The Women’s High-Tech Coalition recently held a panel in Washington D.C to address how to approach IoT security from a legislative perspective. Titled “IoT from Startups to Titans: Building a Healthy Ecosystem”, the panel had representatives from companies of all sizes and from different parts of the industry discussing the constantly changing IoT landscape, specifically from the information security perspective. The audience consisted of a bipartisan group of policymakers and congressional staff who wanted to learn more about IoT security and how best to approach it.
I was excited to represent VMware on this panel along with other participants from Symantec, Twilio and Microsoft. It turned out to be a very engaging and stimulating discussion where the conversation ranged from the benefits of a connected world to the dangers of smart trashcans! Here are some of the topics that were discussed and VMware’s point of view.
WHICH APPROACH IS BEST-MANAGED OR NON-MANAGED?
Policy makers struggle with how to define or structure the IoT security discussion-should it be along consumer/enterprise lines or a managed/unmanaged approach? The IoT industry in general and VMware are big proponents of the adoption of the three-tier gateway model as a step in the right direction to managing the Internet of Things. At VMware we believe that the “managed” approach leveraging edge systems and gateways is the way to go since gateways significantly lower compute and power demands of things, greatly reduce the attack surface area and create an intermediate layer that allows for more control.
WHY IS IT SO HARD TO SECURE IOT?
A recent example of how the lack of basic security can bring down a system is the Mirai IoT botnet that perpetrated a major DDos attack last fall and brought down sites including Twitter, Netflix, CNN and many others in Europe and the US. Typically, lack of device interoperability, poor quality, unprepared networks and legacy architecture are some of the reasons why IoT security is so much harder to implement in real life.
So far, whenever we talk about security in technology, the conversation usually centers around loss of privacy. With IoT, it not just privacy but also safety that can be compromised. For example, if someone hacks a pacemaker or home it could lead to actual loss of life and property. So how do we deal with this? Unfortunately, there is no silver bullet for IoT security and the only way to get your hands around it is it add security measures at every level- inside the chip, in the thing itself, and of course at the network and the user access level.
HOW CAN VMWARE HELP?
VMware is the leader in datacenter and IT infrastructure management. As enterprises embrace IoT, and more and more “things” become a part of IT infrastructure -be it smart light or an oil rig- it is a natural extension of our capabilities to go out to the edge and help manage the Internet of Things too.
Whenever the topic of the Internet of Things surfaces, there is usually a lot of focus on how much data these things produce and how useful this data is when you analyze it. This is a great problem to solve and there are a lot of good companies out there working on it. At VMware we refer to this as the “Content Plane” (in reference to the information emitted by a thing)
However let’s take a step back here and think about the thing itself- who set it up, how was it on boarded, who is managing it, who is monitoring it, and most importantly who is securing it on an ongoing basis? There is a whole “Control Plane” in IoT which doesn’t get much thought or attention.
This is where VMware comes in. We offer an enterprise-grade, secure, end-to-end IoT infrastructure management solution that gives organizations complete control of their IoT use case from the edge to the cloud.
WHAT IS THE WAY FORWARD FROM A POLICY PERSPECTIVE?
When it comes to making policies, since IoT is still developing, it is best to let ‘industry lead and government publish’. There is a need for a forum with representatives from the entire IoT ecosystem- manufacturers, platform vendors, academia, tech community as well as participants from the public who can help create best practices and standards which can then help direct policy in the future.
IoT is very physical in nature, so removing any infrastructure barriers will also be key for innovation however, care should be taken to not center too many regulation/policies around the things themselves as it can be an inhibitor to innovation.
To summarize, one thing is clear, applying legislation at the IoT thing level may negatively impact innovation but if we promote the usage of gateways and center policy around these, we get the double advantage of enjoying the benefits of a connected world as well as the peace of mind of a controlled world.
Finally, I’d like to leave you with an excellent report created for Congress by the United States Government Accountability Office that talks about the status and implications of an increasingly connected world.