From left: Dialog Axiata M2M-IoT Strategy Development and Partner Management Head Dr. Indika Samarakoon, Duo World CEO and Chief Architect Muhunthan Canagey, Dialog Axiata Group Chief Operating Officer Dr. Rainer Deutschmann, Cyber Security, India and SAARC, CISCO Regional Manager Vivek Srivastava and Moderator CICRA Holdings Group Director-CEO Boshan Dayaratne

Experts at Daily FT-CICRA Cyber Security Summit 2018 discuss opportunities and challenges of security in the era of IoT

By Hiyal Biyagamage

Internet of Things (IoT) is no more a niche technical term. According to a number of reports from different research agencies, 20 billion IoT–connected devices will be online by 2020. IoT has become a major part of enterprises as well as the lives of consumers, with multiple innovations rolled out on IoT-based devices.

With such developments, IoT-based attacks have also become a reality. A recent Gartner survey found that nearly 20% of organisations observed at least one IoT-based attack in the past three years. To protect against those threats Gartner Inc. forecasts that worldwide spending on IoT security will reach

$ 1.5 billion in 2018, a 28% increase from 2017 spending of $ 1.2 billion.

The second session of the Daily FT-CICRA Cyber Security Summit 2018 saw local and regional cyber experts focusing on IoT where they discussed how regulatory compliances around the technology will become a key influencer for the uptake of IoT and its overall security.

 

The ‘hyper-exponential growth’ of organisations

Delivering the first keynote address of the session, titled ‘Security in the IoT Era’, Dialog Axiata PLC Chief Operating Officer Dr. Rainer Deutschmann outlined key technology trends that are driving our lives and businesses, and what successful businesses globally do to become top companies while aligning common technology elements with cybersecurity.

“There is a pace ongoing in what I call an exponential world, with exponential challenges with respect to cybersecurity. It is a fast-moving world so we have to be on our toes all the time.”

Explaining a chart on the past 120 years of technology advancements, Dr. Rainer said: “If I look back 120 years and plot the computing power of devices, earlier we had electro-mechanic computers but today we have computers which are used for crypto-mining. That is an exponential growth and what we have witnessed over the last few years is an acceleration of that growth as well. We can refer to that as ‘hyper-exponential growth’. There is no sign of stopping that.”

“However, if you look at all this growth from a linear point of view, it will look like there has not been much moving during the last 119 years, but during the last few years, the developments have been happening amazingly. If I advance to the next 10 years from now, it will look like we have not even started and we are actually living in the Stone Age,” said Dr. Rainer.

 

“That is the exponential power the world has witnessed during the past few years,” Dr. Rainer pointed out, stating: “It will be fair to predict that it will not stop in the future. So, we cannot rest today and only look at today; we have to be smart about what is going to happen in the future.”

Touching upon few key trends which are relevant for businesses and cybersecurity, Dr. Rainer said: “We are now living in a world which is fairly connected, not only through mobile phones on a voice connectivity but more than half of the population today are connected to the internet directly. Most of them are connected through a mobile phone and pretty much all of the people are active on social media. It is a highly connected world from a population perspective.”

“More people connected to the internet means more people are vulnerable to cyber attacks,” he said.

On the discussion around the cloud, he mentioned that the current spending on cloud, which is around $ 150 billion, would be doubled within the next four years, according to Gartner. “It is a significant movement to the public and hybrid cloud, and organisations can focus much more on innovation and strategy as they do not have to worry about the maintenance of infrastructure.”

“One of the important aspects to understand is that the security of being in a public cloud is higher. There are two parties involved in running a cloud service—the provider and the user. From a provider’s perspective, providing security from a physical point of view to an infrastructure point of view requires a lot of effort and resources. That is why instead of going into a public cloud, moving into a hybrid cloud is encouraged,” Dr. Rainer stated further.

IoT, machine learning and quantum computing

Continuing his discussion on IoT and different technologies, Dr. Rainer said there are more connected devices than humans on earth, with more than half of the population having access to the internet.

“We are not only talking about connecting people but also about connecting machines. The number will be exponentially growing during the next two to three years.”

Speaking about machine learning, Dr. Rainer said it is nothing other than pattern recognition.

“Pattern recognition is being used to monitor intrusions, malware and spams so the technology is well established to be used in the space of cybersecurity. The next level will be more exciting when we talk about more general AI because so far, the systems are specialised to solve one’s specific problem. The real fun starts when the systems do not depend on external data but evolve themselves. Systems are starting to become smart in a way to explain themselves and explain the rationale on how a certain prediction was made.”

On quantum computing, he said: “We have seen hype around the quantum supremacy which has been predicted to be starting beyond 49 qubits. Google’s quantum processor Bristlecone is currently 72 qubits. One of the main issues pertaining to quantum computing is its associated noise. Active research is ongoing to beat this exponential increase of noise in the system where we overcome the exponential computing power that comes with the addition of more qubits.”

 

 

A different world of IT

Summing up his keynote address, Dr. Rainer pointed out a few key factors on how organisations can become successful in the world of exponential development.

Being very close to the consumer – We have technologies which allow us to generate real-time insights from the customer every single minute in different dimensions. We can use those insights to improve security by taking the data and playing it in an appropriate way.

Atomisation of how we work – It used to be very large organisations with many employees. They are organised in a hierarchical manner and you have silos where everyone works at their own pace. In reality, there is a transformation where we see that monolithic setup—much smaller work cells which are cross-functional work cells from different areas—where teams work more or less with a design perspective independence.

However, you still have to maintain security guidelines. You have to think about not only bringing the user experience quality into the team but you have to have people that understand implications from a security perspective so that the product you deliver complies with security standards. Security should be seen as a key enabler for the user side.

 

The magnitude of data explosion – If you look at organisations practically, we find many islands of data. You find that data generated by different systems and different logs in various departments are not really combined. This means that you are unable to unlock the full power of your data. Not only do you have to make sure you collect the right data but you need to have a 360-degree view of your data streams for your customers, partners and employees.

You need to make data available in a secure manner through a visualisation tool like Tableau. The whole stack needs to be set in place and has to be complemented by a proper security framework.

A different IT environment – The atomisation in the workplace described earlier is also happening in IT. Rather than having monolithic applications where I am starting to implement one application, build this whole stack and implement another application, it has dissolved into a concept called microservices. They are communicating in a much flexible manner through APIs.

If you have that ecosystem of atoms that are communicating, it gives you a lot of flexibility but again, having the security in a more organic system is a new challenge, which I would urge everyone to think about from now on. We are living in a different IT world now as opposed to building monolithic applications 10-20 years back.

The transformation of future leaders – All the technology trends and activities we see today happening in our organisations are not static requirements in terms of who is going to be the leader of tomorrow. According to a recent McKenzie study, we see there is a significant change in terms of requirements what we need today and tomorrow. They will become more and more automated. There will be no reason for us to go and do any kind of a calculation — it will be faster and cheaper for these automated devices to complete those calculations for us.

However, what we do need is people who are able to embrace the power of technology that is able to develop solutions to bring new levels of customer experience. IT, user experience skills, and the ability to analyse big data and other data streams are top skills which organisations are looking for in the future.

 

 

Security for digital enterprises 

Regional Manager – Cybersecurity, India and SAARC for Cisco Inc. Vivek Srivastava delivered the second keynote address on how Cisco looks at enabling security for digital enterprises.

“What trend would you pick up when you want your organisation to be digital? The answer lies in the outcome. What is that you are expecting your digital transformation to be? Number one would be: can you create a new customer experience? Second would be: can you transform your existing business processes into digital? Third would be: can you improve your efficiency and performance with moving to digital? These are the primary areas where objectives lie for most of the businesses,” said Srivastava.

“Security becomes extremely important for the survival of an organisation today. Security is a necessity for every organisation, not a strategy,” he said.

From a digital transformation perspective, Cisco believes an organisation should follow certain steps to digitise their business successfully.

“First, it has to be outcome focused. It is not primarily limited to the IT team. It has to be aligned with the whole business as well. Security is one aspect and automation is another key focus area. Automation can resolve some of the main complexities of your business that come from people, processes and devices.”

He also said that analytics play a crucial role as well. “We have so many connected devices, touch-points, applications and conversations that generate vast volumes of data. Analytics can help you define how you make sense of that data and gathered data will give you intelligence insights for organisations to improve their processes and services.”

“Let technologies talk to technologies. Let devices talk to devices. When they talk to each other, you can avoid gaps which can be created from manual work,” stressed Srivastava.

Digital and security go hand in hand. If an organisation has a good digital strategy but misses on a good security strategy, Srivastava mentioned that it would not be able to run for a long period. Viability will be very low for the business to continue its growth.“IoT brings a set of different challenges. If you look at most of these IoT devices — be it consumer technology or industrial IoT — most of them might have not worried about including proper security features. They must not have run normal vulnerability management cycles. In such a context, these devices will be easy prey for hackers. Most of the time, it is very difficult to create visibility for these devices as well.”

To overcome challenges related to IoT and digital enterprises, Srivastava said that organisations have to start from people, address processes and technologies, and proper policies and governance need to be brought along the way. He discussed three important factors which are very important from the security perspective for a digital enterprise:

Complete security coverage – This means the visibility of everything happening inside your organisation. This is not limited to your IT infrastructure; we are talking about visibility into the cloud, IoT devices and other IT components.

Agile security operation – Most organisations tend to miss this part. The security operations are something that we look to primarily as a process of managing logs and reporting to different executives. Today’s new age security operations will help you to build a mechanism where your security operations can itself be a pre-emptive, prevention mechanism for the entire organisation.

Security-centric approach – Organisations need to focus on how to drive and empower employees of an organisation to have an understanding about cybersecurity and its impact.

Concluding his remarks, Srivastava said: “It is extremely important that when you are forming your digital strategy or you want to embark upon digital transformation, you take security along your way. Security and digital strategies have to be formulated together. Secondly, the visibility of control that you create for your environment will play a key role. The security technologies we use should address the entire attack lifecycle.”

“You may have tools and technologies for prevention, but you need to make sure that investments have been done on technologies which can help you detect threats and immediately take remediate actions,” opined Srivastava.

The dilemma of regulators

Joining the discussion as a panel member, Duo World Inc. Chief Executive Officer and Chief Architect Muhunthan Canagey talked about security and regulatory challenges for IoT’s development in Sri Lanka. He mentioned that regulators should get rid of their conventional thinking hats for the country to leverage technologies like IoT and cryptocurrency.

“IoT has already started and it is moving across so fast. There are so many devices available in the market right now. What you need to understand is that every IoT service would require an end-to-end service deliberate. If you take Amazon Dash Buttons, it is a situation of micropayments. How do you ensure that the entire transaction goes through? When it comes to the regulatory, that is where the problem is. There are innovators out there who are building innovative products and when they require something from the regulator that is where the problem comes in.”

“Regulation is something that is going to hold innovation in this country and regulators need to move away from conventional thinking. If regulators continue to think conventionally, we, as a country, are going to make sure those innovations will not get to that stage and we are going to be followers, not leaders. That change has to happen and that could only happen with a change in the people,” said Muhunthan.

Dialog Axiata M2M/IoT Strategy Development and Partner Management Head Dr. Indika Samarakoon spoke about different challenges pertaining to IoT.

“With any type of technology, we are supposed to empower either enterprises or consumers. Empower means driving adoption. In order for the adoption to happen, it has to be affordable. In a country like Sri Lanka where affordability and market size are limited, we do not have a large demand from consumers. When we try to develop devices, we face challenges since we do not have minimum order quantities (MOQ) to get the vendors to do what we prefer.”

“Another challenge is security constrained devices. We are talking about cheap, affordable devices that could run for years. It means that the device should wake up, do something and go back to sleep. How could you have encryption processes running on these devices to do that in real time, in order to provide the security you prefer?” he pointed out.

He also spoke about the challenges in IoT security standards.

“If we look at security standards, IoT standards are still emerging. If we look at technologies like Z-Wave or ZigBee, the transport layer is standardised but the application layer is not. How are we to bring out security if we do not have proper standards in place? That is another challenge. IoT is also a collaborative technology platform. You have vendors, manufacturers, developers, service provider and other stakeholders. Having multiple interfaces is also a challenge.”

Organised under the theme ‘Towards a Secure Digital Future’, local and global experts on cybersecurity spoke at the sixth Daily FT-CICRA Cyber Security Summit 2018, the premier cybersecurity event of the country, emphasising the importance of securing the future of organisations in a fully digitalised atmosphere, even though it appears to be an uphill task.

The Daily FT-CICRA 2018 Cyber Security Summit was supported by Cisco as the Principal Sponsor, Visa as the Strategic Partner, and Infowatch and Tufin as Co-Sponsors. LankaPay was the Official Payment Partner while Dialog was the Telecommunication Partner. Sri Lanka Insurance was the Insurance Partner. The Ministry of Telecommunication and Digital Infrastructure and ICT Agency of Sri Lanka endorsed the event. Cinnamon Grand was the Hospitality Partner of the Summit while Triad was the Creative Partner. The Electronic Media Partners of the event were TV Derana, FM Derana, Ada Derana and Derana24X7.

Pix by Upul Abayasekara

and Ruwan Walpola