Zuora VP and CSO Pritesh Parekh has been nominated for the prestigious ISE North America Executive Award this year. Other nominees include CSOs from Microsoft and YP. We caught up with Parekh for a tete-a-tete on the world of IT security:
1) Congratulations on being nominated for the ISE North America Executive Award! From a security perspective, what is your top priority at Zuora?
Thank you. I’m honored and glad that our work at Zuora is getting recognized. At Zuora, our customers’ trust is our #1 value, and we take the protection of our customers’ data very seriously. Our goal is to continue strengthening our security program while providing transparency and visibility to our customers. We will continue to invest in the security of our services and exceed industry standard best practices.
2) What are the new threats in the security space and is the landscape changing?
We are living in the world of the Internet of Things (IoT), where more and more devices are being connected to the Internet. IoT threats are definitely changing the security landscape rapidly.
Users love the convenience of accessing everything from their refrigerators, thermostats, and garage door openers to their cars from their smartphones. In a rush to get their products to market, IoT vendors have downplayed the digital security of their products.
With IoT, the threats are not just about personal data compromise, they are also about the physical security of consumers. Recent examples have shown that connected cars and medical devices are vulnerable to hacks. A compromise of any of these devices can have life-threatening consequences for consumers. With new devices connecting to the Internet, the digital security of IoT devices has become paramount and it must be a high priority for IoT vendors.
3) What are some of the top technical considerations that IoT vendors should take into account to secure their products?
Some of the top technical security considerations for IoT vendors are:
Secure by design – Every phase of the development process must take security into consideration. The Quality Assurance cycle must account for digital security in addition to functionality. For example, a digital security test to ensure safety air bags cannot be remotely disabled by an unauthorized user.
Strong authentication and authorization of IoT devices – Strong authentication using techniques like asymmetric encryption to protect each device by using its own unique key. Strong authorization allows the vendor to enforce role-based access controls where applicable.
Encrypting data at rest and in transit – Sensitive personal data stored on the device needs to be encrypted at rest. All communication to and from the device must be encrypted in transit.
Third party assessments to uncover digital security flaws – Third parties specializing in security testing for IoTs should be engaged to perform security testing as a part of the product life cycle. Such testing would uncover security flaws and allow the vendor time to address the issues without impacting consumer security.
Privacy – IoT vendors must be transparent about the type of data that is collected, how it is used and provide an opt-out option. By default, IoT vendors should limit personal data collection to only that which is necessary.
Consumer security awareness – As consumers are new to the IoT world, the vendors need to provide education on the digital security of the device. Digital security awareness guidelines must be provided with the product to educate consumers.
4) What are some of the challenges in implementing security for IoTs?
There are a few major challenges:
Scale: Gartner is predicting 25 billion IoTs by the end of 2020. The security solutions that we have today will be challenged to scale out.
Authentication and secure communication: Authentication and secure communication remain a challenge for IoTs. How can a connected car securely authenticate to its mothership to download patches? How can a medical device securely send data to the controller? I recommend a Public Key Infrastructure (PKI) framework as one of the approaches to solve authentication and secure communication.
IoT Vendor Digital Security Program: Vendors need to build a strong digital security program to adhere to the principle of secure by design. This will require vendors to increase the cost or reduce their margins and invest in the digital security of their products.
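The per-device unique keys from answer 3 and the PKI-based device authentication recommended in answer 4, as an added Go example that is not code from Zuora or the interviewee: a hypothetical vendor root issues each device its own certificate, and the backend authenticates a device only if that certificate chains to the root and the device can sign a fresh nonce. All names, serials and certificate lifetimes are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Issue creates a P-256 key pair and certificate: the self-signed vendor root if parent == nil, otherwise a
// per-device leaf signed by parent (CommonName = device serial). Names and lifetimes are illustrative.
func Issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the private half never leaves its holder
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // device-leaf defaults:
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // vendor root: self-signed, may sign device certificates but never authenticate as one
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignChallenge runs on the device: it proves possession of its private key by signing the backend's nonce.
func SignChallenge(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// VerifyDevice runs on the backend: chain the certificate to the vendor root, then check the nonce signature.
func VerifyDevice(root, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // not issued by our PKI: reject before even looking at the signature
	}
	h := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}
```

A replayed signature fails because the backend picks a new nonce per session, and a device certified by any other root fails the chain check before its signature is even examined.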