Privacy, Security, And The Internet Of Things

By Erin Harris, Editor-In-Chief, Cell & Gene
March 2015 Integrated Solutions For Retailers
A Q&A with Erin Harris and Demetrio Leon Guerrero, CTO, Acuative
Adopting an effective data-centric security model and applying the appropriate technologies for each security control are the only way forward. No single technology will provide the silver bullet.
As the Internet of Things (IoT) expands, what decisions will need to be made about privacy and security?
Guerrero: As the IoT continues to unfold, closed networks that were never designed to interconnect with external networks are being integrated into complex ecosystems. For example, retailers are facing challenges to integrate their supply chain management (SCM) order systems with social media to reach consumers.
The largest growth in IoT will be the integration of machine-to-machine (M2M) ecosystems. We now have the capability to build simple telemetry or very complex ecosystems using M2M interactions. As an example of a simple telemetry system, your heart-rate monitor uploads your cardio profile after a vigorous workout and integrates that information with a nutritional diet plan online. At first glance the data collected appears to be benign, but it’s personal information that requires privacy protection.
Each new integration point introduces the potential to expose vulnerabilities. The greatest potential for exposure is integration points connecting to the public Internet. Most organizations rely heavily on defense-in-depth or, as we call it, perimeter security, to protect systems. The issue with perimeter security is that it relies on the notion of trust — trusted systems inside the fence, untrusted systems outside the fence (e.g., Internet). Untrusted systems are granted limited trust through identity and authorization.
The continued high frequency of cyberattacks has demonstrated that perimeter security is no longer effective. In the world of IoT, there is no reliable method for determining trust, which leads us to the Zero Trust Model. Introduced by Forrester Research, the Zero Trust Model describes a data-centric approach to cybersecurity and protects valuable information while allowing ubiquitous access and interactions between systems. This model flips the mantra “Trust but verify” into “Verify and never trust.” Zero Trust focuses on data, which is central to protecting privacy.
How will innovative technologies meet retailers’ data security challenges?
Guerrero: Generally, technologies evolve to protect against the last security breach but often fail to anticipate the next attack. Technologies applied using a data-centric security model are the way forward.
The interaction among the consumers, retailers, and payment services creates transactional data containing consumers’ personal and payment information. In many cases, the retailer becomes the de facto custodian for this transactional data. The retailer must retain the data to manage payment services, fulfill the orders, and, as needed, manage merchandise returns.
Retailers eventually find themselves in a conundrum of having to perform a critical business function, information security. Many retailers rely too much on their system integrators and third-party partners for information security. Retailers must take the lead and make information security a core competency. Due diligence for information security begins the moment the consumer initiates the electronic payment transaction with the retailer.
As new payment options evolve, how should retailers ensure security?
Guerrero: Retailers must protect data produced by the interactions of new payment systems in the same way they protect all data. The retailer should view data as having a life cycle — data can be created, manipulated/changed, published, obsoleted, and deleted/erased. Data also has states:
Data At Rest — Persistence or time horizon: How long the data is at rest in a given location (e.g., disk, flash, tape). Measures to protect access to data and countermeasures for disposing of obsolete or unneeded data are primary concerns.
Data In Transit — Data in transit typically focuses on the “man-in-the-middle” attack. For the most part, modern secure protocols and encryption techniques minimize the opportunity to intercept and subsequently digest protected data payloads.
Data In Use — Data in use deals with methods for securing memory and application. Data-in-use security controls are the most difficult to design. The challenge is that to use data it must eventually be readable, preferably in clear text. The exposure of data in clear text is a significant security risk and is highest when data is in use.
Data is an asset. Assets have quantitative value and qualitative importance. Further, data has sensitivity levels, and therefore each sensitivity level requires the proper security context and protection.