How does the increasing ubiquity of IOT change security?

IOT security, and anything that's agent-less, begs the question, “how do we secure all that?” Right now we don't have a solution at all. In the old days (5 years ago) we would just take the security cameras, the HVAC system, etc., and we'd throw it on another network separate from the corporate network and say, "Okay, we're good." But I don't think that's the case anymore. We have to start thinking differently about how we're going to protect the stuff in the future.

Anonymous Author
We do have this problem of many IOT devices on our network, both ones that are real for operating our business and many things we're testing in our labs. I kind of consider all of the Juniper Network Labs to present the same problem, because it's less controlled than you'd like it to be.
0 upvotes
Anonymous Author
We talked about cameras briefly when I was in Abu Dhabi. We actually launched a program and told the general public, the 4,000 cameras we were installing in downtown Abu Dhabi had nothing to do with monitoring people. It was all to do with trying to track whether you had had an accident, so we could respond quick enough to you. But we like to put them every 100 feet on every single road, and put a couple of thousand servers in a basement, and four stories down under the sand, and had a bunch of NSA people come along and build the software for us, right? It's a cool thing. There's two aspects that you have with security. One is putting up such a brick wall that you can't stop anybody coming in. The problem with that approach is now they go under it and over it, and by the way, they were already behind you when you built the brick wall, oops, right? The edge is the edge, and unfortunately mobile and IOT is a de facto thing you've got to think about. It's there. I've been watching re:Invent this last couple of weeks. It's Amazon's big conference. Vogels was on yesterday, talking about infrastructure and how they're moving... He was talking about yesterday, their SIM, and it's 100 million users x 10 microservices running per user, active at any one day, creating 8 x 8 events per week per user. You're sitting there and going, that's a billion logs for every time they click on the microservice. And he's like, "How would you see something in that?" You look at single sign-on solutions and none of them are really the greatest, and best of all because they're single sign on, they are trying to deal with legacy. But when I was at Stanford, someone once said to me that if you think about the scenario where no matter what you do, somebody is going to get in, instead of thinking about the sad side of security, you need to focus on what you look after the most: your data. If I've got, how do I protect the data? How do I get a backup of the data?
How do I know the data is secured somehow? So I can roll back. But based on that scenario, I haven't found a solution that tells me, or can show me what changed. I've heard this from healthcare orgs, I've heard it from academia, I've heard it from the airline industry. People get in and they change things. I can do that on an OS level, I can't do that in that database, I can't sit there and go, "Okay, let me have a look at the old copy I've got, and let's see if that was a real change or not." How do I look at a network device? You can say, "Who had privileged access and changed the network? Who did X, Y, and Z, that changed the door access, whatever it is." The end result is, I know people are getting in, what I've got to worry about is, they're not recording my Zoom sessions, or my team sessions, right? We've got to classify what's important. Say you have trillions of dollars, right? I've got to classify, do I even give the ability to get to that network? That's a hard thing. Everybody wants to go online.
0 upvotes
Anonymous Author
UCLA is quite the fascinating place, it's quite a huge place. IT on the campus is extremely distributed or federated. While the vision is that there's sort of one network for everybody, the reality is there's probably multiple networks, and that in its own right creates risk for the university. There is no one size fits all, or one single voice of IT for the campus. I'm at the Anderson School, which is the Graduate School of Management at Anderson. When I walked in the door about two years ago, at best I thought I was walking into technology circa 2009. I don't think the lack of ability to move the technology efforts forward was as much a criticism of IT as it is a criticism of us as a campus and culture. We're very risk averse. Unless somebody really has a vision and wants to drive it, we're happy with business as usual. "Oh, the system's down," it's not your fault, that's okay, we can wait till tomorrow. I'm very patient usually. So it's very anti-corporate. It's almost too collegial. It's a good news/bad news story because the reality is, we don't even have chat bots, we're nowhere near where we want to be with IOT. We know what we are aiming for... I was at a conference with Salesforce several years ago at USD where there were Alexas in the dorm rooms. That's all part of our vision, but it's not part of our current reality. There's less to secure and less to worry about on an IOT front today. But that doesn't mean that it's not tomorrow's problems or something that we need to think about. If I look comparatively at our school and the school I left at Columbia in terms of the central IT component, it's very similar in size with about 325 resources. Central IT security at Columbia was over 30 FTE while central security at UCLA is 15 FTE. IT Security is way understaffed, a bit overwhelmed, and involved in things that maybe they shouldn't be in.
I think from that perspective, to get to where we ultimately want to be with IOT is probably 3-5 years away in the best case. I'm not sure how good or bad that is from an enlightening perspective. Our perspective with IOT is that it's logically the vision, because that's where we should be, but we don't necessarily have the problem because we haven't figured out how to solve it yet.
0 upvotes
Anonymous Author
More ports to monitor.
0 upvotes