MagicCube’s Nancy Zayed: ‘Security needs to think and look different’

10 Aug 2018

MagicCube chief technology officer Nancy Zayed. Image: MagicCube

With millions of internet of things products coming on stream, organisations need to rethink security, says MagicCube’s CTO Nancy Zayed.

Nancy Zayed is chief technology officer of MagicCube, a key player in PIN-on-glass security technology, the new frontier of point-of-sale terminals where shoppers enter their PINs on retailers’ or banks’ mobile phone screens.

Prior to her current role, Zayed was the head of engineering and operations at InnoPath, a founding member of OMA (Open Mobile Alliance), where she led the global engineering development and service teams responsible for shipping Android, Rex, iOS, Windows Mobile and Symbian products.


Zayed is an advocate of the social and economic empowerment of women in STEM careers. She has held numerous leadership roles, including head of platform development at Cisco Systems, and she led CDMA (Code Division Multiple Access) mobile technology at Palm.

Zayed also spent more than 10 years at Apple, during which she helped secure the company’s second Emmy for its efforts and impact on the television industry.

What is MagicCube’s technology focus?

Our mission is to create a software-only security solution that provides a security posture comparable to hardware beyond the enterprise perimeter. In essence, we cater to the security of a critical application; it’s a B2B2C (business-to-business-to-consumer) play.

We cater to the security of an application running on a mobile phone, an internet of things (IoT) device or any sort of embedded device that deals with critical data. We integrate with the enterprise to provide real-time feedback into the security status of the device, and we can work online and offline.

To do that, we created a breakthrough technology that won us a couple of patents in the EU, North America, Japan and South Korea, whereby we create the first software-only trusted execution environment that isolates the sensitive code and data from the native platform.

We are industry agnostic, but an example of a typical application could be in fintech for mobile banking or a payment application. It is that application that we secure to operate securely and give real-time feedback into the corporations behind it so that they have visibility into what’s happening in the field.

That is actually away from the enterprise application and really more about supporting your customers. If you are a bank and you have a customer and you are offering your service through a mobile app, that’s where we come in. We have major players in Europe and southeast Asia using the platform.

We are not based in browsers because browsers are a bigger attack surface. What we are doing is more app-based. That app could be on a mobile platform or on a small embedded IoT device, but we steer away from the browser-based applications.

As the mobile device becomes the new payment terminal, how does security need to evolve?

This was actually created and conceived based on what we saw as an unmet need, which is: how can I protect the end consumer if the end consumer doesn’t work for the enterprise?

Somebody has to offer the security and give the service – or the enterprise, or the bank – the flexibility of owning their own security instead of depending on the OEM [original equipment manufacturer] or telecoms carrier to defend against vulnerabilities.

In the digital age, to your very point, security is not only about encryption. It goes beyond it to a point where you have to have a proactive posture as well as a reactive posture.

With legacy solutions, when a breach happens or a vulnerability happens, then they develop a response. What we are saying is that, in a digital age and when all devices are converging and billions of devices are coming in, you have got to have a more proactive role and control your security immediately. You have got to be able to simplify and provide a consistent experience across multiple platforms. That’s where we saw the opportunity.

How does the technology work?

Let me put it this way: from a technical perspective, we come from a variety of backgrounds, mostly software and hardware, operating systems and reverse engineering etc. We take the view of how an app is exposed to the rest of the ecosystem, whether it is for data in transit under threat or even in the operational and run-time environment of the app.

The core principle is that if an app is doing something sensitive, you cannot depend on the integrity of the network. You really cannot depend on it because you can never know the passive network breaches that are actually happening, and you can’t trust the native operational environment on a mobile device.

On a mobile phone you could have your data hacked without ever knowing it. When zero-day attacks occur, it can often mean that the OEM of the hardware or the operating system can do nothing until they can formulate a response and go through the internal cycle. That same device can change its hostility at various times during the day and so, therefore, the guiding principle is you really can’t trust anyone or anything.

Hence, the idea is of an isolated run-time environment that is completely alternate to the hardware and the network, that is under the control of the app with a backhand to the monitoring at all times. When the network is not there we continue to operate securely, albeit in a flexible way, all under the control of the provider of the app – in this case, a bank or a payment gateway.

The secret sauce is more on the concept that you cannot fully trust anything or anyone, even the app that you are servicing.

We are now in a world of smart speakers where we can interact with banks or retailers with our voice. With all of these new ways of interacting with the internet and services, how does security need to evolve?

We approach new devices carefully and we recognise, based on many years of experience, that we are not a one-size-fits-all for all your security needs. We approach devices carefully and focus more on the sensitive applications as opposed to any application. It is the use case that we focus on, and what it is that we are trying to protect, such as financial data or health data.

We are always thinking about what the different attacks might be. Our architecture, to a large degree, is OS-independent. We can run on connected cars, for example, and ensure the safety, security and the authenticity of the data.

How big is the attack surface you are defending now versus what it could be in a few years?

Each platform has its own attack surface and we analyse the attack surface and tailor our defences.

There is a core set of defences in terms of cryptographic protocols – those remain constant. But then it is the specific use case that changes everything. Any place the use case derives its security from the underlying network, encryption alone will not scale and is not enough.

The hacker community has a formidable pool of skills and talent. But there are also security people with an equivalent forte, technically speaking.

When we talk about connected cars, it is different than autonomous cars, different than a hospital bed with connected health devices around it. So each one is different. But all of them, when you think about it, require secure operation and execution of the sensitive code, and all require protection of sensitive data that is at threat and in transit, and this is where we start.

With cars, there is an internal network in the connected car and we ensure that commands that go along those networks are authentic. Our technology protects the execution of that command.

We keep educating the markets and the different industries that you’ve got to think beyond the enterprise and realise that millions and billions of devices that are coming into the market are new business models, new revenue streams. They cannot continue to adopt the same security and legacy context from IT and so forth. Security needs to think different, look different and recognise that part of the security is to be able to proactively not wait until the damage is done. When the damage is done it is done, so it is all about recognising an imminent threat or strange behaviour.

So that’s where we are at, and we have recognised an unmet need and it is a very interesting problem to solve. We’re proud and humbled by what we have achieved so far.
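The answer above describes ensuring that commands on a vehicle's internal network are authentic before they are executed, but gives no detail of how. The following is an added illustration written for this page, not MagicCube's code or any description of their product: it authenticates each command frame with a truncated HMAC over a monotonically increasing counter, the command identifier and the payload, so that a receiver rejects both tampered frames and replayed ones. The key, frame layout, tag length and sample commands are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample key; in practice the key would be provisioned to the
# sender and the receiving controller through a separate, protected channel.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed frame layout: counter (4 bytes) | command id (1 byte) | payload | tag.
HEADER_FMT = ">IB"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Assumed truncated tag length; short tags are common on bandwidth-limited buses.
TAG_LEN = 8


def _tag(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 over counter, command id and payload, truncated to TAG_LEN."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_command(key: bytes, counter: int, cmd_id: int, payload: bytes) -> bytes:
    """Sender side: frame a command and append its authentication tag."""
    body = struct.pack(HEADER_FMT, counter, cmd_id) + payload
    return body + _tag(key, body)


class CommandVerifier:
    """Receiver side: accept only authentic, fresh command frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, frame: bytes):
        """Return (True, (cmd_id, payload)) or (False, reason)."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "frame too short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False, "authentication tag mismatch"
        counter, cmd_id = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        # A counter that does not advance means the frame is a replay
        # (or arrived out of order); either way it is not executed.
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        self.last_counter = counter
        return True, (cmd_id, body[HEADER_LEN:])


def demo():
    """Walk through a valid frame, a replay, a tampered frame and a fresh frame."""
    verifier = CommandVerifier(SHARED_KEY)
    # Constructed sample commands: id 0x10 with a small payload.
    frame1 = build_command(SHARED_KEY, counter=1, cmd_id=0x10, payload=b"\x01\x2c")
    ok1, res1 = verifier.verify(frame1)
    ok2, res2 = verifier.verify(frame1)  # same frame again: replay
    tampered = bytearray(frame1)
    tampered[HEADER_LEN] ^= 0x01        # flip one payload bit
    ok3, res3 = verifier.verify(bytes(tampered))
    frame2 = build_command(SHARED_KEY, counter=2, cmd_id=0x10, payload=b"\x00\x00")
    ok4, res4 = verifier.verify(frame2)
    return [(ok1, res1), (ok2, res2), (ok3, res3), (ok4, res4)]


if __name__ == "__main__":
    for ok, res in demo():
        print("accepted" if ok else "rejected", res)
```

The receiver keeps only a single counter per sender, so it needs no clock and no network connection to decide whether a command is fresh, which matches the offline operation the interview mentions. Whoever holds the key can produce valid frames, so the scheme protects command integrity and freshness only as well as the key itself is protected on the device.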


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
