How does the increasing ubiquity of IOT change security?


CISO in Software, 51 - 200 employees
IOT security, and anything that's agent-less, begs the question, “how do we secure all that?” Right now we don't have a solution at all. In the old days (5 years ago) we would just take the security cameras, the HVAC system, etc., and we'd throw it on another network separate from the corporate network and say, "Okay, we're good." But I don't think that's the case anymore. We have to start thinking differently about how we're going to protect the stuff in the future.
CIO, 5,001 - 10,000 employees
We do have this problem of many IOT devices on our network. Both ones that are real for operating our business plus many things we're testing in our labs. I kind of consider all of the Juniper Network Labs to present the same problem, because it's less controlled than you'd like it to be.
CTO in Healthcare and Biotech, 11 - 50 employees
We talked about cameras briefly when I was in Abu Dhabi. We actually launched a program and told the general public that the 4,000 cameras we were installing in downtown Abu Dhabi had nothing to do with monitoring people. It was all to do with trying to track whether you had had an accident, so we could respond quickly enough to you. But we put them every 100 feet on every single road, put a couple of thousand servers in a basement four stories down under the sand, and had a bunch of NSA people come along and build the software for us, right? It's a cool thing. There are two aspects that you have with security. One is putting up such a brick wall that you can't stop anybody coming in. The problem with that approach is now they go under it and over it, and by the way, they were already behind you when you built the brick wall, oops, right? The edge is the edge, and unfortunately mobile and IOT are a de facto thing you've got to think about. It's there. I've been watching re:Invent these last couple of weeks. It's Amazon's big conference. Vogels was on yesterday, talking about infrastructure and how they're moving... He was talking yesterday about their SIM, and it's 100 million users x 10 microservices running per user, active on any one day, creating 8 x 8 events per week per user. You're sitting there going, that's a billion logs for every time they click on the microservice. And he's like, "How would you see something in that?" You look at single sign-on solutions and none of them are really the greatest, and best of all, because they're single sign-on, they are trying to deal with legacy. But when I was at Stanford, someone once said to me that if you think about the scenario where no matter what you do, somebody is going to get in, instead of thinking about the sad side of security, you need to focus on what you look after the most: your data. If I've got it, how do I protect the data? How do I get a backup of the data?
How do I know the data is secured somehow, so I can roll back? But based on that scenario, I haven't found a solution that tells me, or can show me, what changed. I've heard this from healthcare orgs, I've heard it from academia, I've heard it from the airline industry. People get in and they change things. I can do that at an OS level; I can't do that in the database. I can't sit there and go, "Okay, let me have a look at the old copy I've got, and let's see if that was a real change or not." How do I look at a network device? You can say, "Who had privileged access and changed the network? Who did X, Y, and Z that changed the door access, whatever it is?" The end result is, I know people are getting in; what I've got to worry about is that they're not recording my Zoom sessions or my Teams sessions, right? We've got to classify what's important. Say you have trillions of dollars, right? I've got to classify: do I even give the ability to get to that network? That's a hard thing. Everybody wants to go online.
CIO in Education, 1,001 - 5,000 employees

I think that has to be off network, right? I think it gets back to the point of, what are your crown jewels? And how do you protect them, and where do you protect them? And can you vault them in a place where they just can't get to them? And then from a backup perspective, let's say you use a Code42, because you're convinced that they're the best solution for your ransomware. It's still a cloud provider; what guarantee do you have that they're going to be any better than what you're going to do, or that the backup is going to restore? All you know is you can get back to a point in time. Is that the right point in time? And is that the right point in time that's going to keep your business moving the way it needs to move, or is that just a point in time and everything that happened in between is now just a sunk cost?

MD - Digital, Data and Analytics in Healthcare and Biotech, 10,001+ employees

I don't know, you want to keep your data quantum-secure. Lattice-based cryptography, code-based cryptography.

CTO in Healthcare and Biotech, 11 - 50 employees

And to the power of 64.
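The "show me what changed" problem the CTO raises above, and the crown-jewels point in the first reply, are what configuration baselining is for: keep an integrity-sealed copy of each device's known-good configuration and diff every new snapshot against it, so a change made by someone who "got in" is visible even when nothing alerted at the time. The following is an added example, not code from any commenter or vendor on this page. The two switch configurations, the seal key and the list of risky fragments are constructed for illustration; a real deployment would pull snapshots from the devices (or from a tool such as RANCID or Oxidized) and keep the seal key away from the devices it protects.

```python
import difflib
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample: a stored baseline of a switch configuration and a later
# snapshot of the same device. Neither is taken from a real device.
BASELINE = """hostname edge-sw01
ntp server 10.0.0.5
access-list 10 permit 10.0.0.0 0.255.255.255
snmp-server community ******** RO
line vty 0 4
 transport input ssh
"""

CURRENT = """hostname edge-sw01
ntp server 10.0.0.5
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 203.0.113.0 0.0.0.255
snmp-server community ******** RW
line vty 0 4
 transport input ssh telnet
"""

# Assumed: the key lives with the reviewer, not on the device, so an intruder
# who edits both the device and the stored baseline cannot forge the seal.
SEAL_KEY = b"example-key-keep-off-the-device"

# Illustrative fragments whose appearance in an added line deserves a human look.
RISKY_FRAGMENTS = ("telnet", " RW", "permit any", "no logging")


def fingerprint(text: str) -> str:
    """SHA-256 of a whole snapshot, for a quick 'did anything change at all' check."""
    return hashlib.sha256(text.encode()).hexdigest()


def seal_baseline(text: str, key: bytes) -> str:
    """HMAC over the stored baseline so the old copy itself can be trusted later."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify_baseline(text: str, seal: str, key: bytes) -> bool:
    """True only if the baseline text still matches the seal made when it was stored."""
    return hmac.compare_digest(seal_baseline(text, key), seal)


@dataclass
class ChangeReport:
    changed: bool
    before: str
    after: str
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    flagged: list = field(default_factory=list)


def diff_config(baseline: str, current: str) -> ChangeReport:
    """Line-level diff of two snapshots: which lines were added, removed, and
    which of the added lines match a risky fragment."""
    a, b = baseline.splitlines(), current.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    report = ChangeReport(changed=baseline != current,
                          before=fingerprint(baseline),
                          after=fingerprint(current))
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            report.removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            report.added.extend(b[j1:j2])
    report.flagged = [line for line in report.added
                      if any(frag in line for frag in RISKY_FRAGMENTS)]
    return report


if __name__ == "__main__":
    seal = seal_baseline(BASELINE, SEAL_KEY)
    print("baseline seal valid:", verify_baseline(BASELINE, seal, SEAL_KEY))
    report = diff_config(BASELINE, CURRENT)
    print("changed:", report.changed)
    for line in report.removed:
        print("-", line)
    for line in report.added:
        print("!" if line in report.flagged else "+", line)
```

Run against the constructed snapshots, the report shows the SNMP community going from read-only to read-write, telnet being enabled on the VTY lines, and a new access-list entry; the first two are flagged for review. The same approach works for any text-serialisable state (database schema dumps, door-controller rule exports), which is the generalisation the commenter was asking for.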

CIO in Education, 1,001 - 5,000 employees
UCLA is quite the fascinating place, it's quite a huge place. IT on the campus is extremely distributed or federated. While the vision is that there's sort of one network for everybody, the reality is there's probably multiple networks, and that in its own right creates risk for the university. There is no one size fits all, or one single voice of IT for the campus. I'm at the Anderson School, which is the Graduate School of Management at Anderson. When I walked in the door about two years ago, at best I thought I was walking into technology circa 2009. I don't think the lack of ability to move the technology efforts forward was as much a criticism of IT as it is a criticism of us as a campus and culture. We're very risk averse. Unless somebody really has a vision and wants to drive it, we're happy with business as usual. "Oh, the system's down," it's not your fault, that's okay, we can wait till tomorrow. I'm very patient usually. So it's very anti-corporate. It's almost too collegial. It's a good news/bad news story because the reality is, we don't even have chat bots, we're nowhere near where we want to be with IOT. We know what we are aiming for... I was at a conference with Salesforce several years ago at USD where there were Alexas in the dorm rooms. That's all part of our vision, but it's not part of our current reality. There's less to secure and less to worry about on an IOT front today. But that doesn't mean that it's not tomorrow's problem or something that we need to think about. If I look comparatively at our school and the school I left at Columbia in terms of the central IT component, it's very similar in size with about 325 resources. Central IT security at Columbia was over 30 FTE while central security at UCLA is 15 FTE. IT Security is way understaffed, a bit overwhelmed, and involved in things that maybe they shouldn't be in.
I think from that perspective, to get to where we ultimately want to be with IOT is probably 3-5 years away in the best case. I'm not sure how good or bad that is from an enlightening perspective. Our perspective with IOT is that it's logically the vision, because that's where we should be, but we don't necessarily have the problem because we haven't figured out how to solve it yet.
CISO in Software, 51 - 200 employees

Right. I mean, IOT is just going to happen anyway, because everything is connected now.

CIO, 5,001 - 10,000 employees

It's already happened.

CTO in Healthcare and Biotech, 11 - 50 employees

It's a fundamental problem with, like you were saying, culture. It's a cultural issue.

Director of IT in Transportation, 5,001 - 10,000 employees
More ports to monitor.
