Siva Ganesan, Vice President and Global Head at TCS Assurance Services Unit, blogs about assurance practices for security, privacy and confidentiality in the connected world.
In today’s age, technology architectures that drive business throughput are disaggregated and heterogeneous. A highly disruptive and transformational innovation, the Internet of Things (IoT), promises business value and competitive differentiation in ways never imagined before. With IoT, a transaction can originate and conclude anywhere, anytime, and for good measure, everywhere, and all the time too. The gravity of space-time perhaps has crept into our globally distributed real-time online and offline lives, steadily, if not stealthily. IoT is an ecosystem representing the sheer dynamism of a vibrant and connected global economy where people, process, and device co-exist and subsist on torrents of data fragments, each reinforcing the need for interconnectedness. The TCS Global Trend Study 2015: Internet of Things: The Complete Reimaginative Force too finds that technologically inclined companies, dealing in various products and services, are experiencing a significant improvement in business profits through the IoT.
Assurance practices in the new connected world
The number of devices (things and everyday objects) connected to the internet is far more than the number of people. With the right technology in place, doctors can work remotely with their patients and manage diseases and treatment options, home appliances have become smarter, and industrial equipment more efficient. And this is just the tip of the iceberg.
With these connected objects sending and receiving personal, usage, preference, habit, location, and even mood and sentiment data in real-time, many a node on the IoT needs to be assured, at both the individual and inter-connected levels. This also poses potential peril. The ‘always on’ connected system is a potential target for cyber-attacks, and continuous inter-device communication is vulnerable to snooping and data crime. We need to address these privacy and security risks to make the IoT a safe proposition for consumers.
The Federal Trade Commission (FTC), a body for protecting American consumers, has asked vendors to define, implement and tighten IoT security. The commission recommends a series of measures that include addressing security concerns at the outset, in early stages of the product lifecycle; adopting data minimisation to guard against privacy risks; limiting data collection and disposing of consumer data when not required; seeking informed consent before collecting consumer data; and finally, proposing IoT specific, technology neutral legislation, and recommending self-regulation by companies.
Assurance: the greater responsibility
By melding the virtual and physical worlds, the IoT holds the potential to fundamentally change consumer interaction with technology, and drive consumer benefits in many ways. The assurance function’s role from the security and privacy perspective is of larger significance than the traditional responsibility of defect detection. With sensors, devices and wearables entering consumer homes, cars and even bodies to detect and share information about them, assurance has a greater responsibility on hand, to ensure consumer safety, and also privacy.
To begin with, assurance must collaborate with security and governance functions and take stock of risk equations. Next, intelligent controls, strong encryption and right protocols should be introduced for securing inter-device communication and connectivity.
The role of the tester
The role of the tester too needs to undergo a paradigm shift – because IoT testing is much different from traditional software testing. This is akin to a different form of integration testing, where we test functionality, and also device durability to withstand weather conditions, extreme temperature, and malfunctioning of other connected devices.
Data privacy, identity management, access controls, authentication, data validation, infrastructure and system testing are other areas where assurance can add value. There is also the regulatory compliance aspect that assurance addresses. But to do all this, assurance must be introduced at the outset, and not as an afterthought, late in the development lifecycle. There is a need to look beyond traditional roles and acquire new testing competencies, to be prepared to support the IoT movement. Only then can assurance truly help businesses scale and realise the benefits of these ‘things’.
An earlier version of this blog was published at #ThinkAssurance, the quality assurance (QA) and testing blog of Tata Consultancy Services.