SECURITY IMPLICATIONS
Accenture Technology Vision 2015
Digital Business Era: Stretch Your Boundaries
The Accenture Technology Vision 2015
outlines how leading businesses are
stretching their boundaries in the digital
era—and beginning to create the fabric
connecting customers, services and
devices through the Internet of Things.
In the process, they are striving to
disrupt and reshape entire markets. Most
importantly, they are looking to
collaborate in the “We Economy” to
tackle global challenges that transcend
business and industry borders.
FOREWORD
#techvision2015
Operating in this broad digital ecosystem promises
great opportunity for the leaders of tomorrow.
It also brings new security implications that
businesses need to address proactively in order to
succeed. This year, Accenture found that security
is a central tenet across all of the trends described
in the Vision 2015. Specifically, security is a top
priority to:
• Protect connected Internet of Things edge devices
that businesses use to deliver results in the
Outcome Economy, while assuring data integrity
to enable decision making at the edge.
• Ensure businesses can ingest, process and generate
insights from big, diverse data as they leverage
digital platforms and share data through the
Platform (R)evolution.
• Transform into Intelligent Enterprises that rely on
smart software (automation, machine learning
and cognitive computing), and a collaborative
model of humans and machines in a Workforce
Reimagined.
• Build customer trust as businesses deliver highly
personalized products and targeted services in the
Internet of Me era.
Since security is the foundation for these trends, we
are focusing this year’s Security Implications of the
Accenture Technology Vision on five themes that
will help prepare businesses to stretch their digital
boundaries:
• Enabling Autonomous Devices at the Edge
• Making Data-Driven Decisions at Internet of
Things Scale
• Securing the Three Vs (Volume, Variety and Velocity)
of Big Data
• Maximizing Protection across Digital Ecosystem
Platforms
• Building Customer Trust in a Digital Economy
I invite you to read the paper and contact
Accenture to discuss innovative ways to secure
the new digital ecosystem, expand the fabric of
our connectedness, and enable a rich and trusted
customer experience in our shared digital future.
Lisa O’Connor
Managing Director, Security Research and Development
Accenture Technology Labs
SECURITY IMPLICATIONS OF THE ACCENTURE TECHNOLOGY VISION 2015
What is the security impact of
using IoT edge devices to enable
business decisions?
CHAPTER 1
Edge Autonomy: Enabling autonomous devices at the edge
The Accenture Technology Vision 2015 highlights
how the rapidly growing Internet of Things (IoT)
is introducing billions of embedded sensors,
smart machines, wearable devices and connected
industrial equipment. Businesses are beginning to
interconnect these “things” to enable the delivery
of intelligent products and services through
the digital ecosystem. In time, this connected
intelligence will be used to deliver what customers
really want: results, or what Accenture calls the
Outcome Economy.
From a security standpoint, however, the IoT
presents new risk as well as new opportunity—
an expanded attack surface with new vectors
of vulnerability across connected systems and
distributed devices. Most devices at the edge
currently exchange data and send the information
back to a centralized infrastructure or cloud for
further processing. But as businesses extend existing
cloud capabilities and develop new services, more
intelligence and autonomous decision making will
be pushed to the edge. This is already a reality in
several cities that have implemented smart parking
systems to make real-time pricing changes and
reduce traffic congestion. The benefits of moving
business decisions to edge devices must be balanced
with the security risks and potential limitations of
those devices and their environment.
In October 2014, the IoT World Forum Architecture
Committee published a seven-layer IoT reference
model, in which layer three is edge computing.1
This layer is responsible for facilitating connectivity
and analysis between physical devices, applications
and business processes. As more businesses embrace
this framework, securing the edge computing layer
will be critical in enabling trustworthy business
decisions. Fundamental processes like the ability
of edge devices to authenticate, authorize and
discover other devices and services will need to be
analyzed through the security lens.
Prioritize protecting edge devices
Unlike traditional computing devices, IoT edge
devices are typically embedded sensors and
controllers with fixed functions and the ability to
perform specific tasks. Smart meters, for example,
allow two-way information flow between the
electricity utility and customers. Traditionally,
these devices are deployed outside the security
perimeter and, in some cases, directly connected to
the Internet. Since many device developers are not
security specialists with a thorough understanding
of potential threats, physical protections are not
universal features of IoT edge devices. As a result,
there are numerous ways to physically tamper
with them.
For legacy devices, businesses may choose to retrofit
them with new capabilities to make them a part
of their connected infrastructure. For example,
manufacturing companies increasingly integrate
their industrial systems in the field to optimize
decision making and production. However, this may
make it more difficult to implement authentication,
authorization or encryption controls on these
modified devices. Fully protecting this range of
distributed devices will require businesses to
emphasize and extend their security footprint far
beyond existing borders.
Boost security for edge device infrastructure
As businesses delegate increased authority to
edge devices, they will need to pay even more
attention to fundamental security controls like
data protection, auditability, privilege management,
vulnerability management, device authentication
and network segmentation. The Shellshock
vulnerability affected not only Linux-based
servers and desktops, but also many IoT devices
that used some variants of Linux.2 Exacerbating
this issue was the lack of patching or anomalous
activity detection capabilities in these devices. To
avoid similar challenges, businesses must invest
in ecosystem hygiene—integrating techniques
to patch and securely update IoT devices and
their configurations to reduce the impact of
vulnerabilities spreading through the environment.
Establishing trust zones, wherein enterprise
resources with similar security requirements are
placed in the same network segment, has proven
to be an effective risk mitigation technique in
various enterprise systems. Businesses can extend
this practice to edge infrastructure where devices
need to be separated by their inherent capabilities
and security features. It will be important to allow
edge devices to communicate across different trust
zones as network topologies are modified. To enable
business decisions at the edge, businesses must
ensure that edge device interaction is governed by
appropriate authentication and algorithms that
can take autonomous actions, and that the actions
being performed are authorized.
Intel’s IoT Gateway is an example of a solution
to extend the capabilities of legacy devices and
connect them to a next-generation intelligent
infrastructure.3 This platform enables businesses
to set up secure connections between devices
in different trust zones, as well as build custom
applications to manage authentication and
authorization. The platform includes security
management capabilities for resource-constrained
devices, enabling cloud connectivity and more.
Yet another way for businesses to boost security
is to implement on edge devices foundational
security controls like immutable identification and
whitelisting of allowable agents and applications.
Include system context in security planning
As more decisions are made at the edge rather
than at the core controller, context-awareness
capabilities will underpin real-time decision making.
Businesses should make sure intrusion detection
and mitigation techniques take into account device
behavior, its relationship with other devices and the
overall context of services being provided. Is the
device providing mission-critical data? Is it passively
collecting data, or also responding and actuating? Is
it part of a cohort of devices that depend on each
other for decision making?
Security planning needs to be holistic, taking
into account the entire context of the system.
Context dependence will drive physical and logical
security models. To that end, Cisco is developing
a distributed computing infrastructure to support
edge analytics, which it calls “fog computing.”4
Using Cisco’s IOx capability, businesses can develop,
manage and run applications that are closer to
where actionable data is generated, and then
delegate authority for pre-specified decision
making. They can also build security capabilities
using the IOx platform and develop use cases that
expand security planning to perimeter and edge
devices. Solutions like this will help businesses
understand the interactions of devices, profile their
activities and respond appropriately.
Manage edge intelligence with new governance model
Data governance, communication and privacy
models must keep pace with new frameworks and
architectures being introduced to build end-to-
end IoT systems. As edge devices communicate
and make decisions based on telemetry from
various sources, it will be critical for businesses to
maintain supervisory control. The nature of control
needed will drive ecosystem requirements—such
as determining whether cloud or private network
solutions are preferred. Businesses need to architect
a hierarchical supervisory controls model that
optimizes the right security controls for the right
business processes to achieve the full benefit of a
flexible infrastructure.
Unfortunately, security planning must also
anticipate the likelihood of a breach—no
organization seems immune from attack. During
a cyber-attack, the supervisory control model
must balance requirements for resiliency and
availability—minimizing downtime—for ongoing
device operations. Mocana, a company that
focuses on securing non-traditional endpoints, has
developed an IoT device framework for protecting
edge data and enterprise communications. This
framework consists of a range of capabilities—
including key management, secure wireless and
strong encryption—required for management
of a distributed IoT infrastructure. Mocana also
provides an API for rapid deployment of secure IoT
devices that conform to business requirements and
governance models.
Another option comes from FogHorn Systems,
which is developing an IoT application deployment
platform that supports delivery and management
of host applications embedded in edge devices.5
Businesses can use the platform to distribute
applications from platform-as-a-service (PaaS) to
onsite sensor networks. The FogHorn Edge Platform
delivers service level agreement (SLA)-sensitive
security applications to the edge, which can be
triggered based on specific conditions.
Conclusion
Edge devices will have a profound impact on the
security infrastructure, as IoT becomes an integral
part of business in the digital ecosystem. Accenture
recommends that businesses work to understand
and proactively address the security implications of
decisions being made at the edge. Managing and
safeguarding edge devices, as well as the end-to-
end set of technologies that enable intelligent
decisions, will be essential to future operations.
How can businesses make
sure edge data is reliable for
analytics?
CHAPTER 2
Data Integrity: Making data-driven decisions at Internet of Things scale
As the IoT proliferates, businesses will use
data passed between interconnected devices,
applications and processes to determine customer
context, and then collaborate through platforms
to provide the intelligent products and services
that customers desire in the Outcome Economy.
A connected digital ecosystem, combined with
edge computing and smart machine-to-machine
communications, will also expand the possibilities
for using data collected from IoT devices to drive
significantly faster decisions.
However, as businesses collect, process and analyze
increasingly larger data sets from devices at the
edge, they must make sure they can rely on the
integrity of that data to make decisions. According
to a recent Gartner survey, the annual financial
impact of inaccurate and poor quality data on
businesses is, on average, $14.2 million. In the world
of IoT, this will only be magnified.6
In order to optimize decisions, businesses will
need assurance that their edge data is accurate,
authentic and complete. This is especially critical
as Intelligent Enterprises transition toward using
software intelligence, in which applications and
tools become smarter using technologies to
trigger automatic action and make more informed
business decisions. Even in today’s world, entire
supply chains can be disrupted if data sent by the
production floor, storage warehouses or distribution
channels is inaccurate because of anything from
malfunctioning sensors to intentional manipulation.
Compound this with the scale and speed of IoT, and
the ripple effect of bad decisions based on bad data
can spread quickly.
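An added example, not part of the Accenture paper, of a gateway-side check for the three properties named above: authentic (a per-device HMAC), complete (sequence gaps and replays) and accurate (a plausibility range that catches a malfunctioning sensor). The pre-shared key, the field names, the device name `meter-01` and the range are assumptions, and the sample stream is constructed.

```python
import hashlib
import hmac
import json


def sign(key: bytes, device_id: str, seq: int, value: float) -> str:
    """HMAC-SHA256 over a canonical encoding of the fields a decision relies on."""
    msg = json.dumps([device_id, seq, value], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class GatewayValidator:
    """Checks each reading before it is allowed to feed an automated decision."""

    def __init__(self, keys, plausible_range):
        self.keys = keys                      # device_id -> pre-shared key (assumption)
        self.plausible_range = plausible_range
        self.last_seq = {}                    # device_id -> last accepted sequence number

    def check(self, reading):
        """Return a list of findings; an empty list means the reading is usable."""
        dev = reading.get("device_id")
        key = self.keys.get(dev)
        if key is None:
            return ["unknown-device"]

        # Authentic: recompute the MAC and compare in constant time.
        expected = sign(key, dev, reading["seq"], reading["value"])
        supplied = str(reading.get("mac", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return ["bad-mac"]

        # Complete: sequence numbers must strictly increase; report any gap.
        seq, last = reading["seq"], self.last_seq.get(dev)
        if last is not None and seq <= last:
            return ["replay"]
        findings = []
        if last is not None and seq > last + 1:
            findings.append(f"gap:{last + 1}-{seq - 1}")
        self.last_seq[dev] = seq

        # Accurate: a correctly signed value can still come from a faulty sensor.
        low, high = self.plausible_range
        if not low <= reading["value"] <= high:
            findings.append("implausible-value")
        return findings


def constructed_stream(key):
    """Constructed sample readings: two good, one altered in transit,
    one after lost messages, one replayed, one from a failing sensor."""
    def reading(seq, value, signed_value=None):
        mac = sign(key, "meter-01", seq, value if signed_value is None else signed_value)
        return {"device_id": "meter-01", "seq": seq, "value": value, "mac": mac}

    return [
        reading(1, 21.5),
        reading(2, 21.7),
        reading(3, 85.0, signed_value=21.9),   # value changed after signing
        reading(5, 22.0),                      # readings 3 and 4 never accepted
        reading(5, 22.0),                      # same message delivered twice
        reading(6, 250.0),                     # validly signed, physically implausible
    ]


def triage(stream, validator):
    """Pair each reading's sequence number with the validator's findings."""
    return [(r["seq"], validator.check(r)) for r in stream]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-secret"
    gateway = GatewayValidator({"meter-01": demo_key}, (-40.0, 60.0))
    for seq, findings in triage(constructed_stream(demo_key), gateway):
        print(seq, findings or "ok")
```

A rejected reading does not advance the sequence counter, so the tampered message shows up again as part of the gap reported for the next accepted reading.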
Protect data on edge devices
Since many edge devices do not have effective
authentication, authorization or encryption
controls, businesses should evaluate the use of
IoT gateways/agents that specialize in providing
data assurance. Freescale, an embedded-solution
vendor, has released products that provide strong
security controls, including data integrity checks,
to IoT devices. The company uses a combination
of cryptographic modules, trust and platform
assurance technologies, and signature detection
to support security requirements of a trusted IoT
architecture. Qualcomm is also developing smart
gateways to address IoT security requirements
by incorporating strong encryption and trusted
platform principles. Although the architecture and
use cases of these gateways differ, each supports
communication with a connected infrastructure
and enables new services.
Implement assurance that scales
The ever-increasing flow of data and customer
information needed to fuel the digital business
brings with it ever-increasing security and privacy
challenges. Sensors and embedded devices enhance
the infrastructure’s ability to collect data, and with
it the ability to run more complex analytics. As a
rite of passage, businesses must demonstrate they
can maintain data integrity through every stage
of the data lifecycle. And if personal information
is being collected from consumers, then effective
data retention, usage and sharing policies must
be implemented. All along this flowing river of
information will be numerous opportunities for
third parties to either accidentally or maliciously
alter the data. The impact of the initial decisions
could cascade beyond the local system to an
enterprise network or cloud.
Businesses should use data-level security
approaches that enforce policies through the
entire lifecycle—from creation to disposal—as
potential solutions to data governance and
integrity challenges. Several data-centric security
technologies aim to provide data protection
enforcement policies across multiple platforms.
Voltage Security (recently acquired by HP),
Informatica and Protegrity are examples of
companies that have developed focused solutions
with data-centric capabilities like data classification
and discovery, data security policy management,
monitoring of user privileges and activity, auditing
and reporting, and data protection.7
Low quality and low assurance data adds noise to
the decision-making process, increasing the overall
cost of extracting insights. As businesses establish
infrastructure to collect and process data at speed
and scale, they should implement data assurance
and audit frameworks that scale to match.
Businesses must also consider adding data quality
tools designed for big data applications since
collecting, processing and maintaining IoT data is
a big data exercise. Gartner’s Magic Quadrant for
Data Quality Tools provides an insightful snapshot
of the current vendor landscape and their tools’
capabilities to handle data as an asset.8
Tie IoT protocols to business models
Businesses must also be aware of the data assurance
limitations of communication protocols. Higher-
level IoT communication protocols like MQTT, CoAP,
DDS, 6LoWPAN, ZigBee, Modbus and WirelessHART
offer different security capabilities based on
which underlying networking protocol is used. For
example, CoAP is built on User Datagram Protocol
(UDP) and, as a result, cannot provide protocol
security such as Secure Sockets Layer (SSL) or
Transport Layer Security (TLS). 6LoWPAN is built on
IPv6, which has its own set of vulnerabilities.
NIST’s Framework for Improving Critical
Infrastructure Cybersecurity provides a mechanism
for using business drivers to help guide security
activities, consider security risks and select an
appropriate communication protocol to manage
the business risk profile.9 While the framework
targets critical infrastructure operators, there are
best practices applicable to businesses considering
expanding their IoT footprint. As businesses deploy
new edge devices and management platforms,
they should also take into account data assurance
limitations of the communication protocols. In
order to select a protocol with the right set of
features while mitigating risk, it is important to
consider application deployment, infrastructure
management and security requirements.
Conclusion
As businesses look for new ways to gain insight
from data, developing and maintaining a data
assurance program should be at the center of their
IoT strategy. Businesses need a framework that
governs data assurance across edge infrastructure
and instills a higher level of confidence in data-
driven decisions. To maximize the potential benefits
of the IoT, Accenture recommends building a data
assurance program that directly ties to the business
model and enables more informed decisions based
on accurate data.
What security controls will scale
to protect big data?
CHAPTER 3
Big Data Security: Securing the three Vs
Businesses are experiencing exponential growth in
data as more devices get deployed at the edge and
business processes become increasingly digital—
causing their data repositories to reach capacity. For
Intelligent Enterprises to fully reap the benefits of
software intelligence and embrace a collaborative
workforce model of humans and machines (or
what Accenture deems Workforce Reimagined), it
will be critical to securely process and protect big
data. For instance, evaluating and optimizing the
performance of human and machine interactions as
they work side by side, and “teaching” machines to
evolve as the task changes, will all be based on big
data analytics.
While big data presents a multitude of business
opportunities to generate insights and guide
actions, it also presents substantive privacy
concerns. As part of a strategy to strengthen
cyber laws, the US President recently announced
a privacy plan for big data, which includes policy
recommendations and pending draft legislation
to protect consumers’ privacy.10 But despite new
compliance requirements, big data breaches are on
the rise. Businesses are finding it more difficult to
secure big data, especially as traditional database
management systems cannot scale enough to
handle the data volume, acquisition velocity or data
variety–what is often referred to as the three Vs.
The volume challenge
Few businesses have mastered the concepts and
techniques of effective data protection. To deal
with the volume, computations on big data are
processed in parallel often using MapReduce-
like frameworks, where distributed mappers
independently process local data during the Map
operation, before reducers process each group of
output data in parallel. Google originally created
Hadoop—the open source implementation of the
MapReduce programming model—to store and
process public website links; security and privacy
were an afterthought. Since security is not inherent,
it is difficult to retrofit mappers that perform
data analytics with security. In order to secure the
computations in these distributed frameworks,
businesses must also ensure that the data is secured
against potentially compromised mappers.
The variety challenge
Big data is composed of a variety of data elements,
which makes it subject to different regulatory and
compliance requirements. For example, an insurance
company that collects medical records and financial
information about its customers may have to build
different data stores for each type of data.11 Since
different stakeholders require access to various
subsets of data, businesses must use encryption
solutions that enable fine-grained access and
operations on the data. Today, many organizations
still deal with the big data challenge by creating
a data lake, a huge repository of raw data in its
native format. Such organizations probably need
to revisit their data storage practices, segregating
that data based on sensitivity level and compliance
requirements, and then applying proper security
controls.
The velocity challenge
Businesses do not always know in advance the
sensitivity levels of big data because it is being
collected in real-time (streaming data) or near
real-time. Some data items may not look sensitive
on their own, but could reveal private details when
combined with other pieces of information; in the
aggregate, the data might result in a comprehensive
picture that requires protection. To manage the
data velocity, businesses should perform data
sensitivity analysis more frequently, and apply the
right security policy and access controls while the
data is fresh.
Secure big data processing platforms
As organizations build big data repositories and
apply big data analytics, various types of data are
mixed together, such as business performance and
sensor information. When that data combines, it
becomes a target. To ensure that only the proper
people and algorithms have access, it is vital to
secure big data platforms and monitor access
through a combination of security controls.
More security features are fortunately moving into
big data platforms. Hadoop now offers Kerberos-
based authentication, which can also be integrated
with LDAP and Active Directory for security policy
enforcement. Zettaset’s sHadoop was designed
to mitigate Hadoop’s known architectural and
input validation issues, and improve user-role
audit tracking and user-level security for Hadoop.
sHadoop also gives administrators the ability to
establish and store a baseline security policy for
all users, who can be compared against current
security policy. Finally, sHadoop offers encryption
for data at rest and in motion as it gets transmitted
between Hadoop nodes.
Another option for big data protection is Gazzang
(purchased by Cloudera in 2014), which offers a
product for end-to-end encryption of data stored
and processed in Hadoop environments, data
coming from streaming engines such as Apache
Sqoop, metadata, and configuration information
about a Hadoop cluster. Cloudera is also partnering
with Intel on a chip-level encryption initiative
called Project Rhino.12
Embed security into data
Most businesses choose to build their big data
environment in the cloud, where all-or-nothing
retrieval policies of encrypted data may push them
to store data unencrypted. In these situations,
businesses should consider attribute-based
encryption to help protect sensitive data and enable
fine-grained access controls and encryption. With
this technique, the attributes of a secret key are
mathematically incorporated into the key itself.
When attempting to access an encrypted file, policy
checking within the decryption process checks that
the policy is satisfied—the cloud does not know the
individual file access policies.
Sqrrl Enterprise, another big data platform, takes a
data-centric security approach: data is embedded
with security information that determines access
and governance. Fine-grained access control is
enabled at the cell level by evaluating a set of
visibility labels that are embedded within the data
each time a user attempts an operation on that
data. Even search indexes, which may constitute a
source of data leakage, are secured through term-
level security, ensuring that indexing respects the
security policies of the underlying data elements.
The platform is built on top of Accumulo, a
distributed, hybrid column-oriented, key-value
data store originally developed by the National
Security Agency, and later submitted to the Apache
Foundation.
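An added example, not Sqrrl's or Accumulo's code, of the cell-level and term-level checks described above: every cell carries a visibility label that is evaluated against the caller's authorizations on each read, and every index posting inherits the label of the cell it came from. The expression syntax is a simplified one modelled on Accumulo's column visibility (labels joined by `&` and `|`, grouped with parentheses); the label names and cell contents are constructed.

```python
import re
from dataclasses import dataclass

_TOKEN = re.compile(r"\s*([&|()]|[A-Za-z0-9_.:\-]+)")


class VisibilityError(ValueError):
    """Malformed label. Callers must treat this as 'deny', never as 'allow'."""


def _tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if not match:
            raise VisibilityError(f"bad character at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def _term(tokens, pos, auths):
    if pos >= len(tokens) or tokens[pos] in ("&", "|", ")"):
        raise VisibilityError("label or '(' expected")
    if tokens[pos] == "(":
        value, pos = _expr(tokens, pos + 1, auths)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise VisibilityError("missing ')'")
        return value, pos + 1
    return tokens[pos] in auths, pos + 1


def _expr(tokens, pos, auths):
    value, pos = _term(tokens, pos, auths)
    op = None
    while pos < len(tokens) and tokens[pos] in ("&", "|"):
        if op is None:
            op = tokens[pos]
        elif tokens[pos] != op:
            # Ambiguous precedence is rejected rather than guessed.
            raise VisibilityError("mixing & and | requires parentheses")
        rhs, pos = _term(tokens, pos + 1, auths)
        value = (value and rhs) if op == "&" else (value or rhs)
    return value, pos


def is_visible(label, auths):
    """True if the authorization set satisfies the label; an empty label is public."""
    if not label.strip():
        return True
    tokens = _tokenize(label)
    value, pos = _expr(tokens, 0, frozenset(auths))
    if pos != len(tokens):
        raise VisibilityError("unexpected trailing tokens")
    return value


def _allowed(label, auths):
    try:
        return is_visible(label, auths)
    except VisibilityError:
        return False  # fail closed on a label that cannot be parsed


@dataclass(frozen=True)
class Cell:
    row: str
    column: str
    value: str
    visibility: str


def scan(cells, auths):
    """Cell-level security: return only the cells this caller may read."""
    return [c for c in cells if _allowed(c.visibility, auths)]


def build_index(cells):
    """Inverted index in which each posting keeps its source cell's label."""
    index = {}
    for c in cells:
        for term in c.value.lower().split():
            index.setdefault(term, []).append((c.row, c.visibility))
    return index


def search(index, term, auths):
    """Term-level security: a hit is returned only if its own label is satisfied,
    so the index cannot reveal that a hidden cell contains the term."""
    return sorted({row for row, label in index.get(term.lower(), [])
                   if _allowed(label, auths)})


# Constructed sample data.
CELLS = [
    Cell("cust-001", "name", "Alice Example", "pii"),
    Cell("cust-001", "diagnosis", "asthma", "medical&(clinician|auditor)"),
    Cell("cust-001", "balance", "1200", "finance|auditor"),
    Cell("cust-002", "diagnosis", "asthma", "medical&clinician"),
    Cell("cust-002", "region", "EMEA", ""),
    Cell("cust-003", "note", "asthma review", "medical&clinician|auditor"),  # malformed
]

if __name__ == "__main__":
    for cell in scan(CELLS, {"auditor", "medical"}):
        print(cell.row, cell.column, cell.value)
    print(search(build_index(CELLS), "asthma", {"auditor"}))
```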
Conclusion
Hadoop and other big data platforms are helping
businesses analyze and derive insights in entirely
new ways. To tap into the full benefit, however,
businesses must amplify security measures to
protect their information assets and reduce risk.
Accenture recommends businesses apply the basic
principles of information security to big data
platforms, but progressively narrow the perimeter
around enterprise data. Taking a data-centric
security approach opens the door to processing big
data analytics and producing even bigger insights
for digital business strategies.
How can businesses leverage their
platforms to securely operate in a
broader digital ecosystem?
CHAPTER 4
Security Platforms—Maximizing protection across digital ecosystem platforms
With the evolution of the IoT and digital industry
ecosystems, platform-based businesses will capture
more of the digital economy’s opportunities for
growth and profitability. Machine-to-machine
communications and advanced analytics will
leverage digital platforms. Intelligent Enterprises
will benefit from the influx of shared, cross-
industry data. And advances in processing power,
data science and cognitive technology will help
businesses prepare for the growing wave of
complex cyber-attacks.
To take full advantage of these platform
capabilities, businesses must increase their focus
not only on security, but also on leveraging the
platform to augment existing security intelligence.
It is critical to understand the potential for misuse
of data and functionality on platforms, and to
realize they give an adversary more motivation for
mayhem. Having greater insight into how edge
and core IT devices are behaving can also help
businesses protect against increasingly complex and
subtle threats.
Understand physical security risks
Leveraging a digital platform to make decisions
and influence the function of a business’ products
and services introduces a high-value target for an
adversary. Since these platforms provide insights
into the functionality of numerous digital devices
and equipment across the business, as well as some
degree of command and control over them, the
possibility of cyber-physical attacks increases.
The consequences of these attacks can range from
inconvenient to life threatening. Take connected
car services as an example. Recently BMW’s
ConnectedDrive system experienced a vulnerability
that enabled 2.2 million cars to be unlocked
remotely—an open-door invitation to car thieves.13
As the functionality of connected car services
improves to include things like engine optimization
based on individual driving habits, the risk for abuse
of these capabilities increases with the potential for
severe physical outcomes.
To mitigate these types of intensified physical
security risks, businesses should regularly evaluate
all of their business platforms for vulnerabilities
and monitor them for irregular behavior, apply
threat modeling to understand what is possible
to accomplish within the platforms, and leverage
threat intelligence to understand when adversaries
are motivated to accomplish those possibilities. In
addition, as new cross-industry digital platforms
emerge, businesses can analyze behaviors across
these platforms to further mitigate risk or reduce
time to detect new threats.
Evolve data security intelligently
Since businesses are beginning to aggregate
data from industrial, operations, management,
information technology and security systems into
one ecosystem, they must apply new security
capabilities to protect company assets. This is
especially important in the IoT era. As described
earlier, businesses must proactively work to identify
security threats within the data being collected
from devices. One solution comes from GE’s Predix
platform, which collates data from intelligent
industrial systems and identifies issues that may
necessitate maintenance. Businesses can further
leverage the platform’s analytics to identify
unusual changes in customer behavior and detect
performance changes that may be technology threats.
Plan security into the platform
Securing digital platforms begins before
development work even starts. Businesses can
reduce risk by collaborating with potential
ecosystem partners to brainstorm possible security
challenges across and beyond their industry.
Businesses should also identify what types of
security-related data the platform can gather,
as well as ways the platform can be leveraged to
monitor edge and core devices for abnormal activity.
Similarly, it is important to look at all available
enterprise data, not just what is stored in security
products. Determining the value of these data sets
could provide insight into where more complex
threat activity might originate. For example,
business process activity, which normally is
monitored outside the scope of security, may
be leveraged within data processes to identify
behaviors that adversaries could exploit in an
attack. Businesses should employ techniques
for more subtle evaluation of internal activity,
centralize the data into a common platform, and
utilize data visualization to understand specific
behaviors and quickly pinpoint outliers.
Finally, businesses looking to utilize technology and
data platforms to operate in the digital business era
must emphasize the importance of customer trust.
Platform breaches will erode customers’ trust in the
safety and reliability of a company’s products and
services; data breaches resulting in compromised
customer privacy have an equally negative impact.
Businesses should proactively embed security
and privacy controls into their platforms as a
core function, and not rely on best practices or
compliance regulation to set the bar.
Utilize existing platforms to augment security intelligence
The US government has recognized the value of
cross-industry collaboration for cyber security
in its recent formation of the Cyber Threat
Intelligence Integration Center (CTIIC). According
to Lisa Monaco, Assistant to the President for
Homeland Security and Counterterrorism, prior
to the CTIIC there was no single government
entity responsible for assessing and sharing cyber-
security threat information, nor for supporting
policy makers with timely information. Monaco
said, “To truly safeguard Americans online and
enhance the security of what has become a vast
cyber ecosystem, we are going to have to work in
lock-step with the private sector. The private sector
cannot and should not rely on the government to
solve all of its cyber-security problems. At the same
time, I want to emphasize that the government
won’t leave the private sector to fend for itself.”14
Similar initiatives are forming in the UK and other
geographies that will have enterprises defining the
models that work for them.
As digital platforms continue to capture new data
and offer innovative ways to catalyze growth, they
can also be used to increase security effectiveness.
The digital platform can contain a wealth of
information—from normal machine-to-machine
behavior to standard operating conditions of
edge devices. Ideally, businesses should select
platforms that provide cyber-threat assessment
indicators and share timely information to prevent
systemic attacks.
Security DevOps
As businesses develop applications on top of these
platforms, they are rapidly shifting towards an
agile development model termed DevOps.15 Within
DevOps, where application development embraces
the agility of automation and short sprints to
implement new features and fix defects rapidly,
there is a disruption to the normal approaches that
security uses to identify and mitigate risk within
applications.
Traditional approaches typically involve a great deal
of planning and design, activities that are human-
intensive in execution and require final sign-off
prior to release of an application. Activities such
as code scanning will need to change to be more
iterative and automated, leveraging technologies
such as Cenzic and Qualys to assess vulnerabilities
and risks as the application is developed.
DevOps greatly speeds how quickly a digital
business can develop and deploy applications, as
well as incorporate new features into the services
they offer. Security should be baked in from the
start and embedded into how the DevOps process
functions. To accomplish this, security needs to be
low impact to the process, automated to a high
degree and intelligent enough to guide developers
in understanding risk as they make changes to
the application.
Conclusion
Platform security is a vital capability for operating in
the digital ecosystem. In order to thrive, businesses
must understand the potential cyber-physical risks
of delivering platform-based services and augment
existing security efforts with digital platform
intelligence. Accenture recommends combining
operational and security information across the
enterprise—and across platforms—to help businesses
respond effectively to the rapidly changing cyber
landscape.
What security and privacy
approaches reinforce
customer trust in the age
of hyperpersonalization?
CHAPTER 5
Customer Trust—Building customer trust in a digital economy
One of the key determinants of success for digital
businesses will be the ability to deliver products
and services that are highly personalized for each
business customer or end consumer based on their
specific habits and preferences. Gartner reports that
89 percent of businesses believe that a seamless
customer experience will be their primary basis
for competition.16 Accenture calls this trend the
Internet of Me.
Businesses currently collate personally identifiable
information (PII) from social media networks and
posts; however, digital technologies such as sensors
and connected devices deployed in customers’
homes, workplaces, cars and even on their bodies as
wearables are generating ever more personal data
and changing the game. New business models are
emerging and driving the personal information
economy. For example, some businesses see opportunity
in selling, aggregating or brokering personal data;
others are branching out into new markets, such as
retailers offering financial services to customers.
But with these next-generation business
opportunities comes increased responsibility to
protect customer information. In order to maximize
customer data and deliver personalization,
businesses must apply more stringent security
measures to protect privacy—and ultimately build
and maintain trust with customers. The first step
is understanding the building blocks of digital
trust, which include how expectations vary
by demographics, including generation, culture
and background. (For more information, see the
Accenture point of view “The Four Keys to Digital
Trust” as well as the Accenture Digital Trust report.)
The second step is building customized services and
guarantees that appeal to the various aspirations
of individual business customers or end consumers,
whether they expect enhanced services in exchange
for their data or more protection for it.
Build trust by taking transparency seriously
Unintentionally or purposely misleading customers
contributes to their distrust. Unfortunately, some
businesses seem to forget about this principle. One
company, for instance, launched an experiment to
study the effects of manipulating customers’ posts;
another company modified customer profiles and
ran analytics to determine which profile improved
their matching services. Not surprisingly, both
attempts backfired with customers, causing ethical
debates and negative press.
Businesses should be more transparent about what
data they collect about customers and how they use
it. Some companies are opaque about their practices,
including not informing customers how they share
data with third parties or how they collect it from
data brokers to sell. Other businesses may think
that the value of the data derives from keeping it
inaccessible to customers, just like credit scoring
data. However, this lack of transparency is raising
many consumer concerns, and the Federal Trade
Commission (FTC) published a report in May 2014
calling on data brokers for more transparency and
accountability.17
Follow basic data protection guidelines
According to the TRUSTe consumer confidence
index, 89 percent of Internet users in the US
would avoid doing business with companies that
do not protect their privacy.18 Data breaches
further complicate the matter—not only in terms
of litigation costs, but also reputation damage
and customer flight. In order to limit their liability,
businesses need to enforce encryption and
responsible data management practices that protect
customers’ personal data. According to a Ponemon
study conducted in October 2014, four out of five IT
practitioners acknowledged that their organizations
do not use a strict least-privilege data model, where
each user or program is allowed the minimal access
privilege just to the information and resources that
are necessary for a legitimate task.19
Take advantage of privacy-preserving analytics
Managing and protecting the increasingly large sets
of personal data while running useful analytics on
them is not a trivial task. However, businesses do
not have to lock up all the data in order to avoid
a privacy risk. For instance, TrustLayers offers a
platform that seeks to provide privacy intelligence
for big data and help businesses to efficiently use
personal data while monitoring whether their teams
are following privacy policies.20
The privacy risk is exacerbated by advances made
in data mining technologies. Therefore, companies
should consider privacy-preserving data mining
techniques, which seek to balance the utility of
data acquisition with privacy protection. The risk
of leaking sensitive data is limited by modifying
the data in such a way so as to perform analytics
effectively, while safeguarding sensitive information
from unauthorized disclosure and releasing only
aggregate data. Various techniques exist for all the
steps of the analytics process—from data collection,
to data mining, to sharing and delivery of the
insights extracted from data. Businesses should
explore techniques such as differential privacy and
distributed data mining in order to identify the
most suitable technique for the application that
they need.21, 22
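An added illustration of the differential privacy technique named above (not code from this report or from the cited survey): a count query answered with Laplace noise, with a total privacy budget that caps how much can be learned through repeated queries. The record fields, class and function names, and epsilon values are assumptions made for the example.

```python
import random

# Constructed sample data: eight fictional customer records.
RECORDS = [
    {"id": 1, "age": 34, "wearable": True},
    {"id": 2, "age": 51, "wearable": False},
    {"id": 3, "age": 27, "wearable": True},
    {"id": 4, "age": 45, "wearable": True},
    {"id": 5, "age": 62, "wearable": False},
    {"id": 6, "age": 38, "wearable": True},
    {"id": 7, "age": 29, "wearable": False},
    {"id": 8, "age": 56, "wearable": True},
]


class BudgetExhausted(Exception):
    """Raised when a query would exceed the total privacy budget."""


class PrivateCounter:
    """Releases only noisy aggregate counts (epsilon-differential privacy)."""

    def __init__(self, records, total_epsilon, seed=None):
        self._records = list(records)
        self._remaining = float(total_epsilon)
        # Seedable generator so the example is repeatable. Naive floating-point
        # Laplace sampling has known weaknesses; production systems should use
        # a vetted differential-privacy library instead.
        self._rng = random.Random(seed)

    @property
    def remaining_budget(self):
        return self._remaining

    def _laplace(self, scale):
        # The difference of two independent exponentials with mean `scale`
        # is Laplace-distributed with location 0 and that scale.
        rate = 1.0 / scale
        return self._rng.expovariate(rate) - self._rng.expovariate(rate)

    def count(self, predicate, epsilon):
        """Return a noisy count of the records matching `predicate`."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self._remaining:
            raise BudgetExhausted("privacy budget spent; refuse the query")
        # Sequential composition: the epsilons of successive queries add up.
        self._remaining -= epsilon
        true_count = sum(1 for r in self._records if predicate(r))
        # Adding or removing one person changes a count by at most 1
        # (sensitivity 1), so the noise scale is 1 / epsilon.
        return true_count + self._laplace(1.0 / epsilon)


def owns_wearable(record):
    return record["wearable"]


if __name__ == "__main__":
    counter = PrivateCounter(RECORDS, total_epsilon=1.0, seed=2015)
    print("noisy count:", round(counter.count(owns_wearable, epsilon=0.5), 2))
    print("budget left:", counter.remaining_budget)
```

A smaller epsilon gives stronger privacy and noisier answers; once the budget is spent, further queries are refused rather than answered with fresh noise that could be averaged away.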
Innovate to appeal to privacy-wary customers
To build customers’ trust, businesses are beginning
to apply enhanced services that protect their
privacy and digital footprint beyond VPN access to
their services. Facebook, for example, launched a
Tor hidden service.23 The users of the social media
service can stay anonymous as their connections
go through three extra encrypted hops to random
computers around the world, making it difficult
for eavesdroppers to observe their traffic or trace
it back to their origin. Similarly, Apple decided
to relinquish access to customer data on iCloud.
Encryption keys created on the customer’s device
are used to encrypt the data on iCloud. Apple has
no access to these iCloud keychain encryption keys,
and therefore is not able to decrypt user data stored
on iCloud.24
Businesses should also consider innovative
approaches to convince customers to share more
data, including providing rewards in return for
data sharing, or even offering anonymous services
to appeal to more privacy-conscious consumers.
Global identity validation services such as BeehiveID
or ID.me could be used instead of social media
logins to allow customers to have more control
over their data while ensuring businesses protect
their identity. Anonymous credentials represent a
powerful solution for preventing even colluding
credential issuers and verifiers from identifying and
tracking users. These technologies can alleviate trust
concerns regarding centralized credential providers
that can make a statement about identity on the
Internet, as these providers get more visibility into
users’ entire online activities.
Businesses can also explore emerging techniques
to offer anonymous credentials as a basis for
constructing untraceable electronic payment
systems, or “e-cash.” One example of these
techniques is a new protocol named “Zerocash,”
which adds cryptographically unlinkable electronic
payments to the Bitcoin currency.25
Empower customers with tools
Consumers in the UK and US now have access
to Internet company ratings based on their data
stewardship practices published by Fair Data and
the Electronic Frontier Foundation.26 With more
information about businesses’ privacy and data
protection practices, customers can make better
informed choices. They also have more tools at their
disposal to help them hide their data or decide
which businesses to share it with.
For instance, Ghostery is a privacy tool that helps
customers control which businesses can track their
web browsing behavior. Meeco is a life management
platform that enables people to collect their
personal data while being more anonymous. By
acknowledging and honoring customers’ desire for
greater control over their own privacy and how
they trade their data in the emerging Internet of
Me, businesses can increase their trust factor with
customers. This is just the beginning of a much
longer privacy journey the technology community
is embarking upon; until these protections become
federated and transparent to end users, they are
unlikely to be widely used. As such, this space
will see many shifts and innovations over the
coming years.
Conclusion
Accenture recommends that businesses be vigilant
with their security and privacy practices so
that they neither compromise their customers’
experiences nor lose their trust. Following truly
proactive and ethical data stewardship practices,
and offering enhanced services that are consistent
with customers’ expectations of privacy and
personalized seamless experiences, will strengthen
trust and participation in the digital economy.
REFERENCES
1 Building the Internet of Things, October 2014, https://s3.amazonaws.com/cdn.iotwf.com/breakouts/2014/H-ARC-01_Cisco-Intel-IBM_FINAL.pdf
2 Shellshock Attacks Hit Major NAS Kit; IoT Next?, Infosecurity, October 2, 2014, http://www.infosecurity-magazine.com/news/shellshock-attacks-hit-major-nas/
3 Transform Business With Intelligent Gateways, Intel, http://www.intel.com/content/www/us/en/internet-of-things/gateway-solutions.html
4 Fog Computing, Ecosystem, Architecture and Applications, http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp13078.html
5 The IoT Application Factory, http://www.foghorn-systems.co/
6 The State of Data Quality: Current Practices and Evolving Trends, Gartner, December 11, 2013, https://www.gartner.com/doc/2636315/state-data-quality-current-practices
7 Market Guide for Data-Centric Audit and Protection, Gartner, November 21, 2014, https://www.gartner.com/doc/2920220?ref=SiteSearch&sthkw=Market%20Guide%20for%20Data-Centric%20Audit%20and%20Protection&fnl=search&srcId=1-3478922254
8 Magic Quadrant for Data Quality Tools, Gartner, November 26, 2014, http://www.gartner.com/technology/reprints.do?id=1-259U63Q&ct=141126&st=sb
9 Framework for Improving Critical Infrastructure Cybersecurity, National Institute for Standards and Technology, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
10 Obama’s ‘Big Data’ Privacy Plans Get Big Lift From Lawmakers, Reuters, February 5, 2015, http://www.reuters.com/article/2015/02/05/us-usa-privacy-exclusive-idUSKBN0L90D320150205; Fact Sheet: Big Data and Privacy Working Group Review, The White House, May 1, 2014, http://www.whitehouse.gov/the-press-office/2014/05/01/fact-sheet-big-data-and-privacy-working-group-review
11 Anthem Hacked—US Health Insurance Provider Leaks 70 Million Records, Darknet.org UK, February 5, 2015, http://www.darknet.org.uk/2015/02/anthem-hacked-us-health-insurance-provider-leaks-70-million-record
12 Cloudera acquires big data encryption specialist Gazzang, Gigaom, June 3, 2014, https://gigaom.com/2014/06/03/cloudera-acquires-big-data-encryption-specialist-gazzang/
13 BMW Update Kills Bug In 2.2 Million Cars That Left Doors Wide Open To Hackers, Forbes.com, February 2, 2015, http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/
14 http://www.whitehouse.gov/the-press-office/2015/02/11/remarks-prepared-delivery-assistant-president-homeland-security-and-coun; http://www.usnews.com/news/articles/2015/02/10/new-cybersecurity-agency-to-aid-in-battle-against-hackers
15 DevOps, Accenture, Login required, http://devops.accenture.com/
16 Gartner predicts a customer experience battlefield, http://gartnernews.com/gartner-predicts-a-customer-experience-battlefield/
17 FTC Report: Data Brokers—A Call for Transparency and Accountability (May 2014), http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
18 2014 TRUSTe US Consumer Confidence Index, http://www.truste.com/us-consumer-confidence-index-2014/
19 Corporate Data: A Protected Asset or a Ticking Time Bomb? http://www.varonis.com/research/why-are-data-breaches-happening/
20 The first scalable data use protection platform, TrustLayers. http://trustlayers.com/
21 Differential Privacy: A Survey of Results, Cynthia Dwork, Microsoft Research, http://research.microsoft.com/pubs/74339/dwork_tamc.pdf
22 Distributed Data Mining: Algorithms, Systems, and Applications, Byung-Hoon Park and Hillol Kargupta, University of Maryland, http://www.csee.umbc.edu/~hillol/PUBS/review.pdf
23 Why Facebook Just Launched Its Own ‘Dark Web’ Site, Wired, October 31, 2014, http://www.wired.com/2014/10/facebook-tor-dark-site/
24 iCloud Security and Privacy Overview, http://support.apple.com/en-us/HT202303
25 Zerocash Project, http://zerocash-project.org/
26 Welcome to FairData, http://www.fairdata.org.uk/; Protecting Your Data From Government Requests, Electronic Frontier Foundation, 2014, https://www.eff.org/who-has-your-back-2014
Copyright © 2015 Accenture All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 15-0911U
CONTACTS
For more information:
Prith Banerjee
Lisa O’Connor
Malek Ben Salem
accenture.com/technologyvision
About Accenture
Accenture is a global management consulting,
technology services and outsourcing company,
with approximately 319,000 people serving
clients in more than 120 countries. Combining
unparalleled experience, comprehensive
capabilities across all industries and business
functions, and extensive research on the world’s
most successful companies, Accenture collaborates
with clients to help them become high-performance
businesses and governments. The company
generated net revenues of US$30.0 billion for
the fiscal year ended Aug. 31, 2014. Its home
page is www.accenture.com.