Friday, June 19, 2015

Information Security - Reducing Complexity


Change is constant and we are seeing that everything around us are evolving. Primarily, the evolution is happening on the following categories:

Threats:

There is a drastic change in the threat landscape between now and the 1980s or even 1990s. Between 1980 and 2000, a good anti-virus and firewall solution was considered well enough for an organization. But now those are not just enough and the hackers are using sophisticated tools, technology and sills to attack the organizations. The motive behind hacking has also evolved and in that front, we see that hacking, though illegal is a commercially viable profession or business. 

Compliance:

With the pace at which the Threat landscape is evolving, governments have reasons to be concerned much as they are increasingly leveraging the technology to better serve the citizens and thus giving room for an increased security risk. To combat such challenges, Governments have come up with regulatory compliance requirements making it even complex for the CSOs of enterprises.

Technology:

Technology is evolving at a much faster pace and as we are experiencing, we are seeing that the things around us are getting smarter with the ability to connect and communicate to internet. On the other side, considerable progress have been achieved in the Artificial Intelligence, Machine Learning, etc. These newer ‘smarter things’ are adding up to the complexity as the CSOs of the have to handle the threats that these bring on to the surface.

Needless to mention that the hackers too make the best use of the technology evolution and thus improving their attack capabilities day by day.

Business Needs:

The driver of adoption of these evolution is the business need. As businesses want to stay ahead of the competition, they leverage the evolving technologies and surge ahead of the competition. With a shorter time to market, all departments, including the security organization should be capable of accepting and implementing such changes at faster pace. Due to this time pressure, there is a tendency to look for easier and quicker ways to implement changes ignoring the best practices.


Consumerization

IT today is to simplify things to the consumers within and outside the organization and this raises the user expectation and thus leading to too many changes with some being unrealistic as well. This may include the users bringing their own anything (BYOA). This will soon include Bring Your Own Identity with chips implanted under the skin. As you would know, employees who work at the new high tech office campus in Sweden, EpiCenter can wave their hands to open doors, with an RFID chip implanted under the skin.

Connected world

Most enterprises are now connected with their business partners in terms for exchanging business data. With this the IT System perimeter extends to that of the partners’ as well to some extent. Rules and polices had to be relaxed to support such connected systems. Now that we are looking at things that we use every day will transform as connected things, adding up to the complexity.

Big data

Basically the need for big data tools to handle this. While this complexity did exist earlier, the attacks were not that sophisticated then. Today with the level of sophistication on the attack surface, the need for simplifying complexity of handling huge data is very much required.

Skillset

The threat landscape is widening and the attacks are getting sophisticated, which call for even better tools and technologies to be used to prevent or counter them. This means that there is a continuous change in the method, approach, tools and technology used, making it difficult to maintain and manage the skills of the human resources.

Application Eco System

A midsized organization will have hundreds of applications, needing to have different exceptions to the policies and rules. These applications may in turn use third party components and thus the chances of a vulnerability within these applications is very high. Given that these applications constantly undergo change and evolve, there is a possibility that the code or component left behind might expose a vulnerability.


How does this impact

Complexity impacts the security capability in many ways and the following are some:

Accuracy in Detection

The complexity makes the detection of a compromise difficult. Having to handle and correlating large volume of logs from different devices and that too different vendors will always be a challenge and this makes timely and accurate detection a remote possibility. A successful counter measure require accurate detection in the pre-infection or atleast in the infection stage. The later it is detected, it is complex to counter the same.

Resources

Each new security technology requires people to properly deploy, operate and maintain it. But it is difficult to add new heads to the Security Organization as and when a new tool or technology is considered. Similarly, managing the legacy solutions put in by older employees who are no longer employed in the organizaiton is likely to remain untouched due to the fear of breaking certain things.

Vulnerabilities and Exposures

With the huge number of applications used by the enterprise, this is a complex and huge exercise, unless the same is integrated into the build and delivery process by mandating a security vulnerability assessment. With innumerable number of applications, components, and the operating systems connecting to the enterprise network, this is almost impossible. Needless to mention that with the wearables and other smarter things connection to the network, who knows, what vulnerability exist in such smarter things and in turn exploited by hackers.

Methods for reducing complexity

Complexity is certainly bad and reducing complexity will beneficial both in terms of cost and otherwise. However, simplification by any means should not result in compromising the needed detection and protection abilities. A balanced approach is necessary so that the risk, cost and complexity are well balanced and beneficial to the organization. The following are some of the methods that may help reduce the complexity:

  • Integrated processes as against isolated security processes. Every Business process should have the security related processes integrated within, so that every person in the organization will by default contribute towards security. The security process framework shall be designed in such a manner that it evolves over a period based on experience and feedback.
  • Practicing Agile approach within the security organization, so that the complexity is hidden within tools and appliances by automating the same. Agile approach also helps the security organization to embrace changes faster, especially, when implementing changes in response to a detected threat or compromise. One has to carefully adopt such practices into the Security framework.
  • Outsourcing the security operations to Managed Security Service Providers(MSSP) is certainly an option for small and medium enterprises that brings takes some of the complexity away and thus benefits the organization. Needless to mention here that outsourcing does not absolve the responsibility of the security organization from any security incident or breach.
  • “Shrinking the Rack” – Consolidating technologies whereby devices combining multiple technology and capability within it may make it easier for deployment and administration. At the same time this has the risk of ‘having all eggs in one basket’, i.e. when such a device or solution is hacked, then it is far and wide open for the hackers.
  • Mandating periodical code, component and process refactoring, where by unneeded legacy code, component and process are periodically reviewed and removed from the system. This will help keeping the applications maintainable and secure. Also implant security as a culture amongst all the employees, so that they handle security indicators responsibly.

Saturday, May 23, 2015

Factors Affecting Software Resiliency

The digital transformation is happening everywhere right from small private firms to government organizations. On the personal front, connected things is coming on, where by every thing that we have or use will be smart enough to connect and communicate with other things(systems). This in effect means there will be an increased reliance on IT systems to accomplish various tasks. This will call for high order of resilience on the part of such systems and the absence of which may lead to disasterous situation.

As we all know, the word resiliency means 'the ability to bounce-back after some events'. In otherwords, it is a capability of withstanding any shock or impact without any major deformation or rupture. In software terms, resilience is the persistence of the avoidance of failures when facing a change or in a deviated circumstance.

To design a resilient system, one should first understand the various factors that work against the resiliency. Here are some such factors:


Design Flaws

Design and Architecture of the systems is a major factor that works in favor or against the resiliency requirement. The architects shall while designing the system or solution should have a good understanding of what could go wrong and provide for an exception handling ability, so that all exceptions are appropriately handled, making the system not to go down and instead recover from such exception and continue to operate. The architects have many options today in terms of tools, technologies, standards, methodologies and frameworks that help buidling resiliency within. It is the ability of choosing the right combination of tools, technologies, etc for the specific systems that will decide on the resilience capability of the system. 


Software Complexity

The size and complexity of software systems is increasing, thus the ways in which a system can fail also increases. It is fair to assume that the increase in failure possibilities does not bear a linear or additive relationship to system complexity. Typically, the complexity of the software systems increases as it evolves by responding to the changing business needs. This is more so as the tools and technologies used to design and build the software are becoming outdated, making it difficult in maintaining the systems. 

This complexity attribute makes it increasingly difficult to incorporate resiliency routines that will respond effectively to failures in the individual systems and in their complex system. The cost of achieving an equivalent level of resiliency due to the complexity factor should be added to that of the individual systems

Interdependency and Interconnectivity

We are living in a connected world and systems of many of today's businesses depend on connectivity with their partner entities to do their business. This adds multiple points of failures over and above the network connectivity. The system resiliency is increasingly dependent on the resiliency of systems different other organizations over which the entity has no control. This means that a failure or outage of a business partner's system can have a ripple effect. This situation requires the systems need to be aware and capable of such failure or outage with other connected systems and the ability to recover from such events should be designed within. 

Rapid Changes

Thanks to the evolving digital economy, the business needs are changing too frequently and thus needing system changes. Every change in an existing system, for sure will add a bit of complexity, as the architecture on which the system originally designed wouldn't have considered the changes that are coming through. Many a times, considering the time to market, such changes need to be implemented quicker than expected, leaving the software designers to adopt a quick and dirty approach to deliver the change, leaving a permanent solution for a later time period. The irony is that there will never be a time when the 'permanent solution' is implemented.

Change is one of the key source of adding complexity to the Software systems. However, the evolving tools, technologies and methodologies come to the rescue, so that the Architects design systems and solutions in such a way to pave way for embracing such changes and to embed the resiliency factors in the design.

A frequently held criticism of Common Criteria testing is that, by the time the results are available, there is a good chance that the tested software has already been replaced. The danger here is that the new software may contain new vulnerabilities that may not have existed in prior versions. Thus, determining that an obsolete piece of software is sufficiently resilient is not particularly indicative of the state of the newest version and, therefore, is not very useful

Conclusion

Higher levels of resilience can be achieved by leveraging Machine Learning and Big Data tools and techniques. As the world is moving towards more and more connected things, high order of resilience is critical. With Machine Learning capability, the systems and devices can be embedded with algorithms that make them learn from past events and the data collected from various other connected networks and systems in addition to the ambient data. The systems can be designed to predict the health of various underlying components and thus its own health as well. Based on such prediction, the components may choose to use alternate approaches, like using alternate network protocols like Wireless, Bluetooth, etc, or choose to connect to a different component or system altogether.

Sunday, February 1, 2015

Evolution of Wearables - What is in store?

Many of us are hearing more and more about fitness bands and some are using these. Big players are now rolling out smart watches, which has disrupted the basic fitness bands considerably in a very short span of time, as these smart watches have these basic fitness features within. Wearables like, glasses, jewellery, headgear, belts, armwear, wristwear, legwear, footwear, skin patches, exoskeletons and textiles, etc are also increasingly becoming "Smart". These emerging smart devices can be worn by human beings, which will collect various data based on embedded sensors and provide useful information that will help improve oneself, which could be on physical fitness, health, etc.

As one can understand, wearables is not just limited to the gadget that decorate your wrist and the number of wearable devices in different segments are growing very fast. With rapid evolution around this space, there are devices that are worn around different areas of the body and the following graphic shows the smart devices that are worn in different parts of the human body:



Who are at it?

Amongst many others, companies like Google, Samsung, Fitbit, Jawbone, GoQii, LG, Sony have been into Wearable devices and the competition is heating up as big players like Intel and Apple are betting big on this market.

Fitbit dominated the market for “basic bands,” according to Canalys’ market estimates, with more than 50 percent market share in the second half of the year. The Jawbone UP came second, cutting itself around a fifth of the pie, followed by Nike with its Fuelband.

The market forecast and the trend makes us feel that this wearable space could potentially disrupt many of the traditional devices. Thus many are looking at embracing this market either to see how this could disrupt their product line or to see if they have an opportunity in this space.

NeuroMetrix of Waltham will be jumping into the market for wearable electronic devices. But the company's new Quell device - an over-the-counter version of its Sensus device for management of chronic pain - is an actual medical device that is used to manage pain.

TomTom, the Dutch brand known for its standalone GPS navigators among other things, has brought its line of sports watches to India. TomTom launched four fitness wearables, which include TomTom Runner and Multi-Sport GPS watches, which deliever real time stats such as time, distance, pace, speed and calories burnt to runners, swimmers and cyclists.

Xiaomi said in a press release that local sales of its Mi Band - a fitness tracking bracelet that can be powered for 30 days on a single charge, has surpassed 100,000 units since it was unveiled. The Beijing-based company forecast that more than 500,000 Mi Bands will be sold in Taiwan by the end of the year, giving it the biggest share of the country's wearable device market that is currently led by Sony Corp. and Samsung Electronics Co.

Intel is firing on all cylinders to expand into the growing wearable technology arena such as smart watches and other Internet-enabled wearables. This investment in Vuzix Corporation is yet another effort by the chipmaker in this regard. Intel has unveiled Curie, a low-powered module no bigger than a button, as part of its vision to lead in the wearables field.

Rumors have said that HTC will be launching a smartwatch at the upcoming CES. The initially planned unveiling of the device was back in October, but the date was pushed back to CES 2015. Details of the device are unclear though, as it could be a smartwatch or a fitness tracker.

In addition to all these devices, there will also be wearable technology focusing on health and fitness, prosthetics and smart clothing.

The Trend

Shipments of smart wearables are expected to grow from 9.7 million in 2013 to 135 million in 2018, according to CCS Insight's new global forecast. The forecast predicts that wrist-worn devices will account for 87% of wearables to be shipped in 2018 — comprising 68 million smartwatches and 50 million smart bands with no screen or with a minimal, one-line display.

The smartwatch will be the leading product category and take an increasingly large share of wearable shipments. We estimate smartwatch shipments will rise by a compound annual rate of 41% over the next five years. Smartwatches will account for 59% of total wearable device shipments this year, and that share will expand to just over 70% of shipments by 2019.

The dominant sector will remain the healthcare sector which merges medical, fitness and wellness. It has the largest number of big names such as Apple, Accenture, Adidas, Fujitsu, Nike, Philips, Reebock, Samsung, SAP and Roche behind the most promising new developments.

Google's Android could be critical for developing the smart devices ecosystem, though significant changes will be required before it is suitable for all kinds of wearable devices. Google has already released Android Wear, targeted for smart watches.

Samsung, Google, Apple, with their massive war chests, have come into this market. They’re going to really help elevate the category for consumers. They’re going to help people understand the kinds of benefits that they can get from these products. The next few years, will see activity trackers with a little bit more biosensing data, and smart watches that people are going to have to charge every night.

If Wearables 1.0 was about creating the basic technologies for the wearable devices, Wearables 2.0 was and still is about crafting rich, robust business models based on these technologies. Wearables 3.0 will be all about perfecting, expanding and engaging customers at a level never experienced before. Big players in Wearable Technology and Internet of Things, from healthcare companies to insurance corporations, from high street retailers to music industry, Google, Apple, Samsung, Mercedes, Nike, Audi, just to name a few are all to give for free their devices in exchange for data.

What could be the future?

Though it’s easy to be pessimistic, one cannot ignore the potential that this market has in store. In any event, while we wait for this category to evolve, it’s entertaining to watch the puzzle pieces slowly come together. Convergence is expected, in much the same way that the smartphone extended the basic functionalities of the feature phone and disrupted certain traditional devices like point and shoot camera.

Medical and Wellness segment could be the one which will embrace this category of wearable devices and make health more affordable and self manageable for every one. For instance, one can wear a virtual doctor while on a specific treatment. A better example could be that the advances in wearable devices could lead to a scenario, where a diabetes patient may get appropriate doses of insulin administered into his body automatically based on various data collected by the sensors worn around the body. This could be risky, if the data, so collected are inaccurate and that is one of the major concern that is expected to be addressed in the coming years.

There has to be a marriage of fitness devices and medical management devices to really impact patient health. The future of wearable technology in fitness and health isn’t about the fitness bands and health monitors – it’s about what can be done with the data they collect, which means that these devices have to be supplemented by smart applications that are powered by big data and analytics tools.

A very large percentage of the population already owns a smart phone, which has lot many capabilities, including that of the basic wearable devices. As such, it will be critical that wearables provide a distinct value proposition that is separate and different than the smartphone, although the smartphone will likely still act as the “hub” to collect information.

We’re already starting to see sensor-embedded running vests and smart socks. But we could soon see jackets with solar panels (to recharge your gadgets on the go), 3D printed dresses that everyone can afford, health-monitoring underwear, even clothes that react to light. If we had the ability to change the look of all of our clothes, just by fiddling with our phones, it would mean less spending on new gear and plenty of spare wardrobe space.

Wearables need to move beyond the gamification of fitness to focus on monitoring and improving our health. With extra sensors and smarter and reliable algorithms, future devices should be able to warn us of high blood pressure and dehydration, fatigue and stress. Perhaps then, forewarned by data we understand, we’ll find wearables more compelling.

In Wearable Tech 3.0 Security is paramount. Six months from now and we’ll understand how poor the wearables 1.0 security was, if any! The big players in this market should finally draw, define and release the IoT and Wearables industry Security Standards. Wearable Tech 3.0 is the beginning of a new era where enterprises provide real value to their customers, a key technology benefit in the age of the customer.