Securing the Internet of Things requires new thinking on security
- 20 June, 2016 10:56
Adding connectivity to all manner of devices has created immense opportunities to build self-monitoring, self-managing networks that leverage ubiquitous computing to deliver services in entirely new ways. Yet with this opportunity also come new threats, as Internet of Things (IoT) visionaries recognise the need to embrace new forms of information security to prevent malicious exploitation of their expansive visions.
Those visions invariably include plans to exploit the wealth of sensor and other data that the IoT generates – in quantities so massive that businesses are having to reconsider their data-retention strategies.
It's happening faster than many people may appreciate: a recent report from Verizon, for one, concluded that the IoT had already reached the technology mainstream, with monetisation of IoT data fast becoming a key strategic effort. Some 50 percent of businesses expect to be using over 25 percent of their data in the next 2 to 3 years, the research found – driving data analytics from being “descriptive data collection to a more sophisticated model of predictive and prescriptive data analytics”.
Recognising the opportunity to shape this trend, operators of cloud-based IoT architectures are bulking out their offerings in response, adding proactive analytics tools designed to help sift through and archive IoT data without allowing it to flood the corporate network and overwhelm data-storage capabilities.
These protections complement existing security controls, such as protection against distributed denial of service (DDoS) attacks, that have grown in importance as businesses increasingly move mission-critical workloads – such as customer portals, Web-site front ends and a range of other public services – to the cloud.
“The ability of clouds to scale with demand, and the flexibility that provides, gives businesses major competitive advantages not only against competitors but in difficult situations where they face attacks,” says Ian Farquahar, distinguished sales engineer with security specialist Gigamon.
“Organisations just don't want their own data centres anymore; there are industries where opening your own data centre gives you a competitive advantage, but they are few and far between these days.”
The desire to offload non-core systems to the cloud is driving a change in the perception of the role of IT departments, which by many estimations are migrating from being technology curators to becoming brokers of cloud services within their organisations.
Along with this growing familiarity came a growing proportion of IT executives that saw public cloud as a priority (up from 17 percent in 2014 to 28 percent in 2015) and – despite earlier suggestions that many executives are anxious about the security of cloud services – a decreasing proportion of executives that saw the security of the cloud as a significant challenge (down from 47 percent in 2014, to 41 percent in 2015).
With cloud services becoming hosts for concentrations of business data, cloud operators are also tightening their security perimeters to minimise the risk from cybercriminals targeting those central repositories of data. Managing this risk – particularly in terms of maintaining compliance with statutory privacy obligations – requires businesses to find ways to maintain visibility of data and services that don't reside on their own premises.
This, says Farquahar, is is often easier said than done. “If you've got business critical workloads in the cloud you want them to provide as good a level of performance as you get on-premises, and you need to be aware of attacks on their infrastructure,” he explains.
“Although several cloud providers offer in-cloud firewalls and other protections, they are servicing a very wide range of needs and some of these advanced security use cases are still in development; you do not have the same visibility as you would if it was running in your data centre.”
With 16 percent of respondents to the recent 2016 CSO Security Priorities Survey revealing that they already run six or more separate security platforms, the last thing they need is another one dedicated to IoT.
To embrace the new technologies without making their security monitoring even more complex, many businesses are looking for additional security services that complement those provided by public-cloud providers. Gigamon, for its part, recently began trialling a capability for providing deep monitoring of workloads hosted in the Amazon Web Services (AWS) public cloud.
A growing number of IoT-related aggregation and analytics services are being constructed and delivered within AWS, largely for the same scalability and expandability that is driving enterprises towards the public cloud. This primes the emerging IoT market for improved visibility through probes such as Gigamon's, which runs on a virtual server to provide deep insight into process activity on that server's activities and interdependencies.
When combined with other operational information from on-premises systems and networks, enterprises can get a clear view of the security climate in the public-cloud environments they are building to support ubiquitous-computing models. And that, says Farquhar, will be crucial as businesses move past vague concerns about cloud and increasingly use security as a key criteria in determining whether a workload can be moved to the cloud or not.
“It totally derisks that decision to move to the cloud,” he explains. “Risk is a real cost to the business and we're removing a lot of that cost by allowing them to properly manage it. Unknown, unmanaged risk is a problem – and do manage it, you've got to have the capability to understand and control it.”
Some 75 percent of respondents to the 2016 CSO Security Priorities Survey said they were expecting more focus on risk management in the coming year, with 63 percent saying their executives were placing more value on risk management than they were a year ago. Fully 38 percent said they were re-evaluating their security capabilities, while a further 27 percent were re-evaluating their business requirements.
As those business requirements continue to expand and IoT evolves from being a peripheral concern into a key driver of new products and services, the need to deliver those services in a well-managed cloud environment, where privacy and security are maintained at the highest levels, will be of paramount concern.
“The cloud is not just a black box with data going into it and coming out,” says Farquhar. “Other things happen in there – there are security incidents, performance issues, and network issues – and they need visibility. This market is growing, and it's absolutely critical. You can't defend against what you can't see.”
“If you've got business critical workloads in the cloud you want them to provide as good a level of performance as you get on-premises, and you need to be aware of attacks on their infrastructure....cloud providers are servicing a very wide range of needs and some of these advanced security use cases are still in development; you do not have the same visibility as you would if it was running in your data centre.”
“The cloud is not just a black box with data going into it and coming out. Other things happen in there – there are security incidents, performance issues, and network issues – and they need visibility. This market is growing, and it's absolutely critical. You can't defend against what you can't see.”