Progress intelligently planned has been the motto of the industrial and IT revolution. Today we are once again being tested by the unrestrained growth of technology, unchained from the burdens of human emotion. Technology itself has become the avenue of expression for the human condition. For thousands of years, humans have used logic and deductive reasoning to create and build what was needed to become efficient and effective.
How We Define Data
Today technology is deciding what is needed and what is not. We have become conditioned to thirst for advancements that enable our minds to interact continually with anything that keeps us occupied, aided by a digital device that allows us to maintain awareness. Only 20 years ago we valued being aware of things; now awareness is handed to us by devices that think for us. The convergence of things, together with the fast-paced movement towards machine learning, deep learning and synthetic cognition/AI, is leading our world into a unified symbiosis. For thousands of years our world was disparate and separated; today it is unified and connected. We as humans have all agreed to drink from the chalice and move into the uncharted waters of unified thought. Data, metadata, converged technologies, and IT, OT, PS and IoT integration using deep learning, machine learning and synthetic cognition/AI are the keys to today’s industrial and IT revolution.
How does it all happen, and how do we keep it from being built in the image of something that is not human? Are we building this connected, converged world in our own image, or will this new world be built in the image of something we don’t even understand? As convergence takes place, four key elements are required to ensure that this new world is created in our image: secured communication, secured identity, secured cloud and storage, and finally secured entry. These four elements are the pillars of a world that inevitably will have to be controlled if it is to survive as a revolution that helps humanity. I will be focusing, however, on the first two, Secured Communication and Secured Identity, which are the initial elements that will begin this evolution.
Secured Communication
Secured communication is traditionally defined as two entities communicating without a third party being able to listen in. Although this is the key element, it must also carry the underlying attribute of securing the movement of data between deep learning, machine learning and artificial cognitive thought integration/AI. The concept of secured communication must transcend the obvious layer and position itself as a tool to mitigate neural network communication and constrain the neural path of information, so that we can still control data in transit and ensure that we as humans remain in control. The movement to fully hyperconverged solutions is positioning a synthetic cognition or AI to take control of a city, government, utility, etc.
Although most believe that segmentation can control things, we all know that communication systems linked to a network and cross-communicating across silos will lead to potential breaches. The need to create secure communication within neural networks as well as infrastructure is key to the development of the IIoT (“Intelligent Internet of Things”) explosion. The reality is that devices are too numerous and are being rushed to market at such a rate that security is not part of the equation, nor, I believe, will it ever be.
Manufacturers are not motivated to take the time to secure devices, since doing so typically does not affect their success. If a product works, then that is the mark of success, not its security. Therefore, security must be dealt with by the end user, ensuring that secured communication strategies are preventative in nature.
NIST has been the stalwart of the industry in helping to create a consistent cybersecurity framework. NIST 800-53, 800-171 Revision 1 and 800-173, together with DFARS, have helped establish and set the level of secured communication. However, as new solutions move forward at a dizzying pace, they challenge the NIST framework to change to a more open platform that allows for technological advances, especially in the world of synthetic cognition/AI and its application to the security infrastructure. Inevitably, we must ask what the key elements regarding the use of secured communication are:
- Do systems presently communicate securely, and is the connective communication tissue between organizations that transfers, accepts or defines data secured?
- Does the business operation or business purpose rely on communicating any form of data that ultimately produces revenue for your company, and if so, is it done securely?
- Do you presently define data as the result of a transaction within your business, or does it become part of your defined process of operations that leads to producing or defining revenue?
- Is communication part of your daily function as an organization, and is it done securely, both internally and externally?
- Do you comply with federal or local regulations that would lead to fines if internal or external communication were compromised by a breach? If so, what strategies have you formulated to protect yourself from liability, beyond detection strategies that lead to a “kill chain” reaction?
Secured Identity
This term has been defined as the ability to acknowledge a trusted source or a trusted individual. The road to trusted and secured identity has taken us from the use of trusted credentials, such as the PIV-compliant credential, to cyber-secure identity management. The path by which identity has been defined is a long and arduous one: from one-part, two-part, multi-factor and biometric authentication to today’s facial recognition algorithms. The use of alphanumeric and/or two-factor authentication has been the standard in the IT environment, and the use of access card technology combined with alphanumeric configuration has been the standard in the PS and OT environment.
The movement towards frictionless and secured entry in the IT, OT, PS and IoT arena has created market confusion and misguided intent. In the world of identity management there are a variety of strategies one may take, yet few have been accepted by those guiding the identity industry. Incremental solutions have been developed to define the marketplace and push the methodology as a turnkey approach; unfortunately, many define the “How” but rarely establish the “Why” of identity. Solutions like facial recognition may be used as a stopgap because they are the new technology, but that application may not fit the security need.
This scenario is very similar to the creation of the first public key infrastructure (PKI), which was produced over 25 years ago to secure an unsecured network environment. The challenge was that the original DNA of the Internet was never intended to be secure. As a result, many market sectors and organizations relied on detection systems as their first line of network defense. The processes of identity management are complex and not a one-dimensional conversation, and therefore must not be centered on one strategy. So, what can be done to define the use of identity?
- Define the correlation of business process, compliance and regulations to the current use of technology.
- Establish how technology affects people and processes (policy and procedures). Does governance or communication take place between silos and divisions of the company or agency?
- How is identity defined within your organization, and how does it lead to secure entry and secure communication between trusted individuals or companies?
- What level of identity is required to prevent unauthorized entry into a business environment in the IT, OT, PS and IoT environments?
Building a secure identity management policy can no longer be done as a bandage; it must instead be built as a holistic solution within the overall organizational process of security, not merely as an additional layer of redundancy that avoids the greater issues. Using ICAM or FICAM as a tool to help build a secured identity within an organization creates a roadmap that allows the company to mesh its own recipe of identity management and access control with the proper technology implementation. Business middleware that applies identity produces results that create efficiencies and best practices within the organization, ensuring that security is seen as an ROI rather than simply a cost center.
Organizations spend millions adding layers of useless technology to an already broken system. Defining your current state by evaluating your maturity in each area of IT, OT, PS and IoT allows you to build technology that is purpose-built rather than reactionary in nature. Evaluate your business operations with respect to security, and define policies and procedures that properly balance prevention against detection, along with proper response processes. Understand the necessity of making systems purpose-built rather than adding technology for the sake of technology.
Secured Cloud and Storage
The path to deep learning and machine learning is the use of metadata. The cloud and storage are byproducts of business and government efficiencies and the desire to use data more effectively. The question of how we use data to do our jobs more effectively is a constant one. We must define how the cloud is used and how storage can support the process of acquiring and maintaining that data securely. The balanced use of cloud and purpose-built storage is the key to leveraging the benefits of converged technologies, and the balance between these elements will prove to be the path to integration and to the use of data in correlating threat and risk. The foundational elements of storage will drive machine learning and the future of synthetic cognition/AI.
Secured Entry
The development of numerous entry processes has led to a complete state of confusion when connecting a human to an intelligent device or product. We seem to view entry as a byproduct of the building, computer, PLC, software solution or intelligent sensor rather than as part of the prevention strategy that restricts those who are not authorized to enter. This is tangible and critically important, since we have built a world around convenience. Entry is primarily a byproduct of access and identity in the IT, OT and PS world. Entry into the physical domain is becoming more intelligent and more secure, and prevention strategies will be constructed on the premise of limiting egress to one person rather than entry to many. The same is occurring in the logical and operational domains. Both are pressed by a lack of entry controls and have now been put on notice by expanding global threats that a converged physical, logical and operational approach to identity and secure access is not optional.
About the author: Pierre Bourgeix is the CTO and founder of ESI Convergent, a management consulting firm focused on helping companies assess and define the use of people, processes and technology within the physical and cybersecurity arena. ESI Convergent was formed to help not only end users but also manufacturers in defining the proper strategy to drive products successfully into the marketplace. As a thought leader in the security industry, Pierre Bourgeix has helped companies successfully launch and position products and solutions globally. ESI Convergent can produce market analysis, product briefs, product specifications, physical and cyber assessments, and an advisory practice surrounding cyber and physical security convergence in the security and risk management arena.