The traditional security boundary in information technology consisted of a line of demarcation: on one side of the line everything was considered untrustworthy, while on the other side, the network and everything connected with it was considered trustworthy. A typical corporate firewall appliance separated the environments.
This thinking is under assault from an emerging disruptive technology called the Internet of Things (IoT), in which everyday objects possess network connectivity that allows them to send and receive data. Examples include lighting, household appliances, traffic control systems, agricultural sensors, and wearable devices. Some estimates forecast that someday we could see as many as 10o trillion connected devices.
How extensive is the Internet of Things, and how much data does it generate? Here are a few clues:
- A Boeing jet engine generates 20TB of operational data per hour.
- The number of connected device surpassed the number of humans on earth in 2008, and experts predict that as many as 200 billion devices will be connected by 2020.
- With the IPv6 protocol, there are about 100 possible Internet addresses for every atom on the surface of the earth (approximately 1036 addresses, compared to approximately 1034 atoms).
- Global IP Traffic has increased at over a 20% annual compound growth rate, yielding a 5x increase in global internet traffic between 2008 and 2013.
- The IoT market has been estimated to be worth nearly $9 trillion by 2020.
As the IoT continues to drive a rapidly increasing number of data sources, the complexity and overall attack surface is increasing exponentially—and along with that, the risk that any of the data points will be vulnerable and compromised. Compounding this issue is the fact that these sources are not contained within traditional, trusted network boundaries. Additionally, many of these sources will increasingly be public or shared devices to which physical access cannot be controlled, and which do not fall under the organization’s governance. Mobility, together with the cloud model that is supplanting traditional server-client architectures, only increases this challenge as services and data points from both inside and outside the organization and delivered to devices which may be primarily owned and governed by the users themselves.
Disruptive technology models such as the IoT are driving increased innovation and efficiency, and leveraging them intelligently will be critical to any IT organization’s long-term success. How can an organization invest in the promise of the emerging IoT capabilities while simultaneously mitigating the increased risk that they bring? How can an organization know what data, data sources, devices, and locations to trust when all of the traditional lines have been blurred?
Every CIO, CTO, and security analyst must operate under the assumption that there is no such thing as a trusted network, and everything should be considered inherently untrustworthy (the Zero Trust Model).
In the future, the full maturity of the IoT model will lead to software-based security products which are federated and able to apply analytical reasoning across a multitude of data sources. Bayesian probability can be applied to a group of data sources such that risk can be evaluated based on the collective state of the entire group as conditions change. Correlation of anomalies across data points can be evaluated to eliminate false positives, to mitigate the compromise of any single device, and to identify security incidents in progress. Unfortunately these capabilities are lagging behind the adoption of the technology itself leaving organizations increasingly vulnerable.
Today, an organization’s best strategy for defense would include:
- A secure network architecture with robust granular partitioning capabilities and overlapping security features
- A strong mobile device management (MDM) policy and enforcement solution
- Writing secure code
- Consistent scanning and monitoring of all devices and software connected to the network
- Implementing a data classification and governance policy
- Writing and enforcing strong security policies
- Implementing security best practices based on industry standards such as ISO
Sirius employs highly certified IT consultants who are experts in security not only in the data center, but throughout your entire organization, including mobile solutions. They can evaluate your security posture and vulnerabilities, and develop a strategy that will help you maximize the opportunities that come with the Internet of Things, while reducing the threats and challenges.
Learn more about the security challenges related to the Internet of Things:
>> Read The Vulnerability of Everything, an article published to CIO.com on June 24, 2014
>> Read The Internet of Things likely to drive an upheaval for security, an article published to ComputerWorld.com on May 2, 2014
>> Read The Half-Baked Security Of Our ‘Internet Of Things’, an article published to Forbes.com on May 27, 2014
>> Read Study: 7 in 10 concerned about security of Internet-of-Things, an article published to PCWorld.com on June 23, 2014
>> Read DARPA: Without better security, the internet of things will be messy, news from the Gigaom conference, including a video with Dan Kaufman, Director of the Information Innovation Office at Defense Advanced Research Projects Agency
>> Read Traffic lights, fridges and how they’ve all got it in for us, an article published to TheRegister.com on June 23, 2014