The Security of Business vs. Business of Security

The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.

It’s like a one hit wonder band who never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned.

We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security”. Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, url and content filters, and the component that binds them – SIEM. And that’s the consolidated version of a lengthier and more complicated original score.

Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, Mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking since security as we know it dates back to the medieval ages.

Let’s Get Medieval On Security.

The king builds a castle (the network), puts a moat and draw-bridge around it (gateway security) and posts sentries at the gate with special instructions (security policy).

Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).

However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle”. In fact, the business of the king’s court is now distributed. Commoners live and work remote, never needing to step foot in the castle.

There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why — Tradition? Lack of alternatives? It’s what they know? Or a combination of these.

Gateway security still has its uses, however, the gateway security model is long in the tooth and its use-cases diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch.

What the cloud started, IoTs have finished. In the past compute was network-centric, now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.

Compute and technology has been democratized, however the way we secure is still medieval.

We have offered hackers the overwhelming advantage all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?

There are a few reasons:

First, it’s what people know and have bought into. There are 30 plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.

Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably security is experiencing a mild form of chaos now.

Second, there are a lot of vendor-centric security professionals that know and understand security through the prism of a particular vendor. This is not meant to be derogatory since these professionals are the backbone of the security industry. However many are not security operators, they are security product managers.

In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product do its security stuff.

Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. An arrangement that benefits the vendor and the professional – just not security.

This brings me to the third point: the security of business.

It takes many years for new and emerging approaches or technologies to become mainstream. Large influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.

Now, let’s talk about the Cyber Hare vs. the Security Turtle.

Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault.

Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!

Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?!

Aside from the security functions the product offers, nothing in the process above even comes close to security operations.

What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.

Cyber – The Longest War.

Today, everyone talks about the war in Afghanistan as our longest running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by Name (IP Address), then by reputation (APT).

If we have learned anything from the Afghani and Iraqi conflicts it’s that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective to achieve many missions around the world. Today the SpecOps model is being employed in the Syrian conflict.

Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:

First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security.

Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on, than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.

Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane keeping the lights on tasks. Not all hackers are foul tempered, tattoo laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers that can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development and roll out phases.

The traditional medieval security model is not failing, it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing a 100 mph. You won’t be able to do it and you WILL get hurt along the way.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world.

IoT Security Use-case: Part 3 – Dependency Computing

Welcome to our IoT Security Use-Case series! Here’s how we’ve broken things down so far:

Part 1, The Challenge, highlights a use-case for a financial organization whose business strategy was based on replacing expensive bank branches with Automatic Teller Machines (ATM) and Interactive Teller Machines (ITM). They chose this as their growth strategy because branches are limited to specific locations, slow to roll out and expensive to outfit. On average, branches take months at time, sometimes close to a year to turn up. The IoT based ITMs can do 95% of what a customer needs including allowing them to interact with a human. All the while, the IoTs can be deployed in a matter of days or weeks.

Part 2, IoT Security Fundamentals, lays out the necessary functions required for securing purpose-built technologies. Especially when they need to operate on a number of distributed public or private networks. And purpose-built technologies don’t have the required resources to self-secure.

We’re now at Part 3, where we will outline why traditional security approaches just can’t secure an IoT platform of this type.

For Part 3, let’s start by breaking down the components of an IoT application Ecosystem before we get into IoT security. IoT Security is not limited to securing only the IoTs themselves. IoT platforms function in ecosystems that are made of not just IoTs, but one or more remote applications that are operated by one or more vendors.

For our ATM network scenario, the ecosystem includes a banking ledger application running in a colocation data center. A monitoring application running on Amazon AWS using a different set of instances in a dedicated VPC. A SaaS application providing 24×7 physical security surveillance service the bank has contracted. As well as an Authorization-as-a-Service provider the bank uses to process external transactions.

Then there are the Teller Machines. There are several types of Teller platforms that include traditional ATMs and two different Interactive Teller Machines (ITM) types. A unit with a smaller footprint and a larger unit with greater cash holding capacity. The ATM / ITM IoTs are distributed across many cities, placed in a variety of locations and location types from office buildings, stores, malls, courtyards and airports. The systems connect via a variety of Internet connection types that include LTE service, Internet WiFi service and Ethernet connections from the local facility.

In this scenario, using traditional security tools, each platform requires completely different types of security tools to perform the various security functions for the various platform types – cloud, SaaS and the different IoTs. This means that each cloud instance, each SaaS, and each IoT require a different type, batch and brand of security tools. And each different security infrastructure needs to provide access, application and content control, threat management, privacy and identity for each of applications banking and monitoring applications, another for each ATM and yet another for each ITM.

This could add up to over 24 different security tools – If the tools that provide the different functions defined above actually existed. In many cases, especially with IoTs, all of the necessary tools simply don’t exist or don’t exist consistently for the different platforms. Here is a breakdown of the security options actually available:

  • The ATMs did not have any onboard or commercial security options.
  • ITMs do have support for Access Control and Privacy but nothing else.
  • The Cloud Applications do support the full spectrum of security, but require multiple disparate technologies that have a very convoluted implementation and data flow.
  • The SaaS applications have no meaningful security options. In many instances organizations opt to use VPNs or use an encrypted connection but ultimately have to trust the SaaS provider for all other security functions.

This approach is considered perfectly reasonable today – and it is absolutely insane. The number of different technologies coupled with the complexity of acquiring, implementing, operating and refreshing each different tool is an expensive and resource intensive way of getting marginal security. All-the-while assuming and managing risk for some parts of the platform because the security functions required just don’t exist for all platforms. Furthermore, the ones that do exist are inconsistent in how they apply security.

This creates complexity. Significant complexity. And complexity is the enemy of security. The complexity of managing the many policies, technologies, products, vendor relationships and integrations between the various technologies creates insecurity and drives organizations to spend more time managing products than security. Hence spending more and more on security does not always render the desired results.

It’s fair to say that the more security tools that are implemented, the more complex the security will be. And it is complexity that creates gaps and makes you less secure.

However, there is another factor to consider as it relates to traditional security – even if an IoT or application is operating on a shared network that is protected by the latest and best security tools; and even if they are designed specifically for IoTs; the IoT platform will neuter them.

This is not a matter of better or different tools, the traditional security model is broken!

Dependency Computing: A New World of IoT Security Challenges

The security model is broken because how we compute has changed dramatically. IoTs use a compute model called dependency computing. With dependency computing, the IoT is dependent on the application and the application is dependent on the IoT.

Consider the impact of dependency computing on IoT security.

In a shared network, where multiple IoT brands exist (think smart thermostat, TVs, Fridge, smoke detector, etc.), each IoT brand has a dependency, and by virtue of that dependency, a connection to a different application that is 1) remote, 2) operates in the cloud, 3) is controlled and managed by a third-party, and 4) has privileged access to one or more IoTs that operate on your network.

IoT brand A is dependent on and connected to application A. IoT brand B is dependent on and connected to application B. IoT brand C is dependent on and connected to application C, and so on. It would not be unreasonable to foresee an organization using hundreds, if not thousands, of IoT brands in the next few years.

Each application that an IoT on one network is connected to is also connected to countless other IoTs on different networks. And that application has privileged access to all of these IoTs – often over the public Internet. To complicate matters further, many IoTs are also remotely managed, either directly or via their application via another set of devices.

This creates a platform triangle in which many distributed IoTs and the application or applications managed by remote devices are interconnected and dependent on each other. The risk and exposure of this model are numerous in the event of a compromised IoT, application or device. These include:

  • In a case of compromised applications, especially those accessible over the Internet.
  • The compromised application has privileged access to the IoTs and can use the existing privileged access to scan and capture communications on the network the IoT operates on.
  • The compromised application can also be used to fully compromise the IoTs on one or more customer networks, allowing the attacker further access and control.
  • With compromised IoTs on a network, the attackers can:
    • Denial-of-service other devices, systems, application or platforms;
    • Inject manipulated data that can be fed to various systems;
    • Compromise other systems on the network otherwise known as cross contamination.
  • Attackers can also gain access through compromised IoT management, especially mobile phones.

Denial-of-service, data manipulation or compromise of other systems – including other IoTs – could impact critical systems such as:

  • Medical devices such as infusors, ventilators, respirators, or monitors for various body functions.
  • Vehicle and transportation system functions such as the car mechanical sensors, engine and transmission functions, braking system, navigation, infotainment systems However, drones, aircraft and ships with many critical functions are also vulnerable.
  • Building systems such as HVAC, elevator controls, and life safety systems.
  • Financial systems like the credit card machines, ATMs and ITMs described here.
  • Critical infrastructure control systems such as electrical grid, dam controls, air traffic controls.
  • Supply chain and manufacturing platforms that incorporate aspects of the platform from raw resources to retail.

 

Social Apps Plugins and Integrations

Another dynamic in this equation is social media integration, including apps and plugins. Systems like Facebook, Spotify, Pandora, Google, LinkedIn, and Amazon should be recognized as spyware, albeit sanctioned spyware. IoT Social media integration, though it may apply to only a portion of IoTs used in organizations, can significantly convolute how they are secured.

As you may have already concluded, the IoT application platform ecosystem is a tangled web of interdependencies between distributed devices on many different networks, using remote applications that are operated and controlled by a third-party, both of which are managed by one or more users with a variety of further devices that can connect from anywhere.

The IoT dependency computing model has many, many parts owned and operated by multiple parties, each with no visibility or control over platform elements they don’t own. The network the IoT runs on may be owned and operated by one party, the IoT itself by another, the application(s) by yet another, all of which may be managed by a different third-party.

Any security implemented between the many interconnected parts of the IoT ecosystem ultimately has no teeth. The security of one party impacts the security of all other parties!

With today’s remote cloud and SaaS applications, along with the pandemic rate IoTs are infiltrating every use-case, the concept of fence and gate security for a bunch of devices on the same network is naive, soon to be negligent. It’s no longer about better tools, it’s about a better model!

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

IoT Security v. Enterprise Security Showdown

For the last 30 years, enterprise technologies have represented the pinnacle of capability, scale and complexity in the IT space. Anyone remotely connected to the enterprise space has heard the term “Enterprise-Grade”, and technology companies work hard to earn the elite product label, “Enterprise-Grade”. However, IT operating models have changed dramatically, and as they continue to evolve, many “enterprise” product offerings have just not adapted. IoT Security is one such area.

The first round of changes were driven by the transition to the cloud, where platforms, users and data operate in a distributed fashion and are remote to one-another. Today, it’s not uncommon for teams from across the planet to talk, collaborate or share data, just as easily as they would if they were in the same office.

The industry’s response has been to tweak existing options to make them cloud-ready. But these tweaks are like whittling away at square pegs to force-fit them into round holes. It’s not pretty, it’s not smooth, and at the end of the day – it’s still a mangled square peg.

This has never been more true than with Cyber-Security tools and technologies. Since the industry came to be in the late 1980s, there have been two security tool options: on-device or gateway.

On-device is marred by limited function and capabilities, while Gateway suffers from its lack of mobility. These options were acceptable with traditional enterprises, but they fell flat with highly distributed and diversified enterprises known as the New Enterprise.

Both on-device and gateway security approaches, when employed for the New Enterprise, make things very complex for two reasons:

  1. Many disparate security technologies have to be acquired, implemented, integrated, operationalized, managed, troubleshot and refreshed every 3-5 years.
  2. Different batches of disparate security technologies are needed for each compute silo, such as Clouds, SaaS, Offices, Data Centers, Remote Users, and Mobile Devices.

This has made security for the New Enterprise much more complex and expensive, with far less agility. Complexity is the enemy of security, resulting in less effective security. That is a lot of blood and treasure for marginal results — at best!

IoTs: Molding Enterprise Technologies in their Likeness

Enter the Internet-of-Things (IoT). IoTs will turn the current approach to security on its head. First, let’s take a look at the difference between IoTs and Enterprise technologies.

Unlike standard-based, high-powered enterprise technologies that use only a handful of operating systems, the majority of IoTs cannot function autonomously.  IoTs have even introduced a new application model called dependency computing.  Thanks to their highly distributed, purpose-built nature and limited resources, IoTs are dependent on a supporting application. That application is often remote and cloud-based. And just as the IoT is dependent on the application to perform its function, the application depends on the IoT’s contributions to to fulfill its purpose.

Another standout difference is that IoTs have an 8-20 year lifespan, a significantly expanded lifetime in comparison to their enterprise counterparts’ 3-5 years. Coupled with distributed or mobile implementations, it means that updates and upgrades can be expensive or prohibitive altogether. Any meaningful security needs to be future-proof, providing sustainability over a device’s 20 year life.

Yet another difference is the operating network. Enterprise technologies mainly operate on secured networks the organization owns and controls. IoTs need to operate on a much wider array of networks that often include multiple disparate public and private networks.

So, it is not uncommon for the location, network, IoT and its dependent applications to be owned and operated by completely different and disassociated parties.

Energy-Rich Enterprises Meet Low-Powered IoTs

One of the most impactful challenges for IoTs and IoT security is power consumption. Enterprise tech has unlimited access to power compared to IoTs, many of which are often limited to on-board power systems. Some of these units have embedded batteries intended to power the device for its full life-cycle, which can be as much as 20 years.

Juxtapose that with the power drain that resource-intensive security functions place on the battery. Ongoing and consistent attacks on devices can lead to premature mortality for devices, by way of battery drain. In fact, if enough IoTs are consistently attacked, the power drain could jeopardize application function or availability.

Then the organization has to decide whether to roll out replacements or operate without the out-of-commission IoTs. In some use-cases depending on the IoT replacement or break-fix costs, some may abandon the application altogether.

Death by 50 Billion IoTs

This drives the next point: IoTs have long-term ownership challenges. Touching an IoT for maintenance is an extremely expensive process, if even possible. And of all technology functions the IoTs may be asked to perform, Security requires the most touches in the form of updates and upgrades.

Considering that security tools need to be upgraded every 3 years or so to keep up with a very dynamic threat landscape, rolling out devices today means that they have security for ½ to ¼ the life of the useful life of the IoT. This is further exasperated by the inability to know that in 3 years an enhanced on-device security option will even be available, and the device is capable of being updated and upgraded.

Then there is scale. Slated to top 50 billion devices in the next 3-4 years, IoTs operate at a scale that the technology industry has never experienced. So not only does the solution need to support distributed, fragmented and under-powered tech, but it has to do it for an unprecedented number of devices. The scale issue alone means that many organizations have to re-think their whole technology strategy.

By virtue of the scale, pricing models have to be re-thought. No one can afford to build out disparate security stacks of many different products for each of the clouds, SaaS, Data Centers and Remote users, and another patchwork quilt of IoT security for all the IoTs in their environment. And no one is willing to pay enterprise prices for the massive volume of different IoTs that need to be supported.

Enterprise-Grade Cedes to IoT-Grade

As the industry has started to regain its balance from the invasion of the cloud, IoTs have appeared on the scene to completely disrupt technology standards and operating models all over again. IoT, especially IoT security has started to, and will continue to knock enterprise security down notch after notch, ultimately to replace the term “Enterprise-Grade” with “IoT-Grade”.

It’s fair to think of enterprise as the 800-pound gorilla, however, the collective IoT pool can best be represented by a massive swarm of bees. With the coming of age of the cloud and now the proliferation of IoTs, the old and tired enterprise security model will suffer a death by a thousand stings from IoT’s killer swarm.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.