IoT Cybersecurity: Why Simplicity Is Tantamount
Danny Allan may be the vice president of product strategy at the backup and data management firm Veeam Software, but he’s also a cybersecurity buff. He has worked for military intelligence doing penetration testing and e co-authored the IBM Secure Engineering Framework as the former director, security research at IBM.
“The one thing I’ve learned is that nothing is completely secure,” said Allan in a recent interview at HPE Discover. And that the causes of cybersecurity breaches don’t tend to change much. “With IoT, it’s the same causes. Yes, now we are seeing attacks on IoT and edge devices, but frankly it’s because you’re not validating your input, not encoding your output.”
The fundamental causes for most network breaches has remained unchanged, with various forms of human error and laziness causing the bulk of problems. People are still the weakest link in the cybersecurity chain.
Allan remembers seeing this in action in his early days working in cybersecurity. “Cybercriminals would call [an IT professional] up and say: ‘Hello, I have a job offer for you. I can pay more than $50,000 than what you are making now.’” The person on the other end of the line would have their ears perk up, and gladly answer questions about the kinds of technologies and policies they worked with. “Over the course of half an hour to an hour, they could extract every single possible piece of information they would possibly need to break into the network,” Allan said.
The following Q&A expounds on Allan’s views on IoT cybersecurity:
If you could only share a single piece of IoT cybersecurity advice, what would it be?
Allan: Integrate security into foundational processes. It should not be a bolt on. As soon as you bolt it on, your’re making it more complex than it was before. The best way to secure an IoT device, application or a network is to build security into the foundation. For example, when developers write code, you can write secure libraries for what they’re using. Basically, you’re baking security into the process, so they don't even think about it. They accidentally tripped over security in the practice. Doing this does far more to improve security than network firewall tools and assessment tools and so forth.
And complexity is the enemy of security, right?
Allan: Yes. Building security into IoT infrastructure simplifies the system. Now, I don’t want to pretend that the IoT environment is simple because it’s not. But building cybersecurity controls into the frameworks of communicating from the edge back to the cloud can make the system drastically more secure.
All security is based on the concept of either blacklisting what’s bad or specifying what’s good. Because of the networking components, and the fact that infrastructure is changing so rapidly, it’s better to design or specify what is good. Ultimately, if you look at long term, I believe machine learning will understand the context of what is the proper way to do things.
I talk about four broad categories for getting smarter protecting data. One is the network. That's pretty well-known. We’re just not using the data effectively, I would argue. Look at user behavior. Let’s say someone comes in and checks his email every day at 8 a.m. in the United States. And then, let’s say that account is accessed at 2 a.m. from Kazakhstan. That anomaly should trigger an alert. The third topic is around application performance. Applications, historically, do not have very good sensors or models in them to know when things are going poorly. The fourth is around the Internet of Things.
How do you see IoT in use for smart data protection?
Allan: For example, let’s say an enterprise company is using a data center in Florida. If storms are coming into Florida, people set up replication of their application from Florida to Arizona in case something goes wrong. They are paying for 200 percent capacity all the time in case this data center goes down. That’s a poor use of funds.
I would argue that you should use an Internet of Things device as simple as a weather sensor or even a non-IoT technology like a weather feed. As the storms come in, you can setup replication. After the storm passes, you tear that replication down. I have a customer actually in New Zealand right now, that is using earthquake sensors to set up automatic replication and failover from one location to another.
My belief is, longer term, the IoT will become more of an informer, and will drive the intelligence over what should happen within the environment, rather than being dependent on people. Now, that will take a cultural shift, and also a confidence in edge technology. You never want a mistake in the edge technology to cause some radical transformation.
What’s your take on the current state of AI?
Allan: There’s a huge amount of intelligence in the data we don’t yet know how to mine. That’s where the truly artificial intelligence comes in. It’s really scaling the human brain as opposed to machine learning, which is scaling automation.
IoT will gather a lot of this data that will help unlock the data that already exists. So it will be this serpent eating its tail, and the data will continue to explode into even greater quantities than it is now.
For IoT, the obvious value areas have already been identified. And so I think the challenge now, in crossing the chasm from where we are now, is that the remaining areas are not as obvious. We don’t know what we don't know. And until it becomes more obvious, we’ll continue to see this kind of linear adoption of IoT.