportunity to evaluate CodeMeter and learn more about Wibu-Systems at our upcoming Webinar, Your Migration Map to a Comprehensive Protection and Licensing System, to be held on Wednesday, April 10. You can learn more and register here.


Time for IoT Security Standards?
by Marcellus Buchheit, Tue, 26 Mar 2019
https://www.wibu.com/uk/blog/article/time-for-iot-security-standards.html

The U.S. Congress introduced legislation to address the cybersecurity concerns related to IoT devices.

The U.S. Congress recently introduced legislation to address the growing concern for security on IoT devices purchased by the U.S. government.

Does the proposal go far enough? Let’s take a further look.

Legislators point out that connected devices are expected to exceed 20 billion units by 2020 and they say that insecure IoT devices are one of the “most important emerging cyberthreats” to U.S. national security. While the proposed bill wouldn’t require security standards for all IoT companies, it would require a bare minimum of security standards for any IoT devices that the federal government purchases. Their hope is that by improving security standards for the federal government, which is a prime customer, standards for the entire IoT market would improve along with it.

If the legislation passes, the IoT Cybersecurity Improvement Act would require that the federal government use only IoT devices that meet the IoT security standards recommended by the National Institute of Standards and Technology (NIST).

To get a better idea as to where NIST is focusing their IoT standardization efforts, it helps to read their whitepaper published in October 2018, Internet of Things Trust Concerns. The publication identifies 17 technical trust-related concerns for individuals and organizations before and after IoT adoption. NIST emphasizes that trust should be viewed as a level of confidence. In their white paper, they consider trust on two levels: (1) whether a “thing” or device trusts the data it receives, and (2) whether a human trusts the “things,” services, data, or complete IoT offerings that it uses. This particular document focuses on the human trust, and as such, highlights technical concerns that can negatively affect one’s ability to trust IoT products and services.

The security concerns noted are: Scalability; Heterogeneity; Ownership and Control; Composability, Interoperability, Integration, and Compatibility; “Ilities”; Synchronization; Measurement; Predictability; Testing and Assurance; Certification; Security; Reliability; Data Integrity; Excessive Data; Performance; Usability; and Visibility and Discovery. All of these concerns are described in more detail in the white paper with suggestions, in some cases, to mitigate those risks.

In the security realm, they note that trust is a concern for all “things” in IoT systems. For example, sensor data may be tampered with, stolen, deleted, dropped, or transmitted insecurely, allowing it to be accessed by unauthorized parties. IoT devices may be counterfeited and default credentials used. Furthermore, unlike traditional personal computers, there are few secure upgrade processes for “things,” such as patches or updates.

The document elaborates on the usage of default passwords and credentials, an ongoing problem that has plagued the security community for some time. It further points out the weaknesses inherent in the upgrade process by which manufacturers deliver patches and updates for IoT devices, weaknesses that have yet to be mitigated with standard practices.

Finally, the white paper points out the significant differences in trust concerns for an IoT system compared to traditional IT systems, such as much smaller size and limited performance, larger and more diverse networks, minimal or no user interface, lack of consistent access to reliable power and communications, and many others.

The proposed legislation and NIST’s efforts to propose standardized security guidelines for IoT suppliers to the U.S. government are a move in the right direction. The risks in the IoT clearly necessitate new approaches to device planning and design to develop a firm root of trust in these devices. However, it is a movement that needs to be recognized and embraced by the global community as well.

In parallel to this effort, you might be interested in reading the Industrial Internet Consortium's view on the characteristics of Trustworthiness in Industrial IoT systems, in their Introduction into Trustworthiness.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

CmDongle in a Hyperledger Blockchain
by Andreas Schaad, Wed, 20 Mar 2019
https://www.wibu.com/uk/blog/article/cmdongle-in-a-hyperledger-blockchain.html

Using CmDongles as oracles with a Hyperledger Blockchain in the context of 3D printing applied to a healthcare environment.

Blockchain frameworks enable the immutable storage of data [1,2]. A still open practical question is the so-called “oracle” problem, i.e. the way real-world data is actually transferred into and out of a Blockchain [3] while preserving its integrity.

We present a case study that demonstrates how to use an existing industrial strength secure element for cryptographic software protection (Wibu-Systems CmDongle / the “dongle”) to function as such a hardware-based oracle [8] for the Hyperledger Blockchain framework.

Our scenario is that of a dentist having leased a 3D printer. This printer is initially supplied with an amount of x printing units. With each print action the local unit counter on the attached dongle is decreased and in parallel a unit counter is maintained in the Hyperledger-based Blockchain. Once a threshold is met, the printer will stop working (by means of the cryptographically protected invocation of the local print method). The Blockchain is configured in such a way that chaincode is executed to increase the units again automatically (and essentially trigger any payment processes). Once this has happened, the new unit counter value will be passed from the Blockchain to the local dongle and thus allow for further execution of print jobs.

Introduction

Hyperledger is an open-source framework of Blockchain technologies [2]. It is a so-called permissioned network, where participants are known and have been provided with an identity when joining the network. This allows support for more efficient proof-of-work concepts [2] than in traditional Blockchain frameworks such as Bitcoin [4].

The Wibu-Systems CmDongle is a secure element (a “dongle”) to enable cryptographic software protection and licensing of functionality. It can be attached to a device as a USB token or integrated into an embedded system [5]. Recently, a cloud-based solution has been presented [6].

Software can be cryptographically protected as fine-grained as controlling access to individual methods. A certificate chain rooted at the software vendor controls which customer should have access to which type of functionality (i.e. real-time decryption of code). This setup also supports commercial licensing where the same software is shipped but will be used differently.

The dongle consists of cryptographic hardware for secure key storage. One standard use case for such data is the so-called unit counter, which allows measuring how often a certain action has been performed or which threshold a data value may have reached.

Scenario

A real-world scenario we support is that of a leased industrial 3D printer limited to print only a certain amount of items (e.g. for printing dental inlays directly at a dentist’s workplace). With every print action the unit counter of the attached dongle is decreased by one unit. As soon as the threshold of 0 is reached, the printer will be disabled until the lessee (e.g. the dentist) acquires more print units from the machine’s actual owner via an online portal to obtain an activation code that will reset the unit counter. In parallel, the dentist has to order printing material from another vendor.

The reason why a Blockchain may make sense in this context is in part based on the decision criteria recommended by NIST [1]:

  • We need shared consistent data storage between participants
  • More than one entity needs to contribute data (dentist, machine owner, material supplier)
  • We only need Create and Read but no Update or Delete actions
  • No PII data is required to be stored
  • Our participants have a common economic interest but limited trust
  • Any data storage needs to be immutable

We thus considered using a Blockchain framework for:

  • Storing unit counter data
  • Defining domain logic (smart contracts) that automates transactions between participants in a value chain

As a suitable Blockchain framework we identified Hyperledger [2] which supports:

  • An operational model not based on a crypto currency
  • A private consortium
  • Lightweight consensus models
  • Coordination of participant activity through smart contracts

Figure 1: Blockchain-based value chain

Overall technical setup

Hardware

Our setup consists of several standard Intel NUCs [7] to simulate the entities participating in our scenario. One of the NUCs has an attached dongle and represents the 3D printer. The reason why we chose the largest available form factor of a dongle is because of an integrated LED that allows us to visualize the current unit counter status.

Figure 2: Intel NUCs with one attached Dongle (Wibu-Systems CmDongle) and activated LED (“orange”)

High-level logical Interaction

The interaction between the protected software (e.g. the simulated 3D printer), the secure element and the Hyperledger Blockchain is realized over several interfaces and follows the sequence in figure 3.

Figure 3: Overall Interaction

In a protected application an activity that leads to a unit decrement is invoked via the CmAccess() function. CodeMeter is a locally running background process that controls cryptographic access to protected code. Any such access will request a CmCrypt() operation which will decrease the unit counter on the dongle by one (Figure 4).

Figure 4: Example Java Code Snippets for local (“dongle”) unit counter decrement

Right after the CmCrypt() command we address the Hyperledger network and issue a DecrementUsage API call (by calling a Python script from the Java code in figure 5). We discuss the implementation of this API in the following section on our Hyperledger implementation (Figure 8). This will lead to an immutable decrement of the current unit counter value we defined in the Blockchain (also defined in the following section). More precisely, the series of recorded transactions makes it possible to determine the current (world) state at any time.


Figure 5: Python API call of custom Hyperledger “DecrementUsage” function

Regarding the LED within the dongle, we use green to indicate that sufficient units are available, orange for a currently ongoing decrement operation and red to indicate that no more units are available.

Implementation of a Hyperledger-based value chain

Data Model

Our data model is rather simplistic as defined in figure 6. We distinguish between:

  • asset
  • participant
  • transaction

Assets are modified via transactions and represent our device that works on basis of a unit counter. A participant takes part in the overall value chain. Here “o” refers to an attribute, while “-->” refers to an object.

The usage attribute of the printer defines the currently available units and reflects the unit counter of the CmDongle. The Debt asset is used to reflect that any “refill” of print units will create a relationship between Customer, Lender and Resourcer. Customer in this context is our dentist, Lender is the owner of the machine and Resourcer is the material supplier.

The actual implementation of the DecrementUsage operation, for example, is done via the chaincode (Figure 8).

Figure 6: Hyperledger domain model

Access Control

We defined explicit permissions in an access control list using these entities (Figure 7).

Figure 7: Example rule “Only customer can invoke a DecrementUsage operation on a printer”

Domain Logic / Chaincode

Within our Hyperledger setup we used standard JavaScript to implement the domain logic. This is called chaincode and defines the actions that are executed when an external command from our printer application is received.

Figure 8: Domain Logic / Chaincode that is invoked with transactions

Demonstration

In a first step we imagine that the printer is currently equipped with 5 print units. The local CmDongle reflects this in an immutable fashion (Figure 9).

Figure 9: Local unit counter CmDongle

The same value is maintained in the Blockchain (Figure 10) when querying the Printer asset interface.

Figure 10: Unit counter maintained in Blockchain (“usage” attribute of “Printer” asset)

We now invoke the DecrementUsage API call (Figure 5) from our simulated printer. More precisely, through the integration of Wibu-Systems CodeMeter any print action will enforce such a decrement at the local unit counter as well as in the Blockchain (Figure 11).

Figure 11: Invoke local decrement as well as Blockchain chaincode

Such a decrement (here to 2 print units) can again be observed locally or in the Blockchain (Figure 12).

Figure 12: Both unit counters

Once the unit counter hits a zero value, we invoke a refill operation (Figure 13) via a Python script that calls the corresponding chaincode.

Figure 13: Refill operation

This will now lead to creation of a Debt transaction which reflects that between the three participants a certain monetary value has been created (Figure 14). At the same time the local unit counter was increased by the requested amount.

Figure 14: Final effect of refill operation
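The chaincode (Figure 8), the ACL rule (Figure 7), the CmCrypt()-then-DecrementUsage flow (Figures 4 and 5) and the demonstration values above (5 units, decrement to 2, down to 0, refill) are only shown as screenshots. The following is an added example, not the authors' code and not the Hyperledger or CodeMeter API: a self-contained JavaScript simulation of the same value chain. The participant, asset and transaction names (Customer, Lender, Resourcer, Printer, Debt, DecrementUsage, Refill) follow the post; the `CreatePrinter` transaction, the `Ledger`, `LocalDongle`, `printJob`, `countersAgree` and `demo` helpers, the role table and all sample values are assumptions constructed for this example.

```javascript
// Constructed for this example, after the post's rule "Only customer can invoke a
// DecrementUsage operation on a printer": which role may submit which transaction.
const ACL = { CreatePrinter: ['Lender'], DecrementUsage: ['Customer'], Refill: ['Customer'] };

// Chaincode: one function per transaction type; each validates against the world state and applies it.
const CHAINCODE = {
  CreatePrinter(state, tx) {
    if (state.printers[tx.printerId]) throw new Error('printer already exists');
    state.printers[tx.printerId] = { usage: tx.units, lender: tx.submitter };
  },
  DecrementUsage(state, tx) {
    const p = state.printers[tx.printerId];
    if (!p) throw new Error('unknown printer');
    if (p.usage <= 0) throw new Error('no print units left');
    p.usage -= 1;
  },
  // Refill raises the counter and, as in the post, creates a Debt between the
  // Customer (dentist), the Lender (machine owner) and the Resourcer (supplier).
  Refill(state, tx) {
    const p = state.printers[tx.printerId];
    if (!p) throw new Error('unknown printer');
    if (!Number.isInteger(tx.units) || tx.units <= 0) throw new Error('bad unit amount');
    p.usage += tx.units;
    state.debts.push({ customer: tx.submitter, lender: p.lender, resourcer: tx.resourcer, units: tx.units });
  },
};

class Ledger {
  constructor() {
    this.participants = new Map(); // id -> role: Customer, Lender or Resourcer
    this.log = [];                 // append-only: Create and Read, never Update or Delete
  }
  addParticipant(id, role) { this.participants.set(id, role); }
  // The world state is not stored; it is replayed from the transaction log on demand.
  worldState() {
    const state = { printers: {}, debts: [] };
    for (const tx of this.log) CHAINCODE[tx.type](state, tx);
    return state;
  }
  // ACL check first, then a chaincode dry run on a replayed copy of the state;
  // only a transaction that passes both is appended to the log.
  submit(tx) {
    const role = this.participants.get(tx.submitter);
    if (!role) throw new Error(`unknown participant ${tx.submitter}`);
    if (!(ACL[tx.type] || []).includes(role)) throw new Error(`ACL: ${role} may not invoke ${tx.type}`);
    CHAINCODE[tx.type](this.worldState(), tx);
    this.log.push(Object.freeze({ ...tx }));
    return this.worldState();
  }
}

// Simulated dongle-side unit counter with the post's LED colours (green: units left,
// orange: decrement in progress, red: exhausted). Stands in for CmCrypt(); not the CodeMeter API.
class LocalDongle {
  constructor(units) { this.usage = units; this.led = units > 0 ? 'green' : 'red'; }
  decrement() {
    if (this.usage <= 0) { this.led = 'red'; return false; }
    this.led = 'orange';
    this.usage -= 1;
    this.led = this.usage > 0 ? 'green' : 'red';
    return true;
  }
  refill(units) { this.usage += units; this.led = this.usage > 0 ? 'green' : 'red'; }
}

// One print job as the oracle flow: decrement locally first (the protected print method
// only runs if units remain), then mirror the decrement into the ledger. A rejected
// ledger write leaves the two counters out of step; the synced flag records that.
function printJob(dongle, ledger, customerId, printerId) {
  if (!dongle.decrement()) return { printed: false, synced: false, reason: 'local counter exhausted' };
  try {
    ledger.submit({ type: 'DecrementUsage', submitter: customerId, printerId });
    return { printed: true, synced: true, usage: dongle.usage };
  } catch (e) { return { printed: true, synced: false, reason: e.message }; }
}
function countersAgree(dongle, ledger, printerId) {
  return dongle.usage === ledger.worldState().printers[printerId].usage;
}

// The post's demonstration: 5 units, three prints (to 2), two more (to 0), a print
// with no units left, an ACL-rejected call by the owner, then a refill of 5 units.
function demo() {
  const ledger = new Ledger();
  for (const [id, role] of [['dentist', 'Customer'], ['owner', 'Lender'], ['supplier', 'Resourcer']]) ledger.addParticipant(id, role);
  ledger.submit({ type: 'CreatePrinter', submitter: 'owner', printerId: 'printer-1', units: 5 });
  const dongle = new LocalDongle(5), out = {};
  const agree = () => countersAgree(dongle, ledger, 'printer-1');
  for (let i = 0; i < 3; i++) printJob(dongle, ledger, 'dentist', 'printer-1');
  out.afterThree = { local: dongle.usage, chain: ledger.worldState().printers['printer-1'].usage, agree: agree() };
  for (let i = 0; i < 2; i++) printJob(dongle, ledger, 'dentist', 'printer-1');
  out.exhausted = printJob(dongle, ledger, 'dentist', 'printer-1'); out.led = dongle.led;
  try { ledger.submit({ type: 'DecrementUsage', submitter: 'owner', printerId: 'printer-1' }); out.aclRejected = false; }
  catch (e) { out.aclRejected = e.message.startsWith('ACL'); }
  const state = ledger.submit({ type: 'Refill', submitter: 'dentist', printerId: 'printer-1', units: 5, resourcer: 'supplier' });
  dongle.refill(5);
  out.afterRefill = { chain: state.printers['printer-1'].usage, debts: state.debts.length, agree: agree() };
  out.logLength = ledger.log.length;
  return out;
}
```

Calling `demo()` reproduces the walkthrough: both counters read 2 after three prints, the sixth print is refused locally with the LED red, the owner's DecrementUsage is rejected by the ACL before any chaincode runs, and the refill brings both counters back to 5 while appending exactly one Debt. Two points the simulation makes explicit that the screenshots do not: the world state is purely a function of the append-only log, so a rejected transaction never touches it, and the `synced: false` branch of `printJob` is the place where a real deployment needs a reconciliation step, because the dongle has already decremented by the time the ledger call can fail.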

Summary and Conclusion

We have provided an integration of a Hyperledger Blockchain with the Wibu-Systems CmDongle as an oracle. Our scenario was that of a dentist having leased a 3D printer. This printer is initially supplied with an amount of x printing units. With each print action the local unit counter on the Wibu-Systems CmDongle is decreased and in parallel a unit counter is maintained in the Hyperledger-based Blockchain. Once a threshold is met, the printer will be disabled (by means of the cryptographically protected invocation of the local print method). The Blockchain is configured in such a way that chaincode is executed to increase the units again automatically (and essentially trigger any payment processes). Once this has happened, the new unit counter value will be passed from the Blockchain to the local dongle and thus allow for further execution of print jobs.

Of course, this is only a basic demo with the intent to demonstrate how a local secure element (the Wibu-Systems CmDongle) could assist as a trusted hardware oracle for a Blockchain. We have not yet registered the secure element as a trusted Blockchain participant, but this should only be a minor technical issue when using Hyperledger as a framework and its identity management functionality. We have also not fully provided an end-to-end scenario for processing payment information and resetting any unit counters. Again, this is seen as an engineering exercise, as such an integration of payment solutions already exists as part of the current Wibu-Systems technology stack. Likewise, we only implemented one example where chaincode invokes other chaincode (the refill operation creates a Debt).

Finally, as indicated in Figure 3, we are currently investigating how to use Intel’s SGX (Software Guard Extensions) in a next step to increase trust in the communication of the local dongle with the Hyperledger Blockchain.

Authors

Andreas Schaad, University of Applied Sciences Offenburg, Germany

Alvaro Forero, WIBU-SYSTEMS AG, Germany

Thomas Falk, University of Applied Sciences Offenburg, Germany

Alexander Eger, University of Applied Sciences Offenburg, Germany

Literature

[1] Yaga, D., Mell, P., Roby, N., Scarfone, K.: Blockchain Technology Overview. NISTIR 8202, NIST, 2018

[2] Androulaki et al.: Hyperledger Fabric: A Distributed Operating System for Permissioned Blockchains. ACM EuroSys 2018

[3] Buck, J.: Blockchain Oracles, Explained. Cointelegraph, October 18, 2017, cointelegraph.com/explained/blockchain-oracles-explained

[4] Antonopoulos, A.: Mastering Bitcoin: Unlocking Digital Cryptocurrencies. O'Reilly, 2017

[5] WIBU-SYSTEMS AG: www.wibu.com

[6] Schaad et al.: Towards a Cloud-based System for Software Protection and Licensing. ICETE (2) 2018: 698-702

[7] Intel NUC: https://www.intel.de/content/www/de/de/products/boards-kits/nuc.html

[8] What is a Blockchain Oracle: blog.apla.io/what-is-a-blockchain-oracle-2ccca433c026

Andreas Schaad

Professor of IT Security and Corporate Technology Member at Wibu-Systems

Andreas Schaad is a Professor of IT Security at the University of Applied Sciences Offenburg. Before that he worked at Wibu-Systems AG Corporate Technology, as well as in various technical and managerial IT Security roles for Ernst & Young, SAP Research Security & Trust and HUAWEI Security Research. He holds 13 international patents and authored over 50 publications in the domain of IT Security.

The .NET Development Landscape
by Rüdiger Kügler, Mon, 11 Mar 2019
https://www.wibu.com/uk/blog/article/the-net-development-landscape.html

One of the most frequent questions asked in developer communities is when to use .NET Framework and when to use .NET Core.

One of the most frequent questions I see asked in developer communities, like StackOverflow and GitHub, is when to use .NET Framework and when to use .NET Core, as there seems to be confusion with the name and the different flavors available. It is not uncommon for developers to ask:

  • Should I develop .NET desktop applications using the entire .NET Framework?
  • Or should I use ASP.NET Core web apps or Universal Windows Platform (UWP) with .NET Core?
  • Or, perhaps I should embrace Mono, the cross-platform, open-source .NET framework alternative from Xamarin/Microsoft?

Knowledgeable .NET developers seem to be very helpful in providing advice to other developers based on their personal experience with the platforms. For the newbies, however, it would be helpful to research some very basic information about the platforms before weighing in with questions on the forums.

Microsoft provides straightforward definitions of the various .NET platforms with a multitude of technical support documents. For the basics, they say:

  • .NET Core is a cross-platform .NET implementation for websites, servers, and console apps on Windows, Linux, and macOS
  • .NET Framework supports websites, services, desktop apps, and more on Windows
  • Xamarin/Mono is a .NET implementation for running apps on all the major mobile operating systems

There are also many other sources that can help sort it out, one being a recent explanation of the differences between .NET Framework and .NET Core on C-sharpcorner.

Confusion with the name and different flavors of .NET developer tools can also affect companies like Wibu-Systems, who provide software products and services to .NET developers. As the developer of the CodeMeter software protection, licensing and security solution, it is critical for our customers that we support all flavors and versions of the .NET programming platforms.

Perhaps, unlike others in the .NET support community, we’ve adopted a unique approach to .NET compatibility by making our AxProtector encryption tool universally compatible with all variants of the .NET platforms. This approach eases the burden for our .NET customers (one less thing to worry about) as well as removes the potential for confusion from our own customer support team.

If you are curious as to how we make universal .NET support possible, watch our on-demand webinar recording, Protecting .NET Standard 2.0 Applications. Our security experts take a deep dive into our AxProtector encryption platform and demonstrate how it is configured to support applications developed on all .NET Framework and .NET Core versions.

Rüdiger Kügler

VP Sales | Security Expert

After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.

A Cybersecurity Roadmap for a Digitized Society
by Daniela Previtali, Tue, 26 Feb 2019
https://www.wibu.com/uk/blog/article/a-cybersecurity-roadmap-for-a-digitized-society.html

The actors behind the SecUnity Cybersecurity Roadmap agree that effective security and privacy measures require a systematic and holistic approach.

Cybersecurity research is a “technological prerequisite” for addressing the numerous disruptive challenges brought on by the rapid progression of the digitalization of society. That sentiment is the basis for a comprehensive cybersecurity research project that has led to the development of the SecUnity-Roadmap, Cybersecurity Research: Challenges and Course of Action. SecUnity is a joint project organized by five institutions focused on IT security research. A total of six research institutes with seven groups participated in the SecUnity project.

The roadmap, which was officially released in Brussels on February 5th, was the creation of approximately 30 European researchers from academia and industry, who have collaborated on the project since early 2016. Over that period, the researchers exchanged their expert points of view on the pressing problems over the course of several workshops and integrated their consensus into the roadmap.

According to Joern Mueller-Quade, Spokesman of SecUnity and one of the co-authors of the roadmap, the researchers agreed “that effective security and privacy measures require a systematic and holistic approach which considers security and privacy from the ground up.” Professor Mueller-Quade, Director of the FZI Research Centre for Information Technology and professor at the Institute for Theoretical Informatics (ITI) at KIT in Karlsruhe, is also well known to Wibu-Systems as one of the collaborators on the Blurry Box cryptography project, which produced the encryption mechanism that has since been incorporated into the Wibu-Systems CodeMeter Protection Suite.

The traditional and new cybersecurity research fields and challenges examined by the group included securing cryptographic systems against emerging attacks, trustworthy platforms, secure lifecycle despite less trustworthy components, quantifying security, IT security and data protection for machine learning, and big data privacy. Each area underwent a thorough examination of potential and real-world scenarios. The roadmap also provides recommendations for courses of action to achieve short, mid-, and long-term goals in each area.

While Wibu-Systems is involved in many aspects of cybersecurity, one area of the roadmap of particular interest to us was the discussion of trustworthy platforms. The researchers noted that the long-standing concept of perimeter-based security architectures with well-defined trust boundaries, used in IT security up to now, has been outgrown by the reality of today’s digital transformation. They pointed out that even on a single device, multiple (potentially untrusted) third-party applications are integrated and interact with each other. Such interactions occur inside smartphones as well as in virtualized cloud data centers and, in the future, will be found in smart factories and other critical infrastructures. They concluded that to address these rising challenges, it is necessary to reliably assess the identity and integrity of each involved entity and then to provide strong means for data secrecy and privacy using hardware-based trust anchors such as Trusted Platform Modules (TPMs), which would enable the design and integration of trustworthy applications and protocols.

To broaden our support for secure elements in connected devices, Wibu-Systems joined the Trusted Computing Group (TCG) in 2016, a not-for-profit organization formed to develop, define, and promote open, vendor-neutral, global industry standards supporting a hardware-based root of trust. In cooperation with the TCG and its member organizations, our CodeMeter hardware secure elements now support TCG specifications, which will streamline software licensing for all TPM 2.0 users.

At Embedded World 2019 in Nuremberg, Feb. 26-27, we participated with two other TCG member companies, OnBoard Security and Wind River, and demonstrated solutions for IoT and embedded security based on TCG specifications and technologies with a root of trust. One part of the demonstration explained how to manage licenses with CodeMeter using TPMs as alternative safe repositories for encrypted code keys.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

A Glimpse Ahead to the Dark Ages
by Daniela Previtali, published Tue, 19 Feb 2019 11:40:00 +0100
https://www.wibu.com/uk/blog/article/a-glimpse-ahead-to-the-dark-ages.html

What are the collateral damages of a severe cyberattack for the economy, healthcare system, water supply, electricity or transportation?

What if a computer virus were capable of completely destroying the data on every Internet-connected device in the U.S. in a matter of minutes? Can you fathom the chaos?

Basic services like electricity, water supply, transportation, and retail goods and services would be unavailable. Communications systems (phones, TVs, radios, the Internet) would be rendered useless. The healthcare community would be in grave danger, with hospitals and medical equipment unavailable and patients receiving inadequate care. As a citizen, you could not access your own information, prove your identity, or prove ownership of the house you live in.

Now consider the collateral damage that could occur with a cyberattack on other critical infrastructure. Such an attack could destabilize the global financial services system: ATM networks could freeze, credit card and other payment systems could fail, and online banking could be inaccessible, leaving no cash, no payments, and no reliable information about bank accounts. Ultimately, the global economy would come to a screeching halt, resulting in widespread panic, massive unemployment, unfettered crime, disease outbreaks, and a government and its nation vulnerable to attack.

Fortunately, this is a fictional doomsday scenario dreamed up by bestselling author James Patterson, with the help of former U.S. president Bill Clinton, in a novel they collaborated on in 2018. Titled The President is Missing, the book weaves a gut-wrenching tale of a planned cyberattack on the U.S. unleashed by a malicious computer “wiper virus” with the code name “Dark Ages.” The fictional virus is similar to a type of ransomware but differs in that the objective of the terrorist attack is not monetary gain, but rather to inflict geopolitical anarchy.

There are many twists and turns in the plot of the book, but what stood out was that the doomsday scenario created by the virus and its potential consequences were perhaps a bit too close to today’s reality. Given the increase in the number of global cyberattacks in the past few years, it is perhaps easier to believe that it could happen than that it could not.

The heightened awareness of the dangers of cyberattacks has led to an intense resolve by governments, industry organizations, and security technology companies like Wibu-Systems to understand the nature of these threats and develop cooperative, technology-driven solutions to protect against them.

At the Embedded World 2019 exhibition in Nuremberg, Germany, industrial and IoT cybersecurity was an important topic on the agenda, and many of the latest security technologies were on display. For our part, we demonstrated advanced protection mechanisms for the software, connected devices and machinery that represent the building blocks of Industrie 4.0. We also showcased novel security solutions in collaboration with a number of our partner companies, like Trusted Computing Group, SD Association, Intel, Wind River, and a host of others.

Visit our Embedded World event page and learn more about these and other novel technology solutions geared toward protecting industry, government, and the public from the threat of cyberattacks.


A Holistic Approach to IoT Security
by Daniela Previtali, published Tue, 05 Feb 2019 11:00:00 +0100
https://www.wibu.com/uk/blog/article/a-holistic-approach-to-iot-security.html

The IoT Security Standards Gap Analysis from ENISA maps existing IoT standards against requirements on security and privacy.

Is it possible to introduce an IoT device that can authenticate its user, can encrypt and decrypt transmitted and received data, and deliver or verify the proof of integrity, yet still be considered an insecure device?

Yes, says the European Union Agency for Network and Information Security (ENISA) in their IoT Security Standards Gap Analysis: Mapping of existing standards against requirements on security and privacy in the area of IoT. The organization is focused on developing advice and recommendations on best practices in IoT information security.

In their study released in December 2018, the organization found that there are no significant standards gaps for IoT security protocols: every requirement can be met by an existing standard covering one of the many different elements of making a device, service or system secure. However, IoT actually refers to a complete ecosystem of more than just devices and services, one in which scalability and interoperability considerably complicate the environment. Therefore, if the security protocols inherent in a device or service are not considered holistically, it is possible to deliver an insecure device to the market even if it meets all of the existing individual security standards.

As the analysis suggests, a gap in standards exists only insofar as it is unclear what combination of standards, when applied to a product, service or system, will result in a recognizably secure IoT. The challenge for regulators and suppliers, of course, is to bring only secure IoT devices to the market, and this requires a different approach, one flexible enough to accommodate the dynamic nature of the IoT ecosystem.

The primary conclusion of the study is that standards are essential but not sufficient to ensure open access to markets. In the particular case of security, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure.

Whereas a checklist of IoT security requirements and its mapping to specific standards can serve as a springboard towards holistic and effective IoT security, the report notes that the complexity of the IoT ecosystem calls for more flexible approaches. Not only do the underlying technological challenges call for adaptive, context- and risk-based solutions, but the constraints of the IoT market also have to be taken into account, so as not to hamper competitiveness and innovation.

Ultimately, the processes recommended in the analysis are intended in part to bring about a change in attitude towards device security by making secure IoT the only form of IoT that reaches the market, and to give confidence to the market through a combination of certification, assurance testing and validation, and market surveillance.

If you are involved with implementing secure IoT devices, products and services, I think you will find this investigation to be interesting reading. The complete report is available for download by ENISA.


Are You Ready for the Subscription Economy?
by Daniela Previtali, published Tue, 22 Jan 2019 11:00:00 +0100
https://www.wibu.com/uk/blog/article/are-you-ready-for-the-subscription-economy.html

In this new era, subscription experiences are built around services that meet consumers’ needs better than static, out-of-the-box offerings.

Turn your customers into subscribers. That’s the mantra of Zuora Inc., a leading provider of a cloud-based subscription management platform. They have coined the term “Subscription Economy®”, which embodies the idea that customers are happier subscribing to the outcomes they want, when they want them, rather than purchasing a product with the long-term burden of ownership. They will tell you that consumer preferences have changed: customers are looking for new ways to engage with businesses and bring a new set of expectations with them: outcomes vs. ownership, customization vs. generalization, and constant improvement vs. planned obsolescence.

To make their point, Zuora stresses the popularity of new usage-based models that keep customers consistently engaged in long-term relationships, like Netflix, Amazon Prime, Uber, Salesforce and countless others. Who can argue? In this new era, subscription experiences are built around services that meet consumers’ needs better than the static, out-of-the-box offering of a single product as perpetuated in the “old” days.

Subscription preferences apply to enterprise software licensing as well as consumer goods and services. Back in 2016, we posted a blog about Gartner’s prediction that “by 2020, more than 80 percent of software vendors will change their business model from traditional license and maintenance to subscription.” That prediction was certainly on target and perhaps going mainstream sooner than expected.

In 2017, Gartner interviewed ISVs who had already made the transition to subscription licensing and reported they experienced stronger customer relationships, reduced cycle time for customer-requested enhancements and modular products with add-on capabilities, along with the advantage of being part of a community and enabling ongoing customer engagement. Gartner further noted that the subscription model also created a direct relationship with every customer, while allowing partners to leverage their relationships for additional services during migration and after deployment. Over time, these progressive relationships resulted in the ability for vendors to sell more capabilities to more customers.

In the report, Gartner cited the 5 most valuable lessons learned by ISVs who successfully transitioned to subscription-based business models. Here are their recommendations:

  • Ease into a subscription model
  • Break down entry barriers with subscription
  • Improve value and create recurring revenue streams through subscription
  • Use value articulation and pricing as levers to influence transition speed
  • Ensure partner and reseller revenue streams remain intact

Wibu-Systems has helped many of our customers successfully transition to subscription-based licensing, and as a result they are realizing better monitoring and tighter control over software usage, more predictable and recurring revenue, and a greater deterrent to software piracy. For their end users, subscription licensing offers a lower upfront cost, pay-for-use pricing, and ongoing access to the latest features and functionality. During these transitions, we stress the importance of three factors for success:

  • Ease of use for the subscription workflow and the user’s interface
  • Ease of use for automatic renewal
  • A pricing point that is proportionate to the perpetual license, most important for those ISVs who create both license models

If you are considering a transition to a subscription software model, or perhaps providing it as an option to your conventional perpetual license, I invite you to view our webinar where we present the basic foundations of subscription models and demonstrate how to configure and implement your own subscription model using CodeMeter License Central, our ultra-flexible license creation, management and distribution system. You can access the on-demand replay for “A Cash Machine for Your Software” here.

* Subscription Economy is a registered trademark of Zuora Inc.


The New Breed of Engineers
by Daniela Previtali, published Thu, 10 Jan 2019 16:52:00 +0100
https://www.wibu.com/uk/blog/article/the-new-breed-of-engineer.html

It is time to create a separate engineering discipline designed to cover the specific CPS and IoT knowledge.

I read an interesting article recently, How Do You Create an Internet of Things Workforce?, published by the IEEE Computer Society. The gist of the article was that, given the significant increase in the development of IoT applications and analytics, it was time to create a separate engineering discipline designed to cover the specific knowledge necessary to build "reliable, efficient, and safe" cyber-physical (CPS) or IoT systems. Simply adding one or two IoT or CPS courses to an existing program, the authors argued, was not sufficient for students to thoroughly understand why IoT and CPS differ from existing engineering disciplines.

The authors cited a good example to make their case:

“There are also CPS/IoT applications for healthcare with the goal of improving a patient’s treatment regime. For example, the closed-loop insulin delivery system connecting a glucose monitor to an insulin pump can continuously alter the amount of insulin dosed to a patient to assist in managing the patient’s blood sugar. In fact, any product that continuously monitors patient activity to improve treatment would be an effective IoT application. Imagine how much more effective treatment could be for a Parkinson’s patient when a physician has more than a static snapshot from an office visit exam. With months of data and information, the physician could determine a more effective treatment plan.”

An important takeaway from their example is that an engineering or computer science curriculum developed and/or updated 10 or even 5 years ago would not adequately educate students on the recent and rapid developments in artificial intelligence, machine learning, sensors and the many other sophisticated technologies inherent in future IoT and CPS applications. Furthermore, standard engineering curricula most likely would not adequately address the safety and data security vulnerabilities that are being uncovered and compromised in the cyber-world on a daily basis.

Human safety and data security are key elements in the quest to build “reliable, efficient, and safe” CPS and IoT systems. While I fully agree with the authors’ premise, I would add that security should be a major component of any engineering curriculum designed to train the new breed of IoT and CPS engineers. And as the authors note, simply adding an IoT or CPS course to existing engineering degree programs is not adequate. Cybersecurity is not an add-on course or two, but rather a core component of an entire program.

This is where the term “security-by-design” comes in. A security-by-design approach to software and hardware development places the emphasis on building security into products from the start rather than treating it as an afterthought in development. One of the major challenges of IoT security is that security has not typically been considered in the product design of devices that were not traditionally Internet-enabled and accessible via a network. In a typical industrial environment characterized by long machine lifecycles, brownfield retrofits remain significantly important, while all greenfield applications require a security plan right from the start.

This is also true for the Industrial Internet of Things, where the emergence of smart electrical grids, connected healthcare devices and hospitals, intelligent transport, smart factories and other types of cyber-physical systems has created large-scale attack surfaces.

Hopefully, academia will keep up with the rapidly evolving environment where millions of connected devices are the norm and adequately train the next generation of safety-conscious IoT and CPS engineers. There is much to be learned on many fronts. One document I propose for any engineering curriculum is the Industrial Internet Security Framework published by the Industrial Internet Consortium (IIC). The document is a collaborative work containing the cybersecurity wisdom of IIC members from over 25 different organizations and provides guidance for improving organizational approaches, processes and the use of technologies for creating a trustworthy system. It is an important starting point for understanding the security challenges brought on by the IoT and CPS.

