• 06/17/2014
    7:00 AM
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Pervasive Computing & Breaking The Security Barrier

The Internet of Things, BYOD, and DevOps aim to make computing seamless, but information security remains a cumbersome chokepoint.

Security researcher Ken Munro recently disclosed vulnerabilities with BMW's most recent models of "smart" cars that could enable thieves to bypass the car's security and unlock doors and windows. The disclosure actually paled in comparison to last year's televised controller area network (CAN) hack by Charlie Miller and Chris Valasek, in which the researchers took control of a Ford Escape's steering speedometer and engine.

It seems a new vulnerability is disclosed every other day in this brave new IP-centric world, with reports of refrigerators acting as spambots, insulin pumps susceptible to wireless hacks, and easily compromised smart meters. At the same time, there's the BYOD Bogeyman banging on enterprise IT's door, with users muddying networks with their personal devices.

The Internet of Things (IoT), BYOD, and the DevOps revolution: They're all descendants of the pervasive or ubiquitous computing movement -- compute as a platform, a tool, as raw material, ultimately fading into the background because it's everywhere. Compute becomes a creative tool to help people solve problems.

But security hasn't quite caught up to this evolution of seamless tech and appears to be the only barrier to what the father of ubiquitous computing, Mark Weiser, predicted as an age of "calm technology, when technology recedes into the background of our lives." Security researchers forget that the goal of ubiquitous or pervasive computing is invisibility, not heavy-handed controls.

Most companies aren't in the business of security. They are specialists in their own particular industry. So why are we surprised when it isn't their first priority? As compute becomes more transparent, information security continues to go in the opposite direction. It's still cumbersome, often focused on compliance checklists, vulnerability assessments pointing out shortcomings as opposed to delivering solutions developers can actually use, often with the same efficiency as the DMV. "No" remains the security mantra.

Instead of security professionals complaining and demonstrating how consistently insecure products are and coming up with reasons why users can't have the flexibility they need, maybe infosec needs to come up with new methods of achieving ubiquitous security. By creating approaches that aren't a choke point in the development cycle, security aligns with the business. 

The DevOps movement transformed IT organizations by demanding that all teams start to think like developers, emphasizing continuous change for speedy application delivery and support. Isn't the IoT just one more application?

Some argue that DevOps runs counter to good security, that the two aren't compatible and SecDevOps isn't possible because developers don't care about security.  But humans are quite adaptable and as biologist Peter Watts said, "Natural selection favors the paranoid." As the population increased and crime rates rose in urban areas, people learned to make physical security a habit. If we don't have to call the locksmith every time we want to lock our doors, why shouldn't we be able to integrate good security practices into the rest of the business?

Recently, technology journalist Quinn Norton wrote an apocalyptic article in which she lamented "how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire." The recent OpenSSL Heartbleed vulnerability seems to confirm the frailty of our interdependent systems -- how easily one bug can cause a ripple of destruction like a tsunami wave.

Focusing on a technology rather than the problems it solves -- as security pros are apt to do -- is like falling in love with a hammer. The hammer only matters when it's used to do something: build a house or fix a roof. The hammer by itself is meaningless. So what we do in IT and even security is completely pointless if we don't remember the end goal: furthering the business in its act of creating opportunity. Any idiot can blow up a cathedral, but it takes a genius to design one and an army of craftsmen to actually build one.

Nothing prevents us from changing the course of our pervasive computing future. Take the arch, a miracle of physics and engineering perfected over hundreds of years. When architects struggled with making them taller, they invented the first pointed arches, which produce less thrust at the base, allowing for those insanely large Gothic cathedrals.  

The potential for real solutions exist, but only if security professionals join the conversation. Security isn't weak because our users and developers are stupid -- it's because our solutions are.


DevOps meets security

I love Michele's suggestion here that devops can provide a seamless integration point for security. I can't imagine why more businesses, and frankly more users, aren't demanding that. Businesses may not be selling security, but I am shocked at the shortcuts they are willing to take to get products out the door, knowing the risks involved.

Re: DevOps meets security

Hopefully DevOps will provide that integration and help break down the silos. I know security pros can get frustrated when they're not brought into discussions early on when projects are developed.

Re: DevOps meets security

Right, as Michele says below, if the security folks are brought in earlier, they can build tools reasonable into the process so that it becomes a normal part of how things are done. Now everyone hates to ask the security team for feedback, because they know it's going to open a can of worms and cause huge delays. 

Perfect Vs. Good

I'm really worried that with IoT we're going to make the same kinds of mistakes we made with the early days of the Internet, but this time there will be lots of easily-exploitable code running things like cars, healthcare products and so on.

I wonder if one problem might be the idea that security has to be perfect. If security teams want more time to puzzle out every potential flaw and vulnerability, of course the business is going to get frustrated and not bother with the security team in the first place.

You wrote "maybe infosec needs to come up with new methods of achieving ubiquitous security. By creating approaches that aren't a choke point in the development cycle, security aligns with the business."

I think that's a great point. What if security gets a first pass at something, identifies the low-hanging fruit, and then hands it off? If security teams can ease off a bit, maybe they'll actually find they make more progress.




Re: Perfect Vs. Good

Or what if we so operationalize security, that the developers can address the low-hanging fruit themselves? I want to be their locksmith. I don't want them to call me when they want the door locked, only when they want it fixed or replaced.

Re: Perfect Vs. Good

That sounds even better--assuming you've got the organizational maturity (and human maturity, i.e. 'I can't let them play with my toys!')

Come on ...

... admit it, the idea that someone could hack into and steal a Beemer is schadenfruedish. 

Standardization can help

The recent anouncements by Apple, Google and other internet companies that they are creating standard frameworks to control appliances can help to minimize the security burden on manufacturers.

Also Bosh-Siemens recently disclosed their Home Connect app, for their own line of appliances and open to other brands to use the protocol.

While apliance manufacturers are not experts in internet security they are hiring people who are and collaborating to minimize the risk.

Isn't Information Security everyone's responsibility?

Whilst interesting, didn't quite grasp why DevOps was considered a good insertion point for something that should come first and foremost, everyone in an organisation has a duty and InfoSec Pros should be enabling them to carry out that duty in a secure way.

Re: Isn't Information Security everyone's responsibility?

I agree that information security is a responsibility for everyone, but getting everyone to understand that is tough, no matter how much security training is conducted.

Re: Isn't Information Security everyone's responsibility?

I think that we often forget that the rest of the workforce does not sit in front of a computer all day.  

Does a truckdriver have any time or interest to read up on the company's latest IT security bulletin?  Probably not.  However, this person might use some sort of digital scanner to scan invoices or package deliveries.  

Should this individual read up on tech bulletins at home?  What are the chances that the dispacher will pay regular overtime so that the driver can go to the office and read up on the latest info?  Not likely.

Re: Isn't Information Security everyone's responsibility?

I'll try to play devils advocate here and think of what those who are not in the IT profession might say in objection:

People in creative fields might argue that security has to do with controls and restrictions which are a counterproductive way of thinking for artists or those in the entertainment field.  For those whose job it is to collaborate and come up with fresh ideas on a regular basis, it can be mind-numbingly frustrating to jump through hoops in the corporate network went tring to collaborate with others.  Meanwhile, dropbox makes it easy to share their ideas.

A writer might wake up at 4am with an idea that needs to be written down immediately.  What are the odds that this writer cares about finding a secure computer, with a secure connection to a secure network before writing down their idea?  Not likely.  It is more important to get the idea written down somewhere, even if its on an unauthorized personal mobile device, which may or may not be secure.

Re: Isn't Information Security everyone's responsibility?

Valid point @AbeG. Security should be more seamless so that it doesn't create a barrier to collaboration. Employees who handle corpoarte data, though, should have a sense of responsiblity to keep it secure.