The aim of Digital Security is to strike the right balance between the economic growth of IoT and security compliance. Founded in June 2015 with the support of Econocom Group, Digital Security set up the first European CERT dedicated to IoT security and provides audit and consulting services for corporations and startups alike.
So what does providing security for the IoT ecosystem entail? How to help companies develop more secure services and processes? We found out from Jean-Claude Tapia, Chairman of Digital Security.
Digital Security came about as a result of a meeting between Econocom Group and a group of experts and consultants who believe that the security models deployed in companies aren’t adapted to the specific characteristics of the digital world. The man behind this project: Cédric Messeguer, an entrepreneur who decided to join forces with Econocom and thus benefit from the backing of a major digital services group, whilst maintaining a degree of independence, which is essential to remain agile and responsive.
Cédric Messeguer is still Managing Director of Digital Security, whilst Jean-Claude Tapia was appointed Chairman. When he joined Digital Security, the former Managing Director and VP of Orange Cyberdéfense was looking to regain the entrepreneurial spirit, agility and close relationship with his employees that he felt he’d lost. His role is to drive the company’s strategy and ensure it’s in line with Econocom Group’s development project.
Digital Security was founded in June 2015: what’s the situation now?
Jean-Claude Tapia: We currently employ about thirty people. 70% of them come from very technical backgrounds: IT, telecoms, radiofrequency and electronics experts. Because with connected devices, you need more than just IT expertise.
The other 30% of employees are consultants who give strategic and functional support for the digital transformation of companies, their processes, services and environment.
“We don’t talk so much of IoT as IoT ecosystems. A connected device, if it contains data that needs to be protected, is usually part of a complex value chain which requires an overview of the technological (multiple operating systems and communication protocols) and functional aspects of security, i.e. which focuses on uses, threats, behaviour, and monitoring and operational processes.”
IT’S NOT JUST DATA PROTECTION, BUT SAFETY
What are the implications of IoT security?
It’s been predicted there’ll be 80 billion connected devices by 2020, in all sectors. So the security implications are huge. What immediately springs to mind is confidentiality and theft of personal data, of course, but there’s much more to it than that: it’s about protecting the physical integrity of people and our environment.
“The thing about connected devices is that they bring the physical and virtual world together: there are more and more systems to monitor medical devices (insulin pumps), industrial devices (smart meters, measuring instruments), on-board systems in cars, trains, planes, etc.”
The Agence Nationale de la Sécurité des Systèmes d’Information, a division of the French defence and security ministry in charge of IT security, recently stressed the potentially fatal risks of rolling out IoT in the healthcare sector.
Due to the time-to-market, the first generation of connected devices has a high risk exposure. Industrial players didn’t implement the necessary security measures from the outset and are only just starting to do so now.
“It’s a major issue, because the security of connected devices and their ecosystems is essential for economic life – and for life itself!”
HOW SECURITY CAN BECOME AN OPPORTUNITY FOR ORGANISATIONS
What exactly do you do?
Our core business is consulting and audit, which involves assisting organisations with their digital transformation. When a company is planning to develop a new service or change the way it operates by deploying digital, it’s our job to make sure that security is taken into account right from the outset.
During the preliminary audit phase, we decide what the security requirements and objectives are, but we also look for the opportunities that can arise from security.
“Security shouldn’t be seen as a constraint or something that has no added value: it can be a differentiating factor for a company and help it create a new service or create collaborative spaces, for example.”
From the very beginning, we look at the requirements and opportunities in conjunction with IT and the business lines. We then offer support at each phase of the project before applying an asset management rationale. So once the service or process is up and running, we monitor its level of exposure, because technologies and threats are constantly evolving.
THE FIRST CERT DEDICATED TO IOT
Our other activity is much more operational: we’re developing the first dedicated IoT CERT™.
A CERT™ – Computer Emergency Response Team – is an operational entity that provides preventive and reactive services. Preventive services can be, for example, monitoring a process or service to ensure the risk level doesn’t increase and that security objectives are achieved. To do that, we draw up a checklist depending on the rules laid down, and then we determine whether security has been implemented as planned. As the environment changes, new vulnerabilities and threats can emerge. So one of the other things we do is monitor our clients’ digital environment and look out for such changes.
Reactive services, meanwhile, involve monitoring IoT ecosystems in order to detect, as early as possible, any attacks, threats or events deemed unusual or inappropriate. We then notify the company of these events, and, if there’s a known incident, we help them resolve it. Once the incident is resolved or contained, we conduct a sort of post-mortem to ascertain what happened and prevent it from happening again.
ALL INDUSTRY SECTORS ARE CONCERNED
Any company can ask us to monitor a process, service or ecosystem. There are lots of applications covering all areas of activity: for example, smart monitoring or collection systems. We’ll either analyse these systems proactively and provide remedial solutions to reduce vulnerabilities, or limit the impact of a threat and monitor the system, which involves working with the company to draw up a recurring process to monitor the service regularly and make sure there are no unexpected events.
We’re also developing a test platform (testbed) that our industrial clients can use: they can ask us to test a product or service in accordance with pre-established protocols before they deploy it.
OFFERING NEW MODELS, FOR MAJOR CORPORATIONS AND INNOVATIVE STARTUPS
The mass arrival of digital is leading us to devise new security models that focus more on uses, protecting the essential elements and cooperation between stakeholders.
“There can be no security unless all the stakeholders – clients or end-users, service providers, authorities, industrials, etc. – implement processes to set up alerts and organise a coordinated response in the event of attacks or threats.”
Our clients are key accounts: banks, industries and government bodies. We’ve worked with major groups such as Total, BNP, La Poste, Orange, etc., as well as innovative SMBs and startups who want us to assess the robustness, resilience and security of their products before they put them on the market.
“We’re part of a value chain: we work with both the business lines and the people who support the technologies.”
Typically, the business line is held responsible for the accepted risk levels and IT is seen as backup, whereas effective digital security has to be part of a holistic approach with a joint effort from IT and the business lines.