Emerging Security Technologies











by James G. Barr

Docid: 00021147

Publication Date: 2010

Report Type: TUTORIAL

Preview

There is a constant battle being waged between those who would do damage to
people, property, and institutions and those who are pledged to prevent such
damage. Worse still, the battlefield is ever-changing with emerging and
evolving security threats constantly testing the knowledge and adaptability of security professionals,
particularly as the perpetrators leverage technology advancements, like cloud
computing, to magnify their illegal exploits. In an effort to counteract these threats, security professionals continue to develop and deploy new security technologies, mostly in the area
of information security although interest in physical security is rebounding to
pre-Internet levels.


Executive Summary


There is a constant battle
being waged between those who would do damage to people, property, and
institutions and those pledged to prevent such damage. Worse still, the battlefield is ever-changing with emerging and evolving
security threats constantly testing the knowledge and
adaptability of security professionals, particularly as the perpetrators
leverage technology advancements, like cloud computing, to magnify their illegal
exploits.

In an effort to counteract these threats, security professionals continue to
develop and deploy new security technologies, mostly in the area of information
security although interest in physical security is rebounding to pre-Internet
levels.

From an enterprise perspective, the mission is twofold:

  1. To counteract known, but nonetheless persistent, threats like the theft
    of personally identifiable information (PII).
  2. To anticipate new threats like the
    crippling of critical infrastructure through cyber warfare means.

This mission is, perhaps, best accomplished by establishing two security
teams:

  1. A team to manage the "usual" threats, like malware
    and property theft.
  2. A team to erect defenses against next-generation threats, like
    artificial intelligence (AI).

The mission is made more complicated when technologies with high threat potential,
like the Internet of Things (IoT), are embraced by enterprise management owing
to the business opportunities they afford.

Consider the "smart grid," one of the first manifestations of the IoT
concept. The smart grid enables more efficient utilization of electricity
through the incorporation of "smart meters," devices which monitor energy usage
and permit consumers to make more informed energy choices. While the smart
grid saves money, smart grid components are subject to
hacking, meaning grid operators must invest in anti-malware
technology. Although the opportunity/risk trade-off often favors the implementation of
smart grids and other emerging business technologies, security professionals must remain vigilant in enforcing
information and physical
security, including cutting-edge security technologies.

Emerging Security Threats


Cyber Warfare

The era of cyber warfare officially began with the launch of Stuxnet.

Stuxnet is a computer worm that
was primarily written to impact an industrial control system (or systems). Industrial control systems are used to regulate industrial processes, like those
performed in power plants, chemical factories, and oil refineries. Stuxnet was designed to reprogram industrial control systems by
modifying code on programmable logic controllers (PLCs), compelling the PLCs –
and, ultimately, the industrial control systems they power – to function in a
manner the attacker intended.

The worm is believed to have contaminated
centrifuge-controlling computers at one or more of Iran’s nuclear enrichment
sites, leading to speculation that Israel and/or the US might have been
responsible for development and deployment.

Stuxnet signals a new – and disturbing – variety of cyber
attack. While the security community has largely adapted to attack
strategies targeting financial interests, they have virtually ignored
infrastructure threats. Traditionally, infrastructure elements have been
isolated from the Internet, the principal conduit for viruses and worms. In addition, most infrastructure elements have had limited capabilities; even if
compromised, they could not be co-opted for attack purposes.

Since Stuxnet, other nations have launched cyber warfare attacks, both
against infrastructure and non-infrastructure targets. North Korea,
famously, hacked Sony, a commercial entity.

In 2016, Russian hackers conducted a two-front assault against the US
electoral system, stealing e-mails from the Democratic National Committee and
probing state election rolls. Owing to political concerns, including
states’ rights, the extent of the Russian infiltration has been
under-investigated and, as a result, undetermined.

Only one thing is certain: the Russians are trolling again in advance of the
2020 elections, as are, quite probably, the Chinese, Iranians, and North
Koreans.

The IoT

While conceding that "the benefits of [the Internet of Things (IoT)] are undeniable," the US Department
of Homeland Security cautions that "[IoT] security is not keeping up with the
pace of innovation.

"As we increasingly integrate network connections into our nation’s critical
infrastructure, important processes that once were performed manually [or via
closed systems] (and thus enjoyed a measure of immunity against malicious cyber
activity) are now vulnerable to cyber threats. Our increasing national
dependence on network-connected technologies has grown faster than the means to
secure it.

"The IoT ecosystem introduces risks that include malicious actors
manipulating the flow of information to and from network-connected devices or
tampering with devices themselves, which can lead to:

  • "The theft of sensitive data and loss of
    consumer privacy.
  • "Interruption of business operations.
  • "Slowdown of Internet functionality through
    large-scale distributed denial-of-service [DDoS] attacks.
  • "Potential disruptions to critical
    infrastructure."1

According to President Obama’s National Security Telecommunications Advisory
Committee (NSTAC):

"IoT adoption will increase in both speed and scope, and [will] impact
virtually all sectors of our society. The Nation’s challenge is ensuring
that the IoT’s adoption does not create undue risk. Additionally … there is
a small – and rapidly closing – window to ensure that IoT is adopted in a
way that maximizes security and minimizes risk. If the country fails to do
so, it will be coping with the consequences for generations."2

Analyst John Leiseboer adds, rather ominously, that "Most IoT devices were never built to withstand even very simple
cyber-attacks. Most IoT devices are unable to be patched or upgraded, and will
therefore remain vulnerable to cyber hacks or breaches. If compromised, IoT devices with security vulnerabilities can result in a
range of issues, such as a simple denial of service, privacy compromises, major
infrastructure failures, or even death.

"There are well-known methods of
improving the security of IoT devices, such as implementing additional
protection steps and processes, but these have other drawbacks, such as higher
costs, and user inconvenience. Government regulation is needed to set national
frameworks in place to ensure devices have minimum standards of protection."3 

Artificial Intelligence

Like virtualization, cloud computing, robotics, and other technological
advances, artificial intelligence (AI) promises enormous benefits for businesses
and consumers. Consider, for example, how chatbots are changing the way we
interact with our environment, both at home and at work. Unfortunately, AI
can be employed for both good and evil, with security experts predicting a rise
in artificial intelligence-enabled cyber attacks. Thus, while AI
techniques, like machine learning, are being used to detect and deter
cyber crimes, some bad actors are using artificial intelligence as a negative
countermeasure, in an effort to ensure that AI-protected systems can still be
penetrated.

As reported by analyst Dan Patterson, Caleb Barlow, IBM Security’s vice
president of threat intelligence, warns that as "we enter a world where we
start to see AI vs. AI, … this is all about staying one
step ahead of the bad guys with newer technology, better approaches, and better
analytics."4 It’s a high-stakes game where whoever has the best
AI wins. As analyst Leah Brown explains, "While an enterprise may use AI
to close every hole they may have in their system, a hacker uses AI to find that
one pathway they can exploit. They each use a different approach to AI
depending on what they want to accomplish."5

As analyst John Leiseboer warns, "Just as AI has the potential to boost
productivity for businesses and government, hackers will look to AI to find
vulnerabilities in software, with machine-like efficiency, to hack into systems
in a fraction of the time it would take a human being."6 

Edge Computing

As the term implies, "edge computing" is computing at the network edge.
According to Gartner, "Edge computing describes a computing topology in which
information processing and content collection and delivery are placed closer to
the sources of this information."7

If edge computing sounds like the latest incarnation of distributed
computing, it is. The principal difference between edge computing and earlier
distributed forms is that edge computing is essential to certain use cases. The
most frequently cited example involves self-driving or autonomous cars, in which
the onboard AI systems must make immediate, often life-and-death, decisions
based on vehicle sensor data. There is literally no time to transmit data to the
cloud for processing. The processing must take place within the vehicle, or at
"the edge."

As with any technology – especially an emerging technology – security is a
serious concern.

As analyst Brandon Butler observes, "There are two sides of the edge
computing security coin. Some argue that security is theoretically better in an
edge computing environment because data is not traveling over a network, and
it’s staying closer to where it was created. The less data in a corporate data
center or cloud environment, the less data there is to be vulnerable if one of
those environments is compromised.

"The flip side of that is some believe edge computing is inherently less
secure because the edge devices themselves can be more vulnerable. In designing
any edge … computing deployment, therefore, security must be … paramount.
Data encryption, access control and use of virtual private network tunneling are
important elements in protecting edge computing systems."8

Regulatory Compliance

While not classically a threat, the nation’s and the world’s renewed interest
in security and particularly privacy protection has generated a renewed interest
in security and privacy legislation.

Security professionals – and the CEOs they serve – will be challenged to comply with
ever-more-rigorous regulations, in particular GDPR and CCPA.

GDPR – As of May 25,
2018, any organization responsible for collecting, processing, or storing data
belonging to the citizens of the European Union must comply with the EU General
Data Protection Regulation (GDPR). Analyst Andrada Coos cautions that "companies
that process EU data subjects’ personal information have very clear obligations
as data controllers and processors. Prior authorization for processing is needed
from data controllers and can only be done as per the documented instructions
provided by them. Confidentiality is imposed on personnel processing sensitive
data. Clear measures to protect personal data must be adopted and sub-processors
cannot be engaged without the explicit authorization of data controllers."9

CCPA – Commencing January
1, 2020, the California Consumer Privacy Act (CCPA) of 2018 grants consumers
various increased rights with regard to personal information held by a business.
Among the expanded rights are the right to request a business to delete any
personal information that is collected by the business, and the business is
required to comply with such a verifiable consumer request unless the data is
necessary to carry out specified acts.

COVID-19 Pandemic

SARS-CoV-2, the novel coronavirus that helped spawn today’s COVID-19 pandemic
– the worst public health crisis since the so-called "Spanish flu" of 1918 – is
steadily spreading around the globe.

While virologists have been busy seeking a solution to COVID-19 in the form
of a safe and effective vaccine (or, in the absence of a vaccine, safe and
effective therapeutic treatments), information technologists have developed new
digital methods for:

  • Conducting large-scale virtual meetings, even conferences. 
  • Replacing critical in-person appointments, like physician consultations,
    with remote sessions, like telemedicine briefings. 
  • Securing enterprise information that transits makeshift home offices and
    consumer-grade devices. 
  • Reducing congestion in public spaces via proximity warning devices. 
  • Allowing students to engage with each other and their teachers while
    studying at home.
  • Performing COVID-19 contact tracing and supporting quarantine
    operations.

These initiatives, aimed at effecting "social distancing," a behavior-based
deterrent to virus transmission, have greatly expanded the enterprise perimeter
and complicated the administration and delivery of network security services.

Emerging Security Technologies


Biometric I&A

The term "biometrics" encompasses a broad range of technologies that are used
to verify a person’s identity by measuring and analyzing his or her
physiological or behavioral characteristics.

While hardly new, biometrics seems to be ever-emerging as enterprises slowly
realize that cost and complexity should not be impediments to effective asset
security.

Biometrics based on physiological characteristics include:

  • Fingerprint recognition
  • Facial recognition
  • Hand geometry
  • Iris recognition

Biometrics based on behavioral characteristics include:

  • Voice verification
  • Signature verification
  • Keystroke dynamics

Used alone, or in combination with other access control technologies, such as
key cards and
passwords, biometric technologies can provide higher degrees of security than
traditional identification and authentication (I&A) schemes.

While new biometric modalities, like gait analysis and earlobe geometry, are
being developed, clear favorites are emerging among enterprise adopters,
principally:

  • Voice verification, where subjects
    speak to establish their identity, rather than entering passwords and PINs.
  • Facial recognition, ideal for
    high-traffic public areas like border crossings, airports,
    train stations, and stadiums, also for ATMs and consumer mobile and web
    applications.
  • Fingerprint recognition,
    excellent for smartphone, PC, and other device access.
  • Iris recognition,
    preferred for high-security access owing to its accuracy; also for next
    generation smartphone authentication.10

While potent on their own, biometric technologies are often paired with one
or two non-biometric identifiers, enabling multi-mode authentication.

Artificial Intelligence

Soon to become standard practice, artificial intelligence
is being applied to present-day security threats. For
example, Allied Universal is offering HELIAUS, which,
according to the vendor, "is an advanced artificial intelligence platform
designed to improve safety and reduce risk by enhancing on-site guarding
services."

The HELIAUS visitor screening application "is fully configurable to support [a] client’s
visitor screening procedures. It offers screening questions based on Centers of
Disease Control (CDC) guidelines and implements customer-specific visitor
screening protocols such as instructing the security professional to take a
visitor’s temperature or asking the visitor to use a hand sanitization station
before entry.

"[U]sing
GPS and Bluetooth beacons, HELIAUS understands [the location of security
professionals] in real-time, even indoors. If they approach an elevator
bay, it might ask whether people are present, and if they are obeying social
distancing guidelines. These answers are then recorded. Over time, based on the
knowledge collected, the AI engine will make predictions about when enforcement
of social distancing guidelines is most likely to be needed and will notify
security professionals to inspect the elevator bays and encourage social
distancing at the right times."

Surveillance Drone

More than a child’s toy or a package-delivery device, drones are being tasked
to conduct security observations.

So-called "surveillance drones" – normally UAVs or unmanned aerial vehicles –
are being used to conduct routine security patrols or investigate active
incidents, recording and transmitting video, audio, and other data to security
officials.

Drone surveillance provides a number of advantages over traditional security
guard practices. Principal among these are:

  • Speed – Drones, especially
    UAVs, can often be dispatched to a particular location within minutes.
  • Accessibility – Drones can
    explore areas, like downed buildings, which cannot be readily reached or
    observed by human first responders.
  • Safety – Drones can enter
    areas where toxic gases, flammable fluids, and other hazards pose extreme
    risks to rescue workers.
  • Cost – Compared to
    human-based surveillance, drones are generally inexpensive to deploy and
    operate.

Security Robot

Effectively an earthbound drone, a security robot is an autonomous or remote-controlled vehicle designed to:

  • Perform routine security sweeps, in the manner
    of a security guard
  • Conduct military operations, sometimes lethal
  • Retrieve bombs and other munitions
  • Search for missing persons in hazardous locales

Virtual Guarding

While on-site security guards offer a measure of protection, some companies
are experimenting with a new concept called "virtual guarding," in which a
certified security guard monitors a property remotely via the Internet.

Virtual guarding enables a company to downsize its on-site security force
(saving salaries) while expanding the area that can be effectively monitored. A virtual guard leverages various crime-fighting technologies, such as video
surveillance and audio detection, to:

  • Establish the type and location of any
    anomalous activity;
  • Observe the site from a safe distance; and
  • Determine which, if any, interventions are appropriate, such as
    dispatching an on-site security guard or notifying the local police.

Crowdsourced Testing

Crowdsourcing is the practice of obtaining needed services, ideas, or content
by soliciting contributions from a large group of people, especially those, in a
business context, who are neither traditional employees nor suppliers.11 Crowdsourcing is now being applied
to software testing, utilizing an online platform through which testers are able
to access the software being tested, and often using diverse platforms to make
sure the software works on each, accommodating, for example, multiple mobile
operating system environments.

With crowdsourced testing, testing is carried out by a temporary workforce
comprising a community of testers, often geographically dispersed and
representing a range of expertise, as opposed to testing conducted by in-house
professionals or hired consultants. Many organizations use the services of
crowdsourced testers in addition to their own quality assurance teams. Crowdsourced testing is touted for its ability to produce results in a
relatively quick and effective manner, as well as improving the quality of the
resulting software. Speed is attributed to the fact that testers, operating in
different time zones, can, in aggregate, enable 24X7 testing.

Crowdsourcing services can be provided via a self-service model in which an
organization finds its own testers, or via specialized crowdtesting companies,
where the services are generally provided in a managed service model.

Cloud-Delivered Security

With the increased adoption of cloud services by enterprise officials, it is
only natural that they would expand their cloud portfolio to include
cloud-delivered security solutions. As analyst Francisca Segovia Garcia
explains, "By consuming cloud-delivered security, [enterprises] can eliminate on-premises security appliances, thus
reducing capital cost and cutting the overhead – operational costs and IT
resources – normally associated with deploying security at scale. It speeds up
deployment time and reduces the time to protection by eliminating the need to
set up the typical infrastructure normally associated with security and
networking.

"In addition, [enterprises] can migrate to this
model at their own pace. Existing routers, firewalls, or SD-WAN edges can
connect to the cloud-delivered security platform where policies are globally
applied to ensure consistent security and a seamless user experience."12

Predictive Analytics

The US federal government is investing in predictive
analytics, which, as analyst Steve Delahunty declares, "can focus on three main
areas:

  • "Potential and likely future target points of a cyberattack,
  • "Analysis of large sets of expansive security data, and
  • "Automation of the analysis workload.

"The outcomes of the analysis serve as a strategy map for
additional cyber protections and/or hardening."13

Behavioral Analytics

Behavioral analytics (or user behavior analytics) is designed to discover
patterns in user behavior. Once established, any deviations from these regular
or "normal" patterns might indicate illicit or improper activity and are,
therefore, subject to security scrutiny. Analyst Steve Delahunty reports that
while behavioral analytics is often used to detect network-based anomalies, "it
is also now applied to user devices and systems. For instance, … abnormally
high data transmissions from a particular user device could signal a cybersecurity
issue."

A federal priority, "[both the US] National
Security Agency and the Office of Personnel Management are using
behavioral analytics to fight insider threats through the mining of log files
related to user activity."14
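
The device-level case described above (abnormally high data transmissions from one user device) can be worked through on activity logs. The following Python is an added example, not code from the report or from any agency it names; the log format, device names, byte counts, seven-day history requirement, and 3.5 cutoff are constructed assumptions. Each device is compared with its own history using the median and the median absolute deviation (MAD).

```python
import re
import statistics
from collections import defaultdict, namedtuple

# Constructed log format: one line per device per day with outbound bytes.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) "
    r"device=(?P<device>\S+) bytes_out=(?P<bytes>\d+)$"
)
MIN_HISTORY = 7   # days of baseline required before a device is scored (assumed)
THRESHOLD = 3.5   # modified z-score cutoff, a common rule of thumb (assumed)

Alert = namedtuple("Alert", "device user day bytes_out baseline score")


def _days(device, user, volumes):
    """Build constructed sample lines, one per day starting 2020-06-01."""
    return [
        f"2020-06-{d:02d} user={user} device={device} bytes_out={v}"
        for d, v in enumerate(volumes, start=1)
    ]


# Constructed sample data, not taken from any real system.
SAMPLE_LOG = (
    _days("lt-17", "alice", [1200000, 1100000, 1300000, 1250000, 1150000,
                             1220000, 1180000, 1270000, 48000000])
    + _days("lt-22", "bob", [41000000, 43000000, 40000000, 44500000, 42000000,
                             45000000, 41500000, 43500000, 47000000])
    + _days("kiosk-3", "svc", [900000, 52000000])
    + ["2020-06-03 user=carol device=lt-30 bytes_out=unknown"]  # malformed
)


def parse(lines):
    """Group (day, user, bytes_out) records by device; count malformed lines."""
    per_device = defaultdict(list)
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            skipped += 1
            continue
        per_device[m["device"]].append((m["day"], m["user"], int(m["bytes"])))
    for records in per_device.values():
        records.sort()
    return per_device, skipped


def modified_z(value, history):
    """Robust deviation of value from history; returns (score, median)."""
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    # Floor the scale so a perfectly regular device does not divide by zero.
    scale = max(mad, 0.01 * median, 1.0)
    return 0.6745 * (value - median) / scale, median


def detect(per_device):
    """Score each day against that device's own earlier days."""
    alerts = []
    for device, records in sorted(per_device.items()):
        for i in range(MIN_HISTORY, len(records)):
            day, user, volume = records[i]
            history = [r[2] for r in records[:i]]
            score, baseline = modified_z(volume, history)
            if score > THRESHOLD:  # only abnormally HIGH volume is of interest
                alerts.append(
                    Alert(device, user, day, volume, baseline, round(score, 1)))
    return alerts


def unscored(per_device):
    """Devices with too little history to judge; they need another control."""
    return sorted(d for d, r in per_device.items() if len(r) <= MIN_HISTORY)


def global_threshold_hits(per_device, limit):
    """Baseline-free comparison: devices that ever exceed one fixed limit."""
    return sorted(d for d, recs in per_device.items()
                  if any(r[2] > limit for r in recs))


if __name__ == "__main__":
    devices, bad = parse(SAMPLE_LOG)
    for alert in detect(devices):
        print(alert)
    print("unscored:", unscored(devices), "malformed lines:", bad)
```

On this sample the per-device baseline flags only lt-17, while a single fixed limit of 40 MB would also flag lt-22, whose heavy traffic is normal for it. The new device kiosk-3 gets no verdict at all until it has a history.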

Blockchain Technology

Blockchain is a security method that will, potentially, significantly change
the way online transactions are made. In place of organizations like banks that
verify agreements between buyers and sellers, blockchain substitutes
peer-to-peer networks that verify transactions based on the majority consensus
of the participants. In short, blockchain enables parties to safely conduct
transactions online without an intermediary and without the parties knowing each
other. It also offers improvements over traditional transaction technology in
efficiency and redundancy.

The key security advantage of blockchain is that a single record is
collectively maintained by computers across a distributed network. This offers
the following benefits:

  • Transactions must be verified by consensus rather than being authorized
    by a single party.
  • The same audit trail can be reviewed by any participant.
  • There isn’t a single storage location that hackers can attack.
  • There isn’t a single point of failure, so the network is highly
    available.
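
The benefits listed above follow from two mechanisms: each block commits to the hash of the one before it, and participants compare their copies. The following Python is an added example, not Bitcoin's or any other project's code; the transactions and node names are constructed, and a simple majority vote over replica head hashes stands in for a real consensus protocol (no proof-of-work, signatures, or networking).

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64

# Constructed sample transactions, one list per block.
SAMPLE_TX = [
    [{"from": "alice", "to": "bob", "amount": 25}],
    [{"from": "bob", "to": "carol", "amount": 10}],
    [{"from": "carol", "to": "alice", "amount": 5}],
]


def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical encoding of the block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": transactions},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append_block(chain, transactions):
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    index = len(chain)
    chain.append({"index": index, "prev": prev, "tx": transactions,
                  "hash": block_hash(index, prev, transactions)})


def build_ledger(tx_batches):
    chain = []
    for batch in tx_batches:
        append_block(chain, copy.deepcopy(batch))
    return chain


def first_invalid_block(chain):
    """Audit a copy: index of the first block that fails, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        expected = block_hash(i, prev, block["tx"])
        if (block["index"] != i or block["prev"] != prev
                or block["hash"] != expected):
            return i
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute hashes from `start` on, so an edited copy is self-consistent."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for i in range(start, len(chain)):
        chain[i]["prev"] = prev
        chain[i]["hash"] = block_hash(i, prev, chain[i]["tx"])
        prev = chain[i]["hash"]


def majority_head(replicas):
    """Return (agreed head hash or None, nodes that disagree or fail audit)."""
    heads = {node: chain[-1]["hash"] for node, chain in replicas.items()
             if chain and first_invalid_block(chain) is None}
    if heads:
        winner, votes = Counter(heads.values()).most_common(1)[0]
        if votes * 2 > len(replicas):  # strict majority of all participants
            return winner, sorted(n for n in replicas if heads.get(n) != winner)
    return None, sorted(replicas)


def demo():
    ledger = build_ledger(SAMPLE_TX)
    replicas = {f"node-{i}": copy.deepcopy(ledger) for i in range(5)}
    # One participant's stored copy of block 1 is altered in place.
    replicas["node-3"][1]["tx"][0]["amount"] = 5000
    audit = first_invalid_block(replicas["node-3"])
    naive = majority_head(replicas)
    # The same copy with hashes recomputed: its own audit now passes,
    # but its head no longer matches what the other participants hold.
    rehash_from(replicas["node-3"], 1)
    self_check = first_invalid_block(replicas["node-3"])
    rehashed = majority_head(replicas)
    return {"honest_head": ledger[-1]["hash"], "audit": audit,
            "naive": naive, "self_check": self_check, "rehashed": rehashed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

An in-place edit is caught by the local audit at the altered block. A copy whose hashes were recomputed passes its own audit but is still outvoted, which is why no single storage location decides the record.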

Currently, blockchain is best known as the security method used by Bitcoin.
But it is being envisioned for a wide variety of other purposes, from securely
managing healthcare records to facilitating micropayments to artists for digital
content.

Zero Trust

Until recently, security has been based on the "perimeter" concept, which
involves the establishment of a barrier that surrounds an assemblage of assets,
and protects them against theft, destruction, or operational disruption. From a
security confidence perspective, what is outside the perimeter is un-trusted;
what is inside the perimeter is trusted. The purpose of the perimeter is to
regulate the passage of:

  • People and property (in the case of a physical
    perimeter);
  • People (in the case of a logical perimeter,
    like an enterprise hiring process); or
  • Information (in the case of a digital
    perimeter)

from outside to inside. In negotiating the perimeter, which consists of one
or more security filters, the once-outside, now-inside assets are afforded a
trusted status and generally remain trusted for the duration of their stay
within the perimeter.

The perimeter concept, however, is flawed:

  • First, because perimeter security mechanisms
    may fail (anti-virus software, for example, may not detect an invasive worm
    or other form of malware).
  • Second, because once-trusted assets may mutate
    from a harmless to a harmful state (as, for example, when long-time
    employees utilize their privileged information access to acquire and sell
    personally-identifiable information (PII) to hostile third parties).
  • Third, because even long-standing perimeters
    are eroding (as, for example, with the rapid expansion of telework
    opportunities).

To help address the deficiencies of perimeter security – at least the digital
variety – many enterprise security officials are embracing a new security
paradigm called "Zero Trust."

In an enterprise context, a Zero Trust Architecture is designed, developed,
and deployed – and, thus, defined – by certain fundamental tenets. Again,
according to NIST:

All enterprise data sources and computing services are considered
resources. This may include employee-owned devices (like smartphones)
if they can access enterprise-owned resources.

All enterprise communications are secured regardless of network
location. Access requests from assets located on enterprise-owned
networks must meet the same security requirements as access requests originating
from extra-enterprise networks (like the Cloud or networks operated by supply
chain partners).

Access to individual enterprise resources is granted on a per-session
basis. Trust in the requester is evaluated before access is granted.
Importantly, authentication of the requester, and authorization to access one
resource, will not automatically confer access rights to a different resource.

Access to enterprise resources is determined by dynamic policy.
Policy is the set of access rules based on attributes that an enterprise assigns
to a user, data asset, or application. An enterprise protects its resources by
defining:

  • What resources it has
  • Who its members are (or its ability to
    authenticate users from a federated community)
  • What access to resources those members need

For Zero Trust, client identity includes the user account and any
associated attributes assigned by the enterprise to that account, or artifacts
to authenticate automated tasks. Least privilege principles are applied
to restrict both resource visibility and accessibility. The enterprise actively
ensures that all owned and non-owned, i.e., employee and business partner,
devices exist in the "most secure state possible." No device is inherently
trusted. To help achieve compliance, a robust security monitoring and reporting
system is required.

All resource authentication and authorization activities are dynamic
and strictly enforced before access is allowed. An enterprise
implementing a ZTA would be expected to have Identity, Credential, and Access
Management (ICAM) and asset management systems in place.

The enterprise collects as much information as possible about the
present state of network infrastructure and communications and uses this
intelligence to improve its security posture. An enterprise should
collect data about network traffic and access requests, which is then used to
inform policy creation and enforcement.15
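
The tenets above can be made concrete as a small policy decision point. The following Python is an added example, not code from NIST or from the original report; the user, device, and resource names, the policy table, and the 900-second session lifetime are constructed assumptions. It evaluates every request per resource from user and device attributes, ignores network location, expires and revokes grants, and logs each decision.

```python
import time
from dataclasses import dataclass

SESSION_TTL = 900  # seconds before a grant must be re-evaluated (assumed value)


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    resource: str
    network: str      # "enterprise" or "external": logged, never trusted
    mfa_passed: bool


# Constructed sample inventory and policy; every name here is hypothetical.
USERS = {"alice": {"role": "hr"}, "bob": {"role": "engineer"}}
DEVICES = {
    "lt-17": {"managed": True, "patched": True},     # enterprise-owned laptop
    "byod-4": {"managed": False, "patched": True},   # employee-owned phone
}
POLICY = {
    "hr-records": {"roles": {"hr"}, "managed_only": True},
    "wiki": {"roles": {"hr", "engineer"}, "managed_only": False},
}


class PolicyDecisionPoint:
    def __init__(self, users, devices, policy, clock=time.time):
        self.users, self.devices, self.policy = users, devices, policy
        self.clock = clock
        self.grants = {}     # (user, device, resource) -> expiry time
        self.audit_log = []  # every decision is kept for later analysis

    def _evaluate(self, req):
        rule = self.policy.get(req.resource)
        user = self.users.get(req.user)
        device = self.devices.get(req.device)
        if rule is None:
            return "unknown resource"
        if user is None or not req.mfa_passed:
            return "user not authenticated"
        if device is None or not device["patched"]:
            return "device posture"
        if rule["managed_only"] and not device["managed"]:
            return "unmanaged device"
        if user["role"] not in rule["roles"]:
            return "role not authorized"
        return "ok"  # req.network was never consulted

    def request_access(self, req):
        """Evaluate one request for one resource; grant or revoke a session."""
        reason = self._evaluate(req)
        key = (req.user, req.device, req.resource)
        if reason == "ok":
            self.grants[key] = self.clock() + SESSION_TTL
        else:
            self.grants.pop(key, None)  # a denial revokes any live grant
        self.audit_log.append((self.clock(), req, reason))
        return reason

    def session_valid(self, user, device, resource):
        expiry = self.grants.get((user, device, resource))
        return expiry is not None and self.clock() < expiry


def demo():
    """Walk the tenets with a controllable clock; returns each outcome."""
    now = [1000.0]
    devices = {name: dict(state) for name, state in DEVICES.items()}
    pdp = PolicyDecisionPoint(USERS, devices, POLICY, clock=lambda: now[0])
    hr = ("alice", "lt-17", "hr-records")
    out = {}
    # Network location helps nobody and hurts nobody.
    out["alice_external"] = pdp.request_access(Request(*hr, "external", True))
    out["bob_internal"] = pdp.request_access(
        Request("bob", "lt-17", "hr-records", "enterprise", True))
    # A grant for one resource confers nothing on another.
    out["wiki_implied"] = pdp.session_valid("alice", "lt-17", "wiki")
    # Employee-owned device: allowed where policy permits, refused elsewhere.
    out["byod_wiki"] = pdp.request_access(
        Request("alice", "byod-4", "wiki", "external", True))
    out["byod_hr"] = pdp.request_access(
        Request("alice", "byod-4", "hr-records", "external", True))
    # Grants expire, so trust is re-evaluated rather than kept indefinitely.
    now[0] += SESSION_TTL + 1
    out["expired"] = not pdp.session_valid(*hr)
    # Dynamic policy: device state changes, the next evaluation denies.
    pdp.request_access(Request(*hr, "external", True))
    devices["lt-17"]["patched"] = False
    out["after_unpatched"] = pdp.request_access(Request(*hr, "enterprise", True))
    out["still_valid"] = pdp.session_valid(*hr)
    out["decisions_logged"] = len(pdp.audit_log)
    return out
```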

Contactless Authentication

One potential opportunity made possible by the pandemic is using facial
recognition in lieu of finger scanning to authenticate an individual’s identity.
As analyst George Brostoff asserts, "Fingerprint scanners can quickly become a
source of infection, especially in public spaces." Facial recognition has the
virtue of being contactless. Moreover, it "can be implemented in almost all
scenarios that once used pins, badges, FOBs, or fingerprints." In addition to
businesses, health-conscious schools could be early adopters.16

In addition to facial recognition, iris recognition offers contactless
authentication. It also has the virtue of being extremely accurate.

Passwordless Authentication

Passwords have long troubled IT staffs and users alike. For users, passwords
are hard to remember, especially with a growing number of systems to access.
Further, forgetting how to log in to a service or storage location creates
frustration and disrupts work. And for IT staffs, password resets are among the
most time-consuming problems. (Even where self-service options exist, some users
are inclined to invoke help desk and other support personnel to change
passwords.)

More serious than these logistical matters, however, an estimated 80 percent
of hacking attacks take advantage of stolen or bad passwords.17

While these problems have been recognized for years, only recently have
alternatives become more feasible. These "passwordless" authentication
approaches are being used to complement or substitute for traditional log-in
credentials. By 2022, 60 percent of large organizations will employ passwordless
approaches for at least half of their authentication needs, predicts Gartner, an
increase from just 5 percent four years earlier.18 (Using passwordless
authentication over half of the time doesn’t mean that passwords won’t be used
in some of these cases. The methods can be used in combination.)

The transition to passwordless authentication won’t be quick, easy, or
predictable. There are technical and process changes to implement. The
marketplace is still taking shape, making it likely that new types of technology
will become available. It is also uncertain what approaches IT staffs and end
users will favor, so consumer demand will also influence the technology’s
development in the coming years.

Healthy Buildings

The COVID-19 pandemic is spurring innovation aimed at both enterprise security and
employee safety.

For example, in May 2020, Honeywell unveiled its Healthy Buildings solutions.
As described by the vendor, Healthy Buildings is "an integrated set of solutions
to:

  • "Help building owners improve the health of their building environments,
  • "Operate more cleanly and safely,
  • "Comply with social distancing policies, and
  • "Help reassure occupants that it is safe to return to the workplace.

"By integrating air quality, safety and security technologies along
with advanced analytics, … Healthy Buildings solutions are designed to
help building owners minimize potential risks of contamination and ensure
business continuity by monitoring both the building environment and building
occupants’ behaviors."

Contact Tracing

To help trace the spread of COVID-19, and identify any undiagnosed but
potentially infected citizens, Apple and Google have teamed to produce new
contact tracing software. The states of Arizona and California are currently
testing the software as part of a pilot project.

"The purpose of the pilot is for the state,
along with local health entities and academic partners, to study the efficacy of the app," said Dr. Erica Pan, California’s interim state public health officer.19

Unhackable Internet

Researchers in the Netherlands are pursuing the ultimate cyber prize: an "unhackable
Internet."

As revealed by analyst Yoshi Sodeoka, "An internet based on quantum physics will soon enable inherently secure
communication. A team led by Stephanie Wehner, at Delft University of
Technology, is building a network connecting four cities in the Netherlands
entirely by means of quantum technology. Messages sent over this network
will be unhackable.

"The technology relies on a quantum behavior of atomic particles called
entanglement. Entangled photons can’t be covertly read without disrupting
their content."20

Recommendations


Evaluate Emerging Technologies

Advances in security technologies and methodologies can be crucial to
identifying and mitigating security threats. While exercising caution, of
course, enterprise planners should be open to innovative security and privacy
approaches. As analyst Jon Oltsik observes, "When new requirements arise,
it’s only natural to see if existing security controls can be fine-tuned to
address these needs. In some cases, this strategy is worth pursuing. For example, turning on advanced controls on endpoint security software can help
increase the efficacy of threat prevention. On the other hand, existing
security controls may be a mismatch for some new requirements."21

Promote Physical Security

While the impact of information security breaches is difficult
to ignore – virtually every week a new exploit is revealed – enterprise planners
should not be lulled into a false sense of physical security.

Enterprise planners should approach their physical security providers to
determine if any new or improved physical security technologies are available
to:

  1. Harden enterprise infrastructure (facilities and
    equipment).
  2. Safeguard enterprise supplies and product inventories.
  3. Most importantly, protect the health and well-being of enterprise
    employees, customers, business partners, and guests.

Seek Security Partnerships

Enterprise planners should pursue
public-private partnerships to promote leading-edge security research and
development, realizing that:

  1. Public sector agencies and private sector companies share
    some of the same vulnerabilities (especially in the information security
    arena).
  2. The cost of developing new security and privacy
    technologies can be steep.
  3. The forces aligned to penetrate the enterprise perimeter are smart,
    persistent, and well-funded (potentially state-sponsored, as may be the case
    with China and Russia, for example).


References

1 "Strategic Principles for Securing the Internet of Things (IoT),"
Version 1.0. US Department of Homeland Security. November 15, 2016:2.

2 "National Security Telecommunications Advisory Committee Report
to the President on the Internet of Things." US Department of Homeland
Security. November 19, 2014.

3 John Leiseboer. "Technology & Security Trends in 2018." IDG
Communications. February 1, 2018.

4 Leah Brown. "Why Cybersecurity in 2018 Will Be an AI vs. AI
Slugfest." CBS Interactive. January 5, 2018.

5 Ibid.

6 John Leiseboer. "Technology & Security Trends in 2018." IDG
Communications. February 1, 2018.

7 David W. Cearley, Brian Burke, Samantha Searle, and Mike J.
Walker. "Top 10 Strategic Technology Trends for 2018." Gartner. October 3, 2017.

8 Brandon Butler. "What Is Edge Computing and How It’s Changing
the Network." Network World. September 21, 2017.

9 Andrada Coos. "Shadow IT in the Age of
GDPR Compliance." Endpoint Protector. February 15, 2018.

10 "Biometric Security Boom." Nuance Communications, Inc. 2017:5-8.

11 Merriam-Webster.

12 Francisca Segovia Garcia. "Five Reasons Why You Should Consider Cloud-Delivered
Managed Security." Palo Alto Networks, Inc. June 30, 2020.

13 Steve Delahunty. "Emerging Advanced Cybersecurity Technology
and Techniques in the U.S. Federal Government." Forbes. October 29,
2018.

14 Ibid.

15 Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Connelly.
Draft (2nd) NIST Special Publication 800-207: "Zero Trust
Architecture." US National Institute of Standards and Technology. February
2020:6-7.

16 George Brostoff. "COVID-19 and Security: How We’re Moving to a
Touchless Future." Security | BNP Media. July 14, 2020.

17 "2017 Data Breach Investigations Report." Verizon. 2017.

18 Gloria Omale. "Embrace a Passwordless Approach to Improve
Security." Gartner. March 6, 2019.

19 Jefferson Graham. "Tracking Coronavirus: Are Apple and Google Contact
Tracing Apps Available in Your State?" USA Today. October 5, 2020.

20 Yoshi Sodeoka. "Unhackable Internet."
MIT Technology Review. March 2020.

21 Jon Oltsik. "What’s Holding Back Enterprise Security
Technology Transformation?" IDG Communications, Inc. October 10, 2017.

About the Author


James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of "Who’s Who in Finance and
Industry," Mr. Barr has designed, developed, and deployed business continuity
plans for a number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security Management
Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
