6 months ago

Government Security News August Digital Edition

Convy on Net-Centric

Convy on Net-Centric Security Securing the Internet of Things By John Convy, Convy Associates, Washington, DC Most people in technology know that the Internet of Things (IoT) is the vast network of physical objects and devices, vehicles, and buildings that have been embedded with electronics, software sensors, and network connectivity. This enables them to collect, exchange, and share data with each other and with big, analytic tools. It’s the digital offspring of the Internet, and it is growing up quickly. Connectivity is a fundamental part of our world, making our stuff “smarter.” In fact, its growth has been exponential. According to Markets and Marketing, Investments made in the Internet of Things are expected to increase from $6.89 billion per year in 2015 to $28 billion in 2020. Things we use every day – lighting, cars, healthcare, parking meters, and even our home appliances have become smarter and more connected. At a recent Security Industry Association Conference, I asked three prominent thought leaders to address the emerging questions concerning the Internet of Things and its vulnerability to attack. Chris Cressy, who leads Federal IoT Solutions at Cisco, emphasized the expanding value of the IoT. “IoT is transforming businesses and business processes, in the public sector. Integration and interoperability are fundamental needs that IoT “Customers should seek out vendors that are designing network security into their products, and are based on well-recognized standards, such as the NIST certification.” 22 can address. Integration increases operational efficiency. Traditional approaches to system security are called air gap – keeping systems isolated – but that does not work with IoT. You have to connect systems to get value. When you connect them, you do introduce vulnerability, but you can do continuous real-time monitoring of those systems. Cressy also outlined some key components for IoT system architecture for security. “At the bottom layer is basic IT security, essentially network segmentation with firewalls, VPNs, and VLANs. The second element is encryption, and lastly, we implement more advanced capabilities, such as real-time monitoring and real-time threat detection. Just as IoT is a phased implementation, so is IoT security.” Jeff Hill, an Enterprise Solutions Specialist at Spectra Logic, provided insight on another consequence of so much connectivity – the need for secure data storage. “The IoT is driving massive video growth because of automation and monitoring, and that video requires secured storage. Storage is becoming a much larger piece of the overall infrastructure because of the tools that we are able to leverage with storage, such as analytics. We are expecting that by 2019, 3.4 Zeta Bytes of data will be transmitted over networks in an entire year, and security is one area where we are seeing tremendous growth,” he said. Hill believes that the best way to

store data is with hybrid clouds, which offer more flexibility in security and ownership in a concept he calls, “genetic diversity.” The other types of clouds are private clouds in which you own the hardware and control the security with a high-security protocol – and public clouds, which are extremely efficient for accessing information, but provide no benefits of ownership. “When considering best practices for IoT data, it’s important to plan infrastructure with a growth mindset. Genetic diversity represents scalable technology and tiered storage. A great example would be Facebook, because of the volume of their data – millions of videos and photos. They’ve found that it’s important not just to have it on local storage that can be accessed quickly, but they’ve diversified the tiers of storage and the kinds of storage they have, to ensure against all types of threats.” Hill also explained that enterpriseclass storage solutions are becoming increasingly more affordable, which makes securing data in the government sector much more cost-effective than not. Matt Bretoi, VP of Security Sales at Flir Systems, weighed in on how the convergence of cyber security, network security, and physical security are creating new challenges. “Security manufacturers have a dichotomous responsibility to protect the network from the security system and anything that migrates into it, and to protect the security system from the network,” he suggested. So what can manufacturers do to help customers protect their assets? “Customers should seek out vendors that are designing network security into their products, and are based on well-recognized standards, such as the NIST certification. This is a cyber security framework that ensures that any sensitive information such as user data is encrypted, and that users are able to identify third-party components. This reduces known vulnerabilities. All communications between the edge devices, such as cameras or access control card readers, should include proper encryption, such as Transport Layered Security. Minimally, SSL encryption should be used,” Bretoi said. Bretoi also explained that combining this strategy with robust authentication, such as two-factor authentication, creates a very powerful one-two punch. It is notable that NIST certification covers security audits for the equipment and penetration testing. He believes this is critical, and that collaboration and communication are essential when integrating physical and cyber 23 security. “Implementing these tools should be part of a system’s coding DNA, as a manufacturer’s first line of defense. The second front is deployment. It’s imperative that integration technicians – those people actually installing the system – understand cybersecurity, and employ best practices in implementation and maintenance,” Bretoi added. “End users should avail themselves of all training tools provided to them, so that vulnerabilities can be quickly identified and mitigated.” The opinions of these three experts were eye opening, and validated that the Internet of Things is fostering significant changes. It is not only transforming the way we live and work, but it is transforming the way we think about and implement strong security measures. John Convy and Convy Associates provide strategic alliance, A&E consultant, technology ecosystem, and lead generation programs to monetize relationships and accelerate demand for leading security industry manufacturers. John is the Founder and Managing Director of the Open Standards Security Alliance and the IP Security Academy, and a speaker at many global industry events. Email: