Security Implications of the Accenture Technology Vision 2015

Feb 14, 2017

Digital Business Era: Stretch Your Boundaries

FOREWORD

The Accenture Technology Vision 2015 outlines how leading businesses are stretching their boundaries in the digital era—and beginning to create the fabric connecting customers, services and devices through the Internet of Things. In the process, they are striving to disrupt and reshape entire markets. Most importantly, they are looking to collaborate in the “We Economy” to tackle global challenges that transcend business and industry borders.

Operating in this broad digital ecosystem promises great opportunity for the leaders of tomorrow. It also brings new security implications that businesses need to address proactively in order to succeed. This year, Accenture found that security is a central tenet across all of the trends described in the Vision 2015. Specifically, security is a top priority to:

• Protect connected Internet of Things edge devices that businesses use to deliver results in the Outcome Economy, while assuring data integrity to enable decision making at the edge.
• Ensure businesses can ingest, process and generate insights from big, diverse data as they leverage digital platforms and share data through the Platform (R)evolution.
• Transform into Intelligent Enterprises that rely on smart software (automation, machine learning and cognitive computing), and a collaborative model of humans and machines in a Workforce Reimagined.
• Build customer trust as businesses deliver highly personalized products and targeted services in the Internet of Me era.

Since security is the foundation for these trends, we are focusing this year’s Security Implications of the Accenture Technology Vision on five themes that will help prepare businesses to stretch their digital boundaries:

• Enabling Autonomous Devices at the Edge
• Making Data-Driven Decisions at Internet of Things Scale
• Securing the Three Vs (Volume, Variety and Velocity) of Big Data
• Maximizing Protection across Digital Ecosystem Platforms
• Building Customer Trust in a Digital Economy

I invite you to read the paper and contact Accenture to discuss innovative ways to secure the new digital ecosystem, expand the fabric of our connectedness, and enable a rich and trusted customer experience in our shared digital future.

Lisa O’Connor
Managing Director, Security Research and Development
Accenture Technology Labs

CHAPTER 1

Edge Autonomy: Enabling autonomous devices at the edge

What is the security impact of using IoT edge devices to enable business decisions?

The Accenture Technology Vision 2015 highlights how the rapidly growing Internet of Things (IoT) is introducing billions of embedded sensors, smart machines, wearable devices and connected industrial equipment. Businesses are beginning to interconnect these “things” to enable the delivery of intelligent products and services through the digital ecosystem. In time, this connected intelligence will be used to deliver what customers really want: results, or what Accenture calls the Outcome Economy.

From a security standpoint, however, the IoT presents new risk as well as new opportunity—an expanded attack surface with new vectors of vulnerability across connected systems and distributed devices. Most devices at the edge currently exchange data and send the information back to a centralized infrastructure or cloud for further processing. But as businesses extend existing cloud capabilities and develop new services, more intelligence and autonomous decision making will be pushed to the edge. This is already a reality in several cities that have implemented smart parking systems to make real-time pricing changes and reduce traffic congestion. The benefits of moving business decisions to edge devices must be balanced with the security risks and potential limitations of those devices and their environment.

In October 2014, the IoT World Forum Architecture Committee published a seven-layer IoT reference model, in which layer three is edge computing.[1] This layer is responsible for facilitating connectivity and analysis between physical devices, applications and business processes. As more businesses embrace this framework, securing the edge computing layer will be critical in enabling trustworthy business decisions. Fundamental processes like the ability of edge devices to authenticate, authorize and discover other devices and services will need to be analyzed through the security lens.

Prioritize protecting edge devices

Unlike traditional computing devices, IoT edge devices are typically embedded sensors and controllers with fixed functions and the ability to perform specific tasks. Smart meters, for example, allow two-way information flow between the electricity utility and customers. Traditionally, these devices are deployed outside the security perimeter and, in some cases, directly connected to the Internet. Since many device developers are not security specialists with a thorough understanding of potential threats, physical protections are not universal features of IoT edge devices. As a result, there are numerous ways to physically tamper with them.

For legacy devices, businesses may choose to retrofit them with new capabilities to make them a part of their connected infrastructure. For example, manufacturing companies increasingly integrate their industrial systems in the field to optimize decision making and production. However, this may make it more difficult to implement authentication, authorization or encryption controls on these modified devices. Fully protecting this range of distributed devices will require businesses to emphasize and extend their security footprint far beyond existing borders.

Boost security for edge device infrastructure

As businesses delegate increased authority to edge devices, they will need to pay even more attention to fundamental security controls like data protection, auditability, privilege management, vulnerability management, device authentication and network segmentation. The Shellshock vulnerability affected not only Linux-based servers and desktops, but also many IoT devices that used some variants of Linux.[2] Exacerbating this issue was the lack of patching or anomalous activity detection capabilities in these devices. To avoid similar challenges, businesses must invest in ecosystem hygiene—integrating techniques to patch and securely update IoT devices and their configurations to reduce the impact of vulnerabilities spreading through the environment.

Establishing trust zones, wherein enterprise resources with similar security requirements are placed in the same network segment, has proven to be an effective risk mitigation technique in various enterprise systems. Businesses can extend this practice to edge infrastructure where devices need to be separated by their inherent capabilities and security features. It will be important to allow edge devices to communicate across different trust zones as network topologies are modified. To enable business decisions at the edge, businesses must ensure that edge device interaction is governed by appropriate authentication and algorithms that can take autonomous actions, and that the actions being performed are authorized.

Intel’s IoT Gateway is an example of a solution to extend the capabilities of legacy devices and connect them to a next-generation intelligent infrastructure.[3] This platform enables businesses to set up secure connections between devices in different trust zones, as well as build custom applications to manage authentication and authorization. The platform includes security management capabilities for resource-constrained devices, enabling cloud connectivity and more.

Yet another way for businesses to boost security is to implement on edge devices foundational security controls like immutable identification and whitelisting of allowable agents and applications.

Include system context in security planning

As more decisions are made at the edge rather than at the core controller, context-awareness capabilities will underpin real-time decision making. Businesses should make sure intrusion detection and mitigation techniques take into account device behavior, its relationship with other devices and the overall context of services being provided. Is the device providing mission-critical data? Is it passively collecting data, or also responding and actuating? Is it part of a cohort of devices that depend on each other for decision making?

Security planning needs to be holistic, taking into account the entire context of the system. Context dependence will drive physical and logical security models. To that end, Cisco is developing a distributed computing infrastructure to support edge analytics, which it calls “fog computing.”[4] Using Cisco’s IOx capability, businesses can develop, manage and run applications that are closer to where actionable data is generated, and then delegate authority for pre-specified decision making. They can also build security capabilities using the IOx platform and develop use cases that expand security planning to perimeter and edge devices. Solutions like this will help businesses understand the interactions of devices, profile their activities and respond appropriately.

Manage edge intelligence with new governance model

Data governance, communication and privacy models must keep pace with new frameworks and architectures being introduced to build end-to-end IoT systems. As edge devices communicate and make decisions based off telemetry from various sources, it will be critical for businesses to maintain supervisory control. The nature of control needed will drive ecosystem requirements—such as determining whether cloud or private network solutions are preferred. Businesses need to architect a hierarchical supervisory controls model that optimizes the right security controls for the right business processes to achieve the full benefit of a flexible infrastructure.

Unfortunately, security planning must also anticipate the likelihood of a breach—no organization seems immune from attack. During a cyber-attack, the supervisory control model must balance requirements for resiliency and availability—minimizing downtime—for ongoing device operations. Mocana, a company that focuses on securing non-traditional endpoints, has developed an IoT device framework for protecting edge data and enterprise communications. This framework consists of a range of capabilities—including key management, secure wireless and strong encryption—required for management of a distributed IoT infrastructure. Mocana also provides an API for rapid deployment of secure IoT devices that conform to business requirements and governance models.

Another option comes from FogHorn Systems, which is developing an IoT application deployment platform that supports delivery and management of host applications embedded in edge devices.[5] Businesses can use the platform to distribute applications from platform-as-a-service (PaaS) to onsite sensor networks. The FogHorn Edge Platform delivers service level agreement (SLA)-sensitive security applications to the edge, which can be triggered based on specific conditions.

Conclusion

Edge devices will have a profound impact on the security infrastructure, as IoT becomes an integral part of business in the digital ecosystem. Accenture recommends that businesses work to understand and proactively address the security implications of decisions being made at the edge. Managing and safeguarding edge devices, as well as the end-to-end set of technologies that enable intelligent decisions, will be essential to future operations.

CHAPTER 2

Data Integrity: Making data-driven decisions at Internet of Things scale

How can businesses make sure edge data is reliable for analytics?

As the IoT proliferates, businesses will use data passed between interconnected devices, applications and processes to determine customer context, and then collaborate through platforms to provide the intelligent products and services that customers desire in the Outcome Economy. A connected digital ecosystem, combined with edge computing and smart machine-to-machine communications, will also expand the possibilities for using data collected from IoT devices to drive significantly faster decisions.

However, as businesses collect, process and analyze increasingly larger data sets from devices at the edge, they must make sure they can rely on the integrity of that data to make decisions. According to a recent Gartner survey, the annual financial impact of inaccurate and poor quality data on businesses is, on average, $14.2 million. In the world of IoT, this will only be magnified.[6]

In order to optimize decisions, businesses will need assurance that their edge data is accurate, authentic and complete. This is especially critical as Intelligent Enterprises transition toward using software intelligence, in which applications and tools become smarter using technologies to trigger automatic action and make more informed business decisions. Even in today’s world, entire supply chains can be disrupted if data sent by the production floor, storage warehouses or distribution channels is inaccurate because of anything from malfunctioning sensors to intentional manipulation. Compound this with the scale and speed of IoT, and the ripple effect of bad decisions based on bad data can spread quickly.

Protect data on edge devices

Since many edge devices do not have effective authentication, authorization or encryption controls, businesses should evaluate the use of IoT gateways/agents that specialize in providing data assurance. Freescale, an embedded-solution vendor, has released products that provide strong security controls, including data integrity checks, to IoT devices. The company uses a combination of cryptographic modules, trust and platform assurance technologies, and signature detection to support security requirements of a trusted IoT architecture. Qualcomm is also developing smart gateways to address IoT security requirements by incorporating strong encryption and trusted platform principles. Although the architecture and use cases of these gateways differ, each supports communication with a connected infrastructure and enables new services.

Implement assurance that scales

The ever-increasing flow of data and customer information needed to fuel the digital business brings with it ever-increasing security and privacy challenges. Sensors and embedded devices enhance the infrastructure’s ability to collect data, and with it the ability to run more complex analytics. As a rite of passage, businesses must demonstrate they can maintain data integrity through every stage of the data lifecycle. And if personal information is being collected from consumers, then effective data retention, usage and sharing policies must be implemented. All along this flowing river of information will be numerous opportunities for third parties to either accidentally, or maliciously, alter the data. The impact of the initial decisions could cascade beyond the local system to an enterprise network or cloud.

Businesses should use data-level security approaches that enforce policies through the entire lifecycle—from creation to disposal—as potential solutions to data governance and integrity challenges. Several data-centric security technologies aim to provide data protection enforcement policies across multiple platforms. Voltage Security (recently acquired by HP), Informatica and Protegrity are examples of companies that have developed focused solutions with data-centric capabilities like data classification and discovery, data security policy management, monitoring of user privileges and activity, auditing and reporting, and data protection.[7]

Low quality and low assurance data adds noise to the decision-making process, increasing the overall cost of extracting insights. As businesses establish infrastructure to collect and process data at speed and scale, they should implement data assurance and audit frameworks that scale to match. Businesses must also consider adding data quality tools designed for big data applications since collecting, processing and maintaining IoT data is a big data exercise. Gartner’s Magic Quadrant for Data Quality Tools provides an insightful snapshot of the current vendor landscape and their tools’ capabilities to handle data as an asset.[8]

Tie IoT protocols to business models

Businesses must also be aware of the data assurance limitations of communication protocols. Higher-level IoT communication protocols like MQTT, CoAP, DDS, 6LoWPAN, ZigBee, Modbus and WirelessHART offer different security capabilities based on which underlying networking protocol is used. For example, CoAP is built on User Datagram Protocol (UDP) and, as a result, cannot provide protocol security such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). 6LoWPAN is built on IPv6, which has its own set of vulnerabilities.

NIST’s Framework for Improving Critical Infrastructure Cybersecurity provides a mechanism for using business drivers to help guide security activities, consider security risks and select an appropriate communication protocol to manage the business risk profile.[9] While the framework targets critical infrastructure operators, there are best practices applicable to businesses considering expanding their IoT footprint. As businesses deploy new edge devices and management platforms, they should also take into account data assurance limitations of the communication protocols. In order to select a protocol with the right set of features while mitigating risk, it is important to consider application deployment, infrastructure management and security requirements.

Conclusion

As businesses look for new ways to gain insight from data, developing and maintaining a data assurance program should be at the center of their IoT strategy. Businesses need a framework that governs data assurance across edge infrastructure and instills a higher level of confidence in data-driven decisions. To maximize the potential benefits of the IoT, Accenture recommends building a data assurance program that directly ties to the business model and enables more informed decisions based on accurate data.

CHAPTER 3

Big Data Security: Securing the three Vs

What security controls will scale to protect big data?

Businesses are experiencing exponential growth in data as more devices get deployed at the edge and business processes become increasingly digital—causing their data repositories to reach capacity. For Intelligent Enterprises to fully reap the benefits of software intelligence and embrace a collaborative workforce model of humans and machines (or what Accenture deems Workforce Reimagined), it will be critical to securely process and protect big data. For instance, evaluating and optimizing the performance of human and machine interactions as they work side by side, and “teaching” machines to evolve as the task changes, will all be based on big data analytics.

While big data presents a multitude of business opportunities to generate insights and guide actions, it also presents substantive privacy concerns. As part of a strategy to strengthen cyber laws, the US President recently announced a privacy plan for big data, which includes policy recommendations and pending draft legislation to protect consumers’ privacy.[10] But despite new compliance requirements, big data breaches are on the rise. Businesses are finding it more difficult to secure big data, especially as traditional database management systems cannot scale enough to handle the data volume, acquisition velocity or data variety–what is often referred to as the three Vs.

The volume challenge

Few businesses have mastered the concepts and techniques of effective data protection. To deal with the volume, computations on big data are processed in parallel, often using MapReduce-like frameworks, where distributed mappers independently process local data during the Map operation, before reducers process each group of output data in parallel. Google originally created Hadoop—the open source implementation of the MapReduce programming model—to store and process public website links; security and privacy were an afterthought. Since security is not inherent, it is difficult to retrofit mappers that perform data analytics with security. In order to secure the computations in these distributed frameworks, businesses must also ensure that the data is secured against potentially compromised mappers.

The variety challenge

Big data is composed of a variety of data elements, which makes it subject to different regulatory and compliance requirements. For example, an insurance company that collects medical records and financial information about its customers may have to build different data stores for each type of data.[11] Since different stakeholders require access to various subsets of data, businesses must use encryption solutions that enable fine-grained access and operations on the data. Today, many organizations still deal with the big data challenge by creating a data lake, a huge repository of raw data in its native format. Such organizations probably need to revisit their data storage practices, segregating that data based on sensitivity level and compliance requirements, and then applying proper security controls.

The velocity challenge

Businesses do not always know in advance the sensitivity levels of big data because it is being collected in real-time (streaming data) or near real-time. Some data items may not look sensitive on their own, but could reveal private details when combined with other pieces of information; in the aggregate, the data might result in a comprehensive picture that requires protection. To manage the data velocity, businesses should perform data sensitivity analysis more frequently, and apply the right security policy and access controls while the data is fresh.

Secure big data processing platforms

As organizations build big data repositories and apply big data analytics, various types of data are mixed together, such as business performance and sensor information. When that data combines, it becomes a target. To ensure that only the proper people and algorithms have access, it is vital to secure big data platforms and monitor access through a combination of security controls.

More security features are fortunately moving into big data platforms. Hadoop now offers Kerberos-based authentication, which can also be integrated with LDAP and Active Directory for security policy enforcement. Zettaset’s sHadoop was designed to mitigate Hadoop’s known architectural and input validation issues, and improve user-role audit tracking and user-level security for Hadoop. sHadoop also gives administrators the ability to establish and store a baseline security policy for all users, which can be compared against the current security policy. Finally, sHadoop offers encryption for data at rest and in motion as it gets transmitted between Hadoop nodes.

Another option for big data protection is Gazzang (purchased by Cloudera in 2014), which offers a product for end-to-end encryption of data stored and processed in Hadoop environments, data coming from streaming engines such as Apache Sqoop, metadata, and configuration information about a Hadoop cluster. Cloudera is also partnering with Intel on a chip-level encryption initiative called Project Rhino.[12]

Embed security into data

Most businesses choose to build their big data environment in the cloud, where all-or-nothing retrieval policies of encrypted data may push them to store data unencrypted. In these situations, businesses should consider attribute-based encryption to help protect sensitive data and enable fine-grained access controls and encryption. With this technique, the attributes of a secret key are mathematically incorporated into the key itself. When attempting to access an encrypted file, policy checking within the decryption process checks that the policy is satisfied—the cloud does not know the individual file access policies.

Sqrrl Enterprise, another big data platform, takes a data-centric security approach: data is embedded with security information that determines access and governance. Fine-grained access control is enabled at the cell level by evaluating a set of visibility labels that are embedded within the data each time a user attempts an operation on that data. Even search indexes, which may constitute a source of data leakage, are secured through term-level security, ensuring that indexing respects the security policies of the underlying data elements. The platform is built on top of Accumulo, a distributed, hybrid column-oriented, key-value data store originally developed by the National Security Agency, and later submitted to the Apache Foundation.
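
The cell-level label check and the label-aware search index described above, sketched as an added Python example (not code from Sqrrl, Accumulo or the original paper). The label syntax is modelled on Accumulo-style `&`/`|` visibility expressions; the cells, authorization names and function names are constructed for illustration.

```python
import re

# Constructed sample cells: (row, column, visibility label, value).
CELLS = [
    ("cust-001", "name", "", "Ana Ruiz"),
    ("cust-001", "diagnosis", "medical&(doctor|auditor)", "asthma"),
    ("cust-001", "balance", "finance|auditor", "1200"),
    ("cust-002", "name", "", "Bo Chen"),
    ("cust-002", "diagnosis", "medical&doctor", "asthma"),
]

_TOKEN = re.compile(r"\s*([A-Za-z0-9_.:-]+|[&|()])")


def tokenize(label):
    """Split a label into authorization terms, operators and parentheses."""
    label = label.strip()
    tokens, pos = [], 0
    while pos < len(label):
        match = _TOKEN.match(label, pos)
        if match is None:
            raise ValueError(f"bad character at offset {pos} in {label!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def _parse_operand(tokens, i, auths):
    if i >= len(tokens):
        raise ValueError("label ends unexpectedly")
    tok = tokens[i]
    if tok == "(":
        value, i = _parse_expr(tokens, i + 1, auths)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing closing parenthesis")
        return value, i + 1
    if tok in ("&", "|", ")"):
        raise ValueError(f"unexpected {tok!r}")
    return tok in auths, i + 1  # a bare term is true if the user holds it


def _parse_expr(tokens, i, auths):
    """Operands joined by one operator kind; mixing kinds needs parentheses."""
    value, i = _parse_operand(tokens, i, auths)
    op = None
    while i < len(tokens) and tokens[i] in ("&", "|"):
        if op is None:
            op = tokens[i]
        elif tokens[i] != op:
            raise ValueError("mixing & and | requires parentheses")
        rhs, i = _parse_operand(tokens, i + 1, auths)
        value = (value and rhs) if op == "&" else (value or rhs)
    return value, i


def is_visible(label, auths):
    """Evaluate a visibility label against the caller's authorizations."""
    tokens = tokenize(label)
    if not tokens:
        return True  # an empty label means the cell is visible to everyone
    value, i = _parse_expr(tokens, 0, auths)
    if i != len(tokens):
        raise ValueError("trailing tokens in label")
    return value


def cell_visible(label, auths):
    """Fail closed: a malformed label hides the cell instead of exposing it."""
    try:
        return is_visible(label, auths)
    except ValueError:
        return False


def scan(cells, auths):
    """Return only the cells whose label the caller satisfies."""
    return [(r, c, v) for r, c, label, v in cells if cell_visible(label, auths)]


def build_index(cells):
    """Inverted index whose postings carry the label of the source cell."""
    index = {}
    for row, column, label, value in cells:
        for term in value.lower().split():
            index.setdefault(term, []).append((label, row, column))
    return index


def search(index, term, auths):
    """Rows matching `term`, filtered posting by posting with the cell label."""
    hits = []
    for label, row, _column in index.get(term.lower(), []):
        if cell_visible(label, auths) and row not in hits:
            hits.append(row)
    return hits
```

Because each index posting keeps the label of the cell it came from, a search for a term returns a row only to callers who could have read that cell directly; an index without labels would reveal which rows contain the term.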

Conclusion

Hadoop and other big data platforms are helping businesses analyze and derive insights in entirely new ways. To tap into the full benefit, however, businesses must amplify security measures to protect their information assets and reduce risk. Accenture recommends businesses apply the basic principles of information security to big data platforms, but progressively narrow the perimeter around enterprise data. Taking a data-centric security approach opens the door to processing big data analytics and producing even bigger insights for digital business strategies.

CHAPTER 4

Security Platforms—Maximizing protection across digital ecosystem platforms

How can businesses leverage their platforms to securely operate in a broader digital ecosystem?

With the evolution of the IoT and digital industry ecosystems, platform-based businesses will capture more of the digital economy’s opportunities for growth and profitability. Machine-to-machine communications and advanced analytics will leverage digital platforms. Intelligent Enterprises will benefit from the influx of shared, cross-industry data. And advances in processing power, data science and cognitive technology will help businesses prepare for the growing wave of complex cyber-attacks.

To take full advantage of these platform capabilities, businesses must increase their focus not only on security, but also on leveraging the platform to augment existing security intelligence. It is critical to understand the potential for misuse of data and functionality on platforms, and to realize they give an adversary more motivation for mayhem. Having greater insight into how edge and core IT devices are behaving can also help businesses protect against increasingly complex and subtle threats.

Understand physical security risks

Leveraging a digital platform to make decisions and influence the function of a business’ products and services introduces a high-value target for an adversary. Since these platforms provide insights into the functionality of numerous digital devices and equipment across the business, as well as some degree of command and control over them, the possibility of cyber-physical attacks increases.

The consequences of these attacks can range from inconvenient to life threatening. Take connected car services as an example. Recently BMW’s ConnectedDrive system experienced a vulnerability that enabled 2.2 million cars to be unlocked remotely—an open-door invitation to car thieves.[13] As the functionality of connected car services improves to include things like engine optimization based on individual driving habits, the risk for abuse of these capabilities increases with the potential for severe physical outcomes.

To mitigate these types of intensified physical security risks, businesses should regularly evaluate all of their business platforms for vulnerabilities and monitor them for irregular behavior, apply threat modeling to understand what is possible to accomplish within the platforms, and leverage threat intelligence to understand when adversaries are motivated to accomplish those possibilities. In addition, as new cross-industry digital platforms emerge, businesses can analyze behaviors across these platforms to further mitigate risk or reduce time to detect new threats.

Evolve data security intelligently

Since businesses are beginning to aggregate data from industrial, operations, management, information technology and security systems into one ecosystem, they must apply new security capabilities to protect company assets. This is especially important in the IoT era. As described earlier, businesses must proactively work to identify security threats within the data being collected from devices. One solution comes from GE’s Predix platform, which collates data from intelligent industrial systems and identifies issues that may necessitate maintenance. Businesses can further leverage the platform’s analytics to identify unusual changes in customer behavior and detect performance changes that may be technology threats.

Plan security into the platform

Securing digital platforms begins before development work even starts. Businesses can reduce risk by collaborating with potential ecosystem partners to brainstorm possible security challenges across and beyond their industry. Businesses should also identify what types of security-related data the platform can gather, as well as ways the platform can be leveraged to monitor edge and core devices for abnormal activity.


Similarly, it is important to look at all available enterprise data, not just what is stored in security products. Determining the value of these data sets could provide insight into where more complex threat activity might originate. For example, business process activity, which normally is monitored outside the scope of security, may be leveraged within data processes to identify behaviors that adversaries could exploit in an attack. Businesses should employ techniques for more subtle evaluation of internal activity, centralize the data into a common platform, and utilize data visualization to understand specific behaviors and quickly pinpoint outliers.

Finally, businesses looking to utilize technology and data platforms to operate in the digital business era must emphasize the importance of customer trust. Platform breaches will erode customers’ trust in the safety and reliability of a company’s products and services; data breaches resulting in compromised customer privacy have an equally negative impact. Businesses should proactively embed security and privacy controls into their platforms as a core function, and not rely on best practices or compliance regulation to set the bar.

Utilize existing platforms to augment security intelligence

The US government has recognized the value of cross-industry collaboration for cyber security in its recent formation of the Cyber Threat Intelligence Integration Center (CTIIC). According to Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, prior to the CTIIC there was no single government entity responsible for assessing and sharing cyber-security threat information, nor for supporting policy makers with timely information. Monaco said, “To truly safeguard Americans online and enhance the security of what has become a vast cyber ecosystem, we are going to have to work in lock-step with the private sector. The private sector cannot and should not rely on the government to solve all of its cyber-security problems. At the same time, I want to emphasize that the government won’t leave the private sector to fend for itself.”[14] Similar initiatives are forming in the UK and other geographies that will have enterprises defining the models that work for them.

As digital platforms continue to capture new data and offer innovative ways to catalyze growth, they can also be used to increase security effectiveness. The digital platform can contain a wealth of information—from normal machine-to-machine behavior to standard operating conditions of edge devices. Ideally, businesses should select platforms that provide cyber-threat assessment indicators and share timely information to prevent systemic attacks.


Security DevOps

As businesses develop applications on top of these platforms, they are rapidly shifting towards an agile development model termed DevOps.[15] Within DevOps, where application development embraces the agility of automation and short sprints to implement new features and fix defects rapidly, there is a disruption to the normal approaches that security uses to identify and mitigate risk within applications.

Traditional approaches typically involve a great deal of planning and design, activities that are human-intensive in execution and require final sign-off prior to release of an application. Activities such as code scanning will need to change to be more iterative and automated, leveraging technologies such as Cenzic and Qualys to assess vulnerabilities and risks as the application is developed.

DevOps greatly speeds how quickly a digital business can develop and deploy applications, as well as incorporate new features into the services they offer. Security should be baked in from the start and embedded into how the DevOps process functions. To accomplish this, security needs to be low impact to the process, automated to a high degree and intelligent enough to guide developers in understanding risk as they make changes to the application.

Conclusion

Platform security is a vital capability for operating in the digital ecosystem. In order to thrive, businesses must understand the potential cyber-physical risks of delivering platform-based services and augment existing security efforts with digital platform intelligence. Accenture recommends combining operational and security information across the enterprise—and across platforms—to help businesses respond effectively to the rapidly changing cyber landscape.


CHAPTER 5

Customer Trust—Building customer trust in a digital economy

What security and privacy approaches reinforce customer trust in the age of hyperpersonalization?


One of the key determinants of success for digital businesses will be the ability to deliver products and services that are highly personalized for each business customer or end consumer based on their specific habits and preferences. Gartner reports that 89 percent of businesses believe that a seamless customer experience will be their primary basis for competition.[16] Accenture calls this trend the Internet of Me.

Businesses currently collate personally identifiable information (PII) from social media networks and posts; however, digital technologies such as sensors and connected devices deployed in customers’ homes, workplaces, cars and even on their bodies as wearables are generating ever more personal data and changing the game. New business models are emerging and driving the personal information economy. For example, some businesses see opportunity in selling, aggregating or brokering personal data; others are branching out into new markets, such as retailers offering financial services to customers.

But with these next-generation business opportunities comes increased responsibility to protect customer information. In order to maximize customer data and deliver personalization, businesses must apply more stringent security measures to protect privacy—and ultimately build and maintain trust with customers. The first step is understanding the building blocks of digital trust, which includes how expectations vary by demographics including generation, culture and background. (For more information, see the Accenture point of view “The Four Keys to Digital Trust” as well as the Accenture Digital Trust report.) The second step is building customized services and guarantees that appeal to the various aspirations of individual business customers or end consumers, whether they expect enhanced services in exchange for their data or more protection for it.


Build trust by taking transparency seriously

Unintentionally or purposely misleading customers contributes to their distrust. Unfortunately, some businesses seem to forget about this principle. One company, for instance, launched an experiment to study the effects of manipulating customers’ posts; another company modified customer profiles and ran analytics to determine which profile improved their matching services. Not surprisingly, both attempts backfired with customers, causing ethical debates and negative press.

Businesses should be more transparent about what data they collect about customers and how they use it. Some companies are obscure with their practices, including not informing customers how they share data with third parties or how they collect it from data brokers to sell. Other businesses may think that the value of the data derives from keeping it inaccessible to customers, just like credit scoring data. However, this lack of transparency is raising many consumer concerns, and the Federal Trade Commission (FTC) published a report in May 2014 calling on data brokers for more transparency and accountability.[17]

Follow basic data protection guidelines

According to the TRUSTe consumer confidence index, 89 percent of Internet users in the US would avoid doing business with companies that do not protect their privacy.[18] Data breaches further complicate the matter—not only in terms of litigation costs, but also reputation damage and customer flight. In order to limit their liability, businesses need to enforce encryption and responsible data management practices that protect customers’ personal data. According to a Ponemon study conducted in October 2014, four out of five IT practitioners acknowledged that their organizations do not use a strict least-privilege data model, where each user or program is allowed the minimal access privilege just to the information and resources that are necessary for a legitimate task.[19]

Take advantage of privacy-preserving analytics

Managing and protecting the increasingly large sets of personal data while running useful analytics on them is not a trivial task. However, businesses do not have to lock up all the data in order to avoid a privacy risk. For instance, TrustLayers offers a platform that seeks to provide privacy intelligence for big data and help businesses to efficiently use personal data while monitoring whether their teams are following privacy policies.[20]


The privacy risk is exacerbated by advances made in data mining technologies. Therefore, companies should consider privacy-preserving data mining techniques, which seek to balance the utility of data acquisition with privacy protection. The risk of leaking sensitive data is limited by modifying the data in such a way so as to perform analytics effectively, while safeguarding sensitive information from unauthorized disclosure and releasing only aggregate data. Various techniques exist for all the steps of the analytics process—from data collection, to data mining, to sharing and delivery of the insights extracted from data. Businesses should explore techniques such as differential privacy and distributed data mining in order to identify the most suitable technique for the application that they need.[21, 22]
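As an added illustration (not part of the Accenture report), the following Python example shows the differential-privacy idea named above: only aggregates are released, each with calibrated Laplace noise, and a privacy budget caps how much can be queried. The class, field names, bounds and sample records are assumptions constructed for this example.

```python
import random

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponentials.
    Textbook sampler: naive floating-point noise can leak low-order bits,
    so production systems should use a vetted DP library instead."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def clamp(value, lower, upper):
    return max(lower, min(upper, value))

class PrivateAggregator:
    """Releases only noisy aggregates and enforces a total privacy budget."""

    def __init__(self, records, total_epsilon, rng=None):
        self._records = list(records)
        self.remaining_epsilon = float(total_epsilon)
        # OS randomness by default; a seeded random.Random is for tests only.
        self._rng = rng if rng is not None else random.SystemRandom()

    def _spend(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining_epsilon + 1e-12:
            raise PermissionError("privacy budget exhausted; query refused")
        self.remaining_epsilon -= epsilon

    def count(self, predicate, epsilon):
        """Noisy count. Adding or removing one person changes a count by at
        most 1, so the sensitivity is 1 and the noise scale is 1/epsilon."""
        self._spend(epsilon)
        true_count = sum(1 for r in self._records if predicate(r))
        return true_count + laplace_noise(1.0 / epsilon, self._rng)

    def bounded_sum(self, field, lower, upper, epsilon):
        """Noisy sum. Values are clamped to [lower, upper] so that a single
        person's contribution, and hence the sensitivity, is bounded."""
        self._spend(epsilon)
        sensitivity = max(abs(lower), abs(upper))
        true_sum = sum(clamp(r[field], lower, upper) for r in self._records)
        return true_sum + laplace_noise(sensitivity / epsilon, self._rng)

# Constructed sample data, one row per customer (not real records).
SAMPLE = [
    {"customer": "c%03d" % i, "region": "north" if i % 3 else "south",
     "spend": 20.0 + (i % 7) * 5.0}
    for i in range(300)
]
# An extreme value that would dominate an unclamped sum.
SAMPLE.append({"customer": "c999", "region": "north", "spend": 50000.0})

if __name__ == "__main__":
    agg = PrivateAggregator(SAMPLE, total_epsilon=1.0)
    print("north customers ~", round(agg.count(lambda r: r["region"] == "north", 0.5)))
    print("total spend     ~", round(agg.bounded_sum("spend", 0.0, 100.0, 0.5)))
    try:
        agg.count(lambda r: True, 0.1)  # budget is already spent
    except PermissionError as exc:
        print("refused:", exc)
```

A smaller epsilon gives stronger privacy and noisier answers; once the budget is spent, further queries are refused rather than answered with less protection.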

Innovate to appeal to privacy-wary customers

To build customers’ trust, businesses are beginning to apply enhanced services that protect their privacy and digital footprint beyond VPN access to their services. Facebook, for example, launched a Tor hidden service.[23] The users of the social media service can stay anonymous as their connections go through three extra encrypted hops to random computers around the world, making it difficult for eavesdroppers to observe their traffic or trace it back to their origin. Similarly, Apple decided to relinquish access to customer data on iCloud. Encryption keys created on the customer’s device are used to encrypt the data on iCloud. Apple has no access to these iCloud keychain encryption keys, and therefore is not able to decrypt user data stored on iCloud.[24]

Businesses should also consider innovative approaches to convince customers to share more data, including providing rewards in return for data sharing, or even offering anonymous services to appeal to more privacy-conscious consumers. Global identity validation services such as BeehiveID or ID.me could be used instead of social media logins to allow customers to have more control over their data while ensuring businesses protect their identity. Anonymous credentials represent a powerful solution for preventing even colluding credential issuers and verifiers from identifying and tracking users. These technologies can alleviate trust concerns regarding centralized credential providers that can make a statement about identity on the Internet, as these providers get more visibility into users’ entire online activities.

Businesses can also explore emerging techniques to offer anonymous credentials as a basis for constructing untraceable electronic payment systems, or “e-cash.” One example of these techniques is a new protocol named “Zerocash,” which adds cryptographically unlinkable electronic payments to the Bitcoin currency.[25]

Empower customers with tools

Consumers in the UK and US now have access to Internet company ratings based on their data stewardship practices published by Fair Data and the Electronic Frontier Foundation.[26] With more information about businesses’ privacy and data protection practices, customers can make better informed choices. They also have more tools at their disposal to help them hide their data or decide which businesses to share it with.


For instance, Ghostery is a privacy tool that helps customers control which businesses can track their web browsing behavior. Meeco is a life management platform that enables people to collect their personal data while being more anonymous. By acknowledging and honoring customers’ desire for greater control over their own privacy and how they trade their data in the emerging Internet of Me, businesses can increase their trust factor with customers. This is just the beginning of a much longer privacy journey the technology community is embarking upon; until these protections become federated and transparent to end users, they are unlikely to be widely used. As such, this space will see many shifts and innovations over the coming years.

Conclusion

Accenture recommends that businesses be vigilant with their security and privacy practices so that they neither compromise their customers’ experiences nor lose their trust. Following truly proactive and ethical data stewardship practices, and offering enhanced services that are consistent with customers’ expectations of privacy and personalized seamless experiences, will strengthen trust and participation in the digital economy.


REFERENCES

[1] Building the Internet of Things, October 2014, https://s3.amazonaws.com/cdn.iotwf.com/breakouts/2014/H-ARC-01_Cisco-Intel-IBM_FINAL.pdf

[2] Shellshock Attacks Hit Major NAS Kit; IoT Next?, Infosecurity, October 2, 2014, http://www.infosecurity-magazine.com/news/shellshock-attacks-hit-major-nas/

[3] Transform Business With Intelligent Gateways, Intel, http://www.intel.com/content/www/us/en/internet-of-things/gateway-solutions.html

[4] Fog Computing, Ecosystem, Architecture and Applications, http://www.cisco.com/web/about/ac50/ac207/crc_new/university/RFP/rfp13078.html

[5] The IoT Application Factory, http://www.foghorn-systems.co/

[6] The State of Data Quality: Current Practices and Evolving Trends, Gartner, December 11, 2013, https://www.gartner.com/doc/2636315/state-data-quality-current-practices

[7] Market Guide for Data-Centric Audit and Protection, Gartner, November 21, 2014, https://www.gartner.com/doc/2920220?ref=SiteSearch&sthkw=Market%20Guide%20for%20Data-Centric%20Audit%20and%20Protection&fnl=search&srcId=1-3478922254

[8] Magic Quadrant for Data Quality Tools, Gartner, November 26, 2014, http://www.gartner.com/technology/reprints.do?id=1-259U63Q&ct=141126&st=sb

[9] Framework for Improving Critical Infrastructure Cybersecurity, National Institute for Standards and Technology, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

[10] Obama’s ‘Big Data’ Privacy Plans Get Big Lift From Lawmakers, Reuters, February 5, 2015, http://www.reuters.com/article/2015/02/05/us-usa-privacy-exclusive-idUSKBN0L90D320150205; Fact Sheet: Big Data and Privacy Working Group Review, The White House, May 1, 2014, http://www.whitehouse.gov/the-press-office/2014/05/01/fact-sheet-big-data-and-privacy-working-group-review

[11] Anthem Hacked—US Health Insurance Provider Leaks 70 Million Records, Darknet.org UK, February 5, 2015, http://www.darknet.org.uk/2015/02/anthem-hacked-us-health-insurance-provider-leaks-70-million-record

[12] Cloudera acquires big data encryption specialist Gazzang, Gigaom, June 3, 2014, https://gigaom.com/2014/06/03/cloudera-acquires-big-data-encryption-specialist-gazzang/

[13] BMW Update Kills Bug In 2.2 Million Cars That Left Doors Wide Open To Hackers, Forbes.com, February 2, 2015, http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/

[14] http://www.whitehouse.gov/the-press-office/2015/02/11/remarks-prepared-delivery-assistant-president-homeland-security-and-coun; http://www.usnews.com/news/articles/2015/02/10/new-cybersecurity-agency-to-aid-in-battle-against-hackers

[15] DevOps, Accenture, Login required, http://devops.accenture.com/

[16] Gartner predicts a customer experience battlefield, http://gartnernews.com/gartner-predicts-a-customer-experience-battlefield/

[17] FTC Report: Data Brokers—A Call for Transparency and Accountability (May 2014), http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

[18] 2014 TRUSTe US Consumer Confidence Index, http://www.truste.com/us-consumer-confidence-index-2014/

[19] Corporate Data: A Protected Asset or a Ticking Time Bomb? http://www.varonis.com/research/why-are-data-breaches-happening/

[20] The first scalable data use protection platform, TrustLayers. http://trustlayers.com/

[21] Differential Privacy: A Survey of Results, Cynthia Dwork, Microsoft Research, http://research.microsoft.com/pubs/74339/dwork_tamc.pdf

[22] Distributed Data Mining: Algorithms, Systems, and Applications, Byung-Hoon Park and Hillol Kargupta, University of Maryland, http://www.csee.umbc.edu/~hillol/PUBS/review.pdf

[23] Why Facebook Just Launched Its Own ‘Dark Web’ Site, Wired, October 31, 2014, http://www.wired.com/2014/10/facebook-tor-dark-site/

[24] iCloud Security and Privacy Overview, http://support.apple.com/en-us/HT202303

[25] Zerocash Project, http://zerocash-project.org/

[26] Welcome to FairData, http://www.fairdata.org.uk/; Protecting Your Data From Government Requests, Electronic Frontier Foundation, 2014, https://www.eff.org/who-has-your-back-2014


Copyright © 2015 Accenture All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 15-0911U/9-9418

CONTACTS

For more information:

Prith Banerjee, Managing Director, Accenture Technology R&D

Lisa O’Connor, Managing Director, Accenture Technology Labs Security R&D

Malek Ben Salem, Research & Development Principal, Accenture Security

accenture.com/technologyvision

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 319,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$30.0 billion for the fiscal year ended Aug. 31, 2014. Its home page is www.accenture.com.