The great IoT security gold rush of 2016 started on October 19th, when the publicly available DYN DNS servers were subject to a DDOS attack, that may or may not have included malicious IoT devices. Since that attack I’ve seen several articles published talking about IoT security.
First off, we need to be careful. There are many fish to fry here, and picking the first one is hard. Security is critical, important and should be one of the top considerations. But it should only be one of the top considerations. It is important that we consider the reality of everything that has to happen. Security is neither the chocolate sauce nor the whipped cream of an Ice Cream Sundae. It is in fact, the bowl. Secure and protecting the Ice Cream from its inevitable decline (melting and providing the consumer with a delightful sticky awful mess). The bowl represents the security. The spoon is the user interface and finally the various toppings and actual ice cream are the reason people come to the ice cream shop.
The Ice Cream is best served in the bowl. As a parent, I can tell you the cone problem actually is much worse than people tell you. It is a mess. Cones, are replaceable security components however that fit well with the concept of mobility. So, the cone represents mobile security. I have for a long time heard many people talk about the concepts of MDM (mobile device management) but they always speak of containers, HTML 5 type or remote device control. The cone is our mobile security solution that we need to evolve.
Let’s consider the melting ice cream our security breach. The cone has two distinct weak points as far as holding ice cream. The first is the tip or base (sugar cone or waffle) that once soggy allows liquid to escape. The bowl (traditional network or cloud) actually catches the majority of the melted Ice Cream and therefore has reduced risk) We can overload the bowl, which will cause data leakage but for the most part the bowl is more secure than the cone.
As the world moves closer to the cone and away from the bowl we need to figure out how we can create removable cone and removable bowl security. By removable I mean that the security module of the solution can be updated quickly. I can, if needed replace my bowl or cone without worrying about the contents melting, being exposed to something (someone sneezing perhaps) or other risks that make it impossible to enjoy my ice cream.
To me the easy answer is two staged. Either the concept of a temporary security solution that encompasses the ice cream during the transfer or a new container that replaces the existing container without pause. The reason for this is cost over time. Mobile isn’t just a tablet or a phone. It is all of the IoT devices that are carried, moved or used on the go. Static IoT devices are more like the ice cream sundae, they don’t move. So, we have a clear delineation of security within the concept of IoT.
You can secure everything. You have to balance the reality of applying a bowl to a mobile device (it won’t work effectively) or trying to improve your cones so that they don’t leak (also something that may not be a good use of money). Or you could perfect non-melting ice cream, that only melts in the presence of a specific chemical (with say the makeup of human saliva).
Reality is the minute information leaves your ice cream bowl, it is at risk. The additional risk that organizations incur is the reality of security hardware. If I cannot replace the security stance of my IoT farm, I am at risk. If it isn’t easy to replace or upgrade security, organizations will lose sight of security updates. It’s called configuration drift. It happens frequently. Where devices are out of alignment with standards and don’t get upgraded. They end up on an exception list and a human being has to go from device to device updating them. Time becomes the enemy, and you end up with a lot more melted Ice Cream in your environment.
Modular IoT and Mobile phone security is a simple answer the industry can quickly embrace and extend. That and locking IMEI chips so that once a phone is stolen and it is reported, that IMEI can never connect to the cellular network again. Making the stolen device useless.
Carry baby wipes in case of Ice Cream melting!