AREA-Directed Research: RFP Submission
Deployment of Wearable AR in Highly Secure Corporate Environments
Customer Problem
With appropriately increased awareness of cybersecurity threats, using unsecured devices is forbidden in most enterprise environments. AREA members need to be able to integrate AR hardware and software, including AR applications built with game engines such as Unity, with existing enterprise infrastructure while also ensuring proper access controls are in place, and that, if an individual device is lost or stolen, no information is compromised. Furthermore, the lack of convenient input on wearable AR devices provides a challenge for traditional username/password mechanisms, increasing the amount of time and energy required to use the device, and dissuading adoption.
To summarize:
- Implemented improperly, the use of AR devices could increase the attack surface for an enterprise, and impact organizational security and operations.
- AR devices are endpoints that introduce a new set of requirements to security architecture and engineering, and those requirements have to scale across the enterprise.
- Users need to be authenticated via secure enterprise services when they begin to use a wearable AR display, including AR devices meant for use by multiple users, and before accessing instructions or any other corporate assets/resources.
- Due to the variety of enterprise authentication providers, the use of open standards to enable configurability is essential. Identification and use of standards to leverage existing security services within game engine-built AR applications, such as Unity, is highly desirable.
- AR experiences need to be able to dynamically access appropriate assets/content on network resources, without exposing those resources to unintended audiences.
- Input methods and user interfaces for AR experiences provide poor mechanisms for text entry, making the username/password logins relied on by many enterprises cumbersome, or impossible, on some AR interfaces. Alternatives to manual password entry on AR devices are needed, without weakening enterprise security.
- Many AR applications are being developed by startups that have little focus on enterprise security services, increasing the likelihood of having critical vulnerabilities, especially in the storage and transmission of credentials.
Project Goals
The project aims to inform AREA members about existing security technologies and approaches which can be leveraged to minimize or eliminate the number and types of novel attack surfaces created by introducing new devices into the enterprise. If there are any places where new attack vectors cannot be eliminated, this project aims to inform AREA members about what the potential risks are, and how the risk can be minimized now, or eliminated in the future.
This research project will clarify barriers to use of wearable AR in secure corporate environments and recommend best practices or requirements to be met in future enterprise AR display devices. Topics to be addressed include but will not be limited to:
- The applicability of existing open authentication standards for use in AR in the enterprise
- How federated identity and Single Sign On (SSO) works in the context of AR
- Assessment of how smartcards (via USB-C adapter), retina scanning and Bluetooth keyboards can be used for username/password authentication
- How to implement identity gating and connect with existing enterprise IT security systems in AR applications built with game engines (e.g., Unity applications for HoloLens)
- Secure onboarding (connectivity, device management, and application configuration) of AR devices using established industry standards
- Open vs. closed system architecture risks that should be considered
- Understanding the right balance between security and user experience, given the security controls in place
- Understanding privileged access and conditional access requirements for AR use
- Identification of appropriate physical security requirements (e.g., asset tagging and geofencing) for AR devices
- Recommended mechanisms to perform authentication on systems with limited user input
- Mechanisms to keep sensitive proprietary data safe from risk vectors when authoring or using AR applications
- Designing systems to allow for changing authentication back-ends, as more organizations move towards zero-trust
- Frameworks to effectively assess the practical cyber threat of introducing new AR devices to a secure enterprise environment
With AREA member input, this project will identify barriers to entry in integrating AR devices and applications with existing enterprise environments, enterprise identity and security management systems in-use by members, AR devices in-use by members, and software utilized by members to build AR applications.
Deliverables
Deliverables will include:
- An updated framework to understand the areas of risk and potential impact unique to AR devices and AR software, so proper mitigations can be designed.
- A decision support tool (i.e. traceability matrix) based on the framework for the best practices
- A framework to understand what data needs to be consistently monitored by security operations centers (SOC) teams.
- Code and environment for testing SSO and secure data retrieval utilizing security systems such as Microsoft Enterprise SSO or Azure AD SSO within a hosted, known-working testing environment for use by AREA members and to be open for a period of no less than 60 days following delivery of final project deliverables.
- Recommended practices for securely integrating AR devices in enterprise environments with user-friendly input methods, so that, as noted above, security supports rather than dissuades adoption.
- A gap analysis that can be published to guide future work in consensus-based Standards Development Organizations focusing on security protocols.
- Executive Summary of research findings for public distribution.
- Member-Exclusive Webinar about research findings.
Note: The research conducted can be published with a 6-month embargo period.
Proposal
The research project proposal will include (max 7 pages):
- Description of the research design and methodology (including an explanation of how it will measure the requested KPIs and address the project topics)
- Project milestones and timeline
- Project risks, bias, and mitigation measures
- Potential or confirmed partners in the research
- Background and qualifications of the organization to perform research and any proposed partners
- Examples of other completed projects/reports (not included in page count)
- Names and contact information for up to three references
Selection Criteria
All proposals will be evaluated by the AREA research committee chairs and research manager on the following criteria:
- Experience in security and user experience with wearable AR devices
- Track record in research and development
- Research methodology and ability to deliver statistically sound research
- Timeline
- Feedback of references
Timeline and Deadlines
Please use the form below to submit your proposal on or before 12 PM Eastern Daylight Time on March 21, 2023. The AREA will provide detailed replies to submitters on or before March 29, 2023.
Unless otherwise negotiated in advance, the research project is expected to take approximately 110 days. Research will be completed, and finished deliverables provided to the AREA by July 25th 2023.
Budget for this Project
The AREA Research Committee budget for this project is $15,000.
Questions
For answers to any questions concerning this project and the AREA Research Committee, please send an email to the Research Committee.