Security and the Internet of Everything – Are We Ready?
The demand for connected devices is growing exponentially, but the technology to secure these devices is lagging creating cyber security vulnerabilities at a massive scale.
The Current State of Cyber Security
Every day we hear about breaches, hacks, and cyber-attacks affecting banks, hospitals, transportation, and even entire cities. In some instances, the impact can mean life or death. Our most trusted institutions – like the US election process – are not the pillars of security they once were. And yet the demand for “connected everything” continues to grow in all sectors and across the globe.
It’s common knowledge that nation states, competitors, and bad actors of all sorts and sizes are persistently and systematically hacking away at the thin security layer that supposedly protects us. The vulnerabilities that are inherent in the devices we use every day create a significant attack surface for intruders.
A recent Gartner report estimates that, by 2021, there will be 25.1 billion internet-connected devices, growing at a rate of 32% per year.
World leaders, high profile companies, and legislators have been painfully slow in waking up to the complex reality that cyber security needs to be the number one priority, although data protection has been front and center. For example, the EU just recently enacted GDPR to help secure personal data privacy, but the US currently does not have any formal federal legislation for data protection. There are, however, laws like the US Privacy Act of 1974 and HIPAA that address some of these concerns. In the end, data privacy is just the tip of the mega security iceberg. The bigger picture reflects a national security crisis.
SB-327 – A First Step Solution to the Security Issue?
Recently, the state of California passed SB-327, a bill requiring companies that manufacture connected devices in the state to either have a unique password built into each device or a mechanism whereby the end user would be required to create a new password once they activate the device. One example of practical application is wireless routers. Typically, an internet router comes with a pre-assigned generic password. This code is often plainly visible on the side of the router itself. Also, this password information – via model number – is also available on websites that hackers use to find device information. It’s extremely easy for them to walk right in and access every device that is connected to a network whether it be a single home or an entire enterprise.
By prompting the consumer to immediately change the password when the device is activated, a main point of entry for an attacker is essentially blocked. There are other issues with securing routers that are too lengthy for this post, and there’s more to the bill, but the crux is that it puts the onus on the manufacturers to ensure that their devices are secure once they are put in the hands of the consumer. In theory, it’s a good plan but there have been numerous criticisms of the bill and some say it doesn’t go far enough in fixing the security vulnerability problem.
Encryption Key Management – A Solution to the Problem
Hopefully, the legislation will prompt manufacturers to make the password change process easy and appropriate for the device. Still, wouldn’t it more effective if the device came with a pre-built security feature that manages the passcodes automatically? Ideally this product would:
- Provide an automated process that updated the pass-key to a fully secure military grade password once the device was activated
- Continue to update/change the pass-key at appropriate intervals
- Plug right into existing technologies – didn’t require another purchase from the end user to secure the devices
- Operated under unified industry standards
The good news is that this technology already exists now! Encryption Key Managers offer a solid solution to this security-at-scale problem by managing the pass-keys on all kinds of devices, and in all kinds of environments, from cloud to on-premise, and enterprise-wide. Key managers are a simple but extremely effective way to help meet the SB-327 requirement and ensure scalable cyber defense to meet the demand of IoE. And, integration with existing technology can provide a robust, lock-tight solution to securing connected devices of all kinds. There are several key managers out there that provide a solution with varying levels of functionality. Most meet operating standards like KMIP and PKCS#11.
Technology Benefits and Risks – Everyone’s Responsibility
New technology always creates benefits and risks. Sometimes it’s better to take technology adoption slowly and allow the risks to work themselves out before making the commitment. But, we are experiencing exponential increase in technology adoption, too. This rapid adoption rate also accelerates the vulnerabilities. The sheer magnitude and complexity of connected devices requires multiple layers of protection at a minimum.
Companies that are implementing security features into their devices or products must consider the end user more than ever. Security failure is extremely costly on many levels, be it economic, social, or environmental. In the end, however, legislators can only do so much in requiring that device manufacturers do their part to ensure protection standards are implemented. It’s up to the end user, consumers, and organizations to consider the cost of technology adoption, implementing a security solution, and compare the risks associated with an attack or breach, and continue to evaluate and ask, “are we ready?”
Note: This entry has been edited to reflect the ‘Key Orchestration’ solution name becoming ‘VaultCore’