There’s no doubt that the IoT improves our lives in countless ways, whether through connected cars, smart cities, consumer electronics or medical devices. These technologies can change our lives. Take the last of these, medical devices: we’ve seen prototypes of a new contact lens that can read a diabetic person’s blood glucose levels and let them know visually if anything is wrong, in addition to countless devices that better connect doctors and patients.
The rush to embrace such technology speaks for itself, with the semiconductor industry alone producing 20 billion microcontrollers a year. Yet wherever new technologies take hold and start to proliferate, the hackers and attackers are never far behind. The same is true of the IoT, which means protecting all of those connected devices has never been so necessary or urgent.
For many organizations, getting this right means a fundamental shift in mindset. In the era of the PC/datacenter, security has been most easily delivered either by disk or by download. With IoT/Cloud, security must be integrated by design to be truly effective. That calls for an entirely new approach, especially given how IoT device makers often try to tightly control all software, including security software, on their devices, and how the hardware and software architectures of these devices are so heavily fragmented by vertical.
The list of contrasts goes on, but you get the picture: this is a very different world in which organizations operate, and one to which they are more and more drawn by its enormous potential, as are those who would seek to exploit any weaknesses in their armory.
Unfortunately, no single silver bullet ever delivers truly effective security. Effective security has to be composed from a short list of crucial ingredients. For simplicity, we frame those ingredients as four cornerstones. What, then, are the key cornerstones of IoT security? If you design your systems to effectively protect communications, protect devices individually, manage large numbers of devices over time, and have a security analytics capability to detect threats that get past the first three cornerstones, then you’ll have a strong fighting chance even against the most sophisticated adversaries.
To effectively protect and manage devices, security must be built into the end device, especially since, for such tightly integrated devices, it often can’t be bolted on later. The good news is that suppliers are proving increasingly willing to build in proper security, particularly where customers specify the level and types of security they require. Where customers struggle to effectively specify their security requirements to the equipment vendors from whom they buy, those customers can work with a leading security partner to get those requirements right. That way, all of the necessary ingredients for authentication, encryption, runtime security, and long-term update capabilities can be properly built into such equipment, and that’s where real progress begins.
With so much good security technology on the market from so many vendors, the real challenge is making security easy enough to embed into all of the radically different types of systems out there, tailoring it so it sits well in each vertical. One example is Symantec’s new automotive anomaly detection solution, where we took world-leading security technology and made it simpler for automakers to deploy in cars and trucks. By making top-level security easier to deploy, we’re making it easier for top brands to protect themselves both in things they build and things they buy.
Meet me at the Gartner Security and Risk Management Summit in a couple of weeks, where I will be presenting on how the CISO and CIO can ensure corporate IoT has security built in and how they can manage risk from employee-owned IoT. You can also visit our booth #303. See you there!