Guest post by Babak Pasdar
IoT security is still being viewed through the prism of enterprise security, which is built on medieval logic. First, build a big moat around your castle – offices and data centers. Second, if you need mobility, painstakingly build and outfit operators with armor to go out into a dangerous and cruel world. Hopefully, these “outside operators” won’t bring back disease. If they do, then burn everything! Back then, the whole thing was as expensive and messy as enterprise security is today.
First, let’s define the Internet of Things as it relates to this article. Although we are frequently focused on $5 sensors, IoT is really the Internet of “Everything”. IoT is not just the Internet of gadgets; autonomous vehicles and $20-million mining machines are IoT devices as well.
Also, IoT devices don’t function in a vacuum – they belong to ecosystems. The IoT Ecosystem consists of one or more endpoints, applications, data sets, and management platforms. Endpoints function as sensors, or perform electronic or mechanical functions, and depend on the applications as much as the applications depend on them. Frequently, IoT Ecosystems are wildly distributed and mobile.
IoT Ecosystems are dramatically different from anything in the enterprise today. Traditional enterprise security, built over time in response to specific threat types, is based on piecing together disparate security silos with disparate elements. This approach, though not optimal, seemed manageable for a traditional enterprise largely made of:
- Standards-based hardware with plenty of horsepower
- Standards-based software
- Sporting a 3-5 year lifespan
- Operating within a few highly accessible networks
- Accessing unlimited electrical supplies
- Physically touchable by people who manage them
Contrast this environment with what we find in IoT:
- Purpose-built devices with no hardware guidelines
- Software that is non-standard
- Designed for an 8-20 year lifespan
- Platform that is highly distributed and mobile
- Sipping limited and controlled power resources
- Minimal access to human touch or altogether inaccessible
Traditional enterprise security environments and the realities of IoT could not be more different.
IoT Ecosystems are typically highly distributed beyond the location(s) of the endpoints. The applications, data sets and management for IoT endpoints all operate from disparate platforms and locations. And because more and more operational tools are showing up with IP addresses, IT will not control the how, when and where of IoT network participation. Traditional management processes simply will not scale, or be agile enough for these environments.
Placing many devices with external dependencies and control on a shared network neuters perimeter security. In addition, having many IoT devices on a common shared network significantly increases cross-contamination risk. This risk increases exponentially with the addition of each new device and IoT brand.
Faced with these challenges, many organizations will continue applying their historical “silo” security approach to IoT because it is what they know. However, they will quickly be overwhelmed managing multiple point technologies that do not scale with the demands of IoT.
Where do we go from here?
We must recognize that new IoT security models will consume enterprise security – it is inevitable. IoT is not the tail – it is the dog! We need to move away from the “death by a thousand cuts” silo approach and move to a security model that is simple, agile, adaptive, and sustainable. And the new model must work across an organization’s entire technology expanse.
In addition, IoT security choices must take into account the extended 8-20 year lifespan of an IoT device. No longer can we think in terms of a three-year refresh cycle, with constant upgrades to the compute and memory needed to run the latest on-board security application.
IoT has already shifted how we work and will continue to do so at a more and more rapid pace until it reaches blistering proportions. There are viable security options, but they require that we shed our security conservatism. Managing security individually on hundreds of thousands or millions of assets, all of which are different, is impossible. Data center grade security delivered from the cloud “for” entire IoT Ecosystems rather than “on” each individual device is not just viable, but the new necessity. This will become the new standard over time.
Babak Pasdar is an Iranian-American innovator, cyber security expert, author and entrepreneur best known for his contributions in the areas of cloud-based security innovations and blowing the whistle on government warrantless wiretapping. Pasdar has been credited as one of the leading innovators of Cloud Delivered Security via two technology startups he founded – IGX Global in 1997 and Bat Blue Networks (now OPAQ Networks) in 2007. He served as CEO and CTO of both companies. Pasdar exited Bat Blue Networks in 2016 with the sale of his company to OPAQ Networks. Pasdar was selected as one of New York’s Top Ten Startup Founders in 2017.