Insight series: The Evolution of Secure Components
By Gil Bernabeu, Technical Director
For over 20 years, GlobalPlatform has provided the industry with standards and certifications for secure component technologies - Secure Elements (SEs) and Trusted Execution Environments (TEEs). In this blog Technical Director, Gil Bernabeu, explains how the technology is evolving and extending to support the secure development of new types of connected devices, through solutions that give device makers and cloud service providers trusted platforms on which to innovate.
Secure components: A trusted platform for innovation
GlobalPlatform’s Secure Element and Trusted Execution Environment solutions protect keys, applications and data, and devices across a wide range of use cases.
A Secure Element (SE) is a tamper-resistant platform (usually a one chip secure microcontroller) capable of securely hosting applications and their confidential, cryptographic data. Tamper-resistance enables the highest level of protection available in today’s connected devices. SEs are used in smart cards, passports and ID cards, but also embedded in smartphones and IoT devices. Trusted Execution Environments (TEEs) on the other hand are a secure area within the main processor of a connected device, ensuring sensitive data is stored, processed and protected in a trusted environment. Secure components combine secure hardware and software, to protect assets and deliver secure services to applications and devices. These technologies meet different requirements and security levels, offering connected industries a secure-by-design platform to develop, deploy and manage digital services.
While secure components have been used to bring trust and security to telecoms, ID and banking industries for many years, new use cases are expanding their applicability and security benefits to more verticals and stakeholders. Automotive, smart home, payments and healthcare are just a few of the markets now leveraging GlobalPlatform-secured components to meet specific business, security, regulatory and data protection needs.
In 2019, GlobalPlatform conservatively estimates that over 7.6 billion SEs shipped globally were based on its specifications. This figure represents a 20% increase from 2018 and takes the total number of GlobalPlatform-based SEs deployed in the past 10 years to over 42 billion. We also estimate that over one billion GlobalPlatform-based TEEs were shipped in 2019 as the use of TEEs in use cases such as the protection of Android smartphones and enabling enhanced connectivity for smart TVs continues to gain traction.
More than 53 billion GlobalPlatform-certified components are used in devices across market sectors, including payments, mobile connectivity and IoT.
Enabling new, fully-digital use cases
In today’s connected world, markets adopting GlobalPlatform-secured components are accelerating deployment and evolution of digital use-cases. A recent example is the sudden increase in market adoption of contactless payments, caused by the COVID-19 pandemic; GlobalPlatform SE technology empowers the payments industry to unlock benefits for new and advanced use cases, such as fingerprint authentication on physical banking cards which, according to industry figures, were a key driver for SE shipment growth in 2019. Earlier this year GlobalPlatform released a new specification, the Secure Element Broker Interface, to simplify and bring greater trust to the authentication of digital services on smartphones, biometric-enabled cards and wearables.
SE architecture is also evolving to broaden access to advanced secure services within a device. For example, attestation mechanisms, network authentication, secure cloud onboarding and remote life-cycle management. Today, new form factors such as embedded Secure Elements (eSEs) and integrated Secure Elements (iSEs) are available to secure a growing range of digital applications across financial services and other industries.
GlobalPlatform simplifies the deployment of these form factors to ensure that secure components maintain the levels of flexibility required to secure a varied and expanding IoT. One example of this is the Virtual Primary Platform (VPP) specification, which enables the creation of a virtual secure area inside a SE, offering device makers a universal form factor on which digital services can be hosted and executed, while benefitting from the tamper resistance offered by the hardware backed platform. Similarly, TEE technology is also evolving to support the remote customer onboarding lifecycle. If smartphones are to be used to perform trusted remote KYC (Know Your Customer) functions they need to be secure. As does the functionality – image capture, biometric sensors, trusted location and secure communication with service providers – used to manage trusted authentication. This is why we are seeing more and more security certifications performed on devices containing a TEE.
Supporting the IoT to scale securely
In 2019 alone, 100% of SEs embedded in smartphone devices were based on GlobalPlatform, demonstrating the continued confidence in GlobalPlatform-certified technologies to meet globally diverse security and privacy needs, whilst offering stable and cost effective security assurance for the long term investment of device manufacturers. With attacks on IoT devices becoming more sophisticated, secure components offer a robust solution to help IoT developers prioritize security and answer to requirements.
A standardized approach is particularly useful to manufacturers in newly connected industries who do not have the expertise or resources to develop their own security architectures, and instead need to focus on the development and innovation of their products. By offering IoT industries a standardized, flexible approach to security, GlobalPlatform is facilitating the secure expansion of IoT, enabling end users to safely experience all the benefits offered by increased connectivity.
We are also looking forward to the upcoming development of a new secure component form factor, based on secure microcontroller (MCU) technology, which will be standardized by GlobalPlatform. Our recent collaboration with the RISV-V foundation to collaborate on the development of a secure core for TEEs in IoT is an important step. We plan to deliver a Protection Profile to accelerate the certification of Root of Trust (RoT) in secure MCUs, based on requirements that align with GSA and other GlobalPlatform industry association partners.
GlobalPlatform also supports solution providers in certifying their products, allowing them to demonstrate to the market that they have taken the necessary steps to ensure products are built upon a secure foundation. For solution providers using GlobalPlatform standardized components, certification is further simplified as 80% of global security requirements are already covered by GlobalPlatform technologies.
GlobalPlatform’s role in standardizing secure components
Using standardized and certified secure components, device makers can innovate and build solutions safe in the knowledge that they will meet the baseline levels of security required to successfully go to market. This greatly simplifies and speeds up go to market processes, leading to increased profits and security assurance, while bypassing the need for manufacturers to invest in hiring or training a raft of security experts.
IoT is offering fantastic benefits to end users and improving lives around the world through a range of use cases, but the time-tested approach of using certified secure parts is the vital foundation upon which this innovation can thrive.
Having established its role as the standard for SEs and TEEs, and increasing focus on secure MCU, GlobalPlatform is working to support the IoT ecosystem to utilize these technologies to build, certify, deploy and manage connected solutions. The Device Trust Architecture (DTA) provides a framework for accessing secure services within a device, the IoTopia Framework offers guidelines for the secure launch and management of connected devices, and with its SESIP Methodology GlobalPlatform is supporting IoT device makers and certification bodies to adopt and establish their own IoT device security certification schemes.