NETWORK SECURITY, REIMAGINED FPO

Transcription

1 FPO NETWORK SECURITY, REIMAGINED by Derek Korte AS TENS OF BILLIONS OF NEW DEVICES GET CONNECTED, BUSINESS AND SOCIETY MUST RETHINK SECURITY, PRIVACY, AND OPPORTUNITY Illustration JUSTIN GABBARD

2 Smart networked devices are seemingly everywhere as phones, bridges, jewelry, medical devices. Yet, by some estimates, only 1 percent of all potentially connectable devices are linked into a network. But they will be, very soon, and they ll change how we think about security and privacy. Padmasree Warrior is the chief technology and strategy officer at Cisco, and she believes that the emerging Internet of Everything offers both opportunity and pitfalls. Derek Korte recently spoke with her. Cisco estimates that there could be 50 billion connected devices by How do businesses secure all of the new data generated by those devices? Today s security models protect the endpoint, the data center, with firewalls and similar technologies. That model has to change to one that enables security across all of the devices and things that will be connected, from the browser to the boardroom. Security must also evolve from its current perimeter-based model. Companies used to buy a firewall and a content security solution, and then put the pieces together in the IT environment. We ll need to move beyond that to platforms that enable ambient security infrastructure and APIs to protect users and their data. We have to move away from point solutions to vendors that can provide end-to-end security solutions, or security as a platform. What are the privacy implications of these changes? Businesses must navigate the dilemma between privacy and personalization. The more information users give about themselves to the network and to the device, the more personalized that experience will be. This is the power of wearables and the Internet of Everything, but it intrudes on privacy. The only solution is to let users control the data. How will they do that? Today, opting in or opting out is a very rudimentary option. People don t know what they re opting in for or what they re opting out from.

3 For example, when I log in to an app that asks me for permission to access location data, I usually say, No. I don t know how I will benefit. Access to data must have more context to make it more useful and to guide users to make better choices. If the app said it wanted access to location data to guide someone to the nearest optometrist because the person s searching for glasses, then that s useful. Today, however, users often blindly opt in or blindly opt out. How much of all this data will be personally identifiable? That will be largely a personal decision. Consider a wearable that s microminiaturized and embedded in a user s body to collect information about health. It s personal information, but a user might want to share it with his doctor, as well. In business, we ll see data exchanges and value exchanges that will intermediate data so it can t be associated with a user or process. Data virtualization is already an emerging field, which virtualizes data without identifying the exact source. Are there special security implications in heavily regulated industries, such as health care or finance? In the future, we ll need to focus less on securing the device or data, and instead strengthen security with policies around identification, verification, and authentication. However, the implications are more about privacy than security. People will want to ensure that information from their heart monitors, for example, is only shared with their consent. THE ONLY SOLUTION IS TO LET USERS CONTROL THE DATA. What will technologists need to know to secure and understand the loads of new data generated by the Internet of Everything? Every company must become a technology company. What s more, every company must also become a security company and understand the security implications in their business. That s a big shift. Also, IT and OT [operations technology] must come together. Take automobile manufacturers as an example. They typically have people who understand robotics, sensors, and automation and who build automated systems. That s called operations technology. They also have IT departments, which provide the connectivity and telecommunications

4 solutions. In the Internet of Everything, these departments merge together. There will be more sensors on the manufacturing floor, so the people who design and build machines and automated systems must also understand the data that those systems and sensors create. In addition, DevOps has emerged as we move from a client-server model to a cloud model. In the old world, companies had developers and IT and they didn t really get along. That s changing now as IT blends with OT under the cloud model. Whose responsibility will it be to store, secure, and understand this data? From an architectural point of view, the shift will require extending computer storage and networking to the edge, so to speak, where these devices and sensors connect. Part of that responsibility will fall to companies to deploy architectures and platforms that enable network storage. These can t be big systems. They must go out in a gas field or a manufacturing plant and be able to analyze data in real time. That will be the technology companies responsibility. The user s responsibility will be to make informed decisions about what he or she opts in for or opts out from. New companies will likely emerge that will help make those decisions more intuitive and more intelligent. The challenges and the opportunities with the Internet of Everything will be dealing with data and turning it into action. That data must drive better business processes, which requires analysis. Businesses will also need to update their workforce s skill sets. We ll see new fields and new skill sets that will require an understanding of mechanical engineering, computer science, and data science. What infrastructure changes will the shift to the Internet of Everything require? From an infrastructure point of view, companies have to embrace two things: the cloud and connectivity platforms. There will be opportunities to create new kinds of applications, similar to when mobile became a platform. There will be a host of applications on IoE platforms that business will need to embrace, too. The Internet of Everything is not just about software or hardware; it s a coupling of the two.

5 Q&A with ANDREW ROSE, PRINCIPAL ANALYST AT FORRESTER RESEARCH The 25 billion devices expected to be connected on the Internet of Everything by 2020 will represent a juicy target for hackers. Andrew Rose, a principal analyst at Forrester Research, has studied the issue of security on the Internet of Everything extensively, and calls security the elephant in the room that no one is talking about yet. We talked to Rose about the future of hacking in an increasingly connected world and what can be done to build security into devices from the start. How will security in the Internet of Everything be different than what we see today? Security in the Internet of Things is a scary proposition. The fact that hacking will one day reach from the digital world into the physical world makes a big difference. Breaches will have the possibility of being much more dangerous. Think about a car that has anticollision technology. It s a great idea until someone hacks it and the car crashes and then someone is injured or killed. That s a very different proposition from just losing a credit card number through the sorts of hacks we see today. So a company like Target can survive a major data breach, but if a car manufacturer creates a car that kills somebody because of a security flaw, they re not going to get off quite so easily.

6 What are the privacy concerns on the Internet of Everything? The Internet of Things is basically a massive data-collection exercise. Once that data starts getting brought together, lots of what you would consider to be fairly trivial information can rapidly become very sensitive. If you think about your food shopping, your food might suggest that you re a certain religion, and then that can be tied to your location, which shows that you go to a certain area on Sundays or religious holidays. So sensitive, private information can be derived from pretty trivial pieces of data when it s all gathered together. But won t private information on the Internet of Everything be anonymized? Well, they talk about anonymization, but actually de-anonymizing data is not too difficult. A recent university study found that with just three pieces of key information zip code, gender and date of birth 85 percent of the information in a large database could be de-anonymized. So anonymizing all of this data is easier said then done. There s going to be a lot of tension between marketing people who want to squeeze as much value out of the data as they can and the security guys who want to manage the privacy of data. NAM RHONCUS VELIT LECTUS, VITAE PHAR ETRA LEO SO LLICITUDIN QUIS. What sorts of hacks might we see in the future? Well, there s already been an instance of a baby monitor being hacked. [In Texas, a hacker seized control of a wireless cameraenabled baby monitor and used the device to manipulate the camera and say sexually explicit things to the sleeping girl.] If someone has one of those cameras in their house connected to a website, someone else might hack into that to see if the house is unoccupied in order to break in and rob them. And then the scale of this stuff starts to get scary. A university in the UK invented a device that unlocked the electronic locks of cars and enabled them to be started without a key. So imagine once electronic home keys take off and everyone s controlling

7 their locks by iphone. If a flaw is found in that system, then it s not just one or two homes that are vulnerable, it s millions of homes. What s being done to secure the Internet of Everything? A lot of the time, the failure in risk management is just a failure of imagination. Security managers really need to sit down and think through every possible scenario for this technology. We re building a Black Swan world as all of these different platforms come together, and we can t predict how it will look. Things are getting more and more complicated, so if something goes wrong, it s very difficult to troubleshoot and even more difficult to protect. And what about the liability issues? If my self-driving car crashes into a wall and injures me, whom do I sue? Do I sue the car manufacturer? The software integration people? The company that made the detectors on the outside of the car? We have to start considering those aspects as well. Is the best solution to build safeguards into the design of connected technologies? I d be incredibly surprised if that happened right away. The Wright Brothers didn t delay their release because they didn t have navigational guidance or oxygen masks. They just said, Here s a plane, let s go! That s how the Internet of Things is coming together. The way forward seems to be manufacturers partnering with organizations that can provide security for them. We re seeing a number of security companies popping up now that actually provide a platform on which you can develop Internet of Things devices. So you can still use all of your innovation and development techniques, but these security companies give you a way to communicate with other devices in a secure, encrypted way. Will there be advantages to companies that get security right? I m not sure there will be at first. Think about Facebook. Facebook was all about functionality; safety comes later. People will buy functionality and they will trade safety, especially if it s at the right price. So I think security will be a second-tier benefit at first. It may take a big breach for people to sit back and really think about security. VOTE