Security Task Force
- Jon Geater, Chief Technology Officer at Trustonic and Chair of GlobalPlatform's Security Task Force
In our latest industry interview, Jon Geater explains the reasons behind the decision to establish a Security Task Force, the role that it will play in communicating GlobalPlatform's place in the ecosystem and why he thinks security should be 'transparent'.
- What is the role of GlobalPlatform's Security Task Force?
Our work is about bringing GlobalPlatform's spectrum of specifications together in a way that best defends real assets from real threats in real devices and systems. The group won’t be creating any new technology, but will instead focus on defining specific industry use cases in order to tailor the best combination of GlobalPlatform Specifications to address the unique threats that each use case faces in the real world.
Our immediate priorities are to develop white papers to communicate GlobalPlatform’s role in the security ecosystem and to host workshops with industry representatives to explore the management of secure and non-secure applications on mobile devices. In order to achieve our goals, the group will facilitate discussions regarding security requirements for devices incorporating secure chip technology and actively contribute to industry efforts to streamline security certification.
- Why has GlobalPlatform created the group?
GlobalPlatform has been involved in security for a long time. As more entities, companies and people are interested and engaged with the development of security standards and solutions, the association has identified an opportunity to make security services more sophisticated and refined for the services that really matter to users.
Over the last few years, more and more valuable information is being deployed to mobile devices and we are using that information in new and different ways.
Protecting this data has become an increasingly complex challenge, one that requires a systematic and coordinated approach to curate security solutions that do not impair user experience. Delivering and ensuring security and user experience in the same implementation is no mean feat and that is why we have launched a dedicated Security Task Force.
- What are the guiding principles behind GlobalPlatform's approach to security?
Firstly, remembering at all times that functionality is primary; security should be there to preserve reliability and enhance functionality, never to compromise it. With this in mind, a far more innovative and finessed solution is achievable when specifications are combined to answer the specific questions posed by an implementation, rather than using an unnecessarily high level of security. Security is not about making something bigger or stronger. These concepts are comforting but are meaningless on their own: security is far more contextual than that.
If security is to be usable, though, it must be transparent (in that the user does not realize it is there). For it to be transparent, it must be designed into the system from the start. For it to be designed in, it must be tailored for the specific use cases it is protecting. And to tailor the security to a use case, that use case must be understood.
We are therefore listening to the requirements of the outside world and working to make storing and accessing sensitive information on devices easier through appropriate security. For example, leveraging the security that exists within secure chip technology to reduce the number of keystrokes needed to complete an e-commerce purchase, while maintaining the same or better level of security, will bring benefits to everyone.
- What are the next steps for the group?
Looking to the next few years, we will see the trusted execution environment (TEE) come to the fore as a part of the mobile device security infrastructure. While not yet a household name, TEEs are already in the handsets of millions of consumers around the world. It may seem disappointing that such an innovative technology is hidden in the shadows but GlobalPlatform can be proud that it is effortlessly and quietly working to provide a seamless level of appropriate and usable security.
This work is never complete, however. GlobalPlatform is constantly developing its specifications. We recognize that we are stronger together so we call on the ecosystem to come forward and contribute to our work in this area as we continue our journey to curate the security ecosystem.
- How can GlobalPlatform Members get involved?
With the group just kicking off, there is a real opportunity for players from both the developer and user sides of the ecosystem to come forward, get involved from the ground-up and shape the future of GlobalPlatform's security work and, as a consequence, the marketplace. Members can sign up to participate via the member website.
To participate in GlobalPlatform's security discussions please visit