We asked Dionisio Zumerle, research director at Gartner, his views on what chief information security officers (CISOs) need to do to protect the integrity of Internet of Things (IoT) devices and employ adaptive trust.
Q:What is the relevance of security in digital business?
A: Digital business and the IoT may seem distant from certain enterprise scenarios; in reality, they are not. For example, commercial car sharing implementations leverage smartphone apps as car smart keys, while headless ATMs can deliver money via the customer’s smartphone app.
As digital business blurs the digital and physical worlds, digital breaches result in physical damage.
From a security standpoint, the scale of these interactions can reveal more vulnerabilities and demand caution. In the past year, for example, more than 3.4 million vehicles had to be patched for security vulnerabilities that impacted passenger safety. The fears over the risks of interconnectivity are such that China has forbidden its armed forces from using internet-connected wearable technologies.
The traditional model of information security prioritizes the confidentiality, integrity and availability of information. However, as digital business blurs the digital and physical worlds, digital breaches result in physical damage. As a result, the safety of environments and individuals becomes the primary goal.
Q:What is new about information security in digital business?
A: The change in the way we approach human-to-device and device-to-device trust is going to be fundamental. The IoT is composed of smart devices that take autonomous actions. Traditional trusted computing requires that the trusted device satisfies certain predefined properties. A device is either trusted or considered compromised.
A device is either trusted or considered compromised.
Digital business use cases require that, much like humans, devices establish trust gradually, confirming expectations in recurring, small transactions. Devices must be able to operate under different levels of trust, joining a system at a minimum level of trust that then rises in time, allowing for more impactful actions. Like in human interactions, this allows trust to develop on less-important operations before a component is trusted with more-important operations.
In addition, trust assurance mechanisms will need to become more agile and granular to address digital business scenarios. For example, connected cars require that infotainment systems are connected to the car control systems to add convenient features, such as remote unlocking, remote ignition and heating, and vehicle geolocation.
Q:How do security leaders ensure the safety of their customers and/or employees?
A: Smart devices will increasingly need autonomy to make decisions and take actions that require trust. While the recurrent revelations about pervasive surveillance and the increasing invasiveness of mobile apps have turned the security industry’s attention to confidentiality, trust in components mainly relies on integrity assurance mechanisms, not encryption.
Encrypted tunnels are of no use if the IoT devices that use them can be tampered without leaving a trace. CISOs should place increasing attention on integrity mechanisms and assurance when selecting IoT devices and building IoT systems.
Autonomous smart devices require CISOs to adopt new mechanisms and approaches to trust.
CISOs should also contextualize their IoT approaches. Some principles will emerge, such as updateability. Take the example of the connected car: The average lifetime of a vehicle can be estimated at eight to 10 years, while a smartphone has a life expectancy of approximately two years, after which security and OS updates become infrequent or cease altogether. This situation would lead to connected cars being vulnerable to attacks for six to eight years.
It is paramount that CISOs ensure that connected components can be updated over the air, or are removable and exchangeable with newer ones. CISOs must also certify clear service-level agreements and boundaries of accountability with platform providers.