Business operations have changed a great deal with an accelerated digital transformation and multi-geography cloud infrastructure, end points and services. The new normal era of hybrid work force, diverse corporate (“work”) devices, and distributed SaaS-based tools to support business communication, collaboration, and productivity has significantly expanded the corporate attack surface, exposing data privacy and compliance risk. Endpoint management of devices such as desktops, laptops, BYOD, & other network connected gadgets with the internet of Things [IoT] has magnified the risk landscape of the business with cyber-attacks on unsecure business communication, information-stealing raids, and ransomware.
Threat on Data Privacy Internal to Organization
With global workforce and remote working, tracking employee’s business communication on multiple channels is becoming increasingly difficult for organizations. Often leading to data privacy breach and resulting in hefty fines for fortune financial institutes. This security assessment gap has pushed enterprises across several verticals to invest in secure compliant communication channels.
Threat on Data Privacy, Interconnected network devices: External events
With IoT becoming more pervasive, connected endpoints are becoming a target for malicious agents. As per the global survey report, by 2022, close to 14 billion of active devices which are heterogenous serving IIoT, smart home &city, vehicular communication etc. are connected on the internet with Internet of Things. This huge land scape provides an opportunity of a compromised device which can act as a foot hold to exploit the network to induce malware, steal data and ransomware. One common attack surface on above use cases is the ability to intrude the telecommunications network which plays an important role and provides channel for communication and connectivity.
The next generation of IGR [Intelligence, Governance and Reconnaissance]
This distributed system of connected edges provides cyber attackers an opportunity to exploit the security loopholes with phishing campaigns, DDOS attacks on remote working endpoints, vulnerabilities of VPNs & RDP accounts with brute force mechanism. Isolated security assessments and prevention mechanisms are inadequate to deal with this ever-increasing risk. Hence companies must adapt a wholistic intelligent analytic assessment platform to discover, determine, analyze, predict and selfheal when compromised.
The security risk assessment framework must base on objectives to address the threats.
| Transportation | Retail | Industrial | Digital Surveillance System | Federal/Govt | |
| Compliance
Need |
Standard | Remote Manageability | Intrinsic security to IIOT Gateways | Intrinsic security: Network Video Recorders& Gateways | Robust |
| Assessment Objectives | {Handling of Data at rest and in-transit } { Identity and Integrity of Devices}{Storage integrity}{Management of connected peripherals} {Identity of the control authority} {Root of Trust} {Verification of software updates, configuration & workloads} {Whitelisting of applications and network end points} | ||||
| Threat surfaces & Threats | {Physical Access, In-network, wireless(or other communication channels)} {Device hijacking; Device Masquerading } {Boot integrity compromise} { offline Storage attacks} | ||||
| Defense in Depth:
HW / SW Security Defenders |
{Data :PII} {TEE: SGX, VM} {Secure Boot} {Secure Storage: PTT/TPM} {PKI Device ID} {Crypto: HW accelerated} {FIPS 140-2} {Device, Network Harness} {OATH} {AES256 Encryption} | ||||
| Regulatory Standards | PCI DSS/ HIPPA, GDPR, California Data Privacy Law, EDPS, e SAE J3101, FIPS 140-2 L2/3 and NHTSA
|
||||
| Intelligence Based Predictive Analytics defender | Implement an AI based Surveillance and Reconnaissance framework that will monitor the anomalies on the network, records events, perform analysis by ML algorithms and provide the insights for decision | ||||
A common security assessment framework for cross vertical solutions could like one below:
These systems and frameworks need to be constantly learning. This puts a lot of onuses on balancing the following needs:
- Power and battery optimizations at the edge
- Compute and Storage optimizations at the edge
- Efficient transfer and transformation of information – needle in the haystack
- Scalable and distributed infrastructure – latency of observations and preventive / corrective actions
- Mutability to avoid total collapse
Summary: Organizations to be dynamic in their thought process, technology designs and human capital management. The future of Risk and Governance is a unique combination of technology, processes, and human ecosystem – leading to strategic enablement and value creation.
Acknowledgements:
Jaganmohan Rao Navulur
Movius
Jaganmohan Rao Navulur <Jaganmohan.Rao@Moviuscorp.com>