The Four Dimensions of Security

Welcome to the four dimensions of cybersecurity emerging in the digital era: device, data, identity and online. This new paradigm of seeing cybersecurity in four dimensions was the topic of a breakfast forum in Singapore organised by Jicara Media and hosted by Lenovo and Intel, with senior IT executives from Lenovo, Intel, Singapore Cloud Security Alliance and a senior IT leader from a global bank speaking.

Kicking off the event, Lenovo’s general manager Eddie Ang noted how his organisation has evolved into more than just a ThinkPad maker over the past five years. Thinking out of the proverbial box, Lenovo has seen how the cyberthreat landscape has expanded into new territories such as identity theft and social engineering.

In response, Lenovo’s ThinkShield security paradigm operates in four distinct dimensions, securing their products right from the manufacturing and supply chain phase, through to self-healing laptop firmware in case of viral infiltration, down to a multitude of security features for identity management, authentication and data backup, security and recovery. ThinkShield even ensures that end-of-life laptops are destroyed with no data recoverable.  

Keynote speaker Anthony Lim, director of Singapore Cloud Security Alliance (CSA), touched on the emerging cybersecurity trends to take note of in 2020. In his view, come what may, “the old never went away. All the basic stuff such as network segmentation, constant patching, port locks and tight endpoint security need to be in place” and even the latest threats will be kept at bay. He did note that an emerging trend of hackers exploiting human errors. “They know we have firewalls and ThinkShield, so they attack the food delivery providers’ phones, or attack the supply chain or the operational technology (OT) instead.”

How do the four dimensions rank in importance?

George Chacko, Intel’s director of global accounts, considered wireless online connectivity as the most dangerous threat. That is why Intel is leading the way in promoting WiFi6 as the next standard in connectivity.

Lenovo’s Eddie Ang felt that many online vulnerabilities are rooted in human behaviour, and that is why intelligent automation has to be employed to remind, educate and intervene.

The IT leader from the global bank concurred: “People just want to share information without malicious intent, but as soon as some of that sensitive information leaves an environment, it goes out of our control”. User education and automated vigilance on their behalf can continue to secure the system without impeding worker productivity and innovation.

CSA’s Lim considered identity to have a high ranking in the four dimensions. He is wary of the convenience of single-sign-on features. Identity management is the most difficult to manage whether online or offline, and any failure can open the door to attacks on the other three dimensions.

Are security alliances effective?

Lim said that hackers are in effect a brotherhood, so the rest of the world definitely needs to form alliances too. “Today CIOs and CISOs get together to share security leads and best practices,” and collaborations are getting better across borders compared to how corporations were afraid of ‘losing face’ when opening up about their security experiences.

The rest of the panel agreed unanimously, citing the regulatory compliance component that puts leaders in this defensive mode. “But it is incumbent on all of us to go out and attend seminars and conferences such this event to share trends and ideas,” cited the banking IT leader. Agencies such as the CSA and event organisers can help in promoting this spirit, while public-private partnership events such as GovWare are a useful for establishing globalised cybersecurity standards instead of letting countries and organisations tackle it individually.

People Vs Technology: Which is weaker?

CSA’s Lim noted that more 70 per cent of breaches over the past decades originated from within the organisation. Today, automation technology is helping alleviate or prevent such human errors, thereby balancing the people-vs-technology equation so that people can do their best work without feeling that technology is impeding them. The rest of the team concurred, noting that human psychology is most resilient to change. “Making security processes more holistic, intuitive, collaborative and integrated” is how he would reduce the weakness in the human element and boost productivity instead.

Ang noted that organisations cannot enforce secure work practices as a military agency could, and it would be easier to use machine learning tools to circumvent human weaknesses. From Intel’s point of view, all the latest and greatest security features such as vPro are useless if they are not turned on.

Orchestrating new and legacy infrastructures

A recurring question was how CIOs should orchestrate the entire spectrum of legacy and new technologies in an organisation undergoing transformation, given the four dimensions that need to be tackled.

The bankaddressed it at the logistics level by suggesting an asset-register. Lenovo’s Ang asserted that it is possible to orchestrate the old and new infrastructure, but: “It’s not about whether we should protect the status-quo but how we should move on into the digital era.”

Rahul Joshi, Head of Content at Jicara Media, as the moderator, asked: “Even when all the security software is new, it may come from as many as 15 disparate vendors. How do we orchestrate them well and ‘keep the lights on without having everything fall apart?’”

Lenovo had had this question in mind when investing heavily in AI research with Intel, and Ang shared that the collaboration will look into solving factory-floor issues with IoT and AI. It was noted that no cybersecurity company has ever had a sustainable market cap of more than US$20b, as the panel pointed to how fragmented the cybersecurity solutions sector is.

According to Rahul, that is exactly the fragmentation that organised-crime syndicates have discovered and exploited through game-theory. “We, the good guys, should also apply game-theory, and see how we can change things for the better,” he noted.

The forum ended with a poser: can any system be totally secure if resources were unlimited? Most of the panel felt that 100 per cent security is not desirable even with the impossibility of unlimited resources, because it would mean severe restrictions in worker freedom and flexibility.

Offering a the most pragmatic perspective, Chacko said that, realistically, all we should strive for is “good enough security, at a good enough cost” while also striving to preempt and deter attacks.