Everyone who has a stake in the internet of things, from device manufacturers to network service providers to implementers to customers themselves, makes important contributions to the security or lack thereof in enterprise IoT, attendees at Security of Things World were told.
“The key to all [IoT devices] is that they are networked,” Jamison Utter, senior business development manager at Palo Alto Networks told a group at the conference. “It’s not just a single thing sitting on the counter like my toaster, it participates with the network because it provides value back to business.”
“I think the media focuses a lot on consumer, because people reading their articles and watching the news … think about it, but they’re not thinking about the impact of the factory that built that consumer device, that has 10,000 or 20,000 robots and sensors that are all IoT and made this happen.”
The fact that IoT has security issues is well-known – Utter likens it to the case of Windows 95, which suffered from infamous security problems in large part because it wasn’t designed from the ground up to be secure.
“What we have is simplistic operating systems, running on simplistic hardware, that were not designed for security – just like Windows 95,” he said.
Sharing responsibility for security
IoT security isn’t qualitatively different than securing any other broad category of computing device, said Utter – it’s just the scale of the device pool and their computing limitations that makes the task challenging.
“Would you accept the same level of security on a car as on a sensor that opens the door? It’s just not appropriate, right? The asset is not as valuable. So what we have to accept is that endpoints will have varying levels of security.”
At the device, network, data and in the cloud, a patchwork of security implementations will be at play. “That’s why we have to design our security as holistically as possible, rather than trying to pass it off and saying, ‘You guys take care of it.’”
The network, Utter said, is the key battleground for future IoT security, largely because of economics – some endpoints simply aren’t able to be secured sufficiently without an unreasonable investment of money. If shipping crates with highly secure IoT endpoints attached to them cost too much, for example, that throws off a company’s entire business model.
“We need to start framing IoT in a slightly different way,” he said. “Everyone focuses on the endpoint … but I believe the network can actually be an enforcement point for IoT, because some devices will never be appropriate to have high-level security, it’s just not right in the economic model.”
Sign up for Computerworld eNewsletters.