Despite all the noise around the Internet of Things (IoT) today, the fact is that it’s not new. There has been an IoT for at least ten years, if not longer. Webcams, printers and other machines have been connected and communicating via the IP protocol for quite a while. There have always been things communicating with each other.
However, there are some new aspects to it that are affecting security. In the past, the IoT was, for the most part, operated by professionals. At the very least, somebody consciously connected devices and had to take responsibility and ownership of them. The pervasive consumerisation of the IoT has changed that.
If you take the example of the infamous smart fridge, no one makes a conscious decision to connect the fridge to the Internet. Whether something should be connected to the Internet is, for the most part, no longer a conscious decision; it just happens. This has all manner of consequences.
Ten years ago, the IoT (such as it was) was a big mess from a security point of view. Worms were spreading at immense speed as servers talked to each other without the involvement of administrators or users. Thankfully, we incorporated fundamental security features into the architecture and since then, there have been very few successful automated mass threats similar to those outbreaks in the early 2000s.
The good news is that today there still aren’t any major pandemic threats, even though there are hundreds of millions of smartphones permanently connected to the Internet. In theory, and in the laboratory environment, smartphones are easy to hack and vulnerable to targeted attacks. However, in reality, this hasn’t really happened. The sheer variety of smartphones, different user behaviour and the lack of massive standardisation, as there was with Windows in the PC market, means that the probability of a global breakdown is not as great as you might expect.
The bad news is that targeted attacks are incredibly easy. Most of the time, the majority of us aren’t a target. However, there are a few scenarios where targeted attacks become more attractive. Let’s face it; taking over somebody’s fridge is pretty useless. You can use or abuse it as a spambot but you can buy spambot nets for a ridiculously low price so there is no commercial gain in targeting fridges.
When it comes to cars, it might be a bit different. With the first field experiments of driverless cars in the UK set for 2015, cars will become a much more attractive target from a blackmail perspective. There is now a much stronger focus on having a secure environment, as there is huge potential damage in being the first manufacturer to have any major security flaws exposed. If you can pick on certain manufacturers and make them pay, that puts them in a very bad position.
The problem is you have two very different industrial paradigms coming together. Car manufacturers take five to ten years to develop a new car, spending half of their money on quality assurance, checking everything works and that the car won’t explode. The technology paradigm is very different and people might feel very uncomfortable about smartphone designers engineering the operating system of their car when their smartphone reboots three or four times a day after a year’s use.
While the implications for the smart home aren’t necessarily that profound, as it’s highly unlikely fridges and light bulbs will be misused, the ramifications for businesses could be very different. At present, there are many discussions about moving infrastructure to the cloud and it’s conceivable that eventually many businesses will have almost no infrastructure on-premise. However, there will be other devices communicating via the Internet, such as smartphones, printers, light bulbs (yes, and fridges), that will remain in situ.
Ironically, the infrastructure that IT has expended time and effort securing will be placed in an environment run by somebody else, while the business hosts more and more devices that it doesn’t manage or own. There is a real danger that businesses could totally lose control of the devices and end up with an Internet of Foreign Things where they are responsible for the infrastructure but don’t own basic elements of it. There will be more and more IP addresses in the infrastructure that businesses will have to control, even as the number of nodes they own is drastically reduced. The security layer and tools will be transferred from devices to the network. IT will be charged with establishing a secure infrastructure where it doesn’t manage the devices or their communication.
As an analogy, think of how in the past, printer companies communicated with printers via a dial-in modem and the security around that was non-existent. Anyone who hacked into the printer/scanner/copier could access everything stored on the device’s hard disk, including contracts and documents. Imagine having thousands of scenarios like that. That’s what the future could be like, with most of the devices on the IoT having the same level of reliability and trust as those printers.
It is an ironic fact that the paradigm we developed in the second half of the 2000s, namely the self-defending networks with NAC/NAP frameworks, has now been turned upside down. Instead of creating a closed system by increasing device controls, we seem to be facing a world of utter anarchy in a system that we formerly called the internal corporate network.
These insights should teach us a few lessons. Most importantly, they show us that security is a mess and we must look at it as a project, a process and a part of other processes. The idea of distinguishing these three types of challenge is approximately 40 years old (R. Ackoff) and Michael Pidd’s book, Tools for Thinking, offers some important advice:
“One of the greatest mistakes that can be made when dealing with a mess is to carve off part of the mess, treat it as a problem and then solve it as a puzzle – ignoring its links with other aspects of the mess.”
A zero trust network takes this basic insight into consideration and looks at the problem of security in the context of the bigger picture. All aspects of network infrastructure are moving at a speed that is quicker than the speed at which the traditional security approach is able to react. Your attack surface changes every day and your exposure to threats of all kinds changes with it. Additionally, the threats themselves are also changing at high speed.
In a zero trust network, none of the people or parts involved are granted complete trust. This is achieved with segmentation and containment. Many different types of firewall can be used to make sure that threats are detected and have limited effects. The firewalls of the future will be very varied. These firewalls will be required to follow the data, applications and users wherever they go so they will develop to become virtual, mobile or cloud-based. Firewalls will continue to be there to protect and guide users, their data and those that need to communicate with them.
What can be done? Security is not a puzzle or a problem to be solved; it’s a mess. Messes can only be managed and mitigated. Without a zero trust environment, there is no secure foundation.