
KuppingerCole Blog

Windows 10: new anti-malware features and challenges

Aug 19, 2015 by Alexei Balaganski

Offering Windows 10 as a free upgrade was definitely a smart marketing decision for Microsoft. Everyone is talking about the new Windows and everyone is eager to try it. Many of my friends and colleagues have already installed it, so I didn’t hesitate long myself and upgraded my desktop and laptop at the first opportunity.

Overall, the upgrade experience has been quite smooth. I’m still not sure whether I find all visual changes in Windows 10 positive, but hey, nothing beats free beer! I also realize that much more has been changed “under the hood”, including numerous security features Microsoft has promised to deliver in their new operating system. Some of those features (like built-in Information Rights Management functions or support for FIDO Alliance specifications for strong authentication) many consumers will probably not notice for a long time, if ever, so that’s a topic for another blog post. There are several things, however, which everyone will face immediately after upgrading, and not everyone will be happy with the way they are.

The most prominent consumer-facing security change in Windows 10 is probably Microsoft’s new browser – Microsoft Edge. Developed as a replacement for aging Internet Explorer, it contains several new productivity features, but also eliminates quite a few legacy technologies (like ActiveX, browser toolbars or VB Script), which were a constant source of multiple vulnerabilities. Just by switching to Edge from Internet Explorer, users are automatically protected from several major malware vectors. It does, however, include built-in PDF and Flash plugins, so it’s potentially still vulnerable to the two biggest known web security risks. It is possible to disable Flash Player under “Advanced settings” in the Edge app, which I would definitely recommend. Unfortunately, after upgrading, Windows changes your default browser to Edge, so make sure you change it back to your favorite one, like Chrome or Firefox.

Another major change that in theory should greatly improve Windows security is the new Update service. In Windows 10, users can no longer choose which updates to download – everything is installed automatically. Although this will greatly reduce the window of opportunity for an attacker to exploit a known vulnerability, an unfortunate side effect is that sometimes your computer will be rebooted automatically when you’re away from it. To prevent this, you must choose “Notify to schedule restart” under advanced update options – this way you’ll at least be able to choose a more appropriate time for a reboot. Another potential problem is traffic charges: if you’re connecting to the Internet over a mobile hotspot, updates can quickly eat away your monthly traffic limit. To prevent this, you should mark that connection as “metered” under “Advanced options” in the network settings.

Windows Defender, which is the built-in antivirus program already included in earlier Windows versions, has been updated in a similar way: in Windows 10, users can no longer disable it with standard controls. After 15 minutes of inactivity, antivirus protection will be re-enabled automatically. Naturally, this greatly improves anti-malware protection for users who do not have a third-party antivirus program installed, but quite a few users are unhappy with this kind of “totalitarianism”, so the Internet is full of recipes on how to block the program completely. Needless to say, this is not recommended for most users, and the only proper way of disabling Windows Defender is installing a third-party product that provides better anti-malware protection. A popular site, AV-Comparatives, maintains a list of security products compatible with Windows 10.

Since most anti-malware products utilize various low-level OS interfaces to operate securely, they are known to be affected the most by the Windows upgrade procedure. Some will be silently uninstalled during the upgrade, others will simply stop working. Sometimes, an active antivirus may even block the upgrade process or cause cryptic error messages. It is therefore important to uninstall anti-malware products before the upgrade and reinstall them afterwards (provided, of course, that they are known to be compatible with the new Windows; otherwise, now would be a great time to update or switch your antivirus). This will ensure that the upgrade will be smooth and won’t leave your computer unprotected.



Windows 10: Finally - Stronger Authentication

Aug 18, 2015 by Matthias Reinwarth

Windows 10 comes with the promise of changing computing from the ground up. While this might be marketing speak in many aspects, it might be true for one central aspect of daily computing life: secure user authentication for the operating system, but also for websites and services.

Microsoft goes beyond the traditional username and password paradigm and moves towards strong authentication mechanisms. While traditionally this was only possible with costly additional hardware, infrastructure and processes, e.g. smartcards, Microsoft does it differently now.

So, although the comparison might be difficult for some readers: improving security by implementing all necessary mechanisms within the underlying system is quite similar to what Apple did when they introduced secure fingerprint authentication with the recent models of the iPhone and the iPad, beginning with the iPhone 5S (in comparison to ridiculously inadequate implementations within several Android phones as made public just recently).

The mechanism called "Windows Hello" supports various authentication scenarios. So with Windows 10 being an operating system designed to run across a variety of devices, Microsoft is going for multifactor authentication beyond passwords for authentication purposes for mobile phones, for tablets, mobile computers, the traditional desktop and more flavors of devices. One factor can be a device itself and can be enrolled (by associating an asymmetric key pair) to be part of a user authentication process.

The account settings dialog offers new and additional mechanisms for identifying valid users: User authentication with user name and password can be augmented by alternative authentication scenarios using PINs or gestures.

While passwords are typically used globally across all devices, PINs and gestures are specific to a single device and cannot be used in any other scenario.

Picture authentication records three gestures executed with any pointing device (e.g. stylus, finger, mouse) on any desired image (preferably cats, as this is the internet). Reproducing them appropriately logs you into the specific Windows 10 system without the need of typing in a password.

Actually, the combination of your device (something you have) plus PIN or gesture (something you know) can be considered as two-factor authentication for access to your data, e.g. in the OneDrive cloud service.

Other factors deployed for authentication include biometrics like the fingerprint scan, whenever a fingerprint sensor is available or a retina scan when a capable camera is available. Finally, "Windows Hello" adds facial recognition to the login process, although this might be scary for several users to have a camera scanning the room (which of course is nothing new for Xbox users deploying Kinect having their living room scanned all day) while the login screen is active. The requirement for deploying cameras that are able to detect whether it is a real person in 3-D or just the picture avoids simple cheating scenarios.

Once authenticated, a user can access a variety of resources by deploying the Microsoft Passport mechanism, which deploys asymmetric keys for accessing services and websites securely. A user successfully authenticated towards Microsoft Passport through Windows Hello will be able to access information securely by applications acting upon his behalf deploying the necessary APIs. This brings asymmetric key cryptography to different types of end-users, ranging from business users to home users and mobile phone users alike. Depending on the deployment scenario, the user data is then stored within the corporate Microsoft Active Directory infrastructure of the individual organisation, within Microsoft Azure Active Directory for cloud deployments, or, for the home user, within the associated Microsoft Live account, e.g. at Outlook.com.

While Microsoft has been contributing to the standardisation of the FIDO (Fast IDentity Online) protocols for quite some time now, Windows 10 finally claims to come with support for the current versions of the final protocol specifications. This will allow Windows 10 users to connect securely and reliably to Internet sites providing services based on the FIDO standards, especially to prevent man-in-the-middle attacks and phishing scenarios. Until now, FIDO standard implementations have relied on support from, e.g., browser providers like Firefox or Chrome. Support for the FIDO standards built into the Windows 10 operating system might give the standards an enormous boost and allow for a win-win situation for security and the OS.
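The device-bound key pair and the phishing resistance described above can be modelled in a few lines. This is an added example, not code from Microsoft or the FIDO Alliance: a simplified origin-bound challenge-response using Node.js's built-in `crypto` module, not the FIDO wire format. The `Device` and `RelyingParty` classes, the result strings and the origins are hypothetical and constructed for illustration.

```javascript
// Added illustration: simplified model of device enrollment and origin-bound
// challenge-response. Class names, result strings and origins are assumptions.
const crypto = require('crypto');

// The device holds one private key per service; the key never leaves it.
class Device {
  constructor() { this.keys = new Map(); }

  // Enrollment: create a key pair for this origin, hand out the public half.
  enroll(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey;
  }

  // Sign the challenge together with the origin the client is connected to.
  // credentialOrigin defaults to that origin (keys are scoped per service);
  // passing it explicitly models a client that lacks this scoping.
  sign(connectedOrigin, challenge, credentialOrigin = connectedOrigin) {
    const key = this.keys.get(credentialOrigin);
    if (!key) return null; // no credential enrolled for this origin
    const clientData = Buffer.from(
      JSON.stringify({ origin: connectedOrigin, challenge }));
    return { clientData, signature: crypto.sign(null, clientData, key) };
  }
}

// The service stores only public keys, so a database leak exposes no secret.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Set(); // challenges issued but not yet used
  }

  register(user, publicKey) { this.publicKeys.set(user, publicKey); }

  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pending.add(challenge);
    return challenge;
  }

  verify(user, assertion) {
    const publicKey = this.publicKeys.get(user);
    if (!publicKey || !assertion) return 'no-credential';
    // Check the signature first so that only signed data is ever parsed.
    if (!crypto.verify(null, assertion.clientData, publicKey, assertion.signature)) {
      return 'bad-signature';
    }
    const { origin, challenge } = JSON.parse(assertion.clientData.toString());
    if (origin !== this.origin) return 'wrong-origin';          // relayed via another site
    if (!this.pending.delete(challenge)) return 'stale-challenge'; // replayed
    return 'ok';
  }
}

function demo() {
  const site = 'https://login.example';                // constructed origin
  const lookalike = 'https://login.example.phish.test'; // constructed origin
  const rp = new RelyingParty(site);
  const device = new Device();
  rp.register('alice', device.enroll(site));

  // Normal login, then the same assertion presented a second time.
  const good = device.sign(site, rp.newChallenge());
  const first = rp.verify('alice', good);
  const replay = rp.verify('alice', good);

  // Look-alike site forwards a genuine challenge: the device has no key for it.
  const phishing = rp.verify('alice', device.sign(lookalike, rp.newChallenge()));

  // Even a client without key scoping signs the origin it really talks to.
  const unscoped = device.sign(lookalike, rp.newChallenge(), site);
  const relay = rp.verify('alice', unscoped);

  // Rewriting the origin after signing invalidates the signature.
  const forged = {
    signature: unscoped.signature,
    clientData: Buffer.from(unscoped.clientData.toString().replace(lookalike, site)),
  };
  const tampered = rp.verify('alice', forged);

  return { first, replay, phishing, relay, tampered };
}
```

Unlike a password, nothing the user can be tricked into typing on the look-alike site is usable against the real one, because the only secret is the device-held private key.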

Windows 10 is now in its early weeks of deployment in the field. It will be interesting to see whether the new authentication mechanisms will be broadly understood as a real game changer for securing identity information and providing stronger authentication. Any appropriately secure way of getting rid of password authentication is a chance to improve overall user security and to protect identity data and every connected transaction. So each and every Windows 10 user should be encouraged to deploy the new authentication mechanisms ranging from biometrics to PINs and gestures and to the deployment of the FIDO standards through the Microsoft Passport framework. Why not at least once use Windows and be a forerunner in security and privacy?



Windows 10: How to Ensure a Secure and Private Experience

Aug 13, 2015 by Mike Small

Together with many others I received an offer from Microsoft to upgrade my Windows 7 desktop and Windows 8.1 laptop to Windows 10. Here is my initial reaction to successfully performing this upgrade with a specific focus on the areas of privacy and security.

As always when considering security, the first and most important step is to understand what your requirements are. In my case, I have several computers and I mainly use these with Microsoft Office, to use the internet for research and to store personal photos. My main requirements are for consistency and synchronization across these systems together with security and reliability. The critical dimensions that I considered are privacy, confidentiality, integrity and availability. Let’s start with availability:

Availability

  1. Make sure you back up your files before you start the upgrade! My files were preserved without problems but it is better to be safe than sorry. It is also a good idea to understand how you could roll back if there is a catastrophic failure during the upgrade. One really big improvement over Windows 8 is the ability to restore files from a Windows 7 backup.
  2. Check that your computer is compatible with the upgrade. The Microsoft upgrade tool checks your computer for compatibility and some manufacturers provide information on which systems they have tested. The Dell support site informed me that my new laptop was tested but my old desktop wasn’t. However both upgraded without problems, but I did need to re-install some software – for my HP printer.
  3. Consider whether you want new features as soon as they are available (with the risk that they may cause problems). The default setting for updates is for these to be automatically installed. You can change this through the advanced setting menu by checking the box to defer upgrades. You will still receive security fixes but new features will be delayed.

  4. Windows 10 has a number of recovery options – you can roll back to your previous OS for up to 30 days after the upgrade as well as performing a complete reset. 

Integrity

  1. Windows 10 automatically includes Windows Defender for protection – make sure this is activated. If you prefer another anti-malware product you will need to install this yourself.
  2. If you already use OneDrive then you will notice some changes. Previous versions of the OneDrive App supported a placeholder function that allowed File Explorer to display files that were held online but not sync’d onto your PC. This is no longer available; any directories that are not sync’d are not visible through file explorer. I experienced sync problems with files that were previously held online only. I was able to resolve this using the OneDrive Setting menu – first uncheck the folder(s) and save the settings. The folders and files are then erased on your device (scary!). Then repeat the process but this time check the folders for sync in the menu. When you save these settings the files in the folders are re-synced from the cloud. 

Confidentiality

  1. The user accounts are copied from your previous OS – if these were all local accounts then they remain so. If you have a Microsoft account then you can link this with one of these local accounts. Doing this allows you to use a PIN instead of a password to log in.
  2. If you are using Office 365 you will already have a Microsoft Account, you can also set up a free account which provides some free OneDrive space. However if you use the Microsoft account it is a good idea to understand and manage your privacy settings.
  3. The files in OneDrive are all held in the Microsoft cloud and you need to accept the risk that this poses bearing in mind that most breaches result from weak user credentials.
  4. If you are using BitLocker to encrypt your files then the encryption key will also be held on your OneDrive unless you opt out. 

Privacy

  1. You should review the privacy setting from the Express setup and decide what to change.

    A future blog will provide more detailed advice on what these mean and how best to set things up. My short advice is to go through these settings carefully and choose which Apps you are happy to allow to access the various functions. In particular I would disable the App Connector since this gives access to unknown apps. I would also not allow Apps to access my name, picture and other info – but then I’m just paranoid.
  2. You also need to consider the privacy setting for the new Edge browser. These are to be found under “Advanced Settings”. Consider whether you really need Flash enabled since this has been a frequent target for attacks. Also consider enabling the “Do not Track Requests Button”.

  3. If you decide to use Cortana – this may involve setting region, language and downloading language pack – make sure you check out the privacy agreement:

My personal experience with this upgrade has been very positive. The upgrades went smoothly and the performance, especially the boot-up time for my old desktop, is much faster than with Windows 7. The settings are now much more understandable and accessible but you need to take the time to review the defaults to achieve your objectives for privacy and confidentiality. KuppingerCole plan a series of future blogs that will give more detailed guidance on how to do this.



Trust, security and business benefit – Consumer identities done right

Aug 04, 2015 by Matthias Reinwarth

The Digital Transformation is a game changer for many traditional organisations and a business enabler for many new trading companies and service providers in the digital world. When dealing with consumers and customers directly, the most important asset for any forward-thinking organisation is the data provided and collected for this new type of identity. The appropriate management of consumer identities is of utmost importance.

When handing over personal data to a commercial organisation, the consumer typically does so with two contrasting expectations. On the one hand, the consumer wants to benefit from the organisation as a contract partner for goods or services. This should be as efficient as possible at a sophisticated level of user experience. Customer-facing organizations get into direct contact with their customers today as they are accessing their products and services through various channels and deploying various types of devices. It is essential to know the relevant attributes of that customer at the right time. The reasons for this are obvious: an improved user experience leads to customer satisfaction and thus to returning customers. User self-service leads to high effectiveness and cost-efficiency while speeding up processes.

Selecting the right items of information and a proper understanding of the quality and reliability of that data are essential management tasks. Customer identities are the result of the ongoing consolidation of data from various sources, including initial registration information, payment data, search requests, purchase history or helpdesk interaction. Consumers use various devices to access required services and they use different accounts in different contexts. Data gathered from external sources can be outdated, partially inaccurate or even deliberately wrong or misleading, especially when collected from social media. Business-relevant information is a superset of several types of information, including business-internal information, which has to be consolidated and assessed well.

On the other hand, the act of providing personal information to a commercial organisation will only be possible when the consumer can expect the required level of trustworthiness and security being applied to personal data. Trust is essential and losing this trust will inevitably endanger the business model and thus threaten the existence of an enterprise. This has been made evident by the high number of recent, massive data breaches. And losing trust in e.g. an online picture printing service or the payment card service provider potentially corrupts trust in many types of online services.

The key challenge is finding the right balance between collecting and consolidating all business-relevant data for the benefit of the consumer and the organization itself, while acting as a trusted custodian of data the consumer has entrusted the organization with. When aiming at long-term sustainable customer relationships it is mandatory to integrate the proper handling of collected, personal data into all business processes, while being compliant to regulatory requirements and data protection laws. This has to be accompanied by a continuous review and improvement process as security and compliance are evolving processes themselves.

This article originally appeared in the KuppingerCole Analysts' View newsletter.



Making Use of Consumer Identities

Aug 04, 2015 by David Goodman

Companies across multiple vertical sectors are encountering challenges and opportunities that are shaping the future direction of consumer identity-centric business. Faced with the erosion of revenues from the rapid encroachment of challengers into their traditional market strongholds, many companies are realising that data represents their most significant asset to provide added value to their customers in the future. Key to this transformation will be how companies manage users’ digital identity data better and position themselves as secure identity brokers/providers in a highly competitive market. The enterprise’s data sources are as diverse as billing and payments, the CRM database, web portals, social media and customer services which can then be translated with good analytics into improving the customer experience and relationship as a whole. The most transparent business opportunities are driven by insights based on user behaviour which when connected to business processes can drive actions. When automated and real-time, decision-making becomes quicker and more efficient.

For most businesses, leveraging consumer identity profiles was not seen as a value-added service or a revenue generator. But it is recommended that this change by:

  • Exploring ways in which to refresh or cement relationships with customers by reaching out and offering new identity-based services.
  • Collating and analysing the data that exists across customer-related databases to provide comprehensive profiles that can be shared with users.
  • Working with regulators to benefit from the new EU legislation on electronic identities, authentication services and data protection that will be mandatory in 2018: those companies that embrace the changes early can turn the regulation to their advantage.

Until recently most users were oblivious to the personal information held by the public and private sectors, which when collated through sophisticated analytics offered comprehensive and often revealing profiles. Or at least they were. With the recent revelations on data breaches, users everywhere are very concerned about the security and the privacy of their online identity personas. The Snowden revelations inter alia have revealed the susceptibility of the records kept by governments as well as the private sector. It is only a matter of time before all organisations’ data handling comes under scrutiny, added to which the EU is bringing in legislation to harmonise how data is handled by all companies operating in Europe.

Today it’s clear that being a formal identity provider would not even cover the necessary infrastructure costs. But, given the revenue shrinkage elsewhere and the fickleness of customer loyalty, with cheaper alternatives emerging to providing key products and services, this is an ideal time for more companies to step forward and embrace the emerging requirements of digital identity management.

All industries are going to be affected by the legislative changes in digital identities, trust services, privacy and data protection that are coming to both the public and private sectors in Europe. Many businesses may consider becoming identity service providers as a luxury rather than a necessity to remain in business and succeed, but, if the opportunity is taken, the results could well turn out to exceed expectations.

This article originally appeared in the KuppingerCole Analysts' View newsletter.



Dealing with risks in IoT and Smart Manufacturing: Time to rethink your (not only IT) security organization

Aug 03, 2015 by Martin Kuppinger

Let me start with two recent experiences I have had.

Just recently, I was sitting in front of a number of CISOs and had the opportunity to ask them how many of them also had responsibility for IoT and smart manufacturing in their organization. The simple answer: none of the CISOs had. At best, they were informed, but neither responsible nor accountable.

The other one was a conversation in which a business partner, in the context of my recent blog post on Shodan, started complaining about the ignorance of CIOs and CISOs regarding the risks for both Operational Technology environments in smart manufacturing and for IoT in connected things.

While these days we can read a lot about the future role of CIOs, the even more important question appears to be the new role of the CISO and what the future IT security organization must look like.

The fundamentals for restructuring the (not only IT) security organization are:

  • Governance and operations must be kept separate.
  • Operational aspects of security must move into the business divisions, e.g. manufacturing or R&D (when e.g. developing connected things)
  • There must be a comprehensive responsibility for security, across business IT, OT (including but not limited to smart manufacturing), and IoT security.

Just as we have legislative, executive, and judiciary split in government, we need to split responsibilities in our organization. That, in consequence, means that the CISO must not be a subordinate to the CIO, but part of the governance organization. Given the current state of cyber risk, the CISO should be a direct report to the board, in particular to the board member owning responsibility for governance, which most commonly is the CFO or COO.

Unfortunately, the role of CISOs is heavily undervalued in many organizations, which might relate back to the days where organizations did not need a CISO but only had a corporate data protection officer with limited responsibilities. That has changed, and it must become reflected in the organizational structure. I have seen large multi-national organizations where the CISO is three levels below the board, which is just ridiculous.

For the (not only) IT security organization, keeping governance and operations separate also means that there is security governance and security operations. Implementing security is an operational task. It must become an integral part of organizational entities. There must not be separate security organizations anymore, but security must be part of each area of IT, wherever applicable to manufacturing, and part of everything from research to support around connected devices. But governance, from guidelines to auditing, is the job of the CISO.

Notably, there is one part of the security organization that appears to be operational, but should belong to the CISO’s department: what we commonly call Security Operations Centers (SOCs) is from my perspective part of the governance function, not the operational function within security. Aside from that, it is cross-divisional (Business IT, OT, etc.), thus it is best placed in the CISO’s responsibility.

With the broader view on security, beyond business IT, and the hyper-connected environments we already have, we must get rid of siloed approaches. Smart manufacturing is about connecting business IT and manufacturing. Thus, there must be a central responsibility for IT governance, while operational implementation of security must happen in the various divisions, with well-defined communication and interfaces in between.

As implementing security becomes part of the operational responsibility, it also should become one of the manager’s objectives. If a manager fails in risk identification and mitigation, he has failed in achieving his business targets. As of today, risk ignorance appears to be the better choice for many managers in trying to achieve their targets. Risk mitigation causes cost. This is a challenge from a short-term, personal perspective. From a mid-term perspective, understanding risks, mitigating these or at least preparing for incidents will save money – which is a positive from an enterprise perspective. Fixing audit findings in “panic mode” costs far more than any other approach.

Redefining the role of the CISO the way described above will also help in getting better in dealing with risks ahead of incidents, because the CISO’s job is to identify risks and propose mitigations – not to ignore them.



Why security increases agility, not inhibits it

Jul 30, 2015 by Martin Kuppinger

A common complaint against Information Security (be it IT security, OT security, or IoT security) is that security costs money but doesn’t deliver business benefits. Wrong!

In a short-term perspective, security incurs cost. Thus, quarterly reporting by organizations and short-term targets pressure security to be an afterthought. However, mid-term and long-term, this changes. It obviously is cheaper to code using simple APIs for security functions than hard-coding security into every application and maintaining that code. Application Security Infrastructures reduce cost. Even more, it makes application development more rapid and agile – the security infrastructure can be changed, updated, and enhanced without affecting applications.

Or, to bring up an example from another recent post:

But that is only one part of the problem. The lack of Security by Design and Privacy by Design is also becoming an inhibitor for the Digital Transformation. An essential element of the Digital Transformation is the change of business models, including rapid innovation and (ever-changing) partnerships.

A simple example that illustrates the limitations caused by the lack of security and privacy by design is the black box EDR (Event Data Recorder) becoming increasingly common and increasingly mandatory by legislation. Both automotive vendors and insurance companies are interested in “owning” the data held in such devices. While I come to the complexity of dealing with data access demands and requirements of various parties later in this post, it is obviously impossible to easily solve this conflict with technology that e.g. relies only on a single key for accessing that data. Modern concepts for security and privacy would minimize such conflicts by allowing various parties to have defined and controlled access to information they are entitled to access.

Cynically said: automotive vendors are rushing to roll out new features to succeed in the Digital Transformation, but by failing to do it right, with Security by Design and Privacy by Design, they are struggling with exactly the same transformation. Neither security nor privacy can be an afterthought for succeeding in the Digital Transformation.

Another example is the scenario described in the recently published Lloyd’s report “Business Blackout”. This report describes the cost of cyber-attacks against the US power grid. While this is more about the cost of security as an afterthought, there is also an indirect agility aspect: new regulations will require better security – and then security by design drives agility.

In general, the ability to provide services in these times of ever-changing (and ever-tightening) regulations as well as massive differences in regulations depends on the ability to re-configure your services, instead of re-coding them.

And maybe even Facebook would have been better advised to spend money on security and privacy by design instead of on lawyers and lobbyists in Europe. Then many more Europeans might use Facebook actively than do today, with more controls for privacy they could use to configure Facebook’s behavior.

The good thing, though, is this: once you have prepared your organization for security by design and privacy by design, it becomes more agile. It is ready for faster development of software or connected things and for more agile transformation of business models. It is a one-time investment, so to speak – with massive long-term, as well as near-term benefits.



It really is worse than your nightmares – try Shodan

Jul 28, 2015 by Martin Kuppinger

Shodan is a computer search engine. They call themselves the “world’s first search engine for Internet-connected devices”, including buildings, refrigerators, power plants, the Internet of Things (IoT), webcams, and whatever else you can imagine. Shodan isn’t new. The search engine has been online for several years now. The only new thing is the change in the URL from www.shodanhq.com to www.shodan.io.

When talking about the challenges we are facing in the IoT and in Smart Manufacturing, I commonly bring up Shodan as an example of what is visible today in this hyper-connected world. Interestingly, most CIOs and other Information Security Professionals, not to mention the rest of the world, are unaware of the fact that such a website exists.

Just the fact that there is such a search engine around is scary. It allows searching for everything that is connected to the Internet. It even allows downloading results and creating reports or using that information in other ways. Running automated attacks based on search results is just one example, even while there clearly are “good” use cases as well.

What is even scarier, though, are the results a simple query such as

“default password” country:de

will show. Just run such a query. It proves that reality is worse than your worst dreams. When I ran it today, it delivered 664 results containing default passwords of a variety of systems. Even though you could argue that some of these are not current anymore, quite a number of these passwords will do their job.

The important lesson to learn from the fact that there is Shodan (and that there are others around) is to do the best job you can do on security. Understand your potential attackers, know which devices expose themselves on the Internet (and stop the ones that don’t need to from doing so), avoid standard usernames and passwords, change passwords regularly, harden your systems, etc. At least follow the standard best practices for security. And clearly, “security by obscurity” is not the best, not a good, not even an acceptable practice – it never worked and clearly will not in the age of computer search engines.

Furthermore, when providing connected things or moving towards smart manufacturing, first understand that all these connected things will be visible to the Internet. Thus, they can be attacked. Security must not be an afterthought in IoT and Smart Manufacturing, because the attackers already are waiting for you to connect more things or even entire plants.



Connected Vehicle: Security First

Jul 27, 2015 by Martin Kuppinger

The recently discovered remote hack vulnerability of Fiat Chrysler Jeep cars, based on their Uconnect functionality, puts a spotlight on the miserable state of connected vehicle security these days. Another recently published article in a German newspaper not only identified a gap in functionality but also illustrates how German automotive vendors and suppliers in particular implement (or plan to implement) security in their connected vehicles.

While the U.S. has introduced the Spy Car Act (Security and Privacy in Your Car Act) which is about defining industrywide benchmarks and standards for security and privacy in connected vehicles and forces the industry to collaborate, similar legislation is still lacking in the EU.

The automotive industry currently is in a rush to roll out new smart and digital features (or whatever they perceive as being smart), emulating many other industries facing the need for joining the Digital Transformation. Unfortunately, security is an afterthought, as recent incidents as well as the current trends within the industry indicate.

Ironically, the lack of well thought-out security and privacy features is already becoming an inhibitor for the industry. While the cost of sending out USB sticks with a patch is still considerably low (and the approach is impressively insecure), the cost of calling back 1.4 million cars to the garages is significant, even without speaking of the indirect cost of reputation loss or, if something really goes wrong, the liability issues.

But that is only one part of the problem. The lack of Security by Design and Privacy by Design is also becoming an inhibitor for the Digital Transformation. An essential element of the Digital Transformation is the change of business models, including rapid innovation and (ever-changing) partnerships.

A simple example that illustrates the limitations caused by the lack of security and privacy by design is the black box EDR (Event Data Recorder), which is becoming increasingly common and increasingly mandatory by legislation. Both automotive vendors and insurance companies are interested in “owning” the data held in such devices. While I will come to the complexity of dealing with data access demands and requirements of various parties later in this post, it is obviously impossible to easily solve this conflict with technology that e.g. relies only on a single key for accessing that data. Modern concepts for security and privacy would minimize such conflicts by allowing various parties to have defined and controlled access to information they are entitled to access.

Cynically said: automotive vendors are rushing to roll out new features to succeed in the Digital Transformation, but by failing to do it right, with Security by Design and Privacy by Design, they are struggling with exactly the same transformation. Neither security nor privacy can be an afterthought for succeeding in the Digital Transformation.

From my perspective, there are five essentials the automotive industry must follow to succeed with both the connected vehicle and, in its concept, the Digital Transformation:

  1. Security by Design and Privacy by Design must become essential principles that any developer follows. A well-designed system can be opened up, but a weakly designed system never can be shut down. Simply said: security and privacy by design are not inhibitors, but enablers, because these allow flexible configuration of the vehicles for ever-changing business models and regulations.
  2. Modern hardened implementations of technology are required. Relying on a single key for accessing information of a component in the vehicle or other security concepts dating back decades aren’t adequate anymore for today’s requirements.
  3. Identities and Access Control must become key elements in these new security concepts. Just look at the many things, organizations, and humans around the connected vehicle. There are entertainment systems, engine control, EDR systems, gear control, and many other components. There is the manufacturer, the leasing company, the police in various countries, the insurance company, the garage, the dealer, and many other organizations. There is the driver, the co-driver, the passengers, the owner, etc. Various parties might access some information in certain systems, but might not be entitled to do so in others. Some might only see parts of the EDR data at all times, while others might be entitled to see all of that information after specific incidents. Without a concept of identities, their relations, and for managing their access, e.g. for security and privacy by design, there are too many inhibitors for supporting change in business models and regulations. From my perspective, it is worth spending some time and thoughts in looking at the concept of Life Management Platforms in that context. These concepts and standards such as UMA (User Managed Access) are the foundation for better, future-proof security in connected vehicles.
  4. Standards are another obvious element. It is ridiculous assuming that such complex ecosystems with manufacturers, suppliers, governmental agencies, customers, consumers, etc. can be supported with proprietary concepts.
  5. Finally, it is about solving the patch and update issues. Providing updates by USB stick is as inept as calling back the cars to the garages every “patch Tuesday”. There is a need for a secure approach for regular as well as emergency patches and updates, which must become part of the concept. Again, there is a need for standards, given the fact that every car today consists of (connected) components from a number of suppliers.
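
To make points 2 and 3 and the EDR example above concrete, here is an added sketch (not code from this post or from any vendor) of per-party, per-incident access to EDR data in place of a single shared key. The party names, field names and the policy table are assumptions chosen for illustration; it is a simplified policy check, not an implementation of UMA, and it assumes the caller's identity and the incident type have already been established by the system.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample EDR record; field names are assumptions for illustration.
EDR_RECORD = {
    "vin": "TESTVIN0000000001", "speed_kmh": 87, "brake_applied": True,
    "airbag_deployed": True, "gps_position": (48.137, 11.575),
}
ALL = frozenset(EDR_RECORD)

# Policy is data, not code: a new partner or regulation means editing this
# table. "always" = readable at any time; "after" = extra fields released
# only when the request is tied to a recorded incident of that type.
POLICY = {
    "owner":        {"always": ALL, "after": {}},
    "manufacturer": {"always": {"vin", "airbag_deployed"}, "after": {}},
    "insurer":      {"always": {"vin"},
                     "after": {"crash": {"speed_kmh", "brake_applied",
                                         "airbag_deployed"}}},
    "police":       {"always": set(), "after": {"crash": ALL}},
}

@dataclass(frozen=True)
class Request:
    party: str                      # authenticated identity of the caller
    incident: Optional[str] = None  # incident on record, set by the system

def allowed_fields(req: Request) -> frozenset:
    """Return the fields this party may read; unknown parties get nothing."""
    rule = POLICY.get(req.party)
    if rule is None:
        return frozenset()          # deny by default
    extra = rule["after"].get(req.incident, ()) if req.incident else ()
    return frozenset(rule["always"]) | frozenset(extra)

def read_edr(req: Request, record: dict, audit: list) -> dict:
    """Return a filtered view of the record and log the decision."""
    view = {k: v for k, v in record.items() if k in allowed_fields(req)}
    audit.append((req.party, req.incident, sorted(view)))
    return view

if __name__ == "__main__":
    log = []
    print(read_edr(Request("insurer"), EDR_RECORD, log))
    print(read_edr(Request("insurer", "crash"), EDR_RECORD, log))
    print(read_edr(Request("advertiser", "crash"), EDR_RECORD, log))
```

Granting a leasing company or a garage access, or narrowing what an insurer sees, is then a change to `POLICY` rather than to the code paths that read the recorder.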

Notably, all these points apply to virtually all other areas of IoT (Internet of Things) and Smart Manufacturing. Security must not be an afterthought anymore. The risk for all of us is far too high – and, as mentioned above, done right, security and privacy by design enable rapidly switching to new business models and complying with new regulations, while old school “security” approaches don’t.



Amazon enters another market with their API Gateway

Jul 15, 2015 by Alexei Balaganski

What a surprising coincidence: on the same day we were preparing our Leadership Compass on API Security Management for publication, Amazon has announced their own managed service for creating, publishing and securing APIs – Amazon API Gateway. Well, it’s already too late to make changes in our Leadership Compass, but the new service is still worth having a look, hence this blog post.

Typically for Amazon, the solution is fully managed and based on AWS cloud infrastructure, meaning that there is no need to set up any physical or virtual machines or configure resources. The solution is tightly integrated with many other AWS services and is built directly into the central AWS console, so you can start creating or publishing APIs in minutes. If you already have existing backend services running on AWS infrastructure, such as EC2 or RDS, you can expose them to the world as APIs literally with a few mouse clicks. Even more compelling is the possibility to use AWS Lambda service to create completely managed “serverless” APIs without any need to worry about resource allocation or scaling.

In fact, this seems to be the primary focus of the solution. Although it is possible to manage external API endpoints, this is only mentioned in passing in the announcement: the main reason for releasing the service seems to be providing a native API management solution for AWS customers, which until now had to manage their APIs themselves or rely on third-party solutions.

Again typically for Amazon, the solution they delivered is a lean and no-frills service without all the fancy features of an enterprise API gateway. But since it is based on the existing AWS infrastructure and heavily integrates with other well-known services from Amazon, it comes with guaranteed scalability and performance, an extremely low learning curve and, of course, low prices.

For API traffic management, Amazon CloudFront is used, with a special API caching mechanism added for increased performance. This ensures high scalability and availability for the APIs, as well as a reasonable level of network security such as SSL encryption or DDoS protection. API transformation capabilities, however, are pretty basic: only XML to JSON conversion is supported.

To authorize access to APIs, the service integrates with AWS Identity and Access Management, as well as with Amazon Cognito, providing the same IAM capabilities that are available to other AWS services. Again, the gateway provides basic support for OAuth and OpenID Connect, but lacks the broad support for authentication methods typical for enterprise-grade solutions.

Analytics capabilities are provided by Amazon CloudWatch service, meaning that all API statistics are available in the same console as all other AWS services.

There seems to be no developer portal functionality provided with the service at the moment. Although it is possible to create API keys for third-party developers, there is no self-service for that. In this regard, the service does not seem to be very suitable for public APIs.

To summarize it, Amazon API Gateway is definitely not a competitor for existing enterprise API gateways like products from CA Technologies, Axway or Forum Systems. However, as a native replacement for third-party managed services (3scale, for example), it has a lot of potential and, with Amazon’s aggressive pricing policies, it may very well threaten their market positions.

Currently, Amazon API Gateway is available in selected AWS regions, so it’s possible to start testing it today. According to the first reports from developers, there are still some kinks to iron out before the service becomes truly usable, but I’m pretty sure that it will quickly become popular among existing AWS customers and may even be a deciding factor for companies to finally move their backend services to the cloud (Amazon cloud, of course).




© 2003-2015 KuppingerCole