In the age of all-out digitalization, attacks and data theft regularly make the headlines. And if the stakes are just as accurate as the awareness is massive, including from the general public, fingers crossed is not enough for companies. If data is everywhere, so must security.
Deperimeterization: It indicates a decompartmentalization of the information system, and without a precise scope, the data can be created, captured, processed, modified, stored anywhere, anytime. De-parameterization, therefore, offers a gigantic world of possibilities, aided by rich (structured,
unstructured, multimedia, etc.), polymorphic and multi-source data, with exponential growth further accelerated by connected objects, from the most miniature network sensor to the intelligent and connected car. Be careful, however, behind this apparent “nebula” of data, physical media remain (including wireless ones, because although using the principle of radio waves, immaterial, they remain physical media).
In this context, like matter, it is possible to characterize data according to three states: data at rest (solid-state) on storage disks, data in transit (liquid state) on networks, and data being processed (gaseous state) on servers. This educational analogy makes it possible to understand the link between data, their physical media according to their respective states, and the security that must result from it over the entire data lifecycle.
Secure The Data, Including During Its Processing
It has been recognized as a real asset of the company for a long time. Data benefits from special attention in its protection. In terms of storage, its confidentiality and integrity are most often ensured by access controls (physical and logical), encryption, and other partitioning mechanisms between disks, virtual machines, processes, etc.
Likewise, protocol security (IPSEC over IP, TLS over HTTP or WPA2 or three over WiFi, etc.) ensures data protection when it is in transit. With particular attention paid to wireless networks, it is so easy to “listen” to streams that are not protected there. When it is being processed, the data is also particularly vulnerable. Its protection is all the more difficult to understand in this context as it also involves the programs responsible for its treatment.
The risk is that a malicious modification of the program could lead to an action that would not be necessary, for example, a vehicle that does not break when it should (or vice versa). Therefore, the absolute integrity of the program, its configuration, and its intelligence (IA) must be preserved to ensure the security of the data.
IoT Security, The First Bulwark
With the proliferation of digital devices and the connectivity provided to objects that were not previously, such as vehicles, refrigerators, and even production lines, data is therefore everywhere now: it is even around these objects that data is often captured and digitized, and sometimes returned. External to the information system by definition, connected objects also represent a colossal attack surface, with many potential entry points to organizational data.
Therefore, they are the first elements to be secured to limit the risks of malicious acts, particularly in strategic sectors, impacting human health or with critical economic issues. This is the case for the automobile, medical (connected health), extensive networks and Operators of Vital Importance (water, electricity, telecommunications, army/defense), and all major industries, including production stoppages. Are economically dramatic.
For all these activities in particular, but also for the entire economy, only an integrated and homogeneous level of security from end to end, from connected objects to the depths of the Cloud, will ensure the safety of a world where data is everywhere.
The challenge today is, therefore, to think of unified security with coordinated policies (keying, maintenance, reaction in the event of an attack) and technologies correlated with each other, to obtain homogeneous levels of assurance, whatever the state of the data (solid/liquid / gas).
Security that must also benefit from better orchestration, in the face of a security value chain today very fragmented and the absence to date of a player in charge of the specific profession of security operator, who would supervise this value chain and assume its liability. Finally, and in a context of sovereignty, technologies allowing systemic security management must emerge.
Also Read: Five Design Principles For More IoT Security