Article Written by Jeanne Morain, author & Digital Transformation strategist at iSpeak Cloud
Recently, one of the first known Internet of Things botnets, Mirai, conducted a DDoS attack on the website of well-known security blogger Brian Krebs. The writer of Mirai claims they can take over up to 380 thousand bots built from Internet of Things devices. What this attack has taught us is that, although standards bodies such as the Online Trust Alliance have come a long way in establishing standards, the rapidly growing Internet of Things market still remains nascent and riddled with security risks.
(C) iSpeak Cloud, 2016
"Security is defined as the State of Being Free from Danger or Threat. Internet of Things adds a layer of complexity and volume never seen before in the history of computers and computer data or the Digital Age." -- Don Cox, VP Security & Innovation DGS (Former CISO)
In my research for my latest book iSpeak Cloud: Embracing Digital Transformation, the number one concern of industry leaders, technology implementers, and executives from both the business and technology sides was security. This is understandable considering that 2015 marked one of the highest years on record for newly created viruses and cyber attacks. Many said they were worried about the impact a cybersecurity attack could have on their brand, and on the company overall through lost time, costs, and strain on resources. Internet of Things was raised as a security concern because it is a nascent market with limited best practices on security and implementation considerations. Combined with the predicted 50 billion IoT devices coming online by 2020, this makes them a formidable target for hackers wishing to steal personal information and data for either profit or glory.
"Shadow IT adoption combined with Internet of Things Device proliferation exponentially increases risk of a security breach. It is no longer a matter of if you have a breach but when at this point." -- Alex Ryals, VP Security at Avnet
Top 5 Challenges for Security & IoT
The top 5 challenges for security around Internet of Things center on the emerging market and standards, having executive and board support for funding new initiatives, limited skill sets, available technology, and shadow IT.
1. Creation and adoption of new security standards throughout the value chain. Defining the security posture and recommended best practices is the first step in a long journey. Companies now must not only adopt those postures but also have the staff and skill set to implement them, or outsource to a qualified third party.
2. Executive and board level support. Digital Transformation is top of mind across many companies today. Companies are having to make tough choices to either move forward with Digital Transformation or perish. Out of necessity, this drives the board and executives to cut budgets, cut corners, and refocus efforts on Digital Transformation. That refocus often leaves security underfunded and misunderstood in terms of its priority to the company overall. Even if security personnel know exactly what to do, they may not have the funding, and therefore the ability, to address those items.
3. Limited standards around Cloud Adoption by Enterprise. Many enterprise companies are cloud by happenstance. Only 14% surveyed by CIO Insight reported having a cohesive strategy for cloud adoption. In contrast, over 60% of companies' IT assets will be in off-premise datacenters and colocations by 2018, according to IDC in their Worldwide Datacenter predictions of 2016. Many companies are struggling to get control of their Shadow IT processes, let alone have a security policy for Internet of Things devices that will use those cloud resources. The proliferation of cloud-based technologies leaves a level of unknowns about where the protected data is actually located.
4. Limited technology available. Traditional tools for scanning and discovery cannot scale to fit the needs of the plethora of devices, virtual machines, and traditional systems across a hybrid environment. The current technology takes time and bandwidth and consumes resources to complete an assessment. In larger enterprises a full scan can take days or even weeks to complete, depending on the number of devices. The time between scans creates a window of opportunity for hackers to penetrate and infiltrate devices throughout the disparate cloud system.
5. Limited Skill Set / Staff. Although the security team may be well versed in what to do to prevent an attack, many of the company's other employees are not. Limited staff for training and prevention makes it harder to enforce policies that prevent bad behavior. In addition, the growing practice of moving service workloads to the cloud means those workloads are handled by staff who are not employed by the company. As a result, these individuals may or may not know the company's required security postures when they are lifting and shifting workloads to optimize performance.
"Internet of Things entering an environment unchecked and unmanaged increases the attack surface well beyond the value the devices bring. Current security platforms also have difficulty understanding and evaluating the risks associated with smart devices, enabling leadership to make informed decisions." -- Chris Armstrong, Teknow Consulting Solutions
What can YOU do today to start addressing the challenges?
1. Bring Security Front & Center to the Cloud Conversation - In iSpeak Cloud: Embracing Digital Transformation (add link to book), Phase 1 is all about giving the right people a seat at the table. Instead of working around Security and Audit, it is imperative for your company's future success that they have an equal voice in the Digital Transformation discussion from Client to Cloud.
2. Break it Down to Dollars and Sense for Executive Sponsorship - Often I hear the objection that executives do not spend enough on security. Part of ensuring that security is funded is having the Security and Cloud experts work with the business leadership to build the Digital Transformation budget. If your leadership is not listening, perhaps it is because they need to hear the message in a language they understand - impact on the bottom line and ultimately the stock price. Build a message with examples of breaches and of the costs beyond what breach insurance covers: restitution and damage to the overall company brand.
3. Participate in Standards Bodies around Cloud, Internet of Things, and Security. Several new and proposed standards are emerging around security and interoperability postures. It is important to weigh in on changes that you believe may create a greater risk for your company. Cross-pollination of security requirements and best-practice standards is essential for creating policies and procedures that enable both security and compliance. Key efforts to watch are the Distributed Management Task Force's proposals on the Software Defined Datacenter and Redfish (add links) and its ongoing workgroups on Cloud. Others include the National Institute of Standards and Technology, the Cloud Security Alliance, and the Online Trust Alliance. Remember, if you are not part of the solution then you are part of the problem.
4. Architect for Compliance with Security, Regulatory, and Business directives. One effective measure has been creating a culture that builds a "compliance by design" approach into adoption. Compliance by Design advocates training key architects and designers on the company's compliance requirements and holding them accountable for architecting solutions that not only fulfill the user's requirements but also maintain the required posture for security, privacy, and other regulatory elements. New regulations such as Privacy Shield are starting to require a Privacy by Design approach; adding other compliance elements is only a step further.
5. Automate, Educate and hold all employees accountable for security. Yes, there is a shortage of skilled resources in this area. Top performers take a bifurcated approach. First, they automate as much as possible by creating micro-services that control and check cloud solutions being onboarded before they are allowed to enter the network. Second, they focus their best security experts on educating and enforcing security with all employees. Too often users are taught about security during onboarding or the annual required training class but are not held accountable for applying it in their everyday tasks. To bring the discussion home, it is imperative that employees are held accountable when they work around the process, fail to read the fine print, or encourage others to do so.
If you would like additional information regarding iSpeak Cloud you can:
- Download a complimentary copy of iSpeak Cloud: Embracing Digital Transformation from HPE while it is available
- Buy iSpeak Cloud: Crossing the Cloud Chasm or Jeanne Morain's books on Amazon.com
- View iSpeak Webcasts on BrightTalk.com
- Or Visit www.ispeakcloud.com for engagements and workshops in a city near you
I would like to express sincere appreciation to Don Cox, Alex Ryals and Chris Armstrong for their continued support and insight for this article, the iSpeak Cloud books and channel.
About the Author
Jeanne Morain is an author & Digital Transformation strategist at iSpeak Cloud.
She has held various executive roles in strategy and product management with the Apollo Group, Flexera Software, VMware (Thinstall) and BMC Software (Marimba). Jeanne currently advises startups and large enterprises on implementing new products and strategies to enable excellence in the digital economy. Jeanne has two decades of experience in systems management, virtualization and cloud computing and has participated in the implementation of solutions for millions of users across Fortune 2000 companies. She has won numerous awards for her work, including the prestigious International Association of IT Asset Managers' Fellow award in 2016 for her work in business service management, and a Lifetime Member Award in the areas of business service management, universal clients (also known as virtual desktop infrastructure), dynamic data center and virtualization. She is an author and coauthor of books on BSM, virtualization and cloud computing.
Jeanne is best known for her customer-/partner-centric approach. She is a noted speaker at VMworld, Interop, CloudSlam, IAITAM, CXO events and other user conferences. Jeanne holds a Master's degree from Southern Illinois University and certification in ITIL. www.ispeakcloud.com, twitter @JeanneMorain