INTERNATIONAL. As smart devices are becoming autonomous, chief information security officers (CISOs) are being required to adopt new mechanisms and approaches to trust.
We asked Dionisio Zumerle, research director at Gartner, his views on what CISOs need to do to protect the integrity of Internet of Things (IoT) devices and employ adaptive trust.
Q: What is the relevance of security in digital business?
A: Digital business and the IoT may seem distant from certain enterprise scenarios; in reality, they are not. For example, commercial car sharing implementations leverage smartphone apps as car smart keys, while headless ATMs can deliver money via the customer's smartphone app.
From a security standpoint, the scale of these interactions can reveal more vulnerabilities and demand caution. In the past year, for example, more than 3.4 million vehicles had to be patched for security vulnerabilities that impacted passenger safety. The fears over the risks of interconnectivity are such that China has forbidden its armed forces from using internet-connected wearable technologies.
The traditional model of information security prioritizes the confidentiality, integrity and availability of information. However, as digital business blurs the digital and physical worlds, digital breaches result in physical damage. As a result, the safety of environments and individuals becomes the primary goal.
Q: What is new about information security in digital business?
A: The change in the way we approach human-to-device and device-to-device trust is going to be fundamental. The IoT is composed of smart devices that take autonomous actions. Traditional trusted computing requires that the trusted device satisfies certain predefined properties. A device is either trusted or considered compromised.
Digital business use cases require that, much like humans, devices establish trust gradually, confirming expectations in recurring, small transactions. Devices must be able to operate under different levels of trust, joining a system at a minimum level of trust that then rises in time, allowing for more impactful actions. Like in human interactions, this allows trust to develop on less-important operations before a component is trusted with more-important operations.
In addition, trust assurance mechanisms will need to become more agile and granular to address digital business scenarios. For example, connected cars require that infotainment systems are connected to the car control systems to add convenient features, such as remote unlocking, remote ignition and heating, and vehicle geolocation.
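The graded-trust model described in the answer above, worked through as a small policy engine (an added illustration, not code from Gartner or the interviewee). The trust levels, the actions mapped to them, the promotion threshold and the reset-on-failure rule are all constructed assumptions for this example.

```python
"""Adaptive trust ladder for a smart device: join at the minimum level,
earn higher levels through repeated verified low-impact transactions,
and lose all trust on any integrity failure (constructed example)."""
from dataclasses import dataclass, field

# Minimum trust level each action requires (assumed policy for this example).
ACTION_MIN_LEVEL = {
    "report_telemetry": 0,   # low impact: allowed from the moment a device joins
    "read_diagnostics": 1,
    "remote_unlock": 2,
    "remote_ignition": 3,    # most impactful: only for fully trusted devices
}
MAX_LEVEL = 3
PROMOTE_AFTER = 5  # consecutive verified transactions needed to climb one level


@dataclass
class DeviceTrust:
    device_id: str
    level: int = 0          # every device joins at the minimum level
    streak: int = 0         # verified transactions since the last level change
    history: list = field(default_factory=list)

    def can(self, action: str) -> bool:
        """True if the device's current level permits the action."""
        return self.level >= ACTION_MIN_LEVEL[action]

    def record(self, action: str, integrity_ok: bool) -> int:
        """Record one transaction (with its integrity-check result) and
        return the device's new trust level."""
        if not self.can(action):
            raise PermissionError(
                f"{action} needs level {ACTION_MIN_LEVEL[action]}, "
                f"{self.device_id} is at level {self.level}")
        if not integrity_ok:
            # One failed integrity check resets the device to untrusted.
            self.level, self.streak = 0, 0
            self.history.append((action, "FAIL"))
            return self.level
        self.streak += 1
        self.history.append((action, "OK"))
        if self.streak >= PROMOTE_AFTER and self.level < MAX_LEVEL:
            self.level += 1     # trust rises only after a run of small successes
            self.streak = 0
        return self.level


def simulate(device_id: str, events) -> DeviceTrust:
    """Replay (action, integrity_ok) events against a fresh device record."""
    device = DeviceTrust(device_id)
    for action, ok in events:
        device.record(action, ok)
    return device
```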
Q: How do security leaders ensure the safety of their customers and/or employees?
A: Smart devices will increasingly need autonomy to make decisions and take actions that require trust. While the recurrent revelations about pervasive surveillance and the increasing invasiveness of mobile apps have turned the security industry's attention to confidentiality, trust in components mainly relies on integrity assurance mechanisms, not encryption.
Encrypted tunnels are of no use if the IoT devices that use them can be tampered with without leaving a trace. CISOs should place increasing attention on integrity mechanisms and assurance when selecting IoT devices and building IoT systems.
CISOs should also contextualize their IoT approaches. Some principles will emerge, such as updateability. Take the example of the connected car: The average lifetime of a vehicle can be estimated at eight to 10 years, while a smartphone has a life expectancy of approximately two years, after which security and OS updates become infrequent or cease altogether. This situation would lead to connected cars being vulnerable to attacks for six to eight years.
It is paramount that CISOs ensure that connected components can be updated over the air, or are removable and exchangeable with newer ones. CISOs must also certify clear service-level agreements and boundaries of accountability with platform providers.
Gartner clients can read more detailed analysis in the report "Digital Business Mandates IoT Security Strategies."
Gartner Security & Risk Management Summits
Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2016 taking place in Tokyo, Sao Paulo, Sydney, Mumbai and London. Follow news and updates from the events on Twitter at #GartnerSEC.
Photo Caption: Dionisio Zumerle, research director at Gartner
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide.
Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 7,900 associates, including more than 1,700 research analysts and consultants, and clients in more than 90 countries.
For more information, visit www.gartner.com.