The deep mesh of connected devices and ubiquitous sensors popularly known as the Internet of Things (IoT) – together with big (really big!) data – is making inroads into IT landscapes and strategies. Extending beyond internal firewall-protected networks and into the cloud, IT data centers today comprise not just internal systems, but also sensors that collect and transmit data from mobile devices and social networks. Tech-driven business operations have become information-intensive and privacy-intrusive. As businesses transform into social, connected enterprises, they are not only becoming smarter, but also more vulnerable and risk-prone. Customer- and business-sensitive information collected from connected devices can easily put individual privacy at stake – putting businesses at risk of violating strict regulatory norms and losing customer loyalty.
Let's understand the context better with a few industry examples. A new visual search engine helps users discover internet-connected devices in their proximity. While this is great functionality to have, it could also wreak havoc: webcams indexed by such a search engine could become Trojans for hackers, offering them visual access to extremely personal and sensitive user information. In the utilities sector, the use of Smart Meters has raised security concerns for both the business and its end-customers, since the sensitive information collected from these devices can put individual privacy at stake. In the Energy & Resources domain too, where embedded sensors often control vital plant operations, safety and compliance are of utmost concern.
Given the variety of applications and devices that make up a typical IoT implementation, it is difficult to hardwire a pre-defined, one-size-fits-all security strategy. Sadly though, and perhaps because IoT and connected devices are recent innovations, most domains do not yet have an established set of ground rules for security system design – a white space this post tries to address by answering four important questions:
- Is your security strategy agile enough to adapt to changes in the connected ecosystem? And is it robust enough to deal with evolving malicious attacks?
- Is the automation quotient adequate, and can it facilitate quick security assessments and even quicker deployments?
- Does your security assurance work with zero or minimal human intervention?
- Is your strategy intelligent enough to anticipate failure, and in case of failure, can it recover quickly and learn?
With the range and scale of vulnerabilities and threats continuously on the rise, assuring security cannot be a static, one-time practice. Whoever said Agile was just a development methodology was wrong: it applies to quality assurance and testing as well. An agile security environment must be viewed as a continuous, ongoing practice that generates business value. And for that value to be significant, we must give enough thought to the design stage. Just as any product or solution must be designed before it is developed, security strategies too must be well thought out before they are deployed.
Security risks present new opportunities for quality assurance (QA), one of which is Design Thinking (DT). When injected into the QA and security universe, DT can pre-empt hacks and strengthen security. The proactive nature of design thinking ensures that security is pre-planned into the IoT ecosystem – not force-fitted as an afterthought. Neural automation and artificial intelligence offer powerful capabilities to combat the real-time security challenges faced by IoT-driven pervasive enterprises. Adaptive learning and intelligent fault tolerance are further differentiators of a design-thinking-enabled security strategy. Such security strategies are robust and smart, and can deliver and protect even under duress.
Let me share a recent project initiative with you. We worked with the CTO team of a large Utilities company to create a customized assurance offering – a Smart Meter Assurance Lab, which pre-empts security concerns by making Design Thinking part of the QA universe. This smart, thinking approach resulted in a security design that's always ready for the future enterprise, however vast the scope of that enterprise may be.
The learning from this project gave us a set of ground rules, which can be summarized in one sentence – Kick-start with automation, build intelligence into security, and make the security assurance apparatus continuously learn. Errors can be costly, but not learning from them can prove fatal. Besides, it's important for security systems to be intelligent. Because the rest of the world is.