
Pervasive Computing & Breaking The Security Barrier

The Internet of Things, BYOD, and DevOps aim to make computing seamless, but information security remains a cumbersome chokepoint.

Security researcher Ken Munro recently disclosed vulnerabilities in BMW's most recent models of "smart" cars that could enable thieves to bypass the car's security and unlock doors and windows. The disclosure actually paled in comparison to last year's televised controller area network (CAN) hack by Charlie Miller and Chris Valasek, in which the researchers took control of a Ford Escape's steering, speedometer, and engine.

It seems a new vulnerability is disclosed every other day in this brave new IP-centric world, with reports of refrigerators acting as spambots, insulin pumps susceptible to wireless hacks, and easily compromised smart meters. At the same time, there's the BYOD Bogeyman banging on enterprise IT's door, with users muddying networks with their personal devices.

The Internet of Things (IoT), BYOD, and the DevOps revolution: They're all descendants of the pervasive or ubiquitous computing movement -- compute as a platform, a tool, as raw material, ultimately fading into the background because it's everywhere. Compute becomes a creative tool to help people solve problems.

But security hasn't quite caught up to this evolution of seamless tech and appears to be the only barrier to what the father of ubiquitous computing, Mark Weiser, predicted as an age of "calm technology, when technology recedes into the background of our lives." Security researchers forget that the goal of ubiquitous or pervasive computing is invisibility, not heavy-handed controls.

Most companies aren't in the business of security. They are specialists in their own particular industry. So why are we surprised when it isn't their first priority? As compute becomes more transparent, information security continues to go in the opposite direction. It's still cumbersome, often focused on compliance checklists and on vulnerability assessments that point out shortcomings rather than deliver solutions developers can actually use, and it often operates with the same efficiency as the DMV. "No" remains the security mantra.

Instead of security professionals complaining and demonstrating how consistently insecure products are and coming up with reasons why users can't have the flexibility they need, maybe infosec needs to come up with new methods of achieving ubiquitous security. By creating approaches that aren't a choke point in the development cycle, security aligns with the business. 

The DevOps movement transformed IT organizations by demanding that all teams start to think like developers, emphasizing continuous change for speedy application delivery and support. Isn't the IoT just one more application?

Some argue that DevOps runs counter to good security, that the two aren't compatible and SecDevOps isn't possible because developers don't care about security.  But humans are quite adaptable and as biologist Peter Watts said, "Natural selection favors the paranoid." As the population increased and crime rates rose in urban areas, people learned to make physical security a habit. If we don't have to call the locksmith every time we want to lock our doors, why shouldn't we be able to integrate good security practices into the rest of the business?

Recently, technology journalist Quinn Norton wrote an apocalyptic article in which she lamented "how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire." The recent OpenSSL Heartbleed vulnerability seems to confirm the frailty of our interdependent systems -- how easily one bug can cause a ripple of destruction like a tsunami wave.

Focusing on a technology rather than the problems it solves -- as security pros are apt to do -- is like falling in love with a hammer. The hammer only matters when it's used to do something: build a house or fix a roof. The hammer by itself is meaningless. So what we do in IT and even security is completely pointless if we don't remember the end goal: furthering the business in its act of creating opportunity. Any idiot can blow up a cathedral, but it takes a genius to design one and an army of craftsmen to actually build one.

Nothing prevents us from changing the course of our pervasive computing future. Take the arch, a miracle of physics and engineering perfected over hundreds of years. When architects struggled with making them taller, they invented the first pointed arches, which produce less thrust at the base, allowing for those insanely large Gothic cathedrals.  

The potential for real solutions exists, but only if security professionals join the conversation. Security isn't weak because our users and developers are stupid -- it's because our solutions are.

Michele Chubirka, also known as Mrs. Y, is a recovering Unix engineer with a focus on network security. She likes long walks in hubsites, traveling to security conferences, and spending extended hours in the Bat Cave. She believes every problem can be solved with a "for" ...
Comments
MarciaNWC,
User Rank: Strategist
6/29/2014 | 6:47:58 PM
Re: Isn't Information Security everyone's responsibility?
Valid point @AbeG. Security should be more seamless so that it doesn't create a barrier to collaboration. Employees who handle corporate data, though, should have a sense of responsibility to keep it secure.
AbeG,
User Rank: Black Belt
6/28/2014 | 6:34:59 PM
Re: Isn't Information Security everyone's responsibility?
I'll try to play devil's advocate here and think of what those who are not in the IT profession might say in objection:

People in creative fields might argue that security has to do with controls and restrictions which are a counterproductive way of thinking for artists or those in the entertainment field. For those whose job it is to collaborate and come up with fresh ideas on a regular basis, it can be mind-numbingly frustrating to jump through hoops in the corporate network when trying to collaborate with others. Meanwhile, Dropbox makes it easy to share their ideas.

A writer might wake up at 4am with an idea that needs to be written down immediately. What are the odds that this writer cares about finding a secure computer, with a secure connection to a secure network before writing down their idea? Not likely. It is more important to get the idea written down somewhere, even if it's on an unauthorized personal mobile device, which may or may not be secure.
AbeG,
User Rank: Black Belt
6/28/2014 | 6:28:40 PM
Re: Isn't Information Security everyone's responsibility?
I think that we often forget that the rest of the workforce does not sit in front of a computer all day.  

Does a truck driver have any time or interest to read up on the company's latest IT security bulletin? Probably not. However, this person might use some sort of digital scanner to scan invoices or package deliveries.

Should this individual read up on tech bulletins at home? What are the chances that the dispatcher will pay regular overtime so that the driver can go to the office and read up on the latest info? Not likely.
MarciaNWC,
User Rank: Strategist
6/20/2014 | 11:07:19 AM
Re: Isn't Information Security everyone's responsibility?
I agree that information security is a responsibility for everyone, but getting everyone to understand that is tough, no matter how much security training is conducted.
ReturnoftheMus,
User Rank: Moderator
6/19/2014 | 7:47:01 PM
Isn't Information Security everyone's responsibility?
Whilst interesting, didn't quite grasp why DevOps was considered a good insertion point for something that should come first and foremost, everyone in an organisation has a duty and InfoSec Pros should be enabling them to carry out that duty in a secure way.
Pablo Valerio,
User Rank: Apprentice
6/18/2014 | 4:37:01 AM
Standardization can help
The recent announcements by Apple, Google and other internet companies that they are creating standard frameworks to control appliances can help to minimize the security burden on manufacturers.

Also Bosch-Siemens recently disclosed their Home Connect app, for their own line of appliances and open to other brands to use the protocol.

While appliance manufacturers are not experts in internet security they are hiring people who are and collaborating to minimize the risk.
Lorna Garey,
User Rank: Ninja
6/17/2014 | 2:23:49 PM
Come on ...
... admit it, the idea that someone could hack into and steal a Beemer is schadenfreudish.
Susan Fogarty,
User Rank: Strategist
6/17/2014 | 1:00:00 PM
Re: DevOps meets security
Right, as Michele says below, if the security folks are brought in earlier, they can build tools reasonably into the process so that it becomes a normal part of how things are done. Now everyone hates to ask the security team for feedback, because they know it's going to open a can of worms and cause huge delays.
MarciaNWC,
User Rank: Strategist
6/17/2014 | 11:45:25 AM
Re: DevOps meets security
Hopefully DevOps will provide that integration and help break down the silos. I know security pros can get frustrated when they're not brought into discussions early on when projects are developed.
Drew Conry-Murray,
User Rank: Strategist
6/17/2014 | 11:41:50 AM
Re: Perfect Vs. Good
That sounds even better--assuming you've got the organizational maturity (and human maturity, i.e. 'I can't let them play with my toys!')