Interview with Janne Uusilehto, Head of Nokia Product Security

Janne is Head of Nokia Product Security, responsible for product security development at the world’s number 1 mobile device manufacturer.

He is a member of several Nokia internal security related management boards, and Nokia’s main representative in the Trusted Computing Group and EICTA’s Mobile Security Group. He is a frequent speaker at security conferences.

What is your background and how did it prepare you to face the challenges in your current position?
If I look back over my career, there is one common denominator and that is the Internet. I started my working life in software development for small and medium sized businesses, while using the majority of my free time surfing the Internet. In the 90s I was working in the banking industry responsible for electronic banking related tools and software. This was the time when Internet sales, payment and banking systems really took off and this gave me great experience which I can rely on now as Nokia expands its focus from mobile devices to a range of Internet services.

What new security trends and technologies do you find exciting?
I believe that the transition from simple voice centric phones to fully open Internet and open source software based personal devices with standardized platform features is fascinating. The mobile industry has learned a lot from the PC industry and right now we can see how those learnings will make a difference. More generally, the evolution to multimedia experiences and complete freedom of time and place are very, very exciting.

How does security integrate into the product manufacturing lifecycle of Nokia business phones? How important is security to Nokia’s overall product strategy?
I used to say that “security is equally important as any business enabler, no more, no less”. Security is a vital part of devices targeted to business segments, but has a significant role in other devices and segments as well.

Differences become evident if we look at security more closely. Platform and system security must be well defined and accurately targeted in both. The clear difference is in the area of security services for mobile devices, such as terminal management and VPN (Virtual Private Network) systems.

One key area where we have invested heavily is mobile device management, technology which allows IT organisations to remotely manage their IT security policies on their Nokia business devices based on their individual and organizational requirements. Security must be part of the design process, right from the start of platform development. In order to be effective enough, security cannot be added afterwards, when the device design is completed.

What is your policy when it comes to establishing security rules for new products?
The main principles that we bear in mind when designing new products are high usability and putting maximum control in the hands of the device owner and user. The settings are made to meet the standard needs, and after this, the user can decide what level of protection he or she needs.

Most of your high-end devices run Symbian but Linux is coming into the picture. In your opinion, which platform is more likely to stand the test of security over time? Do you plan to release more Linux-based devices?
My view is that there are no major differences between these platforms when it comes to security. Most of the protection is based on architectural design and applications used on top of the platform. Both are designed for demanding security environments. And both have their target customers and user groups.

My responsibility is to make sure that Nokia has an innovative and competent product security development organization for any platform that we use. We are exploring the use of Linux in our non-cellular device category through the Nokia N800 and 770 Internet Tablets.

What security strategy does Nokia have in order to maintain a firm grip on the variety of evolving threats targeting mobile devices?
Our strategy for security developments in Nokia products and platforms is based on detailed analysis of the demand for different features and services. When either the user or business case indicates that more security features and/or services are needed, those are made part of the default set. Platform security can also be adjusted based on needs identified in the analysis. Having an open platform means that the user of the device can increase the level of security as needed.

What security challenges does Nokia’s product portfolio face in the next 5 years?
What will happen in the future is hard to guess and I don’t have a crystal ball! Our work is based on a straightforward strategy that consists of thorough threat analysis, product by product, platform by platform. From experience, although technologies are evolving, the principal types of threat remain the same, though the details may vary. A structured approach such as ours allows us to plan and respond effectively.

As the mobile environment evolves, we are seeing that most of the threats today are familiar from the Internet and computer environments; attacks are just targeted to new implementations and new protocols. To prepare for this challenge, we are designing our devices today to deliver a robust set of security capabilities and also to enable our users to protect themselves without compromising the mobile experience that they love.

What can enterprise customers expect from Nokia in 2008 when it comes to security?
Nokia business customers will be able to roll out new and exciting mobile applications to securely liberate their workforce from their cubicles and enable cost savings with technologies such as mobile email and Voice over IP from Nokia and its partners and standardize on Nokia security platforms.