Smart devices connected to the cloud could number 50 billion by 2020, and that means the security problems associated with BYOD offer but a small window into the potential hacking onslaught ahead.
It's Not All Android's Fault
We're not just talking about the Android mobile operating system. Android gets a bad rap. It's not the system so much as some of the apps that are truly little gateways for malicious code that tampers with people's smartphones and tablets. Successful hacking attempts on the Android system are encouraging attacks on other device classes as well, Adrian Turner, CEO of IT security firm Mocana, said at the Amphion Forum last week.
Many of the security problems (real or perceived) companies are running into with BYOD will no doubt expand as more smart devices (not necessarily mobile) are networked all around us. This is the world of the so called Internet of Things, physical objects that send out data in a wide variety of uses and industries.
Besides the simple number of devices that will become cloud enabled over the next decade, the complexity involved in the types of use cases will be mind boggling. Think about how hard it is for IT teams to allow connections of just three or four main mobile OSes (iOS, Android, Windows Phone, etc) onto the company system. Now multiply that by about ten and add in various industries and segments like hospitals, factories, digital signs, and our homes and automobiles.
A graceful rendering of the expected rise of connected devices and embedded software.
Machines Talking to Machines? How Perverse!
In the world of connected devices, the physical Internet of Things is sometimes referred to as machine to machine communication. A much less sexy word, but this is IT we're talking about. In this context, it is less about an iPhone connecting to a company's private server than it is a networked heart monitor connected to a general practitioner's iPad.
Obviously, things like cloud connected traffic lights and medical devices have great potential. However, that potential could be blunted by hacking attempts known as man-in-the-middle or bucket brigade style attacks.
This is the kind of attack where a person puts themselves in between two connected devices and intercepts the signal. The hacker can steal the info or change it, so there are different scenarios possible with just this one kind of attack.
Security Not Evolving Fast Enough
One of the biggest problems with security software is the lack of regulation, several analysts said at the Amphion Forum. It's tough for customers to really evaluate security vendors because federal regulations are a decade old, and new recommendations are being stymied by vendors, Benjamin Jun of Cryptography Research told the audience at the Amphion Forum.
Specifically, Jun referred to manufacturers and software developers who spent flagrantly on lobbying congress to avoid passing new rules on how best to secure connected devices. The result is regulations that only serve the lowest common denominator, Mocana CEO Turner said, and security becomes just a check box on a manufacturer checklist.
This is killing security innovation, he said, and innovation is what is needed more than anything in this space. Consumer thinking is invading the IT space like never before, so perhaps people are simply not as concerned with security anymore. For those with more strategic thinking in mind, Jun offered a bit of advice.
"Understand who carries the risk," he said. "Once companies know who's problem a security issue is, it quickly leads to alignment of goals and putting measures in place."
A company called VDC Research also presented some suggestions at the Amphion Forum.
"Things are a mess, security wise," Chris Rommel, VP of embedded technology at VDC Research said.
Intel's buyout of McAfee back in 2010 has helped raise the profile of security issues, he said, but many companies are avoiding addressing their security issues because of increased costs. New personnel and training costs, buying software or switching OSes are contributing factors as well.
In order to build a secure system, device security is the starting point. In the connected world of The Internet of Things, this involves security at the OS and even component level. Intel's McAfee chips and the ARM TrustZone certification are places to start. On the mobile front, things like anti virus and real time operating systems are a good option.
The next level is system testing. Software isn't perfect, so testing for vulnerabilities is always part of a rigorous plan. Penetration testing and fuzzing are good examples here. Additionally, investments in unique device identification, OTA/config updates and data encryption are recommended Rommel said.
Finally, executives need to be involved in security decisions at a broader level, and roles need to be dedicated within departments. Expertise needs to be built up, but a budget should also be maintained for outside consulting.