• Home

  • Documents

  • iot security model · the biggest is that the cost of ubiquity in the case of the Internet of...
8
COMPASSDATACENTERS.COM IoT and the New Security Model WHITE PAPER | OCT 25, 2019

iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M

IoT and the New Security Model

W H I T E P A P E R | O C T 2 5 , 2 0 1 9

Page 2: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 2

On October 21, a Distributed Denial of Service (DDoS) attack on Dyn’s internet directory servers prevented a number of end users, especially along the East coast, from doing a variety of internet related activities ranging from tweeting to binge watching Stranger Things on Netflix. As we all know by now, the attack was the result of a malicious botnet, Marai, doing its best Invasion of the Body Snatchers imitation, launching the assault from the multitudes of IP cameras it had infected. Although there are, probably a number of lessons to be drawn from the attack, perhaps the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability and that for many, security may be the governor on their IoT implementation plans. The purpose of this whitepaper is to explore the state of IoT security and present a structure for planning and implementing your own IoT solutions.

The DYN DDoS attack was launched when a malicious Botnet, Marai, took over a number of internet connected IP cameras

By any measure, IoT represents an evolutionary leap in the collection, processing and actionabililty of data. More sophisticated analysis and decision making based on data collected via sensor devises offer the promise of improved efficiencies in cost control and operations, new capabilities for the standard components of our daily lives, driverless cars for instance, and a reduction in human error across the entire spectrum of potential applications.

A recent study by Business Insider predicted a 41% CAGR for new IoT installed devises over the next four years. Gartner estimated that this rate of growth will culminate in 24 billion IoT connected devices by 2020. Cisco more than doubles this estimate within the same timeframe. These projections would seem to be supported by the results of a survey of 5,000 businesses worldwide included in a AT&T Cyber Security Insights Report. Over 85% of responding companies said that they were implementing or planning to implement IoT solutions. If we translate these predictions into dollars, the IoT market could be as large as $7 trillion by 2020 based on an estimate by Goldman Sachs.

IoT: Poised for Geometric Growth

Page 3: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 3

Cisco estimates that there will be 6 things on-line per person by 2020

As the attack on the Dyn servers indicates, the nature of IoT operations increases the potential points of network vulnerability. For many companies in the near future their enthusiasm for the benefits that IoT can provide may outstrip prudent planning. For example, the AT&T Cyber Security Report cited earlier found that although 85% of companies that it surveyed were moving “full steam ahead” on their IoT efforts, only 10% said they felt confident that they could secure their networks against hacking. In some circles, this is known as a “leap of faith”. The potential for hacker induced mayhem seems even more prevalent when this low level of security confidence is combined with the Disaster Recovery Preparedness Council finding that only 27% of companies receive a passing grade for their disaster readiness.

In many ways, the inverse relationship between IoT implementation and security is understandable when viewed from the prospective of the standard technology adoption curve below.

Implementing IoT: A Security Disjoint

Page 4: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 4

At the present time, it would appear that IoT is now moving from the “Innovators” tail end of the curve to encompass early adopters. Based on the growth forecasts that were discussed in the previous section, the technology should be in the midst of the “Early Majority” realm by 2020. What is difficult to project is whether the current gap between IoT and its associated security will close over this time or will this growth leave a number of businesses with a high degree of exposure putting their operations and data integrity at risk?

As you would expect, the security structures that protect today’s data center-based networks vary widely depending on the perceived needs of the organization. Firewalls and VPN may be more than sufficient for some, while others incorporate both internal and externally provided functionality to ward off potential intruders. In the majority of instances, the security structure used is a function of the sensitivity of information, the availability of resources, both financial and human, and the applications that are supported. Increasingly, the data processing demands of applications such as small packet, high volume IoT and large rich packet applications (video) are expanding network scope and pushing processing and access points ever closer to customers (and further away from more traditional centralized security implementations). Thus, the risks associated with performance and the proliferation of potential points of access malicious intruders increase accordingly. As a result, security requirements must become more sophisticated to address a much broader spectrum of unauthorized seekers of access and using an ever changing array of intrusion and/or interruptive methodologies. The dynamic nature of these potential network threats will increasingly demonstrate the difficulty of many existing IT departments to keep pace. The need for specialized tools, techniques, processing capacity, bandwidth/throughput, certifications, Increases exponentially and is completely dynamic in the latest trends and techniques in the black art of hacking. A more effective solution, and its implementation, will most likely be via a third party rather that attempting to build and internal team of security specialists. In essence, an outsourced security service delivered via the cloud/SaaS model.

The sensitivity of information often functions along a sliding scale. In other words, the first step in determining whether or not to outsource security is typically not a binary “Yes”/”No” decision but a process of placing risks values on the information/applications to determine just what would be given over to an outsourced partner.

The Current State of Security

Assessing the Risks

Page 5: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 5

IoT, for example, with its reliance on a continually proliferating number of sensor devices could be seen as having a higher level of security volatility than the decision to use a third party provided SaaS application, the unique requirements of each would impact the evaluative process accordingly. Among the considerations that need to be addressed are:

• What, if any, information is so sensitive that it needs to continue to be under your direct control?

• Do the providers under consideration make clear commitments regarding confidentiality, integrity and availability?

• Does outsourcing introduce a single point of failure? What would be the cost of that failure?

• What do they do when they get breached (you cannot stop a sophisticated criminal or rogue state)? How do they recover your environment?

As noted previously, there are any number of potential outsourced security partners to choose from. Among the issues to be decided in evaluating providers is determining exactly what you want/need them to be responsible for. For example:

• What type of provider do we need?

To a certain extent, the answer to this question is a function of the service(s) they need to provide. There are many cloud-based providers who, as the name implies, provide all functionality in a cloud environment. Selecting this option is determined by your level of comfort and confidence in all of their security services running in the cloud. Another alternative is to have the provider physically managing specified equipment that runs on you network, a choice that would be predicated on your comfort level of providing them with access to your internal network. Other potential scenarios may include hybrid arrangements that involve cloud and on-premise support. Each potential option must conform to your organizational requirements and operate within your accepted level of risk tolerance.

• Single source versus multiple specialists

The classic “one throat to choke” v. best of breed decision. Buy a drink or buy the whole bar?

• Clarifying what do you want to maintain internally?

This is determining what constitutes your company’s “crown jewels”. In any outsourcing situation, there are typically applications/information that are simply too important to stop supporting internally.

Evaluating Potential Options

Page 6: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 6

Service offerings vary from provider to provider. The most common outsourced services provided by providers of outsourcing options, include:

• Firewalls and VPN: These services are rapidly becoming commoditized and in the absence of rapidly changing rule sets is typically a standard component of outsourcing agreements.

• Content Filtering: Typically offered via shared proxy servers or managing a “safe” DNS service., users requesting blocked content are rerouted to a location that informs them they are violating corporate security policy.

• DDoS Protection: DDoS protection services filter traffic before it reaches important network borders by blocking requests that match attack patterns.

• Security Monitoring: These service offerings range from basic log aggregation to advanced analytic services including incident and event management capabilities.

• Vulnerability Scanning: Providers offer external scanning of internal devices placed on your network. Typically, the results are compiled and displayed on a central console for review and prioritization.

Whereas outsourcing of security has previously been characterized by a conglomeration of vendor provided services and equipment procured as part of one or more annualized contracts, this structure is unsustainable moving forward. The rapidity of both the availability of new applications and the methods used to exploit them make “nimbleness” the underlying foundation for the new outsourcing model. Delivered via cloud/Security as a Service methodologies offered by providers such as StackPath, customers will no longer “bolt on” security capabilities on an ad hoc basis to their networks, but rather, integrate the necessary components into their operations on an “at will” basis. Under this new structure, new capabilities are easily added, as they are developed by the provider, to enable users to inoculate themselves from new threats as they arise. End users will also gain a level of flexibility that is impossible under the current security paradigm as the lack of long term agreements will enable them to move between providers as necessary, in response to the movement of key provider personnel, for example.

Service Operations

The New Outsourcing Model

Page 7: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M 7

The speed and complexity of data center-based applications is a double-edged sword in that a wealth of new opportunities also presents a number of enticing targets for hacking and malicious service disrupting attacks. For many enterprises, the emergence of additional security risks outstrips the expertise of their personnel, and the number of trained professionals in these areas is currently dwarfed by demand. As a result of this disparity between supply and demand, enterprises will increasingly require firms to outsource all, or portions, of their security operations to fill this void. Cloud/Security as a Service offerings will offer them the nimbleness and flexibility required to operate in increasingly demanding environments where innovation will often be married to enhanced threat potential. Enterprises will have a growing number of alternatives to augment their efforts, but ensuring the security of their operations will continue to be predicated on detailed planning, an accurate understanding of the required areas for support, careful partner selection and active management of the relationship.

Summary

Page 8: iot security model · the biggest is that the cost of ubiquity in the case of the Internet of Things (IoT) is vulnerability ... be seen as having a higher level of security volatility

C O M P A S S D A T A C E N T E R S . C O M

1 4 5 5 5 N . D A L L A S P A R K W A Y , S U I T E 1 2 5

8 7 7 . 2 8 9 . 7 5 7 7

F R O M T H E C O R E T O T H E E D G E .


The security challenge in IoT - ETSI · 2018-10-22 · The security challenge in IoT Scott Cadzow, for STF547 Challenging IoT Security ... There are lots of security standards IoT

The security challenge in IoT - ETSI · 2018-10-22 · The security challenge in IoT Scott Cadzow, for STF547 Challenging IoT Security ... There are lots of security standards IoT

Documents
Proportional security in IoT

Proportional security in IoT

Documents
Scaling IoT Security

Scaling IoT Security

Technology
Andy thurai iot security

Andy thurai iot security

Technology
The IoT Hacker’s Toolkit - Security, CTFs, HackingGoals of IoT Security Researcher Understand IoT Devices Functions Security Properties Find Vulnerabilities Improve Security CVEs

The IoT Hacker’s Toolkit - Security, CTFs, HackingGoals of IoT Security Researcher Understand IoT Devices Functions Security Properties Find Vulnerabilities Improve Security CVEs

Documents
Some IoT Security Learnings

Some IoT Security Learnings

Internet
The Convergence of Ubiquity: The Future of Wireless Security

The Convergence of Ubiquity: The Future of Wireless Security

Documents
Security challenges for IoT

Security challenges for IoT

Technology
Challenges in IoT Security

Challenges in IoT Security

Documents
IoT - Big Data & Security · IoT - Big Data & Security MWC Smart Cities Seminar Telefónica Global IoT Group Feb 2017. IoT Big Data and IoT Security in Smart Cities IoT Security IoT

IoT - Big Data & Security · IoT - Big Data & Security MWC Smart Cities Seminar Telefónica Global IoT Group Feb 2017. IoT Big Data and IoT Security in Smart Cities IoT Security IoT

Documents
IOT SECURITY MARKET REPORT 2017-2022 · IOT SECURITY MARKET REPORT 2017-2022 IOT SECURITY MARKET REPORT ... 1 IoT Security Overview 7 ... 5.5.1 Security by design best practices and

IOT SECURITY MARKET REPORT 2017-2022 · IOT SECURITY MARKET REPORT 2017-2022 IOT SECURITY MARKET REPORT ... 1 IoT Security Overview 7 ... 5.5.1 Security by design best practices and

Documents
IoT Security - UC Berkeley Sutardja Centerscet.berkeley.edu/wp-content/uploads/IoT-Security-Overview-Final.pdf · Importance of Security to IoT Security is both a barrier to widespread

IoT Security - UC Berkeley Sutardja Centerscet.berkeley.edu/wp-content/uploads/IoT-Security-Overview-Final.pdf · Importance of Security to IoT Security is both a barrier to widespread

Documents
Exploring IoT Security

Exploring IoT Security

Documents
Floodgate IoT Security Toolkit - Nohaunohau.eu/wp-content/uploads/IconLabs.pdf · The Floodgate IoT Security Toolkit provides engineers developing IoT devices a comprehensive security

Floodgate IoT Security Toolkit - Nohaunohau.eu/wp-content/uploads/IconLabs.pdf · The Floodgate IoT Security Toolkit provides engineers developing IoT devices a comprehensive security

Documents
How to Future-Proof IoT Security · •Current Internet of Things (IoT) landscape •IoT threats •The IoT security problem •Building in device security •Future proofing •PKI

How to Future-Proof IoT Security · •Current Internet of Things (IoT) landscape •IoT threats •The IoT security problem •Building in device security •Future proofing •PKI

Documents
KSU ISA4810 IoT Security

KSU ISA4810 IoT Security

Documents
IoT security patterns

IoT security patterns

Software
Addressing IoT Challenges - Cisco › assets › sol › dc › day_two_close.pdf7 Thursday AM: Addressing IoT Challenges • Security, security, security: Appropriate levels of security

Addressing IoT Challenges - Cisco › assets › sol › dc › day_two_close.pdf7 Thursday AM: Addressing IoT Challenges • Security, security, security: Appropriate levels of security

Documents
SECURE ELEMENTS FOR IOT SECURITY NICHOLAS VONDRAK ...€¦ · IoT Security of Things Event / 19th October ... SECURE ELEMENTS FOR IOT SECURITY NICHOLAS VONDRAK, MARKETING MANAGER

SECURE ELEMENTS FOR IOT SECURITY NICHOLAS VONDRAK ...€¦ · IoT Security of Things Event / 19th October ... SECURE ELEMENTS FOR IOT SECURITY NICHOLAS VONDRAK, MARKETING MANAGER

Documents
IoT Security: F5 IoT Solution · IoT Security: F5 IoT Solution Author: Matt Mooseles Created Date: 10/1/2018 8:18:05 PM

IoT Security: F5 IoT Solution · IoT Security: F5 IoT Solution Author: Matt Mooseles Created Date: 10/1/2018 8:18:05 PM

Documents
Security in IoT

Security in IoT

Engineering
IoT Security Elements

IoT Security Elements

Business
Principals of IoT security

Principals of IoT security

Technology
Introduction to IoT Security

Introduction to IoT Security

Documents
IoT Security Faux Pas

IoT Security Faux Pas

Technology
IoT Cybersecurity - IoT Alliance Australia: Security Workstream

IoT Cybersecurity - IoT Alliance Australia: Security Workstream

Technology
IoT Security V3 - happiestminds.com

IoT Security V3 - happiestminds.com

Documents
Debunking IoT Security Myths

Debunking IoT Security Myths

Technology
of THINGS (IoT) - FlipsCloud · 2017-09-18 · Title: Internet of Things (IoT) security and privacy issues Author: Flipscloud Inc Subject: IoT security Keywords: IoT security,Internet

of THINGS (IoT) - FlipsCloud · 2017-09-18 · Title: Internet of Things (IoT) security and privacy issues Author: Flipscloud Inc Subject: IoT security Keywords: IoT security,Internet

Documents
IoT Security and Privacy

IoT Security and Privacy

Documents