Fortifying the IoT: Q&A With Security Expert Darren Guccione

Lorna Garey

When it comes to locking down the Internet of things for customers, Darren Guccione, CEO and founder of mobile-security provider Keeper Security, says there are more questions than answers right now.

Standards are nonexistent, complexity is high, consumer-class devices represent significant risk and fights between open and proprietary approaches are ongoing. What’s a solutions provider to do?

Channel Partners sat down with Guccione to get answers to that question and more.

**Editor’s Note: This interview was edited for length and clarity.**

Channel Partners: What are your thoughts on the security challenges around the Internet of Things?

Darren Guccione: The biggest problem is that the Internet of Things is a very disaggregated market. You have thousands of manufacturers creating millions of devices that all connect to the Internet, and there’s no ubiquitous and unified security protocol that companies need to abide by. There’s no standard that a manufacturer has to follow — an “Internet of Things device” is anything that connects to the Internet.

Also think about volume and complexity. In the next five years, you’re talking about upwards of 50 billion IoT devices in circulation – 50 billion potential endpoints that represent a threat for companies because of potential remote breaches. Think about that — there could be tens of thousands at a customer company. And that’s an issue, because everything is networked with separate IP addresses. How do you manage all of that? It’s a nightmare.

Then there’s the consumer angle. All of us work for companies. We all go home, and we use personal devices for work when we’re at home. Our home networks may have one or more associated IoT devices or connected objects. If one of those devices is weak, it represents a potential access point for a hacker. And that’s a dangerous thing. So outside of work, you always want to make sure that you’re utilizing strong VPNs to protect the corporate infrastructure and architecture.

And this is a problem that doesn’t discriminate. You’re talking about consumer applications, business applications, the private sector, the public sector. We hear about municipalities, like governments or cities, but what about health care? That is a gigantic market that is under attack. They’ve had more breaches in terms of patient data being stolen than any other sector so far this year. North of 100 million files have been taken from various health-care organizations. That’s scary. You’re talking first name, last name, date of birth, Social Security number. Talk about a pervasive and epidemic attack in terms of identity theft and monetization of stolen records. This is big-league stuff now.

CP: Are any vendors addressing this? Could a partner build a solution?

DG: Cisco is using [its] expertise in servers and networking and IT infrastructure to basically converge those devices into a single portal through the Internet, through the OpenDNS acquisition, that they can manage, monitor, and control. Bringing order to chaos through a convergence platform. If you try to do that on your own, it’s just not time- or cost-effective.

CP: Do you know of other companies offering anything similar?

DG: No, I don’t. Former Cisco CTO Padmasree Warrior spoke of the Internet of Things as being the next biggest thing, and she’s absolutely right. And I think prior to her leaving, a big push inside Cisco was around securing IoT, managing IoT and really getting out in front of it. This will be one of the biggest and best things they’ve done in a very long time. It’s not important — it’s essential. That’s how critical this is. I’m sure there will be competitors, but Cisco is the market leader in terms of what we’re discussing today.

CP: The IoT concept is not new. There’s been machine-to-machine communications for a long time. Why do you think there hasn’t been any security standard?

DG: Unfortunately, this is not like the auto industry where you have a Department of Transportation that mandates safety provisioning across automobiles. You have a much more disaggregated and prolific environment. Look at the number of devices that proliferate every single week into the ecosystem, into the market — you’re talking about tens of thousands of different SKUs. How do you put your arms around that? And should an appliance have the same level of security that maybe a router has? How do you mandate those things?

It’s a massive undertaking, but I think that there should be a standard. Absolutely there should be a standard.

CP: What’s your near-term recommendation?

DG: You have to be proactive in your mindset. It all starts with password management – how do you handle passwords, how do you manage passwords, how do you set passwords – because 75 percent of all breaches start with weak or poor password management.

Then, of course, you have to deal with architecture. If a hacker were to obtain someone’s password and there’s a breach, and there’s some type of errant activity at an endpoint at a company, whether it’s a cash register at Target or a server or one of the workstations at a remote site, you need to have endpoint software that tells you within seconds. That’s where things are going, so it’s not just about being reactive. You want to find out if someone’s trying to ping your system through a node or endpoint the second that it’s happening so that you can address it immediately.

And that’s where all of this architecture that you’re seeing with IoT becomes far more critical. There’s just no way to manage all of it. It’s just too big. There are too many endpoints, too many points of potential entry for a hacker to breach the walls of an organization. And that’s why products like Cisco’s, in terms of what they’re doing, are so important.

CP: Someone might counter that Cisco has a tendency toward proprietary, not the standards you were discussing.

DG: Yeah, I’m big on proprietary. We have patents, and we sue people that infringe on us if it’s meaningful enough. We protect our IP; you have to in technology. If you don’t have strong IP and you don’t insulate what you’re doing, you’re doomed. I mean, look at what happened with Motorola. How do you go from being a market leader to essentially gone? That’s frightening. There [are] several prongs to why that happens, but I will tell you that you have to protect the boundaries that you’ve created based on your innovation. You have to do it. If you don’t do it, you die.

CP: The alternate example would be open source, where you get security by many people contributing and looking at code.

DG: I think open source works on certain things, but when it comes to cybersecurity, it does not work. It absolutely will not work. The bottom line is, I think that Cisco’s spot on. I think that they have a channel that they have to protect, and there’s proprietary information that doesn’t survive in an open source environment. And there’s something about the danger of complete and total transparency. Hackers today are brilliant, well financed and far more intelligent than a lot of the CIOs and CISOs and CTOs out there. I think you’re going to see less open source, not more. I think about boundaries and privacy, not just in terms of protecting corporate IP or industry IP, but in terms of product development [and] distribution.

Look at what Apple’s done. [It’s] the largest company in terms of market cap, next to Exxon, in the world. They are not open source. They offer an end-to-end solution that’s elegant and secure in its own right. And so that’s what the Cisco unified infrastructure brings for the IoT ecosystem.
