IoT (or IoEE): Product Security Is Becoming a Strategic Risk
by Martin Kuppinger
For a long time, IT risks were widely ignored by business people, including Corporate Risk Officers (CROs) and C-level management. This has changed recently with the growing awareness of cyber-security risks. With the move to the IoT (Internet of Things) or, better, the IoEE (Internet of Everything and Everyone), we are entering a new level.
When a company starts selling and deploying connected things, this also raises product liability questions. Obviously, goods that are connected are exposed to more threats than goods that aren’t: connecting things creates a new type of product liability risk by opening a specific attack surface over the Internet. Thus, when enthusiastically looking at the new business potential of connecting things, organizations must also analyze the impact on product liability. If things go really wrong, this might put the entire organization at risk.
Product security inevitably becomes a #1 topic for any organization that starts selling connected things. These things contain some software – let’s call it a “thinglet”. It’s not an app with a user interface. It is a rather autonomous piece of code that connects to apps and to backend services – and vice versa. Such thinglets must be designed following the principles of Security by Design and Privacy by Design. They also must be operated securely, including a well-thought-out approach to patch management.
It’s past time for vendors to analyze the relationship of the IoEE, product security, and product liability risks.
Sounds like “security as the notorious naysayer”? Sounds like “security kills agility”? Yes, but only at first glance. If you use the security argument to block innovation, then security stays in its well-known, negative role. However, as I have written in a recent post (and, in more detail, in other posts linked from that post), security and privacy, if done right, are an opportunity, not a threat. Security by Design and Privacy by Design drive Agility by Design. Consistently following these principles results in a shorter time-to-market. If you don’t, you will have to decide between the security risk and the risk of being too late – but only then. Security done right is a key success factor nowadays.
Elementary, My Dear Watson
by Alexei Balaganski
A couple of weeks ago, just as we were busy running our European Identity & Cloud Conference, we got news from IBM announcing the company’s foray into the area of Cognitive Security. And, although I have yet to see their solution in action (closed beta starts this summer), I have to admit I rarely feel so excited about news from the IT industry.
First of all, a quick reminder: the term “cognitive computing” broadly describes technologies based on machine learning and natural language processing that mimic functions of the human brain. Such systems are able to analyze vast amounts of unstructured data usually inaccessible to traditional computing platforms and not just search for answers, but create hypotheses, perform reasoning and support human decision making. This is really the closest we have come to Artificial Intelligence as seen in science fiction movies.
Although the exact definition of the term still causes much debate among scientists and marketing specialists around the world, cognitive computing solutions in the form of specialized hardware and software platforms have existed for quite some time, and the exponential growth of cloud computing has been a big boost for their further development. In fact, IBM has always been one of the leading players in this field with its Watson platform for natural language processing and machine learning.
IBM Watson was initially conceived in 2005 as a challenge to beat human players at the game of Jeopardy!, and its eventual victory in a 2011 match is probably its best-publicized achievement, but the platform has been used for a number of more practical applications for years, including business analytics, healthcare, legal and government services. The company continues to build an entire ecosystem around the platform, partnering with numerous companies to develop new solutions that depend on unstructured data analysis, understanding natural language and complex reasoning.
In hindsight, the decision to utilize Watson’s cognitive capabilities for cyber security applications seems completely reasonable. After all, with its QRadar Security Intelligence Platform, IBM is also one of the biggest players in this market, and expanding its scope to incorporate huge amounts of unstructured security intelligence makes a lot of sense. By tapping into various sources like analyst publications, conference presentations, forensic reports, blogs and so on, cognitive technology will provide security analysts with powerful new tools to support and augment their decision making. By providing access to the collective knowledge of tens of thousands of sources, constantly adapted and updated with the newest security intelligence, Watson for Cyber Security is supposed to address the biggest problem the IT security industry is currently facing – a dramatic lack of skilled workforce to cope with the ever-growing number of security events.
Naturally, the primary source of knowledge for Watson is IBM’s own X-Force research library. However, the company is now teaming with multiple universities to expand the amount of collected security intelligence to feed into the specialized Watson instance running in the cloud. The ultimate goal is to unlock the estimated 80% of all security intelligence data, which is currently available only in an unstructured form.
It should be clear, of course, that this training process is still work in progress and by definition will never end. There are also issues to be solved, such as the obvious concerns about privacy and data protection. Finally, it’s still not clear whether this new area of application will generate any substantial revenue for the company. But I’m very much looking forward to seeing Watson for Cyber Security in action!
By the way, I was somewhat disappointed to find out that Watson wasn’t actually named after Sherlock Holmes’ famous friend and assistant, but after IBM’s first CEO, Thomas Watson. Still, the parallels with “The Adventure of the Empty House” are too obvious to ignore :)
Jun 28, 2016: External Relationship Management: Securely Managing Communication and Collaboration with Partners and Customers
With the growing demand from companies for closer communication and collaboration with external partners and customers, the need for professional Web Access Management and Identity Federation is growing too. Suitable solutions enable secure access from and to external systems, including from the cloud. To cover the wide range of requirements for secure communication and collaboration in extended, networked enterprises almost completely with IT while remaining agile, standard infrastructures are necessary.
Complexity Kills Agility: Why the German Reference Architecture Model for Industry 4.0 Will Fail
by Martin Kuppinger
The German ZVEI (Zentralverband Elektrotechnik- und Elektroindustrie), the association of the electrical and electronic industries, and the VDI (Verein Deutscher Ingenieure), the association of German engineers, have published a concept called RAMI 4.0 (Referenzarchitekturmodell Industrie 4.0). This reference architecture model is about 25 pages long, which is OK. The first target listed for RAMI 4.0 is “providing a clear and simple architecture model as reference”.
However, when analyzing the model, there is little clarity and simplicity in it. The model is full of references to other norms and standards. It is full of multi-layer, sometimes three-dimensional architecture models. On the other hand, the model doesn’t provide answers on details, and offers only a few links to other documents.
RAMI 4.0 says, for example, that the minimal infrastructure of Industry 4.0 must fulfill the principles of Security-by-Design. There is no doubt that Industry 4.0 should consistently implement the principles of Security-by-Design. Unfortunately, there is not even a link to a description of what Security-by-Design concretely means.
Notably, security (and safety) are covered in a section of the document spanning not even 1% of the entire content. In other words: security is largely ignored in that reference architecture, in these days of ever-increasing cyber-attacks against connected things.
RAMI 4.0 has three fundamental faults:
- It is not really concrete. It lacks details in many areas and doesn’t even provide links to more detailed information.
- While only being 25 pages in length and not being very detailed, it is still overly complex, with multi-layered, complex models.
- It ignores the fundamental challenges of security and safety.
Hopefully, we will soon see better concepts that focus on supporting the challenges of agility and security, instead of over-engineering the world of things and Industry 4.0.
Kim Cameron - The Future of On-Premise AD in the days of Azure AD
Azure AD is here. It can act as a domain controller. It helps you manage your partners. It is ready-made for managing your customers. The application proxy builds the bridge back to your on-premise applications. That raises an important question for all organizations running AD on-premises: what is the future role of on-premise AD? What is the right strategy? Who can and should get rid of on-premise AD now or in the near future, and who should focus on a hybrid strategy? Where is the overlap?
Darran Rolls - The Anatomy of Your Next Cyber Attack: IAM Pitfalls and Protections
Security breaches and cyber attacks have become a daily occurrence. Worse, in some cases it can take an organization months to realize it has been breached. Open the pages of the latest breach forensic report and you will find a litany of basic IAM errors that read like a horror story. Many companies are missing the basic IAM best practices that can help prevent, detect and mitigate attacks. In this session, SailPoint's CTO Darran Rolls presents the anatomy of a typical cyber attack and explains where and how IAM controls should be applied to enable closed-loop cyber protection for enterprise systems. You may not be able to prevent an attack, but you can minimize the damage and your exposure.
Dimitra Kamarinou - From Suppliers to Consumers: Issues of Liability in Industry 4.0
This session looks at the responsibilities and liabilities of organisations involved in the ‘smart manufacturing’ process both internally (e.g. towards employees) and externally (e.g. other organisations, suppliers, consumers, the environment) and at the difficulties of attributing liability in a complex web of stakeholders that might include cloud service providers. We also discuss the importance of contractual and non-contractual liability as well as statutory and common law liability, including fault-based and strict liability. This session also looks at why these legal questions are important and at potential ways to clarify issues of attribution of liability in Industry 4.0.
Luigi de Bernardini - Industry 4.0 and IIoT: Different Approaches to a Smarter Industry?
In most cases, the terms Industry 4.0 and Industrial Internet of Things (IIoT) are used interchangeably. But these two terms, though referring to similar technologies and applications, have different origins and meanings. Industry 4.0 is focused specifically on the manufacturing industry and the goal of ensuring its competitiveness in a highly dynamic global market. The IIoT, as promoted by the Industrial Internet Consortium (IIC), is more focused on enabling and accelerating the adoption of Internet-connected technologies across industries, both manufacturing and non-manufacturing. That’s why it’s important to understand the differences between Industry 4.0 and the "Industrial Internet of Things" and where our mindset and approaches best fit.
The Need to Destroy in the Era of Populous Data and Cloud
What often gets overlooked in the conversation on cloud security is the subject of “deletability” of cloud data. During this session our expert panel explores whether cloud data that is “deleted” by an end-user is actually completely removed from the cloud. By end-user we mean both the consumer and the cloud administrators.
Trends & Innovation Panel: What Are the Most Important Innovations and Who Are the Innovators?
The idea of this trends & innovation panel is to give each panelist the opportunity to tell the audience what company or companies out there are doing something innovative, what it is, why it is important and why the audience should care about and track the company. For example, one of the panelists might talk about how the perimeter is disappearing and it’s important to be thinking about governance, security and privacy for cloud properties like Salesforce, Workday, etc. The only restriction on panelists is that they are not allowed to talk about their own products or products from anyone on the panel.
Transforming Governance, Security and Compliance
The number of companies investing in modern “Big Data”-type SAP products and cloud-based SAP deployment models is growing constantly. SAP information from CRM, ERP etc., formerly stored in standalone database silos, is now being migrated to a central high-volume, high-performance database for Big Data deployments. Deploying traditional SAP environments in the cloud and leveraging new cloud-based SAP applications introduce new groups of customers to SAP services and shift the focus of existing SAP users.
Executive View: PingAccess - 71507
by Ivan Niccolai
PingAccess is a web and API access management offering from Ping Identity. It is tightly integrated with PingFederate and provides a superior alternative to traditional Web Access Management products with its ability to provide policy- and context-driven access control to traditional on-premise web applications and cloud applications, as well as to REST-based APIs.
Fintech, Insurtech, Supply Chain, Automotive: Use Cases where Blockchain meets IoT and Identity
During the first part of the blockchain track at EIC 2016, we learned a lot about the concept and technology of Blockchain Identity. In this session we build on this and look at what happens in different use case scenarios when blockchain, the Internet of Things, identity and the need for privacy "collide". Has blockchain been the missing link that takes the "platform" thought away from "Life Management Platforms" and makes it a universally available, privacy-by-design representation of humans in a digital world?
Proof of Identity for Refugees and Beyond: Blockchain Identity for the World
Recent research estimates that there are 1.5 billion individuals who do not have any means to prove their legal identity: people in failing states unable to perform even the most basic administrative tasks, suppressed ethnic groups, and of course all those who have to flee their homes due to conflicts or disasters.
New thinking is required to make identification available to all humans, and to help refugees and displaced people cross borders and apply for asylum. In this panel discussion, we will try to outline a blockchain-based supranational identity infrastructure under the roof of an organization like the UN.
How to Make the Blockchain a Reality
Blockchain is not yet ready to support industrial use cases. In this panel session we discuss the requirements across industries and how to improve and accelerate the maturity of this shared ledger technology through an open and coordinated approach.