2. 02
By year-end 2020, IoT risk and security needs will add an average of 2% to the
total IoT project costs, up from 0% today.
Supply chain security needs through 2021 will account for 15% of total IoT
security spend, up from less than 1% today.
IoT security solutions enable organizations to securely manage IoT devices, ensure IoT
endpoint and data security, and perform asset discovery.
IoT security and risk management leaders should use this research to understand
how to evaluate and select solutions to meet their IoT security requirements.
Source: Gartner
3. 03
Three eclectic types of product vendors are emerging for securing IoT: embedded
trust; device identity and key/credential management; and real-time
visibility and control.
Clients who are performing proof-of-concept trials are getting better clarity about a
product's compatibility with their organization's environment and
requirements.
Low complexity in IoT deployment, flexibility of IoT security controls, ease of
integration and competitive product pricing are the main selection criteria
for IoT security and risk management leaders.
Source: Gartner
4. 04
IoT security and risk management leaders selecting an IoT security solution should:
Justify investment in IoT security by evaluating the impact of improved visibility and
control on the organization's risk exposure.
Engage with vendors that offer technical support and professional services help
during proof-of-concept trials to mitigate risks and to ensure a
smooth alternative analysis.
Determine which security solutions are already installed on the IoT network, and
then identify and favor IoT security products that have direct
integration with these existing solutions.
Source: Gartner
5. 05
The scale of security risks in the Internet of Things (IoT) era is much greater than in
the pre-IoT environment, and the "attack surface" is much larger.
Most sensor-based things have minimal computing resources, so the opportunities for
antivirus, encryption and other forms of protection within things are more restricted.
Therefore, IoT security products with a variety of capabilities have emerged to help
address some of these challenges.
These IoT security products help IoT security and risk management leaders
Source: Gartner
6. 06
Device management:
Tackle secure cryptographic key provisioning and management challenges in cases
in which the sheer number of IoT devices deployed simultaneously, and their
environmental characteristics, create a challenge.
Provide the quick, secure, scalable and device-independent identity, access and
relationship management experience that customers, partners and suppliers are
looking for.
Have a means to provision IoT devices by downloading software, patches, updates
and other information periodically (a common requirement for
security management systems).
Source: Gartner
7. 07
Endpoint and data security:
Protect endpoints in cases in which traditional authentication and cryptography
cannot be implemented due to resource constraints and long device
life cycles outliving encryption effectiveness.
Obtain anti-tampering functions for devices used in high-risk environments, as IoT
devices require strong device identity and a root of trust as a foundation.
Satisfy personal data privacy expectations between individuals and organizations in
the IoT era.
Source: Gartner
8. 08
Asset discovery:
Detect IoT devices in enterprise networks when these devices are part of
proprietary or non-IT-standard engineering networks, or if they aren't
continuously connected.
Build an effective IoT "asset database" complete with attributes and entitlements
for access by those devices (a major requirement of identity and
access management as well as IT asset management [ITAM] systems).
Evaluators and buyers of IoT security products are security and risk management
leaders who are trying to establish end-to-end trust, from chip to cloud, in their
IoT use cases across all industry verticals and domains.
Multiple and wide-ranging IoT security technology providers are evolving to
address these technical requirements and the business opportunities.
Source: Gartner
9. 09
Product vendors, with varied levels of consulting and professional services
capabilities, in the IoT security market involve:
Embedded trust vendors that provide a hardware root of trust, that is, a foundation
for securing a wide variety of functions at the endpoint.
Device identity and key/credential management vendors that offer IoT-scale federated
and secure device management implementations.
Real-time visibility and control vendors that offer complete real-time visibility and
control for every network-connected IoT device.
Source: Gartner
10. 010
The limited availability of security skills is also changing the manner in which IoT
systems are managed and operated, resulting in more automation and more cognitive
security controls.
To enable effective automation of functions originally performed by people in
security operations centers, vendors are embracing technologies such as machine
learning and artificial intelligence.
High-profile cyberattacks and attempted compromises in the connected
automobile and medical device industries have driven early security spend
(digital as well as IoT-specific) in those verticals.
The effects of these attacks also highlight the overlapping safety regulation and
general safety management impacts of digital security.
Source: Gartner
11. 011
The potential scale of many IoT deployments drives market changes in how security
monitoring, detection and response must take place.
Cloud-based security services will play an indispensable role in providing IoT
security due to the scale of services required: IoT will not be viable in the long term
without the cloud.
The diversity of IoT devices and their life cycles drive hybrid security solutions for
legacy and modern IoT deployments, depending on the vertical industry.
Authentication for IoT devices will generate a substantial market opportunity. The
support for root of trust in devices and the "identity of things" model
will drive centralized and federated key and certificate management services,
lightweight encryption adoption, and multifactor authentication in security
markets.
Source: Gartner
12. 012
Smart city projects are spreading across regions at a fast pace.
These projects are developed in close integration with IoT, technology and
security-related elements from the utility, automotive and manufacturing industries,
as part of advanced metering infrastructure, connected car and smart home initiatives.
The compound spend on IoT security relating to government, utility, building and
facilities automation, and manufacturing will continue to grow.
From a design and economics perspective, the balance of spending between IoT
endpoints and IoT gateways will shift toward a gateway-centric
deployment model over time.
We project that 2019 will be the tipping point at which gateway security spending
surpasses endpoint security spending.
Source: Gartner
13. 013
Most IoT security products from established traditional IT security vendors or small/midsize
new entrants are only in their development or proof-of-concept stage. While vendors are
working on improving their product and service offerings, IoT leaders, and security and risk
management leaders should work with IoT security consultants to:
Assess integration points in their networks for IoT implementations, and determine gaps in
capability and infrastructure.
Assess risk exposure from IoT-related initiatives, and assess their organization's security
posture.
Keep a record of all of their IoT assets, from sensors to large industrial equipment, and have
visibility into their whole IoT networks and topologies.
Analyze regulatory exposure to IoT security requirements.
Work on developing in-house IoT security expertise, and familiarize themselves with
successful implementations in their verticals (with the help of partnerships or consortia
activities).
Assign enterprise ownership for IoT technologies that are not already claimed by a business
unit. Join neutral consortia activities to gain access to IoT ecosystems.
Source: Gartner
14. 014
IoT leaders should use a scenario-driven approach in selecting discovery and provisioning
solutions, and should not attempt to acquire a "one size fits all" product or service at this
stage. The number and type of IoT devices and support systems will continue to resist clear
classification until at least 2018.
IoT leaders should not make large-scale investments in discovery, provisioning, access and
data protection at this stage until product and service
boundaries are more clearly defined. Where possible, consider short-term, service-based
leasing and minimal customization.
Adopt authentication frameworks that are flexible and meet the interoperability
requirements for all classes of devices in operation. Use trusted computing techniques, such
as hardware root of trust (HRoT), for device authentication to achieve the highest possible
identity assurance.
Press the device manufacturers and authentication solution providers to explore new
context data points, derived at various operational stages, and use them in
determining the risks associated with a particular device operation.
Assess product and service providers' preparedness for significant shifts in their
product and service roadmaps, depending on their target markets. Significant
integration may be required, and more specific choices in industry vertical solutions
could result.
Source: Gartner
16. IoT is a Paradise for Hackers
Source: HP Security Research
Almost 90 percent of the devices collect personal information such as name, address,
date of birth, email, credit card number, etc.
This information is sent in unencrypted form to the cloud and big data platforms, thus
endangering the privacy of users.
17. 26 billion devices on the Internet of Things by 2020 (Gartner)
15 billion existing devices connected to the internet (Intel)
Not adequately protected at the device level
• Cannot wait for a new generation of secure devices to be developed
Require robust and layered security controls
90% of world's data generated over last two years
19. Security Threats of Connected Medical Devices
The Department of Homeland Security
• Investigating 2 dozen cases of suspected cyber security flaws in medical devices
that could be exploited
• Can be detrimental to the patient, creating problems such as instructing an infusion
pump to overdose a patient with drugs or forcing a heart implant to deliver a deadly
jolt of electricity
• Encrypt medical data that's stored
PricewaterhouseCoopers study
• $30 billion annual cost hit to the U.S. healthcare system due to inadequate
medical-device interoperability
www.computing.co.uk/ctg/opinion/2390029/security-threats-of-connected-medical-devices#
21. 95% of cloud security failures will be the customer's fault
Source: Gartner
22. Sensitive Data in the Cloud
82% of organizations currently transfer (or plan to transfer) sensitive/confidential
data to the cloud in the next 24 months.
23. Lack of Cloud Confidence
2/3 of survey respondents either agree or are unsure that cloud services used by their
organization are NOT thoroughly vetted for security.
24. Data Breach: Cloud Multiplier Effect
2x: A data breach in the cloud can be 2x more costly. 66 percent of respondents say
their organization's use of cloud resources diminishes its ability to protect
confidential or sensitive information, and 64 percent believe it makes it difficult to
secure business-critical applications.
25. What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?
27. Data Security Holding Back Cloud Projects
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
28. Security of Data in Cloud at Board-level
Source: Cloud Adoption Practices & Priorities Survey Report January 2015
29. High-profile Cyber Attacks
49% recommended database security
40% of budget still on network security only
19% to database security
Conclusion: Organizations have traditionally spent money on network security, so it is
earmarked in the budget and requires no further justification.
33. Data-Centric Audit and Protection (DCAP)
Source: Gartner, Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
Organizations that have not developed data-centric
security policies to coordinate management processes
and security controls across data silos need to act
By 2018, data-centric audit and protection strategies
will replace disparate siloed data security governance
approaches in 25% of large enterprises, up from less
than 5% today
Confidential
34. Data-Centric Audit and Protection (DCAP)
Centrally managed security policy
Across unstructured and structured silos
Classify data, control access and monitoring
Protection: encryption, tokenization and masking
Segregation of duties: application users and privileged users
Auditing and reporting
Source: Gartner, Market Guide for Data-Centric Audit and Protection (DCAP), Nov 21 2014
36. Enterprise Data Security Policy
What: What is the sensitive data that needs to be protected?
How: How you want to protect and present sensitive data. There are several methods
for protecting sensitive data.
Who: Who should have access to sensitive data and who should not. Security access
control.
When: When should sensitive data access be granted to those who have access? Day of
week, time of day.
Where: Where is the sensitive data stored? This will be where the policy is enforced.
Audit: Audit authorized or unauthorized access to sensitive data.
38. Data-Centric Protection Increases Security in Cloud Computing
Rather than making the protection platform based, the security is applied directly to
the data
Protecting the data wherever it goes, in any environment
Cloud environments by nature have more access points and cannot be disconnected
Data-centric protection reduces the reliance on controlling the high number of access
points
39. Clouds Are Secure: Are You Using Them Securely?
Through 2020, 95% of cloud security failures will be the customer's fault.
By year-end 2018, 50% of organizations with more than 2,500 users will use a cloud
access security broker (CASB) product to control SaaS usage, up from less than 5%
today.
By 2020, 85% of large enterprises will use a CASB product, up from less than 5% today.
Source: Gartner
40. Cloud Security
Gartner released the report "Simplify Operations and Compliance in the Cloud by
Protecting Sensitive Data" in June 2015, which highlighted key challenges as "cloud
increases the risks of noncompliance through unapproved access and data breach."
The report recommended that CIOs and CISOs address data residency and compliance
issues by "applying encryption or tokenization," and also "understand when data
appears in clear text, where keys are made available and stored, and who has access
to the keys."
Another recent Gartner report concluded that "Cloud Data Protection Gateways" provide
a "High Benefit Rating" and "offer a way to secure sensitive enterprise data and
files."
Source: Gartner - xxxx
46. Risk Adjusted Data Leakage
[Chart: index data trust (low to high) plotted against elasticity (in-house to
out-sourced), contrasting an index not leaking sensitive data, an index leaking
sensitive data, and sort order preserving encryption algorithms leaking sensitive data]
49. Reduction of Pain with New Protection Techniques
[Chart: pain and TCO (high to low) plotted over a 1970-2010 timeline for the four
protection techniques below, shown in chronological order]
Input value: 3872 3789 1620 3675
Strong encryption output (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@
Format preserving encryption (DTP, FPE): 8278 2789 2990 2789 (format preserving)
Vault-based tokenization: 8278 2789 2990 2789 (greatly reduced key management)
Vaultless tokenization: 8278 2789 2990 2789 (no vault)
50. Cloud Gateway - Requirements Adjusted Protection
[Table: data protection methods rated from best to worst on scalability, storage,
security and transparency; the per-cell ratings are not recoverable from the extracted
text]
Methods compared: system without data protection; weak encryption (1:1 mapping);
searchable gateway index (IV); vaultless tokenization; partial encryption; data type
preservation encryption; strong encryption (AES CBC, IV)
51. Speed of Fine Grained Protection Methods
[Chart: transactions per second* on a log scale from 100 to 10 000 000, compared for
format preserving encryption, vaultless data tokenization, AES CBC encryption
standard and vault-based data tokenization]
*: Speed will depend on the configuration
53. Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used approach     Encryption                 Tokenization
                  Cipher system              Code system
                  Cryptographic algorithms   Code books
                  Cryptographic keys         Index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
55. Examples of Protected Data
Field            Real Data                            Tokenized / Pseudonymized
Name             Joe Smith                            csu wusoj
Address          100 Main Street, Pleasantville, CA   476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                           01/02/1966
Telephone        760-278-3389                         760-389-2289
E-Mail Address   joe.smith@surferdude.org             eoe.nwuer@beusorpdqo.org
SSN              076-39-2778                          076-28-3390
CC Number        3678 2289 3907 3378                  3846 2290 3371 3378
Business URL     www.surferdude.com                   www.sheyinctao.com
Fingerprint      -                                    Encrypted
Photo            -                                    Encrypted
X-Ray            -                                    Encrypted
Healthcare / Financial Services examples: Dr. visits, prescriptions, hospital stays
and discharges, clinical, billing, etc.; financial services consumer products and
activities
Protection methods can be equally applied to the actual data, but not needed with
de-identification
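As an added example (not code from the slides or from any vendor's product), this Python sketch contrasts the two format-preserving approaches the "Reduction of Pain" and "Examples of Protected Data" slides show: a vault-based tokenizer that stores a random same-format token in a lookup table, and a vaultless, key-derived pseudonym computed with HMAC. The key and input values are constructed; the keyed-PRF mapping is a simplified illustration rather than a real FPE or vaultless tokenization algorithm, and unlike those it does not guarantee collision-free output.

```python
import hashlib
import hmac
import secrets
import string

# Constructed demo key; a real deployment keeps the key in an HSM or key manager.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# A format-preserving token keeps each character inside its original class.
_CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _class_of(ch):
    """Character class of ch, or None for separators such as '-', ' ', '@', '.'."""
    for cls in _CLASSES:
        if ch in cls:
            return cls
    return None


def _same_shape(value, pick, keep_prefix):
    """Rebuild value with its layout intact; pick(i, cls) supplies each new char."""
    out = []
    for i, ch in enumerate(value):
        cls = _class_of(ch)
        # Separators and a kept prefix (e.g. area code, SSN group) pass through.
        out.append(ch if cls is None or i < keep_prefix else pick(i, cls))
    return "".join(out)


def pseudonymize(value, key=DEMO_KEY, keep_prefix=0):
    """Vaultless: deterministic pseudonym derived from the key, nothing stored."""
    def pick(i, cls):
        digest = hmac.new(key, f"{i}:{value}".encode(), hashlib.sha256).digest()
        return cls[int.from_bytes(digest[:4], "big") % len(cls)]
    return _same_shape(value, pick, keep_prefix)


class TokenVault:
    """Vault-based: random same-format token, original kept in a lookup table."""

    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value, keep_prefix=0):
        if value in self._to_token:           # same input -> same token
            return self._to_token[value]
        if all(_class_of(c) is None or i < keep_prefix for i, c in enumerate(value)):
            raise ValueError("nothing to tokenize")
        while True:                           # retry on the rare collision
            token = _same_shape(value, lambda i, cls: secrets.choice(cls), keep_prefix)
            if token != value and token not in self._to_value:
                break
        self._to_token[value], self._to_value[token] = token, value
        return token

    def detokenize(self, token):
        return self._to_value[token]          # only the vault can reverse a token
```

Calling `pseudonymize("3872 3789 1620 3675")` yields a 19-character string of four digit groups, and `pseudonymize("760-278-3389", keep_prefix=4)` keeps the area code as the slide's telephone row does; `TokenVault().tokenize(...)` produces the same shapes but can only be reversed through the vault.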
57. Traditional Access Control
[Chart: risk exposure and user productivity/creativity plotted against access to
sensitive data in clear, from low to high access]
58. Fine Grained Protection of Data Fields
[Chart: risk exposure and user productivity/creativity plotted against access to
tokenized data, from low to high access]
60. Big Data Needs a Data-Centric Security Focus
CISOs should not treat big data security in isolation, but require policies that
encompass all data
New data-centric audit and protection solutions and management approaches are required
Big data initiatives require data to move between structured and unstructured data
silos, exposing incoherent data security policies that CISOs must address to avoid
security chaos
Source: Gartner, Big Data Needs a Data-Centric Security Focus, 2014
63. Many Ways to Hack Big Data
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
[Diagram: Hadoop stack with HDFS (Hadoop Distributed File System), MapReduce (job
scheduling/execution system), Hbase (column DB), Pig (data flow), Hive (SQL), Sqoop,
Avro (serialization) and Zookeeper (coordination), connected to ETL tools, BI
reporting and an RDBMS; threat sources marked as hackers, privileged users, and
unvetted applications or ad hoc processes]
64. Securing Big Data
1. Data protection at database, application or file
2. Data protection in a staging area
3. Volume encryption in Hadoop
4. Hbase, Pig, Hive, Flume and Scope using protection API
5. MapReduce using protection API
6. File and folder encryption in HDFS
7. Import de-identified data
8. Export de-identified data
9. Export identifiable data
10. Export audits for reporting
68. Security & Business Skills
The global shortage of technical skills in information security is by now well
documented, but there is an equally concerning shortage of soft skills.
"I need people who understand that they are here to help the business make money and
enable the business to succeed -- that's the bottom line. But it's very hard to find
information security professionals who have that mindset," a CISO at a leading
technology company told us.
Source: www.informationweek.com/strategic-cio/enterprise-agility/the-security-skills-shortage-no-one-talks-about/a/d-id/1315690
69. Balancing Data Security & Utility
[Chart: classification of sensitive data and granular protection of sensitive data,
asking whether index data and value preserving encoding leak sensitive data]
70. Summary
Exponential growth of data generation
• New business models fueled by Big Data, cloud computing and the Internet of Things
• Creating a cybercriminals' paradise
Challenge in this interconnected world
• Merging data security with data value and productivity
Urgently need a data-centric strategy
• Protect the sensitive data flowing through digital business systems
Solutions to bring together data insight & security
• Safely unlock the power of digital business