We seem to be hearing about the Internet of Things (IoT) and the security challenges related to it everywhere these days…
While there is no denying that IP-based connectivity continues to become more pervasive, this is not a fundamentally new thing. What is new is that the target audience is changing and connectivity is becoming much more personal. Connectivity is no longer limited to high-end technology consumers (watches and drones); it is showing up in nearly everything, from children's toys to kitchen appliances (yes, again) and media devices. The purchasers of these new technology-enabled products are rarely security experts, or even security aware. Their primary purchasing requirement is ease of use.
Technology personalization is not a new thing. It has been underway for decades. For those of us who have been in this industry a long time, the first tangible occurrence of technology personalization was the appearance of the Personal Computer (PC) powered Local Area Network, going all the way back to the mid-1980s. This enabled more employees to gain access to corporate data faster and more easily, and to make the use and presentation of that data their own (spreadsheets, word processors, etc.). This quickly grew to include access to the holy grail of corporate data: the information stored in the mainframe computers that previously had very limited access.
As the first few generations of LANs and personal computing emerged, there was very little, if any, thought put into security. It was really only when we started connecting these LANs to critical corporate assets (data on mainframes and Un*X systems), as well as to customers, whether via dedicated connections or through the fledgling Internet, that security began to be a concern. Unfortunately, by the time the range of access reached critical mass it was too late to integrate security directly into this technology. Instead, we began bolting things onto the side: connection gateways became rudimentary packet filters, we implemented additional identification methods, and we incorporated ad hoc authorization levels. Eventually, these strategies became the disparate, highly varied, and specialized sets of security technologies that we all know and "love" today.
The one saving grace was that the scale of these solutions was relatively manageable. There were one, maybe two, endpoint devices per employee. We also had only one or two operating systems to deal with, each with relatively long upgrade and patch release cycles. Then along came wireless and the BYOD challenge, which we as an industry are still struggling to deal with effectively, and everything began to change. Gartner now predicts that by 2020 each person will have 26 connected devices that gather, send, and sometimes even correlate some sort of data.
Unlike the previous stages of technology personalization, the advent of IoT brings additional challenges in spades. There are now thousands of vendors implementing thousands of unique combinations of software, using dozens of technologies (WiFi, Bluetooth, NFC, Zigbee, RFID), on literally billions of new devices. In the US alone we're looking at nearly 8.7 billion IP-enabled devices by 2020. In other, more technology-friendly countries, the numbers are even larger. Nearly all of these implementations rely on complementary software components running on an ever-increasing variety of smart devices, in some version of the cloud, or both. And of course, the very price-competitive nature of this market (the primary market being consumers, not corporations) means that developers will limit the time and money they invest in security.
For enterprises, all of this means the security risks related to this new era of technology personalization are both significant and unplanned. The majority of these IoT devices will not be part of a corporate deployment; it wouldn't really be personal otherwise, now would it? Employees will simply bring them from home, sync them to their smart devices, connect to the corporate WiFi network, and then connect to the cloud-based services reachable across the corporate network. Or, depending on the actual IoT devices, they will leave them at home but still have the sync software installed on the smart devices they bring to work.
Even more challenging, the traditional approach of bolting security onto inherently insecure devices that we adopted back in the 1980s (and which we still do today with MDM clients on smartphones and tablets) isn't an option for many of these devices. Most IoT devices are headless: the enterprise can't patch them on its own schedule, and you can't install a security client on them. Instead, we need to develop and adopt a security strategy that looks very different from the approach we have been using.
The emergence of IoT, and its significant security implications, may finally be the technology evolution that lifts security from being a network afterthought and bolt-on technology to an integral, persistent, omnipresent part of the network. We need secured, trustworthy networking as opposed to networking plus security. We need to create even smaller security domains to limit the scope and exposure of an exploited device. And the response to complexity needs to be simplicity, not endlessly adding more single-purpose devices to our security racks. IoT, for example, needs economical security inspection services at the actual connection point for every device, as opposed to trying to funnel all traffic through a small number of typically over-burdened systems that are hard to maintain and upgrade given the continued expectation of always-on, always available connectivity.
So, what do we do next? Here are four things to consider when planning for the coming tsunami of data and devices hitting your networks.
1. Control network access. The vast majority of these new IoT devices are headless, which means that you can't patch or update them on your own schedule, and you can't add security clients to them. So you need to identify every device at the point of connection and weed out high-risk, compromised, or unauthorized devices and traffic before you let them onto your network.
2. Assume you will be breached. If you knew an attacker could get past your perimeter defenses, what would you do differently? Most organizations spend the majority of their security dollars on building a better front door. Those resources need to be shifted to actively monitoring your network and identifying anomalous behavior inside your perimeter.
3. Intelligently segment your network. The attacks that do the most damage are the ones that can move freely inside your environment once perimeter security has been bypassed. Secure internal segmentation ensures that a breach is limited to a small area of your network, and that attempts at unauthorized lateral movement can be detected. It also allows you to quickly identify infected devices for quarantine and remediation.
4. The answer to complexity is simplicity. Unless you have unlimited IT staff and budget, you can’t keep throwing one-off security devices onto your security rack to be managed and maintained. You need tools that scale dynamically, are provisioned easily, and that work together as a cooperative security fabric in order to share threat intelligence from across your distributed environment and coordinate a response to a threat.
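As an added illustration of points 1 through 3 (this is example code written for this page, not Fortinet's or the author's), the script below runs a toy access-layer decision, a segmentation policy, and a lateral-movement check over a handful of constructed flow records. The segment address ranges, the device inventory keyed by MAC address, the policy table, and the flow records are all assumptions made for the example; a real deployment would take them from the NAC system, switch or firewall logs, and an asset inventory.

```python
"""Added example (not from the article): toy access control, segmentation and
lateral-movement detection over constructed flow records.  Segment ranges, the
device inventory and the policy table are assumptions made for illustration."""
import ipaddress
from collections import defaultdict

# Assumed internal segments; any address outside them is treated as "internet".
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}

# Assumed device inventory keyed by MAC: only known devices get a segment (point 1).
INVENTORY = {
    "aa:bb:cc:00:00:01": "iot",     # smart TV
    "aa:bb:cc:00:00:02": "iot",     # thermostat
    "aa:bb:cc:00:00:10": "users",   # employee laptop
}

# Assumed inter-segment policy: (src_segment, dst_segment) -> permitted dst ports.
# Headless IoT gear may only reach its cloud service, never anything internal (point 3).
POLICY = {
    ("iot", "internet"): {443},
    ("users", "internet"): {80, 443},
    ("users", "servers"): {443},
}


def segment_of(ip):
    """Map an IP address to its segment name, or 'internet' if it is in no internal range."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def admit(mac):
    """Access-layer decision: known devices join their segment, unknown ones are quarantined."""
    return INVENTORY.get(mac, "quarantine")


def check_flow(src_mac, src_ip, dst_ip, dst_port):
    """Return 'allow' or a 'deny:<reason>' string for a single flow."""
    seg = admit(src_mac)
    if seg == "quarantine":
        return "deny:unknown-device"
    if segment_of(src_ip) != seg:
        return "deny:segment-mismatch"   # device is not where the inventory says it belongs
    allowed_ports = POLICY.get((seg, segment_of(dst_ip)), set())
    return "allow" if dst_port in allowed_ports else "deny:policy"


def detect_lateral_movement(flows, threshold=3):
    """Flag sources denied while reaching for at least `threshold` distinct internal
    hosts: the inside-the-perimeter anomaly that point 2 says to watch for."""
    denied_targets = defaultdict(set)
    for src_mac, src_ip, dst_ip, dst_port in flows:
        verdict = check_flow(src_mac, src_ip, dst_ip, dst_port)
        if verdict.startswith("deny") and segment_of(dst_ip) != "internet":
            denied_targets[src_mac].add(dst_ip)
    return {mac: sorted(t) for mac, t in denied_targets.items() if len(t) >= threshold}


# Constructed flow records for the example: (src_mac, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.5", "203.0.113.10", 443),   # TV -> its cloud service: fine
    ("aa:bb:cc:00:00:10", "10.10.0.7", "10.30.0.2", 443),      # laptop -> server over HTTPS: fine
    ("aa:bb:cc:00:00:02", "10.20.0.9", "10.30.0.2", 445),      # thermostat probing SMB on a server
    ("aa:bb:cc:00:00:02", "10.20.0.9", "10.30.0.3", 22),       # ...and SSH on another
    ("aa:bb:cc:00:00:02", "10.20.0.9", "10.10.0.7", 445),      # ...and a user laptop
    ("de:ad:be:ef:00:00", "10.20.0.44", "10.30.0.2", 80),      # device nobody inventoried
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", check_flow(*flow))
    print("suspected lateral movement:", detect_lateral_movement(SAMPLE_FLOWS))
```

The thermostat's three denied internal connections are what get it flagged; the single probe from the un-inventoried device is blocked at the access layer but stays below the threshold, which is the point of keeping the two controls separate: access control decides who gets a segment, the policy keeps segments apart, and the detector reports who keeps testing the walls.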
We all need to understand that we are at a critical point in our transition to a digital economy, and failure to rethink what security looks like in this new world will have far-reaching consequences.
Ken McAlpine is VP, Network Security Solutions at Fortinet.
*Originally published by SecurityWeek on March 6, 2016.