
Earlier this month at the RSA Conference 2015 the Cloud Security Alliance released security guidance for the Internet of Things (IoT). The guidance came out of the CSA’s Mobile Working Group — IoT Initiative. Many security researchers I’ve interviewed in recent years have repeatedly cited frustrations around what they see as lax security design and implementation in IoT devices: there is rarely an adequate threat and risk assessment conducted on devices, there is no secure software development lifecycle, and access controls and routine patch processes for deployed devices are often non-existent.
If their perceptions are accurate, a good way to think about where IoT security stands today is to compare it with the way software and eCommerce sites were developed in 1999.
This is why it’s important to help early adopters understand the security challenges associated with IoT, and to share information on how these devices can be securely designed, built, and deployed. With that in mind, and following the CSA’s recent IoT security announcement, we reached out to Jim Reavis, co-founder, CEO and driving force of the Cloud Security Alliance, to get some of his thoughts on the issues. Reavis has been named one of the Top 10 cloud computing leaders by SearchCloudComputing.com.
staging-devopsy.kinsta.cloud: Do you think it’s important to have the IoT security discussion now, and what do you see as the CSA’s role?
Reavis: We think IoT is an area that’s not a future security challenge, but a present one. Not only because there is so much that’s happening right now, but because the application of IoT is so broad as to range from personal devices to those in the critical infrastructure. We also felt that we have a place here because all of these devices are going to be cloud-provisioned, cloud-managed, and their data stored in the cloud.
We actually have 30 people on this guidance, and we tried to provide a lot of examples of different IoT implementations and we think it is a good first cut of guidance directed at what we think the issues around IoT are, and what we need to be looking at. The guidance is also a call for action, because we are going to shortly publish about five additional, and more detailed, papers. We are hoping this generates a lot of interest, because now is the time to really start solving this problem.
staging-devopsy.kinsta.cloud: Where do you see the big challenges here? Is it with the device makers, or with the implementation? Or all or none of the above?
Reavis: It’s a very wide problem. We think some of the device makers know that security is important enough, and that there’s an economical incentive for them to get this right. However, other devices are going to be so cheap, 3D printed and such, that it’s not going to be possible to get to the manufacturers – and so security there is going to have to come from the network. This is an area where standards can help.
Security practices such as the secure development life cycle make sense for certain aspects of securing the IoT. In other areas, security will come from cloud-delivered technologies like encryption and strong authentication. It is a broad ecosystem thing that we’re looking at and so there are also governance challenges.
And, right now, it’s not apparent to me that there’s a huge advantage in going to one, or a handful, of stakeholders here.
staging-devopsy.kinsta.cloud: That’s fascinating, so do you see this as a bigger challenge than securing eCommerce was 15 years ago?
Reavis: Yes, we are looking at seven, eight billion Internet connected devices right now. Maybe it’s going to be a trillion in a few years. And if you go look industry by industry, and look at what companies are saying they’re going to do, that one trillion figure is not a crazy number to reach in about seven years.
With that kind of scale, the Internet model is going to break. The Internet has worked very well, and I think we felt that it can handle anything we throw at it. But we think we’re really going to have to change the model for the growth that is associated with IoT.
Part of that is the network needing to overlay a type of dark net on top of the open Internet, and that’s our software-defined perimeter. We’ve had the software-defined perimeter around for more than a year now. We’re creating the specification so that it separates the data channels and the control channels. It essentially knows the devices, knowing who’s authenticating on the devices, and then deciding what parts of networks are visible to them.
staging-devopsy.kinsta.cloud: What do you see in the future for IoT guidance coming from the CSA?
Reavis: We are going to align each facet of IoT security with the corresponding cloud security standard and best practices. And upcoming research will identify and document critical vulnerabilities found in IoT in enterprise environments. We will provide guidance on how to mitigate those risks as well as give developers secure development guidance.
The full report released can be found at New Security Guidance for Early Adopters of the IoT.