The Internet of Secure Things
By Rob Black, Axeda
Here at Axeda we just finished a very successful Connexion 2014 conference where global thought leaders in the Internet of Things (IoT) gathered in Boston for our multi-day event. One of the themes that I heard again and again from practitioners of IoT is that their security story needed improvement in order to assure customers that their IoT solution could be utilized safely. There is a lot of noise from the entertainment world and popular press about killer pacemakers and spam-sending-refrigerators that has crowded out the less sensational reality that -- IoT Security is not fundamentally different from network security, and there are a plethora of strong security practices that can be readily applied to IoT.
Many customers who are deploying IoT are frustrated by the resistance that some IT and security departments exert when an IoT solution can clearly help them solve business challenges for their deployed machines. Lack of connectivity is not the solution to a security problem, and that thinking should be turned on its head. If companies are concerned about security and compliance here are the questions that they should ask. These questions are based on real-world events that our customers have observed and not based on theoretical thinking.
- How can you be certain that machines are being used for their appropriate business purposes and not for gaming or other (worse) personal activities?
- How can you ensure that the appropriate policies have been applied to the machine? Are policies applied in a consistent manner or does it depend on the technician and date of machine provisioning/servicing?
- What is your update strategy should a software vulnerability be found on thousands of your machines? Does your plan involve running around with a USB stick to every machine?
- How do you connect to the machine for remote service support? Do you use web meeting tools? Does that mean that the remote user has an elevated level of access? Are the changes audited?
If your answers to the questions above are unfavorable perhaps you should consider using an IoT solution to help you solve your security and compliance problems. Connectivity and diligent management is the key to successfully managing devices in your enterprise. Axeda has helped many customers to examine and address the challenges listed above. For instance the ability to log every significant action at the device level can help organizations to ensure compliance with regulations and protect against rogue employees utilizing remote desktop applications to perform non-authorized activities on business critical machines.
Once you have decided to pursue an IoT solution, there are a number of steps required to ensure that it is secure. The first and most important step is to get senior management buy-in. While this might not be the most obvious path for technically minded folks, it is the one that can help you to solve a number of problems long term. Senior management needs to be sold on the business value of this project. If there is sufficient business value then they can help you get the appropriate resources to address security or other requirements that might be a part of the project. They can help to move obstacles that may be in the way of a successful project.
Before getting the buy-in, however, management may ask for an assessment of a particular IoT solution. Since an IoT solution is comprised of so many parts, we break it down into seven key segments to more easily perform analysis for security purposes:
- Inside the firewall software and communications
- Outside the firewall communications
- Cloud operations
- Cloud platform
- Cloud development
- Cloud applications
Over the next several blog posts we’ll dig into key security topics utilizing the above framework and provide you with an understanding of what you can and should expect from an IoT vendor, and which challenges are better addressed from within your own organization. If you can’t wait until the next post, check out our security white paper in the interim. Stay tuned!
Rob Black is Director of Platform Product Management at Axeda where he overseas the direction of the Axeda Machine Cloud Platform. In addition to his expertise in Internet of Things (IoT) and Machine-to-Machine (M2M), Rob has extensive experience in security, web services, and cloud solutions. Rob’s product management and product marketing background includes positions at RSA Security, 3Com, and Vertical Communications. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is the inventor of three security related patents and is also a Certified Information Systems Security Professional (CISSP).