Comments
IoT: Get Security Right The First Time
Laurianne, User Rank: Author, 6/17/2014 | 12:10:11 PM
IoT
I saw a term on Twitter today regarding IoT security that I loved: Thingfrastructure. Readers, do you feel like your IT organizations are doing adequate IoT prep?
Lorna Garey, User Rank: Author, 6/17/2014 | 1:46:42 PM
Business opportunity
I have been hearing for literally a decade how key management is too hard, and that's why we can't encrypt universally. Either IT and security pros are flinging excuses, or VCs have missed the boat on a huge business opportunity.
ChrisMurphy, User Rank: Author, 6/17/2014 | 1:50:16 PM
Re: IoT
What I've been hearing more often is how the IT-centric view of information security won't cut it in the Internet of things world. Whether it's privacy policies or endpoint protection, we need people in operations, supply chains, legal, and IT rethinking security. One expert bluntly put it to me that the IT folks don't get the operational technology challenges.
Stratustician, User Rank: Ninja, 6/17/2014 | 2:38:20 PM
Re: Business opportunity
I think a lot of it has to do with the technology that comes with IoT. Since many use RFID, the security controls simply aren't in place in how the technology operates. Since the transmitter is essentially a dumb terminal in that it will respond to any request it receives, it would require an overall change to how these operate, meaning redesigning the receivers to understand encrypted data. Other technologies require the same type of key component, which sadly often gets omitted during the technology design phase when it comes to how these are utilized (in cars etc.). Needless to say, it's a very real concern as IoT continues to be used in more everyday applications.
Jon Geater, User Rank: Apprentice, 6/17/2014 | 5:22:54 PM
Re: Business opportunity
Encrypting universally is easy. It wouldn't even take VC money to do it.

Decrypting, on the other hand... you might find some issues with that.

One of the many issues here is that key management is a fourth-order problem. You only need key management because you started encrypting (or signing, or authenticating) stuff. And you only started encrypting (or signing, or authenticating) stuff because other bits of the network of systems that handle your data don't otherwise adequately secure it.

And what's adequate? Well, that's up to you, and up to what your data is, and up to what the consequences are if your data is leaked, or copied, or corrupted. There's your first-order problem.

In IoT you have large numbers of actors, many different types of data, and crucially your expectations about who or what is allowed to decrypt any given lump of information may well change depending on very complex factors that cannot be analysed by the thingfrastructure itself.

Specific key management for specific closed, controlled scenarios is well understood, and has been for more than the decade you mention (though I concede even in these situations it's rarely done right). Generalized key management to suit all possible definitions of 'adequate' for all possible combinations of dynamic actors, systems and data? That's the toughie.
Patrick Oliver Graf, User Rank: Apprentice, 6/19/2014 | 1:33:27 PM
Re: IoT
You make a good point, as all departments need to have a seat at the table to discuss security issues that affect their roles in running the business. Whether due to BYOD or necessitated by enterprise requirements, a wide range of new connected devices will be accessing networks in the coming years and numerous threat vectors will emerge to exploit them. These trends will affect everyone in an organization who uses or interacts with a device that connects to the corporate network.

IT departments will have to approach information security, and implementing policies and technologies, more collaboratively and flexibly. As IT professionals are already learning from the BYOD trend, flexibility and open dialogue are necessary to support the systems and devices departments and users need while still maintaining security. To do that, given the limited resources they have, IT's priorities for information security must also shift to centrally managing and automating as many of their management tasks as possible and using network and security components that are interoperable. As we've seen from the Target breach, organizations' systems are more interconnected than many often think, but often not by design, and a truly holistic, defense-in-depth approach is required.