www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
The Edge is EverywhereSecurity and Risk Considerations of a Completely Connected World
Davitt J. PotterDirector, Engineering & Technical Services, Arrow Security
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2015 Cloud Security Alliance
What Edge?!
Security: Not just a buzzword anymore!
When everything is connected to everything else, for better or for worse, everything matters.Source: Bruce Mau, Massive Change
Any business that fails to invest heavily in the IoT in the next 10 years is unlikely to be able to remain competitive.Source: McKinsey
A network of physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment. The IoT comprises an ecosystem that includes things, communication, applications and data analysis.
Source: Gartner
…Mind the gap!
Meaning… what?
The Architecture of IoT
…Mind the gap!
Meaning… what?
…Mind the gap!
Meaning… what?
Gaps in visibility Gaps in knowledge of the devices Gaps in knowledge of activity
Who drives this bus, anyway?
We still don’t do simple things well.
“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”
- Bruce Schneier, Information Security
Who drives this bus, anyway?
We still don’t do simple things well.
“There is no patch for human stupidity.” – Various
Security cannot be an afterthought!
In the mad rush to connect everything, proper security controls and designs must be considered.
SHOULD a device be able to be seen by other devices? What is ‘proper’ traffic? What does normal traffic look like? Should it be segregated? Should it be encrypted?
Slow down – just a second.
Security cannot be an afterthought!
Have you designed a security strategy? What policy or procedure does it fall under? Who controls it? Who does it talk to? When does it talk? What happens when you’re breached?
“This is what we call a target-rich environment…”
Look at all the edge devices to poke at! If your edge device is breached, how do you know? Can you
stop it at the gateway? Can you stop it at the device? Can you identify the data that was exfiltrated? Can you show me the ingress and egress paths?
Collector/aggregation points Devices Cloud-based systems
Or a security officer, or a network administrator, or…
I’m a Security Analyst!
Is security awareness part of your organization at each level of IT? Do you provide options for visibility into security data for other roles, where relevant?
More eyes can discover “ah ha” moments. Automation helps cull the anomalies, but the human brain (thus far) still can make that intuitive leap.
Questions?
Thank you!
Davitt J. [email protected] Twitter: @DavittJPotter
http://www.linkedin.com/in/davittjpotter