Toyota embraces open standards for security

The car manufacturer believes open standards and deperimeterisation are the right approach to security, but has rejected external security compliance

Toyota gave its backing to open standards on Thursday, saying they were a key part of its security strategy.

Security products based on publicly available specifications will enable greater interoperability and help companies to measure how secure they are, Toyota believes.

"Open standards are the right approach," Richard Cross, information security officer for Toyota Europe, told ZDNet UK. "Standards bring benefits by lowering risks, and making results more standardised. We would see the benefits of going to different vendors that have the same solution," Cross added.

However, if a proprietary vendor had consistently excelled in an area, Toyota would consider using them. "We're not locked into any one way of doing things. Most of the time open standards are the right approach, though," said Cross.

Deperimeterisation — where the security emphasis is moved from the edge of the network and onto individual devices, and ultimately to individually encrypted data packets — had become a "fact" for Toyota with increasing employee mobility.

"Deperimeterisation has already happened. It's a fact of life, so deal with it," said Cross. "You need technical and procedural security, and overlapping defences, but the furthest extent of the network perimeter is the head of your employee — it's your people," Cross added.

Several major companies are backing deperimeterisation, including BP which said earlier this week that it had taken thousands of its laptops off its local area network. They now connect straight to the Internet even when used in the office.

"Hackers and virus writers have been a problem for years. But today there are very well-organised gangs in Russia, China and Brazil, with large teams and large server farms, that are determined to get their hands on our internal data and our users' identities," said Ken Douglas, technology director of BP.

"Typically, companies use a firewall and assume that the local area network is secure. But we've come to the conclusion that the LAN has to go," Douglas added.

Toyota rejected the need for compliance with external standards such as BS7799, a security code of practice.

"We're not aiming for [BS]7799 certification," said Cross, "and fewer than 5 percent of companies are attempting to gain it. We don't want our standards to be fixed — we want to be more agile. Heavily defined standards bring a lack of options, because you're tracking to external controls," Cross added.

"There's a danger of putting highly focused policies in place, as costs can outweigh benefits. If you have security turned up to such a level that you can't react because nothing is getting through, then that's not the right level of security," Cross added.

He also warned businesses to be cautious about purchasing products promising Sarbanes-Oxley compliance.

"The problem with Sarbanes-Oxley is that it means 20 different things to 10 different people. There's a tremendous wealth of folklore that has been built up around it in the IT sector. A lot of people are trying to push us into spending money on Sarbanes-Oxley compliance, but I trust our auditors," said Cross.