How can we avoid making the same mistakes with IoT that we made with BYOD, asked Greg Day, VP and chief security officer in the EMEA region for Palo Alto Networks, the cyber-security giant, speaking to a small crowd at today's RSA conference in Abu Dhabi.
In an acronym-laden talk entitled “IoT, the Next BYOD – will we make the same mistakes?”, Day made his case for learning from the problems that ‘bring your own device’ (BYOD) presented when it first came about, and applying those lessons to the burgeoning reality of the internet of things (IoT).
Some companies have fought to segregate their systems, but this oppositional mindset is what we have to get around in IoT, says Day: “We have to stop thinking about the good and the bad and start thinking about shades of grey.”
At the point of conception, BYOD presented a problem. When companies issued laptops to their employees, they didn't worry because the company owned the asset and could prohibit certain kinds of use, while enabling others; they owned it, so they could control it. This is, quite plainly, no longer the case.
The advent of mobile technology and the mere desire to take your devices home changed all that, says Day. “It took businesses a while to deal with this mixed model,” he told SCMagazineUK.com, as home use became a commercial necessity.
Now, as IoT heaves into view, employers don't just have to worry about people doing company business on the family iPad but the FitBit they carry on their wrist and the data contained therein.
Dealing with so many moving parts presents a real challenge to companies seeking to provide good data security. But as with BYOD, so with IoT: “Let's take those lessons from BYOD,” said Day. “We've been through these pains before.”
Instead of dealing with those problems when they're right in our face, we'll have to pre-empt them. Part of this, said Day, is building “a much better ecosystem” for dealing with the kind of threat that IoT puts forward.
Day suggested a common platform for such a situation, with better fidelity of information. That means accounting for telemetry and third-party systems as well as wider industry collaboration.
There has been, at times, a hesitancy to share information with competitors, but Day feels that inclination doesn't help but hinders the industry: “The more we collaborate together, it doesn't mean we sell less.”
The Cyber-Threat Alliance, of which Palo Alto is a founding member and Day a great champion, brings together software companies to better fight threats that affect the wider industry. It recently released its first report, a thorough undressing of Cryptowall Ransomware, a notorious trojan that is supposed to have stolen around £214 million from its victims in its year-long lifespan.
It's certainly a new way of thinking about things. “There's a lot of legacy out there,” says Day. One of the problems with the security of the IoT is perhaps a rush for functionality: people build software off of other people's code, code that may have already been compromised.
This means more patching problems and treating symptoms over diseases. Hospital drug pumps are just such an example – a scary one at that.
Going forward, Day sees Zero Trust as another solution to many of the problems the IoT presents. Zero Trust is exactly what it says: a model which does not assume that people, devices, packets and applications are to be trusted.
And that is the new world that Greg Day sees.