GlobalPlatform’s technical evolution – new initiatives, built on strong foundations
Nils Gerhardt, Chairman of the Board, GlobalPlatform
Over the past 20 years, GlobalPlatform has become a trusted industry voice, renowned for creating a collaborative and open ecosystem where digital services and devices can be trusted. In my role as Chairman, I am proud to have presided over the organization for the past 18 months, watching it diversify its scope and grow from strength to strength.
As well as achieving great organizational successes, GlobalPlatform has made rapid advancements to address the challenges facing chip and device manufacturers, solution providers, regulators, certification bodies and the IoT giants. Let’s take a look at the progress we have made in such a short period of time, and how we can build on these to bring greater trust and enriched functionality and security to IoT.
Standing on the shoulders of giants
Our work began in 1999, where the GlobalPlatform community connected the payment and ID sectors to standardize the development, deployment and in-field management of multiple applications on Secure Elements (SEs) – including SIMs and embedded SEs – for a variety of form factors, including passports, smart cards and contactless cards. This provided significant benefits, offering trust and security, and enabling manufacturers to develop once and deploy across multiple markets and platforms.
The SE remains important to our work because of its penetration across various markets, and our success led us to standardize other technologies. Later, the GlobalPlatform community focused its efforts on the Trusted Execution Environment (TEE). Our members brought forward the very first public specifications available to the mobile industry, which created a platform for innovation, providing the framework for the TEE to thrive.
Now, the GlobalPlatform SE and TEE specifications are seen as de facto standards in the marketplace. To continue our legacy of success, we are now applying our expertise to securing the Chain of Trust between the device and the cloud, which is critical in today’s connected world. With our Device Trust Architecture framework we are standardizing access to secure services within the device. We look forward to continuing this tradition of leadership as we advance our efforts into the IoT ecosystem.
IoT trust is fundamental, not optional
Over the last few years, the narrative of our industries has shifted to focus on securing the IoT. With 75.44 billion IoT devices to be deployed by 2025, and some suggesting only 4% have adequate security, the ecosystem is facing a monumental challenge. To help address the challenges facing device manufacturers and digital service providers, GlobalPlatform introduced its IoTopia framework, a practical implementation guide to secure IoT devices across all markets and in line with global requirements.
One area that the IoTopia framework is bringing value to is the issue of device intent, which allows the device to tell the network what it needs. By leveraging IETF’s manufacturer usage descriptions (MUD) and uniform resource identifier (URI), IoTopia aims to effectively manage device permissions and access to networks.
IoTopia’s goal is to give the ecosystem the standards-based approach to IoT security implementation that it badly needs. Importantly, IoTopia is bringing together global and regional guidelines and requirements to help device manufacturers build products and services that satisfy regulatory mandates. I am excited to see how GlobalPlatform’s IoTopia committee will work to offer device makers a flexible security blueprint to build secure devices without having to become cybersecurity experts themselves.
Certification, certification, certification
Certifying secure components within devices, and devices themselves, is essential in facilitating collaboration and trust between service providers and device manufacturers. However, doing this in the IoT presents unique challenges because it is such a fast-paced landscape. Not all devices have the same requirements. For example, compare a connected lightbulb and a connected car. Each device has completely different lifespans, communication abilities and consequently security requirements (not to mention that a car is a collection of hundreds of components and devices) – so how could the devices be expected to have the same level of security certification?
Consequently, it has become more and more important for device makers to tailor their level of security certification for their specific use case. This year, GlobalPlatform has built on its already successful certification program with the introduction of support for the Security Evaluation Standard for IoT Platforms (SESIP) methodology. SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem with an evaluation approach that can be mapped to other methodologies like Common Criteria, reusable across IoT platforms and adaptable to the evolving needs of the IoT environment.
We are now working to support certification bodies and IoT device makers to adopt the methodology to bring consistency to the IoT.
Bringing assurance and interoperability to the billions of devices in the connected device ecosystem is an ambitious goal. We are committed to reducing complexity, costs and time to market for IoT stakeholders and, while there is much to be done, our members are working tirelessly to make this vision a reality. I look forward to keeping you updated as our technical initiatives and outputs evolve.