Controlling Fraud and Protecting Intellectual Property: Today's Challenge
Even though data privacy is high on the security agenda these days, security has other important goals including protecting corporate data and intellectual property (IP) as well as controlling fraud. The relative importance of this protection will always be driven by the likelihood of attack, coupled with the value of the information or product that is lost. Stakes are clearly highest for organizations performing transactions in untrusted locations and over the Internet, those whose competitive position is driven by the data they own, or manufacturers of high value products, particularly in outsourced facilities. Examples of fraud include:
- Transaction fraud. Providers’ systems that involve either online or in-person transactions are always subject to issues of non-repudiation--they must be able to establish proof and accountability. Financial transactions are an obvious area of focus but industries such as gaming and lotteries also need to be able to verify the accuracy, integrity, and timing of transactions, all of which are central to the organization’s ability to carry out these activities fairly—and all of which become more challenging with the rise of the smartphone.
- Voting fraud. Government agencies take the challenge of transaction fraud to an extreme in the context of voting where the levels of public scrutiny are unmatched. The challenges are compounded by the fact that voting systems are installed on a temporary basis, are highly distributed, and are typically operated by non-technical and potentially biased individuals.
- Document fraud. Paper documents and the signatures they contain have played an important legal role for centuries in processes such as patent submissions, land registrations, personal wills, or other claims of ownership. Validating the authenticity and integrity and legal standing of such documents is critical. These challenges expand in the era of electronic documents that are so easily copied and manipulated. A number of countries now enforce strict digital signature laws to increase confidence in electronic documents and the processes that create them.
- Product counterfeiting. Manufacturers of high-value products have wrestled with counterfeiting for decades, particularly in the fashion industry. But this issue has quickly spread to the world of high-tech products, covering everything from printer cartridges to mobile phones to games consoles to networking equipment. The widespread use of outsourced manufacturing compounds the challenge. Establishing a trusted manufacturing process that can accurately and reliably control device integrity and product volumes, while protecting intellectual property in a facility that is remote and often shared by other companies, requires the use of advanced security measures.
- Service fraud. Providers of online services involving digital content, such as music stores, app stores and online games, face challenges of content theft, content modification and account theft or abuse that go well beyond traditional password-stealing phishing attacks. The challenge becomes even more pronounced if these services are aggregators of third party content where other contractual responsibilities and liabilities come into play. And again, the rise of smartphone-accessed services compounds the challenge.
- License enforcement. Even in situations where products are almost entirely physical, such as the automotive industry, the use of software based licenses and the software-controlled enablement of high value optional extras is commonplace and likely to increase. As a result, fraud protection challenges that have been common in the online world are becoming relevant to a wider range of industries.
These examples focus on the challenges relating to fraud but there remains the need to protect corporate intellectual property, not just in products and services but also in corporate data centers and archives. The rise of advanced persistent threats (APTs) and cyber criminals changes the nature of industrial espionage and with the threat of state sponsored attacks against defense contractors and other service providers the issue of IP theft can reach national significance.
- In less-trusted manufacturing environments, insiders can potentially access valuable intellectual property, and authorize production overruns to build counterfeits. From a security perspective, they can manipulate device identities and corrupt embedded firmware and product configurations to stage wide-ranging attacks.
- Attackers can modify electronic documents, instructions, transactions and records to affect supply chain processes, legal claims, or the outcomes of decisions unless rigorous integrity tests are put in place.
- Organizations that cannot adequately protect outsourced manufacturing operations or online services will not only suffer direct financial losses but will also limit their flexibility to manage their business efficiently, potentially damaging their competitive position.
- Fraud and theft not only damage customer perceptions and experiences, but it also runs the risk of attracting the attention of regulators and compromising commercial and legal agreements with third parties such as content owners.
Controlling Fraud and Protecting Intellectual Property: Thales e-Security Solutions
Products and services from Thales e-Security can help many different types of organizations reduce the risk of fraud and theft of intellectual property. Cryptography can play a vital role in ensuring the confidentiality of information, particularly as it is exposed in hostile environments, and can be used to verify the integrity and authenticity of almost any form of electronic document or message. In some cases cryptographic protection, particularly in the form of encryption, can be easily deployed in a completely transparent way. Network level encryption using the Datacryptor family of encryption platforms can be used to protect virtually any form of backbone network connection and is particularly valuable in protecting virtual private networks (VPNs) to remote manufacturing or logistics locations.
Other forms or protection, specifically those that introduce the use of digital identities and digital signatures, rely on public key operations and typically rely on an underlying public key infrastructure (PKI). In some cases commercial applications support PKI-based techniques as standard; whereas in-house applications may need to be modified to support this more sophisticated but more secure approach to security. In all cases the protection of keys within a PKI and its associated applications needs to be strongly enforced and tightly managed. In this context the nShield hardware security module (HSM) is a perfect fit and benefits from pre-qualified integration with a host of leading commercial applications.
Looking beyond even key management, organizations also need to protect the application processes that actually use those keys, for example to approve the issuance of an embedded digital ID for a manufactured device, approve the loading of secure firmware, signing of a transaction, or counting of a vote. In remote and often untrusted locations these processes can be made secure only through advanced levels of physical and logical security. The CodeSafe capability of nShield HSMs enables high-tech manufacturers and software providers to create tamper-resistant processes that protect their critical processes, business models, and intellectual property, reducing the risk of abuses and counterfeiting. With CodeSafe, organizations can secure sensitive processes (such as identity management or metering) behind a physically tamper-resistant barrier. As a result, manufacturers can be more confident in their ability to outsource securely, while software providers can maximize revenue by enforcing license agreements through secure metering capabilities.
- Encrypt information to ensure confidentiality as it flows over networks, as it is stored, and as it is used—either within the corporate datacenter or at remote locations.
- Digitally sign documents, transactions, and messages to create a mechanism that can easily validate their integrity and authenticity.
- Comply with regional digital signing laws through the use of security certified HSMs to establish legally sound documents.
- Efficiently generate cryptographic keys and digital credentials to support high volume production processes with high assurance credential management capabilities for secure device authentication.
- Create secure outsourcing environments by establishing tamper-resistant, trusted environments to protect critical application processes such as software loading, license provisioning, and identity management.
- Strengthen critical web infrastructure with leading-edge DNS security capabilities (DNSSEC) to reduce the risk of web site spoofing and service disruption.