Last month I attended a summit of subject matter experts on securing the Internet of Things (IoT). At first, I thought I had the wrong room, because it seemed that everybody other than me was an architect or engineer working for a device manufacturer, and as a result the conversation was dominated by placing security controls into the devices, themselves. In contrast, I tend to approach the issue from the perspective of protecting the core of the network. But just when I was beginning to think I had wasted an hour-long drive and was going to be bored out of my skull all day, a few of us started debating the issue and the conversation began to evolve. Before long, we had found common ground in the fact that security controls are all about trust relationships -- ‘I trust you, therefore I will allow you to do that’.
Now trust is a funny thing, because by its very nature it can neither be one-sided nor one-dimensional. Instead, it must be built into every aspect of the transaction; a sort of “digital handshake” to ensure all is well before doing business. In other words, each of our pre-conceived perspectives was correct, yet we were all being stubborn and short-sighted!
Though the concept of trust relationships has always been true with every type of network, the nature of IoT shines a bright hot spotlight on the issue. Security needs to be forefront on the minds of device manufacturers to ensure that it’s baked in from the beginning. But that doesn’t mean the onus falls exclusively on them, thereby enabling us to ignore our core network security. Remember, a security best practice is to take a layered approach! IoT doesn’t replace existing networks, it’s adjunct to them. So in addition to our existing network security, we also need device-level security and end-to-end data encryption.
A chain is only as strong as its weakest link, and with all of the additional links made by IoT, it’s more challenging than ever to secure everything, everywhere. Particularly since the IoT infrastructure spans across IT and operational (primarily non-technical) domains, it’s easier to lose sight of security and take leaps of faith that everything is secure. Take a recent Wired article as a case in point. In each of the cases mentioned in the article, previously unconnected devices are now fully connected IoT smart objects. But since security wasn’t included in their design, they can become new threat vectors, and can even provide ideal entry points right into the core of the network.
Again, IoT isn’t the problem. Rather, IoT just makes a longstanding issue more prominent than ever. Security professionals have long understood that there’s an inverse correlation between connectivity and security, so the fact that IoT consists of billions of connected devices all over the world -- in both secure and insecure locations -- requires that robust security be integrated throughout the IoT implementation.