Securing mobile devices with multi-modal biometrics encryption, partitioning, and multi-role access controls is the norm. Critical information containing encrypted company and biometrics data about you is stored in the protected partition of your mobile device.
You register your mobile device with your company's Mobile Device Management server, so that if your device gets lost, the administrator can remotely wipe out all data on the lost device.
You never lose your device. You are careful with it when you are done with it. No one will take your device, or so you think.
What you may not know is that others can observe how you use your device. This can happen while you are:
- On public transportation on your way to work
- In an airport's crowded waiting room
- In any other place where your adversaries (business competitors or criminals) can easily observe your movements
You can secure your device the OPSEC (Operational Security) way so your adversaries can't easily observe you. These adversaries would love to have your biometrics data and the critical corporate information you keep on your device. I've described how biometrics can be maliciously changed in my previous blogs on fingerprinting, iris scans, face scans, retina scans, and voice recognition (Protect Multi-Modal Biometrics With Defense in Depth, for example).
As a member of the OPSEC professionals group, I designed the original mobile website (which has changed since then). I included the OPSEC Process (from the laptop website) on protecting critical information. To access the mobile website, I designed a purple dragon icon just for fun for the home page of my BlackBerry. Purple Dragon is the name of the team that was formed during the Vietnam War to stop the enemy from getting information on military operations.
The OPSEC process consists of four steps: identifying critical information (biometrics), analyzing threats and vulnerabilities, assessing the risk levels of information you have on your mobile device, and then applying countermeasures to mitigate risks to a more acceptable level.
Reducing the vulnerability of critical information always has the highest priority. If the adversary successfully gets the biometrics and sensitive corporate data from your mobile device, he can maliciously change your personal details by inserting or modifying the data in a biometrics template. The resulting business impact for your company could be grave. Your company may lose its reputation and profitable business.
Countermeasures for the highest-risk vulnerabilities are effective when they show a significant return on investment. Make sure you have countermeasures in place to stand between the adversaries and your device.
Tell us your thoughts on the OPSEC method of securing biometrics.