Things just became really interesting.
The recent news is awash with worrying claims from a credible source of “hidden” spying chips embedded within the motherboard of a leading server manufacturer. As yet, no manufacturer has released a statement confirming their existence but the information illuminating the potential is compelling. Surely it forces us all to consider our own personal and professional “digital state” in this heavily connected world. Do we technically appraise every computer-based device we use at design and component level to determine the source, use and security impact of all of the minute elements that make the device work? Of course we don’t. Not only would the majority of us struggle to find out how to even open the device (have you tried to open a modern mobile phone with the myriad of specialist tools and hidden pressure points to make things pop open?), we have no way of actually understanding the function and outcome delivered by the components (when they work in harmony).
Can we be sure the most innocuous of household devices has no secret and potentially malicious embedded elements that, whilst not explicitly installed to be utilized in a nefarious way, in the right hands can be leveraged to invoke a surveillance, recording or tracking function? It is this total ambivalence to the likelihood of it, until possibly today, that means the potential may be more likely than we ever dreamed.
The days of hardcoded firmware delivering static intelligence to all but the most expensive and programmable devices are from a bygone era. Even the simplest digital device consists of user or system driven remotely programmable aspects that in some cases are core to the function of the device. Whether it’s used for software updates, device troubleshooting or in the case of some advanced modern vehicles to deliver totally new functionality, device or system programmability is a fundamental aspect of modern IT that enhances the consumer or user experience by making it “personal”.
Could we be shifting to a position of worry so great that we “sweep for bugs” when entering a room or prior to switching a device on in true James Bond mode? Highly unlikely. But I suggest the recent announcements will ensure many IT leaders and operational teams increase the priority of network based security visibility platforms, AI or machine learning systems that examine and re-examine the most granular elements of telemetry and security aware behavioral analytics platforms that understand things we can’t comprehend.
Ask yourself when considering the IT platforms that underpin your business (or social existence), what can you really see, are you sure you know how they work and do you really understand the security heart that beats within?
Who would have thought, we are not even close to the iconic year 2020 and already we may be worrying about the moral intent in the digital soul of our machines. The future ahead is likely to be way more interesting than we have ever previously dreamed.
Until next time.
LOB CTO UK – Computacenter Networking and Security
Darwin is frequently quoted in the midst of furious discussions about change. Whether it’s the mention of “the survival of the fittest or the most adaptable” (and not forgetting many question whether either statement was made by Darwin), change consistently invokes one human emotion with the power to nullify every other – “fear”.
Information technology (IT) for all of the seemingly endless change over the past 30 years has been somewhat consistent. Technology, with every new product launch via an endless release of “features” often dictated the “potential” for human benefit. And the result, technology vendors & the IT industry told the story of the future for an eager business (and more recently social) consumer to consume.
There was a reduced need for the IT buyer or user to appraise to a granular degree how the technology delivered impact or benefit, it was almost assumed that “newer” was better resulting in an upgrade to the “next or latest version” becoming standard behaviour. The balance of power rested with the “technology industry” and the user / consumer was at times a passive recipient of endless technological advancement. But as we enter 2017 the power base is shifting (some may say has “shifted”).
The user or IT consumer is now the power broker with the ability to dismantle 30 years of elegantly crafted IT system and process via a move to hybrid systems (combining traditional with public) or fully public IT service delivery. “Feature glut” no longer rules the day, replaced by the need for consumer realised benefits or “standard service offerings with the potential for agile evolution”. This wholesale reset of everything deemed normal in IT and business is here and here to stay. But a move away from the safe “old way” requires courageous decision making.
But the winners, whether consumer or IT service provider, may not be those who accept “safe” or “old normal” but instead those willing to “be brave” and challenge “the old or known way” to evolve to a sustainable service consumption or delivery template viable for the dynamic, digital age. The buzz words are endless, with digitisation, hybrid cloud, IOT and mobility just a few. However, with “solution relevance” a key consumer buying criterion, “buzz word bingo” will no longer find an audience, instead replaced by “win win” consultative solution selling driven by the value of positive disruption and “measurable” benefits for the consumer.
“Being brave” may result in human destabilisation as the status quo is defended and protected, and in “risk” as existing service delivery approaches move away from safety, but the benefits are not potential, they are very real and highly realisable. The gateway to a new age exposed by the digitisation drive is positively transforming IT, business and the user with all likely to embrace a sustainable, enhanced experience. But that change of experience starts with a level of bravery not everyone can muster. “Can you, will you, be brave enough?”
Until next time.
Chief Technologist: Networking, Security and Collaboration – Computacenter UK
Picture this – your alarm clock goes off, you reach across the bed and take a look at your phone; it’s woken you up 30 minutes early – why? Well you have a meeting at 9:30am, but your car is running low on fuel so filling up will take 15 minutes, and traffic is a little worse than normal, so it will take an extra 15 minutes to get to the meeting. Welcome to the Internet of Things (IoT), a world where your phone can plan your day ahead and your fridge knows when it’s running dry and orders the groceries itself.
IoT has captured the imagination of industry visionaries and the public for some time now; devices sending and receiving data, opening the door to a futuristic world previously the stuff of science fiction.
As the cities we live in grow into digital ecosystems, the networks around us will connect every individual device, enabling billions of new data exchanges. Industries will enter a new era, from medical devices that talk directly to medical professionals, to the emergence of smart homes that manage themselves efficiently, ensuring energy usage is checked and bills paid on time.
In the workplace it’s equally easy to see the potential advantages of the connections between devices, from intelligent service desk support through to printers, computers and other devices interacting with each other to deliver tangible user and business benefits.
The service desk is a key component for businesses in the digital age, acting as a communication hub for IT issues, a reference point for technology requirements and a tool for asset visibility. Organisations must ask themselves if their current service desk has the technological capacity and capability to manage the multitude of device and operational data in an efficient manner. An intelligent service desk can be the lifeblood of IoT implementation within businesses and enable automation to be realised.
A connected printer in a business ecosystem, for example, could effectively self-serve its own peripheral needs and order its own supplies when needed. However, the management of that data, effective registration and logging of the incident, as well as notification to the financial and technical teams would not be possible without an intelligent service desk – especially when you elevate this to an enterprise scale, with possibly hundreds of connected printers or devices.
When discussing the “connected office”, IT managers will understandably raise concerns around security. The more devices that are connected, the further the periphery is pushed, increasing the number of potential entry points into a network.
An intelligent service desk will enable whitelisting to be integrated into communication protocols. This is a process which gathers and groups trusted individuals and their devices into a known category. This will enable any unusual requests from either IoT enabled devices or employee requests to be automatically flagged and questioned before action or access is given.
It is in this scenario that IT managers can reap the benefits of IoT, service desk and employee synchronisation. Through the IoT device communicating with the service desk, the service desk effectively managing all end points and the employee working in tandem with the service desk software, the minimisation of internal security risks can be achieved.
While much of this sounds quite out of reach, the benefits of IoT and service desk communication are already evident today, through use cases that are currently very fluid, personalised and often driven by an imaginative use of existing and sometimes emerging technology. Peripheral IT product vending machines holding keyboards and mice, for example, allow the realisation of this relationship to be seen.
However, with so much data being transferred and the IoT still very ‘new’, there are a number of challenges, the most critical being visibility of assets connected and operating under the network.
Communication between all end points and visibility should be fundamental considerations when planning for an IoT based implementation. Intelligent service desks, that can enrich the IT support experience as well as integrate and communicate with the business ecosystem, can host the technology capability to have oversight, communication and visibility of device end points communicating with a network.
While this may appear to be a straightforward concept, often enthusiasm to implement and the complexity of service desk and technology transformation have a tendency to drown out and bypass the fundamentals – leaving potential backdoors open.
To ensure that there is a holistic approach toward securing connections with the IoT, organisations must challenge all stakeholders (vendors, integrators and consultants) to apply secure IoT principles to the service desk solution and IT operational unit, right from the “drawing board” phase.
Just when things look like they may stay the same, they change…
Amazon recently launched its first checkout and employee free retail site in America as a natural complement to the existing Amazon web and mobile shopping experience. Products can be purchased via the existing Amazon web or mobile app and collected without Amazon employee intervention in the store, or purchased in store from a limited selection based on a wholly store based experience with no in store Amazon employee oriented human interaction. This really is an example of digitisation “plus” at work, where the historical customer buying cycle of instore person to person interaction, with additional onus on the integrity of the financial transaction at the end of the cycle, has been reengineered to become a fully technology enabled experience.
Self-scanning checkouts in retail started the trend and are now somewhat accepted (if at times still challenging to use), but the human option for person to person engagement remained a key element of the instore experience based on the importance of cash collection and a customer satisfying end to the retail interaction. But could this be a “reset” of the customer retail purchasing script delivered in one swipe by the completely new Amazon retail approach? The Amazon experiment or pilot may signpost with tangible evidence the changing state of the workforce where system driven automation may augment or totally replace person to person engagement.
The Amazon GO launch has delivered a degree of shock and awe to both customers and the industry in equal measure and whilst much of the discussion has focused on the impact on jobs, i.e. the detrimental human labour effect, it further signposts the ever increasing importance of information technology in our professional and social lives. The sheer volume of IT elements required (secure wireless networking, high definition cameras, advanced AI, big data and analytics, IOT sensors) that must work in harmony with zero failure is immense. The end result is the promotion of the IT system from technology that augments human actions & intellect to a mission critical platform fundamental to both the business and customer experience. Via this new IT persona, failure, downtime or system breach is no longer an option – for any reason. Tomorrow’s user is already here today and deems a “Digital Me” experience the only experience – the amalgam of imagination, technology and process allows that to happen.
Whether you are a supporter or detractor of this fundamentally new approach to retailing, the innovation and bravery of Amazon must be admired as the pilot of anything new of this style may suffer from the usual first mover teething challenges (shrinkage, reliability, mis-set expectation issues). However, this really is a new dawn for the use of new technology, IOT and actionable AI in a real world customer centric environment. Personally, irrespective of the success or not of this Amazon initiative I have no doubt other retailers will be seriously considering this new customer engagement mode as the potential within is clear for all to see.
In my opinion human intelligence will NEVER be replaced by IT based systems, but standardised, repeatable human activity that can be automated and “systemised” certainly will be.
Forward now looks very, very interesting.
Until next time.
Chief Technologist – Computacenter UK: Networking, Security, Collaboration
Once a year, either at the end of an old or the start of a new year, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison to other market perspectives that will appear en masse in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices with less evolved security components may result in the industry acting in catch up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020, but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip: when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away, in fact Akamai cite a 125% increase in year on year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy and forget for far too long with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider as a minimum to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link, with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability, and therefore deliver enhanced protection, the user remains the least protected vector. User awareness and education (with emphasis on accountability and liability) is continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see”, with the result being slow progress, then a crisis driven rush to design and deploy solutions. GDPR shines a light on privacy, with emphasis that data containing personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: Malwarebytes). Ransomware authors, based on the sheer volume of malware released, have access to an unprecedented amount of potential human targets. Client security solution enhancement, with the arrival of specialist anti exploit solutions, may slow the ransomware march but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties” as surely one casualty is one too many.
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc) on cloud delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non standard attack modes including homes held to “thermal ransom” with heating systems shut down or the potential for unexpected orders / purchases from voice activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology with wireless enabled devices, creating and accessing data continually will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017” mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and enterprise current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time to respond to minimize the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
Important note: the views within are my own and do not constitute the views of Computacenter Group.
I started 2016 in bullish form with predictions for security based on the lows and highs of 2015. I touched on two of the many market catalysts set to transform both today and tomorrow’s worlds, enterprise mobility and the Internet of Things, but highlighted I would mention three more. Part two of my security outline kicks off with my final three security focus areas for the first half of 2016: journey to the “cloud”, security for the SDDC and the need for intelligent people to “act smart”.
The enterprise journey to the cloud continues to be hindered by concerns robust enough to offset the unquestionable benefits. If enterprises are already challenged to secure local environments that benefit from additional levels of physical control and proximity, why would the need to secure information flowing through an external, often multi tenanted service provider not highlight similar (and different) challenges? Pre 2016, it was straightforward for enterprises to deliver a blanket response “we don’t use the cloud”, often citing security concerns and with no need for further explanation, but with shadow IT research validating authorised and unauthorised cloud usage exists whatever the policy, neither authority nor ignorance seems to matter.
It’s therefore time to go “back to basics” and remove years of accumulated assumption of business functions and application flows and replace it with rigorous understanding. With a revisited / restated view of people, process, application flows, controls and compliance expectations, “what” can be delivered via the cloud becomes clearer (“how” is a whole different ball game). Whether via internal or external assessment or audits, enterprises must obtain a robust and realistic “current state” view to calibrate the cloud trajectory and thus maximise the business benefits of cloud service delivery. This common sense view is my consistent response to mute the many often unfounded concerns of cloud service delivery or published negative cloud consequences. And I frequently pose the question “Can you really tell me now, restated for now, the who, what, how of your business IT operations & applications calibrated by relevant controls?” If the answer is no, effective security for the cloud journey may have no effect at all. Time for change to make cloud service delivery a consistent, secure reality.
Following on from the cloud is the software defined datacenter (SDDC) snowball that continues to gather pace. SDDC ideals are no longer if or when for enterprise organisations with substantial workloads or IT services already delivered primarily via software elements. It’s the dynamic, frictionless, highly agile operational persona offered by a predominantly automated software driven environment that holds so much promise. But common to every “must have”, “must do”, “next big thing”, IT trend is the “what about security” question?
First off, will be a straightforward perspective – “avoid the security retrofit”, time for a security reset. Security must be the core deliverable of the SDDC outcome and therefore can never be deemed an add-on or optional extra. When application dependencies and process workflows are in early draft mode (potentially in the earlier stages of the development cycle) the security expectations must be identified, qualified and externalised. Deferring security to later phases, or accommodating it via an assumption of inherent safety delivered by default, is fundamentally flawed as applications and workloads become increasingly fluid in location and state.
A silver bullet of the SDDC ideology is the potential and proven reality of security moving away from a perimeter based ideal to an intelligent functional state as close to the workload as possible (in fact the workload is no longer a workload to be secured, but instead a “secure workload”). This new attitude to application and workload delivery must drive a “blank sheet of paper” review of security to ensure one of the most compelling benefits of the SDDC journey can be fully realised. An enterprise journey to the cloud presents the long overdue opportunity (and investment) to “get security right” – use it, don’t lose it.
And lastly it’s “people time”. The rise and rise and continued rise of the digital enterprise will fundamentally shift the way business services are operated, consumed and ultimately secured. We are venturing into the unknown and therefore wrestling to find answers to an endless stream of security questions. But is this state really unknown? I suggest not. The “enterprise” digital enterprise may be no more than the digital DNA already the vital fluid of the modern social network driven arena spilling over to and thus redefining the enterprise. Create and destroy data information instantaneously, join and graft multiple and previously unconnected data sources together to create new insight / new opportunities, always on, always now – isn’t this the digitisation defined “social world” already our norm?
And possibly with that Eureka moment appears an equivalent reality check: we still haven’t solved the security problem(s) in the digital social network world, in fact at times we are not even close. And the main reason – “people”. As technology improves (both systems and security) people reduce their level of vigilance & diligence and increase their expectation that the “system will deliver protection”. Nothing could be further from the truth. I fear we may arrive at a state where there is little more that can be done from a security systems based neural or autonomic perspective. In other words, we have put as much logic and decision making in the system to determine and remediate as much as it can from a security perspective in an acceptable timeframe. And then what or who is left in the chain as the primary attack vector, the same primary attack vector that has always existed – “people”.
Which drives me to highlight that 2016 may be the year enterprises revisit and reinforce the level of individual accountability that all system users are vigilant, diligent and aware of the security implications of their actions. Or sadly those same users may be affected by the double edged sword of compliance and personal liability. This is a step change forward from the never read acceptable use and security policies. Tough talking and a disappointing road to traverse, but the enterprise may no longer have a choice – systems cannot secure the organisation alone. With flexible working, dynamic workplaces, fluid workloads set to be a normal business state, every corporate endpoint whether human or system has the same responsibility to evaluate and maintain a company desired security state.
And this closes the security predictions overview for the first part of 2016. Whether it’s the increasingly mobile user or interaction with intelligent devices or “things” or dynamic services delivered by highly innovative new market entrants, optimum security will ensure the unquestioned benefits of this increasingly “digital” world arrive with minimal sting in the tail. I am not inferring optimum security has never been important before or isn’t delivered today by highly effective practitioners; it is, and the fact that it is minimizes the negative consequences only a mouse click away. But everything we have delivered before is now under attack in a manner beyond our traditional level of understanding, with the result it’s time to “deliver now” but with tomorrow’s expectations in mind. Time to change (ps, I am not advocating “patch management” for people – or am I?).
Until next time
Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration.
Happy New Year and may 2016 be your most successful and effective yet. It’s the time of year where every analyst, strategist and technologist delivers a number of market or technology based predictions for the year. In reality they are educated guesses because no one really knows what will happen, but the activity is essential (and one you should personally undertake) because it ensures you have an outward focus (external focus) that is as fundamental to your business success (or at least viable) as your internal view. And best of all with market predictions, they are not guarantees of change as they are based on all of the indicators, assumptions, dependencies or guesses remaining consistent. Over the coming months I will share three 2016 perspectives for the Security, Networking and Digital collaboration (UC in old school terms) marketplaces. The views are my own but leverage extensive market and customer research most notably based on real world customer dialogue and challenges through 2015.
The Security challenge in 2016 could be the back breaker the industry is currently dreading. There are numerous forces and events that will ensure 2016 requires so much business change (positive change) that the door will be widened to any party focused on attacks and breaching defences. There are numerous (too many to actually affect or process) security related impacts that any forward thinking enterprise must consider through 2016 – many are documented heavily within industry white papers and vendor solutions updates. However I will concentrate on six, a few common, others not, that are currently giving me most food for thought as I work on strategies for 2016.
The relentless rise of the mobile enterprise (Mobility): Mobility delivers one of the most acute security challenges today. The mobile worker, enterprise, user is no longer a fad or a secondary persona – it is the norm for many enterprises and will ultimately become the norm for all. Driven via the smart device (most commonly a phone) bonded permanently to the hand of many a user and an almost infinite pool of “relevant” applications, the need (not desire) for every digital activity to be available, everywhere, all of the time will deliver a security challenge second to none.
The connectivity issue that previously stalled the mobility drive is somewhat alleviated with fast wireless connectivity available in the home and enterprise and pretty fast connectivity (sometimes) outside and on the move. That has moved any business obstacles to launching a mobility drive away from networking and connectivity and pushed them straight into the hands of the security team, to ensure that where a connection is made it is secure, and where data is accessed it is controlled. Some say it is an impossible task but that is conceding defeat too easily. It is a challenging but not an impossible task and an enterprise serious about affecting security change could start with:
- A top down perspective on the attitude towards risk for the enterprise (what really are “business breaking events”)
- A rigorous understanding of the regulatory framework that governs the enterprise (compliance)
- Comprehensive visibility of data assets within (where are they, what are they, how important are they, do they need to be protected, and to what level)
- Full understanding of how someone can get to them (connectivity and access)
- A real time, dynamic view of the secure persona or posture of the users.
I have simplified the workflow and challenge greatly (and many other perspectives must be considered and the order could change) but tools, processes, services and systems exist today that will really make a dent in the “secure mobile enterprise” challenge. It’s too easy to blend a “mobile enterprise” persona into existing and potentially legacy approaches to mobilising users and delivering business services – resist the temptation and use the time for change to undertake a “back to basics” information security review. “Do nothing, or do it slowly, because only a small group are mobile” is a flawed theory – now is the time to act.
The next big thing – IOT: The Internet of Things (and/or the internet of everything) has captured the imagination of analysts and marketers alike. The connected world of “things” sending and receiving data, commonly over IP protocols but others are emerging, opens the door to a 21st century world previously impossible to imagine. Picture the world of connected cities, healthcare devices talking directly to medical professionals, smart homes exchanging data with utility companies – in fact, forget the picture: those services, solutions and “outcomes” are already here today. And there lies the problem: the IOT use cases are currently very fluid, personalised and often driven by imaginative use of existing and sometimes emerging technology. With IOT implementations and ideas so cutting edge, the challenge of securing the outcome becomes even greater.
At the risk of becoming an innovation “killjoy”, only one recommendation of real validity exists: design any IOT / IOE solution with security acting as the core design frame, to minimise the unthinkable challenge of a security retrofit to a solution beyond go live. This sounds like a simple and obvious recommendation (obvious yes, simple no) but is often bypassed due to the enthusiasm, complexity and excitement surrounding the implementation or benefit of the “things” solution. It is fundamental to success to challenge all vendors, integrators and consultancies on secure IOT principles as soon as the “drawing board” solution development phase begins. I fear the IOT security challenge, with so many current and future unknowns, will be one of the ticking time bombs of the greatest impact over the coming years.
It’s too early in the year for extra long blogs (you have barely cleared your Christmas inbox) so part two of this blog will be next week. I hope the richness of the outline above adds colour to your strategy and planning activities through Q1 to allow you to identify security topics that really require top priority focus through 2016. Two more topics next week and before January concludes the complete story will be told.
Until next week
Happy New Year
Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration (UC)