IoT, Contagion for Good
"The contagion of such a unanimous fear was inevitable."
The War of the Worlds
In H.G. Wells’ tale of mayhem and collective fear, the Martian invaders overwhelmed Earth’s human population. There was no means to fight back until the planet’s microbes destroyed the attackers in a fortuitous contagion. The classic story ended with the viral outbreak as savior of the populace. We were the good guys in the story, generally. And the good guys won.
There are more good guys than bad in our world, yet we behave as though the predisposition of most neighbors, or most transnational, geographically distant actors, is bent toward chaos and hurt, or narcissistic control. But this does not represent reality, neither for professionals nor for everyday people and the companies we lead. It’s simple logic: if most of the populace, or our business competitors, were truly evil, then the species would have disappeared long ago, about as suddenly as the conquering killers from the red planet. Most people are decent. The 'warped and angry' are a minority across all sectors and regions of the blue planet.
As we become more connected, our optimism and trust become more important, and so does our reliance on our own security teams.
In a recent conference I was briefly interviewed about the Internet of Things (IoT) and associated security futures. The evolving web of communications, structured as binary electrons and comprising our lives’ exchanges, is more interdependent than ever. This is the extension of the division of labor and the utility of creative sharing. Whether it is APIs integrated into others’ functionality, or everyday objects plugged into our own value propositions, we link with each other because each of us leverages the other’s success. We use what they built and, in turn, they use what we’ve built. We refine on top of each other’s success.
The history of creation is the legacy required for tomorrow’s intelligent technology and, hopefully, our enhanced standard of living. In the case of Wells’ metaphor of conflict and his personal despair over our own barbarism, technology was the means to destroy and dominate. Our own technological contagion of a ubiquitous viral outage is possible (perhaps not probable) because of web-enabled interconnectivity in every facet of our day. We are connected to the products of third parties, some of whom we may never have met. For example, if we are an analytics practice assessing homeowner behaviors for energy, we don’t build our own monitoring devices; we leverage the IoT.
Most third parties want to do the right thing; it’s up to you to ensure they know how to do the right thing, and to what level of assurance they have guarded against the bad guys.
The short answer to skepticism about supplier confidence usually mandates due diligence: legal paper and signatures, research into their clients and their background histories, the levels of controversy they’ve been immersed in, and whether we can trust them.
Our suppliers can be trusted with good intentions; they care about their own reputations as we care about ours. If their “good intentions” were being tested, then most will pass with flying colors. Thus, we test their skill level, not their humanity.
How sophisticated is their management insight, their operational performance, and their thoroughness in security?
Do they verbalize a reliance on a standard such as ISO 27000? If so, specifically how do they build and create according to the standard?
Engage your engineering team and engage theirs.
Corporate abilities to integrate standards are variable; there is no equality in secure operational performance. You need to ascertain their sophistication in technology. When you vet a third party, focus on their capabilities and engage conversations at depth. Ask how they have implemented detection capabilities. Have your engineers ask their engineers for explicit examples of their environmental protections. Get into the weeds.
Not all software or firmware is built to withstand the advanced hacking that has become a science replete with mad scientists. So how deep do we go in our vetting? Firstly, don't try to be too clever; not all due diligence techniques are impressive, and I did not agree with one I've recently heard: just show up unannounced at your suppliers' factory and ask to see their processes ad hoc. Your supplier may have an environment that should be secure and private. The time to badge everyone in and vet your team’s intentions is time out of your suppliers’ day. They’re running a company, not an amusement park. A walkabout may show that floors are clean, employees have badges and turnstiles are locked, but it’s not going to show you the security detection firmware, a piece of code, or the allegedly impenetrable circuit board. If you want to vet your supplier, then ensure your own firm has depth of engineering analysis and conducts extreme testing.
In discussions and engagements with suppliers, demand that you review their development process; test the expertise of their team; ask about their security lab.
Ask and ask.
To put this in context, consider most third-party surveys. They ask whether DRP plans, development methods or best practices exist. So what? Is that assurance? Ask their representatives what it means to be compliant in the technology stack of their product. Ask for their backgrounds and experience. Auditors will, so why can’t you? If you’re using appliances that have logic boards interfacing with your own environment, surveys and discussions won’t protect you as much as your security engineering team will. Invest in research and testing, and hack away. If your firm is of modest size, then engage other suppliers who will perform the rigorous analysis and testing of that Internet thing you’re leveraging. Or leverage other research that is available throughout the... Internet of Things! Information is there if only you look.
Ultimately the IoT risk is a cloud risk, and the usage of other capabilities provokes a layered approach to security. Consider your corporate environment now. The layers are at the perimeter, the endpoints, the data stores, the awareness, the integrated security in app development, the DevOps testing, the monitoring. If one avenue fails there is presumably another that can help protect the keep. If your systems rely on inputs from outside your perimeter, somewhere around the world with infinite numbers of exchanges, your consumption of those IoT inputs should be known and expected.
Unit testing techniques never became obsolete. It’s the explosion in growth and interdependency that provoked us to become hasty. Classical approaches to testing linkages are still the root methodology. Back to basics still works, and speed in delivery demands the creed of security. Analyze early in your integration deliberations, not later.
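The two preceding paragraphs make one practical point: inputs arriving from outside the perimeter should be known and expected, and that expectation should be checked early, with the same classical unit-testing discipline applied to the linkage itself. The following is an added example, not code from the original essay. It assumes a hypothetical energy-analytics service receiving JSON readings from third-party meters; the device inventory, metric names, plausibility bounds and sample messages are all constructed for illustration. Each reading passes through layered checks (well-formed payload, registered device, metric the device is allowed to report, plausible value, fresh timestamp), and anything that fails is quarantined with a reason rather than silently dropped or silently ingested.

```python
"""Validate inbound IoT telemetry against what we know and expect.

Added example (not the essay's own code). Assumes a hypothetical
energy-monitoring service fed by third-party meters; every identifier and
limit below is constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory: the devices we expect to hear from, and the
# metrics each one is registered to report. Anything else is unexpected.
KNOWN_DEVICES = {
    "meter-0001": {"vendor": "example-meter-co", "metrics": {"kwh", "voltage"}},
    "meter-0002": {"vendor": "example-meter-co", "metrics": {"kwh"}},
}

# Constructed plausibility bounds per metric (inclusive).
METRIC_BOUNDS = {
    "kwh": (0.0, 1000.0),
    "voltage": (90.0, 260.0),
}

MAX_AGE = timedelta(minutes=10)      # readings older than this are stale
MAX_FUTURE = timedelta(minutes=1)    # tolerate small clock skew only
REQUIRED_FIELDS = {"device_id", "ts", "metric", "value"}


def validate_reading(raw, now=None):
    """Return (ok, reasons). ok is True only when every layered check passes."""
    now = now or datetime.now(timezone.utc)
    reasons = []

    # Layer 1: the payload must be the shape we agreed on with the supplier.
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return False, ["malformed JSON"]
    if not isinstance(msg, dict):
        return False, ["payload is not an object"]
    missing = REQUIRED_FIELDS - set(msg)
    if missing:
        return False, [f"missing fields: {sorted(missing)}"]
    unexpected = set(msg) - REQUIRED_FIELDS
    if unexpected:
        reasons.append(f"unexpected fields: {sorted(unexpected)}")

    # Layer 2: the sender must be in our inventory and allowed to send this metric.
    device = KNOWN_DEVICES.get(msg["device_id"])
    if device is None:
        reasons.append("unknown device")
    elif msg["metric"] not in device["metrics"]:
        reasons.append(f"device not registered for metric {msg['metric']!r}")

    # Layer 3: the value must be numeric and physically plausible.
    bounds = METRIC_BOUNDS.get(msg["metric"])
    value = msg["value"]
    if bounds is None:
        reasons.append("unknown metric")
    elif isinstance(value, bool) or not isinstance(value, (int, float)):
        reasons.append("value is not numeric")
    elif not (bounds[0] <= value <= bounds[1]):
        reasons.append("value outside plausible range")

    # Layer 4: the timestamp must be timezone-aware, recent, and not from the future.
    try:
        ts = datetime.fromisoformat(str(msg["ts"]).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            reasons.append("timestamp lacks timezone")
        elif ts > now + MAX_FUTURE or now - ts > MAX_AGE:
            reasons.append("timestamp stale or in the future")
    except ValueError:
        reasons.append("unparseable timestamp")

    return not reasons, reasons


def triage(batch, now=None):
    """Split a batch into accepted readings and quarantined ones with reasons."""
    accepted, quarantined = [], []
    for raw in batch:
        ok, reasons = validate_reading(raw, now)
        (accepted if ok else quarantined).append((raw, reasons))
    return accepted, quarantined


if __name__ == "__main__":
    # Constructed sample batch: one good reading and several that should be quarantined.
    fixed_now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sample = [
        '{"device_id":"meter-0001","ts":"2024-01-01T11:58:00Z","metric":"kwh","value":12.5}',
        '{"device_id":"meter-9999","ts":"2024-01-01T11:58:00Z","metric":"kwh","value":1.0}',
        '{"device_id":"meter-0002","ts":"2024-01-01T11:58:00Z","metric":"voltage","value":230}',
        '{"device_id":"meter-0001","ts":"2024-01-01T09:00:00Z","metric":"kwh","value":5000}',
        'not json at all',
    ]
    ok_list, bad_list = triage(sample, fixed_now)
    print(f"accepted {len(ok_list)}, quarantined {len(bad_list)}")
    for raw, why in bad_list:
        print("  quarantined:", why)
```

The inventory and bounds are the "known and expected" part; the fact that every rejection carries its reasons is what makes the quarantine useful to the monitoring layer, since a sudden rise in "unknown device" or "value outside plausible range" is itself a signal worth alerting on. Checks like these belong in the integration's unit tests from the first day the supplier's feed is wired in, not after it has been trusted for a year.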
I would have liked to have had a pithy play on the IoT acronym during my interview, but all I could think of was Inventory of Threats. That inventory numbers in the billions when we count the interdependency and connections of all the inputs we use. But as I consider our posture as human beings, interconnectedness should never be met with fear. We can be guarded but not agoraphobic on the web. We advance our companies and our humanity because we hold confidence and courage in the face of risk.
There are more good guys than bad guys.
The IoT is a recognition that everything is linked to us.
Our partners can only be evaluated so far.
Start with your own shop and end with your shop; do we have scrutiny and traps throughout?
Do we have insights into all development practices and assets?
Ensuring your own castle's moat is filled with crocodiles and your own barbed wire is intact will be more effective than a third party survey. So vet your partners thoroughly, of course, but know that it’s still all about you, assuring that your own quarantining measures can prevent contagion.
In a twist of fate, Wells’ Martians were undone by viral strains; the good guys won because we were immune to the pathogens the extraterrestrials could not survive. We were a product of the evolution of things. Now our evolution among machines is the future. A future without fear.
Our connectedness represents our optimism and our immortality as a species – the IoT, Intrepidness over Technology.