The oft used term “the Internet of Things” (IoT) has
expanded to encapsulate practically any device (or “thing”) with some modicum
of compute power that in turn can connect to another device that may or may not
be connected to the Internet. The range of products and technologies falling in
to the IoT bucket is immensely broad – ranging from household refrigerators that
can order and restock goods via Amazon, through to Smart City traffic flow
sensors that feed navigation systems to avoid jams, and even implanted heart
monitors that can send emergency updates via the patient’s smartphone to a cardiovascular
surgeon on vacation in the Maldives.
The information security community – in fact, the InfoSec
industry at large – has struggled and mostly failed to secure the “IoT”. This
does not bode well for the next evolutionary advancement of networked compute technology.
Today’s IoT security problems are caused and compounded by
some pretty hefty design limitations – ranging from power consumption, physical
size and shock resistance, environmental exposure, cost-per-unit, and the manufacturers
overall security knowledge and development capability.
The next evolutionary step is already underway – and exposes
a different kind of threat and attack surface to IoT.
As each device we use or the components we incorporate in to
our products or services become smart, there is a growing need for a “brain of
brains”. In most technology use cases, it makes no sense to have every smart device
independently connecting to the Internet and expecting a cloud-based system to
make sense of it all and to control.
It’s simply not practical for every device to use the cloud
the way smartphones do – sending everything to the cloud to be processed,
having their data stored in the cloud, and having the cloud return the processed
results back to the phone.
Consider the coming generation of automobiles. Every motor,
servo, switch, and meter within the vehicle will be independently smart –
monitoring the devices performance, configuration, optimal tuning, and fault
status. A self-driving car needs to instantaneously process this huge volume of
data from several hundred devices. Passing it to the cloud and back again just
isn’t viable. Instead the vehicle needs to handle its own processing and
storage capabilities – independent of the cloud – yet still be interconnected.
The concepts behind this shift in computing power and
intelligence are increasingly referred to as “Fog Computing”. In essence,
computing nodes closest to the collective of smart devices within a product
(e.g. a self-driving car) or environment (e.g. a product assembly line) must be
able to handle he high volumes of data and velocity of data generation, and
provide services that standardize, correlate, reduce, and control the data
elements that will be passed to the cloud. These smart(er) aggregation points
are in turn referred to as “Fog Nodes”.
 |
| Source: Cisco |
Evolutionary, this means that computing power is shifting to
the edges of the network. Centralization of computing resources and processing within
the Cloud revolutionized the Information Technology industry. “Edge Computing”
is the next advancement – and it’s already underway.
If the InfoSec industry has been so unsuccessful in securing
the IoT, what is the probability it will be more successful with Fog Computing
and eventually Edge Computing paradigms?
My expectation is that securing Fog and Edge computing
environments will actual be simpler, and many of the problems with IoT will
likely be overcome as the insecure devices themselves become subsumed in the
Fog.
A limitation of securing the IoT has been the processing
power of the embedded computing system within the device. As these devices
begin to report in and communicate through aggregation nodes, I anticipate those
nodes to have substantially more computing power and will be capable of
performing securing and validating the communications of all the dumb-smart devices.
As computing power shifts to the edge of the network, so too
will security.
Over the years corporate computing needs have shifted from
centralized mainframes, to distributed workstations, to centralized and public
cloud, and next into decentralized Edge Computing. Security technologies and
threat analytics have followed a parallel path. While the InfoSec industry has
failed to secure the millions upon millions of IoT devices already deployed,
the cure likely lies in the more powerful Fog Nodes and smart edges of the
network that do have the compute power necessary to analyze threats and mitigate
them.
That all said, Edge Computing also means that there will be
an entirely new class of device isolated and exposed to attack. These edge
devices will not only have to protect the less-smart devices they proxy control
for, but will have to be able to protect themselves too.
Nobody ever said the life of an InfoSec professional was
dull.
No comments:
Post a Comment