The Internet of Things technology is gradually edging into all aspects of business. How many objects can be connected and what are the related implications of these connections are some questions to consider when venturing into this space. In an exclusive interview, Philippe Roggeband, Business Development Manager, Cisco Security Architecture, outlines the security aspects to think about when it comes to IoT.
What are some of the biggest trends within security today?
It is mainly around securing the Internet of Everything (IoE). It is one of the hottest topics at the moment. We are seeing a large number of objects getting connected to the Internet. With 20 billion devices expected to be connected within the next few years, I don’t think the IoE will exist unless security is a part of it.
What are the challenges around IoT for an organisation?
According to us, there are three types of IoT. The first one constitutes the enterprise world, where the connected object will typically be the IP camera, printers and fax machines – everything we are already accustomed to handling. We can easily manage this because it is part of our policies. What we need to pay attention to is basically profiling those devices and ensuring they behave in an appropriate way.
The second category includes the industrial networks. Here, we have had programmable logic controllers and SCADA acquisition systems controlling industrial networks for quite a while. They were connected between isolated networks, and that is not where the danger is coming from; it is the fact that the OT networks are getting connected with IT networks. The OT networks were not designed to be interconnected with anything else. Therefore, in many cases, security was not built in, and introducing security in that space is complex because you are not allowed to put in any latency. The moment you place a firewall or an intrusion prevention system, you put latency in. This means you have to be able to integrate security into the fabric of those OT networks without disrupting them, and that’s a challenge. We have been working on this and have developed solutions in this space.
The third type of IoT covers consumer technologies and consumer objects, i.e., the connected bracelets, connected cars and connected refrigerators. This is probably one of the biggest areas of concern because when you are dealing in the enterprise world, you are going to have somebody who knows about security and will go about setting and applying policies. However, in the consumer world, the consumer has to be knowledgeable in order to protect himself. Similar to the PC segment, it is the end-user’s responsibility to install anti-virus or other security measures. With connected objects in the consumer world, we will see similar challenges. I believe this will be a huge concern.
How can organisations prepare to face the IoT wave?
It is really all about understanding what you are trying to connect to the network. That’s going to be based on the customer’s outcome. Therefore, there are a couple of aspects that need to be considered. First, organisations need to outline what the business outcomes are. Then they need to identify the business initiatives that customers are trying to reach, and based on that they can then devise the appropriate security policies and determine what products and solutions need to be deployed.
What is Cisco’s differentiator in this space?
One of the things we are beginning to see with IoT is an increase in the attack surface. We are going to see many more operating systems, and not all of them will be designed with in-built security. One of the key challenges is being able to go on multiple platforms to get connected. This is where I see a big differentiator for Cisco. It’s the fact that the common element is going to be the network. Because no matter what’s running on the end point or what’s running on the connected object, the mandatory point of passage for the traffic is going to be the network fabric. We are well-positioned in this area because we can leverage network traffic analysis as a way of identifying new threats coming from these new objects.
Most security vendors do only security, but we do security, networking, collaboration, and data centre. For us, putting security as an adjective is a way of life. We wouldn’t consider selling an unsecure network, an unsecure data centre or an unsecure collaboration solution to the customer. This is because the network was designed with security in mind. We have the mechanism to authenticate whoever is behind the object, profile the object and see how it is behaving. And if corrective measures need to be taken when we think the object is misbehaving, it is something we can do in the network fabric simply by blocking the access.
What are some of the key elements that are changing the way security is perceived in the region?
As a part of the emerging countries, technology in the region is moving extremely fast because business is moving extremely fast. One of the interesting elements is that security is no longer being added on as an afterthought; customers are integrating it as part of their initial plans. And this is something I like to recommend to all our customers and partners – don’t leave security as a function to be handled after you have decided what IT infrastructure you are going to need. Make sure when you design what you want to do from the business perspective, you think about your security policies at the business level.