The sorry state of IoT security (part two)

Hadi Nahari is the Vice President of Security and CTO at Brocade Systems. He also has been actively appearing on the convention trail trying to get the industry to sit up and take notice of the latest security issues, and how the Internet of Things (IoT) is making things even worse. This is the second part of a two-part series.

ReadWrite: We had a great interview couple of weeks ago that came out of the Structure Conference talking about the difference between data in motion and data at rest and that the complexity has two axes. It’s latency versus processing power, and where you drop that cognitive processing. Do you put it on the edge, do you put it on the device, do you break it down and all of that has security implications.

HN : Yeah, the common paradigm of networking is should we do things ahead of time and then go in and focus on data that they have in motion. I think that many of these, and I’m not implying that they’re bad or outdated or ineffective, many of these are old paradigms which were good constructs. They were good tools to think frameworks to reason about a problem in the old days. But because of  the scale of our systems and also because of the amount of data that is generated. We have to really shift our paradigm of thinking about the problem not just focusing on the solution.

Hadi Nahari, VP, Security for Brocade

Hadi Nahari

What I’m trying to get across is those are good tools for a constrained set of problems. This is the way we thought about security: you define the assets, you define the processing points, you define the flow and data, you identify what’s at risk, what’s in motion. And then you make an assumption as to the security the demands are based on, governed by whether something is at risk or in motion. You go ahead and provide tools and guidelines and you put in place a certification and validation scheme, and then you can reason if something is secure or something is breached or not.

What used to work doesn’t work anymore

Those worked for a long time, and ironically I’m more surprised that they worked for that long but the point is it’s less surprising that it is broke and more surprising that I’ve worked for such a long time. I think IoT is one use case where the cracking is showing a lot better, its sheer complexity that we have. Now, I’m going back to the actual data where it makes sense and which part is the processing point. Realistically, the boundaries were not really real, the boundaries of whether it makes better sense to process something in the endpoint or backend for security reasons or such. 

Things that used to be an endpoint or a backend are themselves also shifting. In addition to the amount of data, in addition to the  amount of storage, that’s in addition to the complexity of us being able to process this data and that’s in addition to what are the security ramifications of this.

For instance, being able to perform predictive additional analytics so that your system learns what  word you’re going to type in a text would have required your key punches going back to Google, and Google’s big machine learning brain processing to learn about it and then pushing to your Android phone in your hand. So it would require a lot of network interaction because the computing power required for doing things like that would be really huge. Right now, not all of it is happening on your phone, but on your phone in your hand, you already have a system that has the basics of doing these things in a very small scale or at least do part of it with computing power which is becoming every day more and more powerful, so its capabilities are more and more local.

We are kind of free falling in a world with multi-dimensional things changing and we’re trying to kind of simplify it by some of the rules that we know from the past that worked when we were just walking in a two-dimensional world but right now we’re in a 20 dimensional world and we just understand the two-dimensional world and no wonder we’re kind of confused a little, like chickens running with our hairs on fire. Whoever doesn’t realize just how dire our security situation is, is really not understanding how our security or the lack thereof is. 

At the RSA Conference this year, Nahari asked is IoT will overwhelm security

At the RSA Conference this year, Nahari asked is IoT will overwhelm security

 

RW: let me ask you this a different way, what are you looking forward to, what looks like really cool or promising in all this doom. What are you really excited about in this going forward?

HN: I do think right now we’re in such a shitty situation in the security field. There are some who are already hoping that they could just have a back door and apply their old little world techniques into prying into data and solve the security problem and solve a crime. And the only thing distracting them is encryption and if only if they could just open it and have a back door life would be good, everything would be solved and everything would be back to good old days.  I mean that just on its own really sad.

I think if we stick with our two-dimensional world approach to a hundred dimensional world of reality and problem, it’s already just doomed. I mean, we got much more security companies than you had five years ago, and at the same time, you have much more successful breaches and incidents and attacks and data losses than five years ago. What does that tell you?

Shit’s not working so we have to stop thinking the same way\ when the world has changed and to their credit hackers are much more advanced, much more adaptable and much more structured, which is an amazing thing on its own. It’s a not completely a 100% organized system but they behave as if they’re completely coordinated and organized. They are not but it’s a wonderful case of studying how processes work in the hacker world. It’s driven by hyper-parameters and the security community is not. They are very much organized and centralized than  the “disciplined” world of security, things are not as organized and as efficient as the hackers.

So do I think everything is broken if we stick with the currently accepted framework? But I really think that we have an opportunity here and I see some small corners of action that are showing people are trying to look at the problem differently. They are not just thinking about different solutions. They’re trying to kind of identify and  parametrize and measure and size and define the problem differently and that to me is exciting in terms of thinking that it is  in terms of technology,

So I think this is going to take a couple of years but that whole new mentality is coming up  and coming from entities that are not well known in the security world. The security world has got a lot of well-established companies that are the epitome of innovators dilemma, they are so slow and so solid in thinking the same way over and over and over because there’s a lot of money because they don’t see that they’re losing their technology battle because they’re not losing money. The new entrants are really showing progress, so I’m positive that this is going to turn the tides. Right now we’re not there but I’m starting to see the signs.

Facebook Comments