The sorry state of IoT security (part one)

Hadi Nahari is the Vice President of Security and CTO at Brocade Systems. He has also been active on the convention trail, trying to get the industry to sit up and take notice of the latest security issues and of how the Internet of Things (IoT) is making things even worse.

We sat down with Hadi for a far-ranging interview on the state of security in technology today. This is the first part of a two-part series.

Hadi Nahari: I’ve been doing security for a quarter century and I tell you, like seven years ago, I had to justify to people why I exist, why I’m alive and what purpose do I serve in the world. It was just that in the security view of the world, you kind of started your profession by accepting that things are broken. And it’s difficult to describe to people why things are broken and there was always the same kind of tools that people had, project managers had, managers had to kind of diss you that everything is theoretical and at the moment was okay.

So theoretically it could be done, but really show me the loss that we had. So we would go and try to assess data that didn’t exist or if it existed, it wasn’t accessible. Right now, and I hesitate to say things to the hackers, but in a way, it’s ironically thanks to the hackers that I don’t need to go ahead and sweat that much. The problem has shifted and so okay, what can you do about it.

Hadi Nahari, VP, Security for Brocade


Now all of a sudden the same people have realized all of those trends are materializing and it’s not to say that yeah, it’s time to go back and tell them I told you, but the problem has shifted right now as to everyone wants a solution like now. And that’s a difficult problem for things that require monumental change so that’s one of the trends that is currently in this decade.

ReadWrite: And then you multiply that with IoT in the connected world where security is not just dependent on you, it’s dependent on your partners as well.

HN: Let’s say it’s an anchor, and this link is dropping one by one into the ocean from this ship and we’re all sinking together, and the ones who are on the ship are really happy that they haven’t dropped. And then you show them, look at that chain, it’s connected to your ankle and you’re going to drop in the water too. It’s a very rude awakening if you will.

RW: Well, it’s like you do everything in terms of data and security hygiene and then your kid brings home the Wi-Fi Barbie and just blows the whole thing to pieces.

HN: Yes, so one of the fun parts of being in security in a kind of ironic way, is that it is dynamic and things like those happen. But I really believe the fundamental nature of data and security are going to change in this world and no one else has got their arms around that yet. And there’s a great deal of focus on the marketing and solutions and business part, which is fine, I mean it’s okay to make money and solve a real problem, I cannot be against that.

There’s a lot of focus on unfortunately snake oil security, things that are not really security but kind of take advantage of the security fear. There’s a lot of focus on encryption, and things like that and really, it’s very confusing if one doesn’t know how to wrap their head around it. It gets very confusing so that’s my motivation to want to work with folks like yourselves who are trying to invest in this need and be able to provide something in the midst of all this confusion, and provide something tangible and useable to people.

At this year's RSA Conference, Nahari discussed IoT and security


IoT not registering with security professionals

RW: What do you think is the biggest thing that is not getting through successfully right now?

HN: It’s difficult to pick one thing but the real concern that I have is the general public, sometimes even the technologists, think it’s just passing through them and they don’t see the immensity of this scale and complexity, to the rate that is becoming very, very difficult to even reason about. Meaning, we all on average know gosh, someone said I don’t know the source but on average we all may come across 300 people in our lifetime and we know roughly like a hundred people in our lifetime. We come across a very limited number of people but those smaller numbers of people are actually able to affect our opinion and our decisions.

The point here is, the same thing applies to our perception of the technology and our perception of some of the things such as security or lack thereof around us. We all have a very limited kind of sample to make our conclusion on decisions when it comes to security, when it comes to complexity, when it comes to technology around us. What concerns me is when you try to provide reason, data, justification, logic to people to say look, this is really a serious issue. People based on their limited exposure, limited approach have found ways to kind of justify, numb themselves and that’s coming from technologists. That is concerning, some of those people see it as job security but I’m concerned.

When I tell them that the systems are already past the level that you could reason about them, let alone secure them, they say oh that’s theoretical. Oh, that’s nothing, you’re just bloating it because it is your field and you’re paranoid. We’re going to figure it out they say, and I think the immensity of the problem and the scale of the problem is passing the stage where we could really do something about it. I think it’s concerning.
