IoT: Get Security Right The First Time
User Rank: Author
6/17/2014 | 12:10:11 PM
I saw a term on Twitter today regarding IoT security that I loved: Thingfrastructure. Readers, do you feel like your IT organizations are doing adequate IoT prep?
User Rank: Author
6/17/2014 | 1:50:16 PM
Re: IoT
What I've been hearing more often is how the IT-centric view of information security won't cut it in the Internet of things world. Whether it's privacy policies or endpoint protection, we need people in operations, supply chains, legal, and IT rethinking security. One expert bluntly put it to me that the IT folks don't get the operational technology challenges.
Patrick Oliver Graf
User Rank: Apprentice
6/19/2014 | 1:33:27 PM
Re: IoT
You make a good point, as all departments need to have a seat at the table to discuss security issues that affect their roles in running the business. Whether due to BYOD or necessitated by enterprise requirements, a wide range of new connected devices will be accessing networks in the coming years and numerous threat vectors will emerge to exploit them. These trends will affect everyone in an organization who uses or interacts with a device that connects to the corporate network.

IT departments will have to approach information security, and implementing policies and technologies, more collaboratively and flexibly. As IT professionals are already learning from the BYOD trend, flexibility and open dialogue are necessary to support the systems and devices departments and users need but still maintain security. To do that, given the limited resources they have, IT's priorities for information security must also shift to centrally managing and automating as many of their management tasks as possible and using network and security components that are interoperable. As we've seen from the Target breach, organizations' systems are more interconnected than many often think, but often not by design, and a truly holistic, defense in depth approach is required.
Lorna Garey
User Rank: Author
6/17/2014 | 1:46:42 PM
Business opportunity
I have been hearing for literally a decade how key management is too hard, and that's why we can't encrypt universally. Either IT and security pros are flinging excuses, or VCs have missed the boat on a huge business opportunity.
User Rank: Ninja
6/17/2014 | 2:38:20 PM
Re: Business opportunity
I think a lot of it has to do with the technology that comes with IoT. Since many use RFID, the security controls simply aren't in place in how the technology operates. Since the transmitter is essentially a dumb terminal in that it will respond to any request it receives, it would require an overall change to how these operate, meaning redesigning the receivers to understand encrypted data. Other technologies require the same type of key component, which sadly often gets omitted during the technology design phase when it comes to how these are utilized (in cars etc). Needless to say, it's a very real concern as IoT continues to be used in more everyday applications.
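To make the "dumb terminal" point concrete, here is an added simulation (not code from the thread or from any RFID vendor) of the two designs side by side: a tag that answers every query, and a tag that answers only a reader that proves knowledge of a shared key through an HMAC-SHA256 challenge-response. The master key, the tag identifier and the per-tag key derivation are constructed for the demonstration; real RFID air-interface formats and the protocol itself are assumptions made here, not a description of any deployed standard.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration (not real tag data).
MASTER_KEY = b"constructed-master-key-for-demo"
TAG_UID = b"TAG-0001"


def derive_tag_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-tag key derived from one master key (assumed scheme), so a
    reader holds a single secret and each tag still gets its own key."""
    return hmac.new(master_key, b"tag-key|" + uid, hashlib.sha256).digest()


class DumbTag:
    """Models the tag described above: it answers every request it receives."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def query(self, _request: bytes) -> bytes:
        return self.uid  # no check at all on who is asking


class AuthenticatedTag:
    """Tag that answers only a reader that proves knowledge of the shared key."""

    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid = uid
        self.key = key
        self._nonce = None  # outstanding challenge, if any

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; the reader must MAC it to be answered."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def query(self, reader_proof: bytes):
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if nonce is None:
            return None  # no challenge outstanding: refuse
        expected = hmac.new(self.key, b"read|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reader_proof):
            return None  # wrong key or stale proof: refuse
        return self.uid


def reader_proof(key: bytes, nonce: bytes) -> bytes:
    """Reader side: MAC the tag's nonce with the shared key."""
    return hmac.new(key, b"read|" + nonce, hashlib.sha256).digest()


def read_tag(tag: AuthenticatedTag, key: bytes):
    """Full exchange: ask for a challenge, answer it, get the identifier or None."""
    nonce = tag.challenge()
    return tag.query(reader_proof(key, nonce))


# Scenarios comparing the two designs.

def dumb_tag_answers_anyone() -> bytes:
    return DumbTag(TAG_UID).query(b"any request at all")


def authorized_reader_succeeds() -> bytes:
    key = derive_tag_key(MASTER_KEY, TAG_UID)
    return read_tag(AuthenticatedTag(TAG_UID, key), key)


def unauthorized_reader_fails():
    key = derive_tag_key(MASTER_KEY, TAG_UID)
    return read_tag(AuthenticatedTag(TAG_UID, key), b"some-other-key")


def stale_proof_fails():
    """A proof computed for an earlier challenge is useless against a new one."""
    key = derive_tag_key(MASTER_KEY, TAG_UID)
    tag = AuthenticatedTag(TAG_UID, key)
    old = reader_proof(key, tag.challenge())  # proof for the first challenge
    tag.challenge()  # tag has since issued a fresh challenge
    return tag.query(old)


if __name__ == "__main__":
    print("dumb tag:", dumb_tag_answers_anyone())
    print("authorized reader:", authorized_reader_succeeds())
    print("unauthorized reader:", unauthorized_reader_fails())
    print("stale proof:", stale_proof_fails())
```

The design difference is exactly the "key component" the comment says gets omitted: once the tag expects a MAC over a fresh nonce, a key has to exist on both sides, which is where key management enters. The exchange shown authenticates the reader only; binding the tag's reply to the same nonce would be needed for the reader to trust the tag in return.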
Jon Geater
User Rank: Apprentice
6/17/2014 | 5:22:54 PM
Re: Business opportunity
Encrypting universally is easy.  It wouldn't even take VC money to do it.

Decrypting, on the other hand, might find some issues with that.

One of the many issues here is that key management is a fourth-order problem.  You only need key management because you started encrypting (or signing, or authenticating) stuff.  And you only started encrypting (or signing, or authenticating) stuff because other bits of the network of systems that handle your data don't otherwise adequately secure it.

And what's adequate?  Well, that's up to you, and up to what your data is, and up to what the consequences are if your data is leaked, or copied, or corrupted.  There's your first-order problem.

In IoT you have large numbers of actors, many different types of data, and crucially your expectations about who or what is allowed to decrypt any given lump of information may well change depending on very complex factors that cannot be analysed by the thingfrastructure itself.

Specific key management for specific closed, controlled scenarios is well understood, and has been for more than the decade you mention (though I concede even in these situations it's rarely done right). Generalized key management to suit all possible definitions of 'adequate' for all possible combinations of dynamic actors, systems and data? That's the toughie.
