Mr. Francois Lasnier
Vice President and General Manager, Security
Gemalto North America www.gemalto.com
SecuritySolutionsWatch.com: Thank you for joining us today, Francois. Please give us an overview of your background and your role at Gemalto.
Francois Lasnier: Gemalto’s digital security solutions target three major markets, Telecom, Security and Secure Transactions. I manage the Security business in North America, and our focus is identity security and data protection for the government and enterprise sectors.
My history with Gemalto spans several years. Initially, I was in the banking sector within the product development team where I managed the first smart card implementation to use Visa’s Java-based Open Platform, now an industry standard. My early background was in program management, working on smart card-based electronic toll collection systems and RFID-based vehicle identification systems in Tokyo. I received my master’s degree in electrical engineering and computer science.
SecuritySolutionsWatch.com: Please give us an overview of Gemalto’s solutions in the Security Business Unit.
Francois Lasnier: Our core competencies are in smart card technology, cryptography and secure systems design. From this foundation, Gemalto’s Security business makes secure personal devices and systems that help people live, work and travel in our increasingly digital, wireless and interconnected world.
For example, Gemalto is the world’s leading supplier of government e-credentials, such as the electronic passport, or epassport. The United States and many other countries are now putting a smart card computer chip in passports to make them virtually impossible to counterfeit, and to make it much harder for anyone to alter and use someone else’s passport. Gemalto also provides many other government-issued e-credentials such as driver licenses, identity cards and electronic health cards.
Another important part of our Security business is smart card-based ID badges or USB tokens that authenticate identities on information systems. Sometimes this takes the form of a single employee badge that converges both physical and logical access control. We also make secure USB keys for portable data storage.
In addition to these personal security devices, our solutions also include software, systems and services such as strong authentication Web servers and personalized ID credential issuing systems.
SecuritySolutionsWatch.com: Gemalto’s H1-2009 results showed its profitable Security business is its fastest growing, up 29% year-on-year at historical exchange rates. Gemalto’s new three-year plan forecasts continued double-digit growth for this business. What market factors are driving the growth, starting with the government sector?
Francois Lasnier: Two factors are driving Gemalto's rapid growth in the government sector, an expanding market compounded by increased sales of software and services in addition to the personal security devices.
Gemalto is expanding geographically and entering many new markets as governments move ahead with eID programs of all types including e-passports, citizen IDs and electronic drivers licenses. One important driver is the global standard for secure epassports driven by ICAO, the United Nations organization that sets all types of standards for the global passenger air industry.
Equally important, however, are the goals of governments worldwide to simultaneously strengthen security for their citizens and make government more efficient. One factor is that smart card-based eIDs can prevent fraudulent use of government services and benefits, because they are more difficult to counterfeit and when combined with biometrics or other techniques they more effectively prevent the use of the ID by anyone other than the person to whom it was issued.
Here is one impressive statistic that shows how significant the impact can be from an eID program. Mexico implemented smart card-based driver’s licenses in five states to fight rampant counterfeiting, resulting in fewer unlicensed drivers on the road and achieving a 39% decline in road fatalities.
In addition, eIDs can be used online to enable new egovernment services that reduce administrative costs, make services more available and accessible to citizens and improve the overall efficiency of government.
Compounding the growth of the market is the fact that Gemalto is increasing its value added through software and services. Often government agencies implement these programs using a Build Own Operate (BOO) or Build Own Transfer (BOT) model. This creates the opportunity for Gemalto to provide complete turnkey solutions in addition to the personal security devices.
SecuritySolutionsWatch.com: What threats are you seeing in the online world and how does Gemalto address these in the enterprise sector?
Francois Lasnier: Fraudulent activity is not only increasing, it is becoming more organized and sophisticated. Whereas in the past, online malware was often tied to just one individual, today networks of criminals are working together. Clearly, the motivation today is driven by financial gains.
The sophistication comes in two forms. First, criminals are becoming more adept at targeting online services or data networks that have high potential financial rewards. Second, the nature of the attacks is becoming significantly more dangerous and difficult to stop.
For example, one well-known online threat is phishing, where criminals send out thousands of fraudulent e-mails attempting to trick people into giving away their usernames and passwords. That is dangerous enough, but even more insidious problems are man-in-the-middle and man-in-the-browser. In these attacks, the hacker eavesdrops on the Internet transaction and hijacks it, a threat that can exist right inside the Internet browser.
For example, if you operate a successful online auction account or merchant Web site, and someone hijacks your account they can conduct a series of fraudulent online transactions, selling merchandise that does not exist and then take the money and run. This leaves you with the mess to clean up, ruining your online reputation that took years to establish.
This threat creates a tremendous need for Gemalto’s solutions; the best way to stop these attacks is to use a form of strong authentication, meaning a personal security device with smart card technology that becomes an integral part of the transaction.
Gemalto sees opportunities in online authentication for banking, Internet retailing, eGaming, online auction and payment sites and virtually any form of e-commerce. Of particular interest is corporate and investment banking, who are increasingly the targets of the online criminal networks because of the large dollar value of their transactions.
SecuritySolutionsWatch.com: You mentioned that authentication of identities is important to data security. Care to elaborate on how this creates opportunity for Gemalto?
Francois Lasnier: High profile data breaches like Heartland and TJX demonstrate that data security is a major issue for enterprises. In financial or merchant networks like these, criminal networks were attacking to capture credit card information on millions of accounts.
These financially motivated attacks are serious, but even more frightening is the potential of cyber-terrorism threats to government and critical infrastructure networks. The recent appointment of a new Cyber-czar, Howard Schmidt, by the Obama administration shows how essential it is to protect the energy, utility, oil and gas infrastructures that are the underpinnings of our economy and security.
Information systems in private enterprises are also at risk. For example, regulations like the Health Insurance Portability and Accountability Act (HIPAA) require high levels of consumer data privacy protection for health and medical records.
The way to counter threats to data security is to use strong two-factor authentication to identify individuals when they access and use information systems.
A good model to follow is a major initiative by the U.S. federal government over the last several years to provide every employee and contractor with a smart card-based identity credential called a Personal Identity Verification (PIV) card or in the case of the Department of Defense, the Common Access Card (CAC) card. These eIDs provide a more secure identity credential that is interoperable across the federal government. In addition, they can be used to secure access to government information systems.
SecuritySolutionsWatch.com: The security firm SySS recently published research showing how “secure” USB keys from SanDisk, Verbatim and Kingston could be easily unlocked without knowing the password. Gemalto explained its products are invulnerable to this attack. Can you tell us more about this?
Francois Lasnier: As this security vulnerability research makes clear, one must look carefully at how the security features of an encrypted USB key work to make sure it is truly secure.
In this case, researchers demonstrated that despite the encryption mechanisms the other manufacturers implement and the FIPS security certifications they obtained, data stored in them could be decrypted and extracted.
The problem is that these USB keys do not have any onboard computer. They rely on software applications stored on the drives to verify user passwords and allow unencrypted access to the stored data. These applications must be loaded into the memory of the PC to check the password, and that is where the hackers attacked. It is a fundamental architectural flaw, because the device does not control its own security.
Gemalto has several devices, including our Smart Guardian (SG) USB drive, that are invulnerable to this attack, because they incorporate a dedicated smart card security computer chip in the USB key. The tamperproof smart card chip securely stores the data encryption key and performs PIN/password verification.
Since both the encryption key and the verification of the user’s password are always inside the smart card on the USB key—never in the memory of the host PC—the Gemalto SG tokens are immune to attacks like the ones the researchers used on the USB keys from the other manufacturers.
In addition, our SG FIPS product meets the rigorous security requirements of FIPS 140-2 Level 3. This certification is more comprehensive in Gemalto’s case, because the encryption, PIN verification and access are all done in the smart card, so all of these functions are within the cryptographic module boundary validated by NIST under the certification. This contrasts sharply with the architecture and certifications of the hacked USB keys from other vendors, because in those devices the PIN verification/data access software is outside of the cryptographic module boundary tested by NIST.
Gemalto’s SG and SG FIPS achieve the highest level of security to protect sensitive corporate and governmental data.
SecuritySolutionsWatch.com: What final piece of advice would you give security-minded executives about the digital security of their enterprises?
Francois Lasnier: Security must be identity-based, to allow control over who sees and does what dependent upon their role. CIOs and CISOs understand that now, and are moving in that direction.
What I want to stress is that strong identity-based security requires strong two-factor authentication. Enterprises must eliminate their reliance on username and password; they are too easily stolen and once someone else has your password they have your online identity.
The only way to truly succeed with identity-based security is with a secure hardware device, like those based on smart card technology that acts as a second factor of authentication in establishing online identity and role-based access to information systems.
SecuritySolutionsWatch.com: Thanks again for joining us today, Francois.