IT security flounders in era of digital transformation

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 01 Feb 2017
Simphiwe Mayisela, group information security officer at IS.

In a time of digital transformation, businesses are continuing to apply traditional security measures to an environment that has changed. Although it hasn't changed completely, it's like the same scene played out by different actors, and some of these new actors include tens of millions of unprotected Internet of things (IOT) devices.

So says Simphiwe Mayisela, group information security officer at Internet Solutions, who will be discussing 'Cybersecurity and privacy in the era of digital transformation - truth or myth?', during the ITWeb Security Summit 2017, to be held from 15 to 19 May, at Vodacom World in Midrand.

"With the advent of IOT, hackers are now exploiting vulnerabilities in Web cams and wireless keyboards, using tools such as KeySniffers to establish a toehold in an organisation for further compromises. IOT devices are always connected and always on, which can make them ideal infiltration and compromise points, as they are seen as seamless conduits from the outside."

This means the organisational perimeter has changed, he says. "Things like environmental sensors, wearable technology and employee devices are now the new perimeter. This calls for more decentralised computing and security architectures that can deal with huge volumes of data generated by these IOT device sensors."

Most businesses are going wrong by not converting these huge volumes of data into threat intelligence in such a way that they become predictive rather than reactive in their defence strategy, he explains.

"Another thing that businesses are doing wrong is that they want to use traditional identity and access management (IAM) approaches to discover, authenticate and manage devices in a digital transformation era. While IAM toolsets seem appropriate in identifying and authorising access to data and network resources, devices in a digitally transformed age come with their own degree of complexities."

He says an example would be an employee device being linked to a user identity, whereas other devices, such as radio frequency identification (RFID) tags in inventory stores, may be linked to a physical asset. "Furthermore, these devices need to be classified based on their use case, for example, whether it is a consumer device or industrial device, and criticality."

This means that IAM technology should not only be 'context-aware', but 'scenario-based' too, explains Mayisela. "Another problem is the scale associated with IOT devices - managing a few thousand employees using IAM technology is different from managing millions of interconnected devices. Not to mention the difficulty in configuring the devices for secure communication - the volatile memory within these devices is often not enough to store a unique certificate, and/or the processing power is not enough to handle the cryptographic exchange required for secure communication."

Speaking of what they should be doing better, Mayisela says the competitive IOT market has spawned dozens of imitators for every product. "The market is under pressure to get something out, not to secure it. So instead of hiring security engineers to spend countless hours ensuring that IOT devices are securely configured and patched on business premises, businesses should start looking at 'incentivising' IOT device manufacturers to ensure that these devices are secure by design. Alternatively, businesses can insist on implementing only the IOT products that meet 'secure-by-design' standards such as the TrustZone ARMv8-M Standard."

The same applies to software tools and solutions, he says. "These should come out-of-the-box with built-in APIs and services for accessing cryptography, access authorisation, authentication, key management and other basic security functions. To achieve this secure-by-design approach, hardware manufacturers and software vendors are starting to collaborate. Already we are starting to see a convergence of chip makers and software vendors, such as CoreLockr-TZ from Sequitur Labs, along with NXP, Renesas, Microchip, IAR and a range of RTOS vendors like ExpressLogic."

IAM technology vendors should come up with innovative ways of deriving unique identifiers from the physical aspects of very small devices, in a scalable and automated fashion, he adds. "Businesses should also shift their efforts away from traditional IAM to adaptable IAM with automated device identification, enrolment and provisioning, as well as a strong focus on relationships between machines, devices and users."

Delegates attending Mayisela's talk will learn about adaptive security architecture, which Mayisela says has been listed as one of the Top 10 Technology Trends for 2017 by Gartner, with a firm focus on continuous analysis of user and entity behaviour, external identity and threat intelligence, and adaptive and built-in security awareness.

"My talk will empower delegates to answer tough business questions such as: how to adapt their security strategy for the digital future, how to ensure that their security innovation budget is used effectively, and how to remain competitive in the increasingly connected, digital marketplace, while maintaining a good security posture."
