
Securing trust in digital business

06 Jul 16

As smart devices become autonomous, chief information security officers (CISOs) need new mechanisms and approaches to trust.

We asked Dionisio Zumerle, research director at Gartner, his views on what CISOs need to do to protect the integrity of Internet of Things (IoT) devices and employ adaptive trust.

Q: What is the relevance of security in digital business?

A: Digital business and the IoT may seem distant from certain enterprise scenarios; in reality, they are not. For example, commercial car sharing implementations leverage smartphone apps as car smart keys, while headless ATMs can deliver money via the customer's smartphone app.

From a security standpoint, the scale of these interactions can reveal more vulnerabilities and demand caution. In the past year, for example, more than 3.4 million vehicles had to be patched for security vulnerabilities that impacted passenger safety. The fears over the risks of interconnectivity are such that China has forbidden its armed forces from using internet-connected wearable technologies.

The traditional model of information security prioritises the confidentiality, integrity and availability of information. However, as digital business blurs the digital and physical worlds, digital breaches result in physical damage. As a result, the safety of environments and individuals becomes the primary goal.

Q: What is new about information security in digital business?

A: The change in the way we approach human-to-device and device-to-device trust is going to be fundamental. The IoT is composed of smart devices that take autonomous actions. Traditional trusted computing requires that the trusted device satisfies certain predefined properties. A device is either trusted or considered compromised.

Digital business use cases require that, much like humans, devices establish trust gradually, confirming expectations in recurring, small transactions. Devices must be able to operate under different levels of trust, joining a system at a minimum level of trust that then rises in time, allowing for more impactful actions. Like in human interactions, this allows trust to develop on less-important operations before a component is trusted with more-important operations.

In addition, trust assurance mechanisms will need to become more agile and granular to address digital business scenarios. For example, connected cars require that infotainment systems are connected to the car control systems to add convenient features, such as remote unlocking, remote ignition and heating, and vehicle geolocation.

Q: How do security leaders ensure the safety of their customers and/or employees?

A: Smart devices will increasingly need autonomy to make decisions and take actions that require trust. While the recurrent revelations about pervasive surveillance and the increasing invasiveness of mobile apps have turned the security industry's attention to confidentiality, trust in components mainly relies on integrity assurance mechanisms, not encryption.

Encrypted tunnels are of no use if the IoT devices that use them can be tampered with without leaving a trace. CISOs should place increasing attention on integrity mechanisms and assurance when selecting IoT devices and building IoT systems.

CISOs should also contextualise their IoT approaches. Some principles will emerge, such as updateability. Take the example of the connected car: The average lifetime of a vehicle can be estimated at eight to 10 years, while a smartphone has a life expectancy of approximately two years, after which security and OS updates become infrequent or cease altogether. This situation would lead to connected cars being vulnerable to attacks for six to eight years.

It is paramount that CISOs ensure that connected components can be updated over the air, or are removable and exchangeable with newer ones. CISOs must also certify clear service-level agreements and boundaries of accountability with platform providers.
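The two ideas in the second and third answers, a device that joins at a minimum trust level and climbs by completing small attested transactions, and trust that rests on integrity evidence rather than on the encrypted channel, can be combined into one gating mechanism. The following is an added illustration written for this page, not code from Gartner or from any product; the trust rungs, the mapping of vehicle actions to rungs, the promotion threshold of five transactions and the HMAC-based attestation with a per-device key are all assumptions chosen for the example.

```python
"""Graduated device trust gated on integrity attestation (illustrative example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Trust ladder: a device joins at UNTRUSTED and climbs one rung at a time."""
    UNTRUSTED = 0   # freshly joined, or failed its last integrity check
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Minimum trust rung per action. The mapping is an assumption for this example;
# the article only says low-impact operations come before high-impact ones.
REQUIRED = {
    "heartbeat": Trust.UNTRUSTED,        # attestation only, no effect on the vehicle
    "report_telemetry": Trust.LOW,
    "geolocate": Trust.MEDIUM,
    "remote_heating": Trust.MEDIUM,
    "remote_unlock": Trust.HIGH,
    "remote_ignition": Trust.HIGH,
}

PROMOTE_AFTER = 5   # allowed, attested transactions needed to climb one rung (assumed)


@dataclass
class Device:
    device_id: str
    key: bytes                  # per-device HMAC key provisioned at enrollment (assumed scheme)
    golden_measurement: bytes   # SHA-256 of the firmware image recorded at enrollment
    trust: Trust = Trust.UNTRUSTED
    successes: int = 0          # allowed transactions since the last rung change


def attest(device_id: str, key: bytes, nonce: bytes, firmware: bytes):
    """Device side: measure the running firmware and authenticate the claim.

    In a real deployment the measurement would come from a hardware root of trust
    so a compromised OS cannot lie about it; here the device simply hashes its image.
    """
    measurement = hashlib.sha256(firmware).digest()
    tag = hmac.new(key, device_id.encode() + nonce + measurement, hashlib.sha256).digest()
    return measurement, tag


def verify_attestation(dev: Device, nonce: bytes, measurement: bytes, tag: bytes) -> bool:
    """Verifier side: the claim must be authentic AND match the golden measurement."""
    expected = hmac.new(dev.key, dev.device_id.encode() + nonce + measurement, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged, or signed under the wrong key
    return hmac.compare_digest(measurement, dev.golden_measurement)


def request(dev: Device, action: str, nonce: bytes, measurement: bytes, tag: bytes) -> str:
    """Gate an action on integrity first, then on the device's current trust rung."""
    if not verify_attestation(dev, nonce, measurement, tag):
        dev.trust, dev.successes = Trust.UNTRUSTED, 0   # tamper evidence: back to the bottom
        return "denied: integrity check failed"
    needed = REQUIRED[action]
    if dev.trust < needed:
        return f"denied: {action} needs {needed.name}, device is {dev.trust.name}"
    dev.successes += 1
    if dev.successes >= PROMOTE_AFTER and dev.trust < Trust.HIGH:
        dev.trust, dev.successes = Trust(dev.trust + 1), 0
    return "allowed"


def simulate() -> list:
    """Walk one constructed device up the ladder, then tamper with it."""
    key = b"constructed-per-device-key"              # constructed for the example
    firmware = b"constructed-firmware-image-v1"      # constructed for the example
    dev = Device("car-0001", key, hashlib.sha256(firmware).digest())
    log = []

    def do(action, image=firmware, k=key):
        nonce = os.urandom(16)                       # verifier-issued challenge
        m, t = attest(dev.device_id, k, nonce, image)
        log.append(f"{action}: {request(dev, action, nonce, m, t)} -> {dev.trust.name}")

    do("remote_unlock")                              # denied: fresh device
    for _ in range(PROMOTE_AFTER):
        do("heartbeat")                              # earns LOW
    for _ in range(PROMOTE_AFTER):
        do("report_telemetry")                       # earns MEDIUM
    for _ in range(PROMOTE_AFTER):
        do("geolocate")                              # earns HIGH
    do("remote_unlock")                              # allowed
    do("heartbeat", image=b"constructed-firmware-image-v1-backdoored")  # tampered: reset
    do("remote_unlock")                              # denied again despite the earlier history
    do("heartbeat", k=b"wrong-key")                  # forged tag: denied
    return log


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The ordering inside `request` is the point: the integrity check runs before the trust rung is consulted, so a device whose measurement no longer matches its enrollment record loses everything it earned, regardless of how the request was transported. The nonce ties each attestation to a fresh challenge; the per-device key and the hardware-backed measurement are the parts a real deployment would source from a TPM or secure element rather than from software.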

Gartner clients can read more detailed analysis in the report "Digital Business Mandates IoT Security Strategies."

Gartner Security & Risk Management Summits

Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2016 taking place in Tokyo, Sao Paulo, Sydney, Mumbai and London. 

Article by Gartner.
