David Mount - A smarter, More Secure Internet of Things?

So next week I will turn back to operate it. OT discussions, internet of things. Please welcome David mound from net IQ. Good morning. Good morning. What's your role at net IQ? So I head up some solutions consulting across MEF for identity, access and Security. Okay. Very good. So here's the presenter.

Thank you, yours. Thank you very much. So good morning when I was growing up, my parents used to say to me, Dave, don't live your life by what ifs, but you know, what, if there were no more traffic jams, what if we didn't have to maintain things that weren't broken and the world? What if the world used energy in a, in a far more efficient way?

So, you know, welcome to the internet of things, right? A, a world of hyper connectivity where everything, and everyone is connected and we are surrounded by sensors that are collecting massive amounts of information and sharing that information with the sole goal of really kind of making our lives easier and making us as individuals more efficient. And so how, you know, how did we get to where we are today? How did we see this kind of quantum leap in terms of connectivity?

Well, there's, there's a number of reasons for that. It's the massive sort of reduction in cost of things like the sensors of the cost of bandwidth, of sharing the information, the cost of processing of that information. It's the ubiquity of smartphones. It's the ubiquity of fast connectivity, wifi, fourth generation networks, and so forth. And then IP version six, you know, we, we now have enough IP addresses to assign one to every atom on the earth for this earth and for many, many earths over and also big data.

We now have the technology and the capability to kind of process this massive volume and massive variety of data to help us kind of make sense of it. And with the internet of things, there are really two critical components. There are the things themselves, there are the sensors that are collecting that data and there are the people behind the things, and it's the people whose privacy that we need to protect. But doing that whilst we are still enabling the sharing of data between the individuals, the things and the systems that really kind of drives the efficiency that people are looking for.

So let's take a look at some examples, right? So Hamburg, right, turning themselves into a smart city. And when you talk about the internet of things, you're gonna get sick of hearing the word smart, right? Because smart, you know, it's the code word for, for internet of things, but, you know, Hamburg, they're turning themselves into a, a smart city.

They have, they have sensors in the roads around the ports, so they can enable kind of much more efficient movement of, of traffic around the ports. They are able to control the bridges to ma to sort of maximize the shipping traffic, but also the road traffic as well to avoid delays and things like parking. You know, the parking spots look for the people rather than the people looking for the parking spots.

And in terms of medicine, you know, we've got medical devices that are implantable, that are ingestible, that are kind of sharing this information around, enabling us to make better diagnosis, make better decisions around drug doses and things like this and sharing this information. And I've got a very good friend of our family. She was diagnosed with type one diabetes a few years ago, and she's 13 and she has this device. Now that's implanted in her that Bluetooths to a separate device and monitoring her blood sugar levels and giving her guidance around insulin and, and things like this.

So whilst we have all these benefits to the internet of things, there's, there's also a dark side to it, right. So, you know, how can I control the data that is being collected? Who's storing that data, who's storing that information and, and what are they doing with it?

So, you know, you would've seen fairly recently Samsung sort of announced that you've gotta be really careful about what you say in front of a Samsung smart TV, right? Because it's potentially collecting the information, sending that off to a third party, to, for voice recognition for commands and so forth that way.

So, you know, who's storing that information. How's that being used. You've got this guy here in, in the Nottingham, hackspace in the UK and he rigged up a vending machine that tweet shames people when they buy snacks. So what he's able to do is kind of marry the snack choice that is made with the identity of the individual that is purchasing it. So if he can do that, you know, what else can be done with that sort of identity information, right?

You, you may be familiar with the Fitbit, right? These fitness and activity tracking bands. So the Florida international university, they, they wrote a paper that they'd been able to, to reverse engineer the Fitbit and identify a number of vulnerabilities. And what they did was they created a suite of tools called fit bite. And what fit bite is able to do is, is able to read and modify data on the Fitbit tracking band within a radius of 15 feet.

Now, if you think about the data that's contained on that device. So things like my username, my location, my height, my weight, my fitness data.

Now, some people might consider that information or some of that information to be fairly benign, but people need to realize that having access to that sort of information opens you up to some very, very targeted social engineering that enables individuals to try and get at the data that they really want to get at. And, and whilst some of these ideas, you may sort of think, well, they're not necessarily too serious. You've now got the situations where kind of scatter control systems are being connected to the publicly addressable internet.

And we have this example of a German steel mill that was attacked, and the attack has prevented the furnace from being shut down in a, in a normal way. And so you have situations where the attacks, the impact of the attacks can be instant and can be devastating. So we need this, we need to have the, the control and Pricewater test Coopers they did in their state of the state of cyber crime survey. They sort of announced, you know, the internet of things is having this massive impact.

And we are seeing sort of a whole new world of threats that is being introduced and the EU, they did some further research, but they make a point that, well, actually the, the threats that exist are not new what's happened is the sheer scale of the internet of things just amplifies the vulnerabilities and the threats that we already know. And we already understand related to internet connected devices.

So, you know, how do we manage the risks, right? So we need to focus on the identity. The identity is the one thing that we have under our control. And it's the one thing that enables us to balance the needs of the user with the needs of the risk professional. And we know that a lot of the risks, a lot of the threats that exist around the internet of things, they're not new. So we know that we've already got too many users with too much access in our environment.

And when we bring that into the internet of things, well, we have too many devices with too much access, and we've just got this massive kind of explosion in the attack surface that has been created through the internet of things. And one thing we can't do is leave it to the manufacturers of the devices to plan, to address some of these problems. You know, they're very, very focused on making these devices very easy to use, easy to connect and easy to interchange data. And some might say they do that at the expense of security.

So, you know, we can't stop the attacks from occurring. And we have to accept that at some point we are gonna see attackers in our environments. So what we have to do is work to mitigate the damage. So how do we do that?

Well, from an identity and an access perspective, we need to focus on the basics. We need to minimize the rights of the individuals. We need to make sure that the access rights that an individual has, the device has the thing has, is appropriate. And then we need to enforce the access controls. And we need to monitor user activity. We need to make sure that the activity that it is occurring is appropriate for that particular device, that it's normal, but how do we understand if activity is appropriate?

And, you know, the answer is not more data. We already have too many tools that are generating too much data to enable us to, to make sense of it. And if you look at some of the recent breaches that would've been in the press over the last sort of 18 months or so things like target, for example, you know, the, the signs were there for those attacks. It was just very difficult to really understand and pinpoint what was happening within the sheer volume of, of data that existed.

So, you know, simply put, there is too much noise and not enough insight. And so security needs context. And if you take a look at sort of identity and security, these two things are no longer separate silos and separate domains within an organization, you know, identity needs security and security needs identity. So what we need is this context, we need to understand the identity. We need to understand the, who we need to understand, you know, is this individual who they say they are, you know, what access have they got? What are their entitlements and how are they using those entitlements?

And is that use normal for that individual, for that type of individual within our organization? Cause it's, that, that helps us really kind of understand, you know, is this normal user access, or is this an individual who's being compromised or is there an attack in, in progress?

So, you know, the key to delivering the context is identity. And as we, you know, as we build this kind of environment and build this new world of hyper connectivity, you know, we must adopt this kind of identity centric thinking if we want to have any control over this world that we are building. And so with this kind of internet of everything, we need to have a parallel kind of identity of everything.

If we want to have this manageability, and we need that identity of everything, because if what we need to be able to do is ascribe behavior to the things we need to be able to track that behavior. And we need to understand and identify when that behavior is normal or abnormal.

So, you know, the identity of everything, you know, allows us to kind of assign these attributes. So we can really start to understand who or what the connected item or person is.

You know, what permissions and entitlements do they have, what are they doing with those entitlements who granted the permissions in the first place? And we can then start to determine how other people and other devices can interact with us. And this is gonna become pretty complex, right? It's gonna be very hierarchical and it's gonna be very matrixed.

And, you know, a classic example, you know, the Google nest, right? It's the home automation hub there, it's collecting data from other appliances and sensors around the home and it's sharing some of that information, but there's a homeowner that sits behind it and there's a homeowner identity. And that homeowner identity is who Google wants to market to, right. And that owner and that identity has other relationships with other, in individuals and other things that, that they're using. So it's a very kind of complex and matrix kind of environment.

So in terms of net IQ, what are we doing is, is kind of working to build that environment across identity, access, and security, doing a lot of work with Cisco around the identity services engine and making sure that kind of these, these networks that are being built moving forward are very much sort of self defending and so forth because this is gonna be absolutely necessary. When you think about, we might have two or three devices today, it's not gonna be too long before we have 20 or 30 devices each that want to connect and one to start sharing data and start sharing information.

So in terms of actions for today, what do we need to do? Well, we need to understand the identity stores that we already have in place. And then we want to examine, well, how do we use identity information in our organizations today? We want to look for ways that we can identi we can integrate identity context in what we do so we can start to understand behavior, and we can start to understand the senses and the things and how they're going to interact moving forward.

And we need to start to build a framework that can handle much more sophisticated and aggregate identity information, and importantly, a framework that can scale, because we are talking about many, many millions of, of identities that are gonna impact organizations that are not necessarily expecting that sheer scale of identity information. And then we need to work towards that kind of extensible identity framework. That's gonna encompass the people, the products, the devices, and the services that work together around internet of things. So thank you very much. That's me.

And any questions we're, we're based outside, happy to discuss further. So thank you very much. Thank you so much, David. I'm not sure whether I'm totally following your idea of everything need to be identity centric. Let me give an example. Okay. And maybe you can reply and see sure. Give your views a car. So you have, I dunno, I think 2000 identities in the car, something like that in an S class, Mercedes, how would you address that?

So I think we have to kind of, you know, is, is building those relationships and understanding the, the identities themselves, the relationships they have and what control we need to have over those identities. And, you know, you're absolutely right.

It's, it's massively complex. And do we, we have a, a grasp on the challenge in total yet?

No, absolutely. And it's something that's evolving, but we've gotta set up the framework to allow us to kind of understand as those identities involve, how are we gonna want to manage those moving forward and control the relationships between them? Okay. Thank you very much. Thank you.

Thank you, David. Thank you. Thank you again.