Securing Trust in Digital Business

As smart devices are becoming autonomous, CISOs are being required to adopt new mechanisms and approaches to trust.

We asked Dionisio Zumerle, research director at Gartner, his views on what chief information security officers (CISOs) need to do to protect the integrity of Internet of Things (IoT) devices and employ adaptive trust.

Q:What is the relevance of security in digital business?

A: Digital business and the IoT may seem distant from certain enterprise scenarios; in reality, they are not. For example, commercial car sharing implementations leverage smartphone apps as car smart keys, while headless ATMs can deliver money via the customer’s smartphone app.

As digital business blurs the digital and physical worlds, digital breaches result in physical damage.

From a security standpoint, the scale of these interactions can reveal more vulnerabilities and demand caution. In the past year, for example, more than 3.4 million vehicles had to be patched for security vulnerabilities that impacted passenger safety. The fears over the risks of interconnectivity are such that China has forbidden its armed forces from using internet-connected wearable technologies.

The traditional model of information security prioritizes the confidentiality, integrity and availability of information. However, as digital business blurs the digital and physical worlds, digital breaches result in physical damage. As a result, the safety of environments and individuals becomes the primary goal.

Q:What is new about information security in digital business?

A: The change in the way we approach human-to-device and device-to-device trust is going to be fundamental. The IoT is composed of smart devices that take autonomous actions. Traditional trusted computing requires that the trusted device satisfies certain predefined properties. A device is either trusted or considered compromised.

A device is either trusted or considered compromised.

Digital business use cases require that, much like humans, devices establish trust gradually, confirming expectations in recurring, small transactions. Devices must be able to operate under different levels of trust, joining a system at a minimum level of trust that then rises in time, allowing for more impactful actions. Like in human interactions, this allows trust to develop on less-important operations before a component is trusted with more-important operations.

In addition, trust assurance mechanisms will need to become more agile and granular to address digital business scenarios. For example, connected cars require that infotainment systems are connected to the car control systems to add convenient features, such as remote unlocking, remote ignition and heating, and vehicle geolocation.

Rethink the Security & Risk Strategy

Why leaders must embrace modern cybersecurity practices

Download Free eBook

Q:How do security leaders ensure the safety of their customers and/or employees?

A: Smart devices will increasingly need autonomy to make decisions and take actions that require trust. While the recurrent revelations about pervasive surveillance and the increasing invasiveness of mobile apps have turned the security industry’s attention to confidentiality, trust in components mainly relies on integrity assurance mechanisms, not encryption.

Encrypted tunnels are of no use if the IoT devices that use them can be tampered without leaving a trace. CISOs should place increasing attention on integrity mechanisms and assurance when selecting IoT devices and building IoT systems.

Autonomous smart devices require CISOs to adopt new mechanisms and approaches to trust.

CISOs should also contextualize their IoT approaches. Some principles will emerge, such as updateability. Take the example of the connected car: The average lifetime of a vehicle can be estimated at eight to 10 years, while a smartphone has a life expectancy of approximately two years, after which security and OS updates become infrequent or cease altogether. This situation would lead to connected cars being vulnerable to attacks for six to eight years.

It is paramount that CISOs ensure that connected components can be updated over the air, or are removable and exchangeable with newer ones. CISOs must also certify clear service-level agreements and boundaries of accountability with platform providers.

Gartner clients can read more detailed analysis in the report "Digital Business Mandates IoT Security Strategies,”, by Dionisio Zumerle, et al.

More detailed analysis is available in the Gartner Special Report “Cybersecurity at the Speed of Digital Business”, a collection of research that addresses the new reality where IT organizations have little direct infrastructure and their biggest security concerns will come from services outside their control. Learn more in the Gartner webinar “Special Report: Cybersecurity is a Foundation for Digital Business.”

Visit the Gartner Digital Risk & Security hub for complimentary research and webinars.

 

 

 

Get Smarter

Gartner Security & Risk Management Summits

The latest insights on IT trends, evolving security tech and the ever-changing threat landscape.

Explore Gartner Conferences

2019-2021 Emerging Technology Roadmap for Large Enterprises

We gathered expertise from IT professionals across 198 organizations to benchmark adoption stages and risk and value factors for 108 infrastructure and operations technologies for this year. The emerging technologies profiled are spread across six technology buckets: compute and storage, compute and storage (cloud), digital workplace, IT automation, network and security.

Read Free Gartner Research

Webinars

Get actionable advice in 60 minutes from the world's most respected experts. Keep pace with the latest issues that impact business.

Start Watching