A belated Happy New Year to everyone! I am not much for writing the “Top 5” or “Top 10” Big Things that happened in 2015, so you didn't hear much from me about last year. While I am a big fan of those who learn from history to avoid mistakes and bad choices in the future, I believe that the Top This and That in security was well covered.
Instead, I would like to write about the future. Let me begin by stating one thing immediately. I hate the term “Internet of Things”.
I realise that many of you may be thinking “Oh no! Here goes Gartner again making up a new phrase for something that is perfectly fine!”. But let me explain. The IoT was always a marketing term. It has existed for some time now, and the acronym has become accepted worldwide. However, it is not particularly descriptive. First, not all IoT devices are connected to the Internet. Many of them are also on private networks, performing their mission quite well and exhibiting all of the characteristics we expect from IoT devices. Second, many of them aren't even continuously or occasionally connected at all – they require either a local connection or a direct physical connection, but that makes them no less an IoT device. Third, strictly speaking they aren't “things” – a better term might be “devices” if you wanted to distinguish a sensor from a tree. But that isn't the primary reason I hate the term.
I believe that now that many of you have accepted and embraced the use of IoT devices in your respective organisations, other realisations have occurred. First, these devices are becoming pervasive. They are EVERYwhere, from beyond the solar system in the New Horizons spacecraft that swung by Pluto last year to inside our own bodies. They are saturating the physical world at a rate consistent with our desire to understand, measure and control that world, and have become a daily part of an increasing number of businesses and institutions. Second, almost every one of these devices is digital. Yes, there are examples of analog devices in industrial environments, but the vast majority of new IoT device implementations are digital devices, running some variant of software and performing some set of functions that measure or control themselves and/or affect the environments around them. They are continuously or occasionally connected to some network or to the Internet, and if they aren't, they can be accessed locally and physically when needed. Third, they represent a presence in the physical world that did not previously exist, or if it existed, it was there as part of an expensive, proprietary system delivering very specific functions for specific industries and businesses.
Therefore I would respectfully submit to you that we are leaving the early era of the Internet of Things and entering the era of the Pervasive Digital Presence (PDP). This isn't a new term (just as the Internet of Things isn't a new concept). But it takes on new meaning now when it describes the transformation of the world due to the pervasiveness of a digital presence to enable, extend and/or enhance the human experience. We have reached the point where the IoT has moved beyond targeted, proprietary and costly use in industries such as manufacturing and utilities (known as operational technology, or OT) to cheaper, standardised and ubiquitous use everywhere. For example, the age of the sensor has arrived, and the age of the actuator means that physical changes that once required special equipment or technology (such as devices to channel the flow of electricity or manage robots on assembly lines) are now provided to businesses and consumers in a routine and inexpensive way. Frankly, the age of Pervasive Digital Presence signals the era of cheap information acquisition and physical control of the environment and even the human.
I am a security analyst, so what do I say about securing Pervasive Digital Presence? In the same way that the IoT has never been about something new and unique, my answer won't be either. What I believe happens now is the following:
1- The time is up to adopt foundational security hygiene. Organisations can no longer ignore those basic techniques around prevention, detection and response that they may have put off due to costs because the expansion of digital presence in those organisations expands the access points for compromise opportunities. Many organisations have put off doing even the simplest security steps in the belief that threat actors won't find them attractive targets. But the targets of opportunity have become so rich that it will be too attractive for many to pass up;
2- The time is up to adopt secure development of applications as a standard practice. We continue to build applications with speed, convenience and user experience as primary drivers. In the world of Pervasive Digital Presence, most of the “users” (especially in business) will be other devices, not people. The role of machine-to-machine (M2M) communications will expand exponentially, and foundational secure application development and testing will become mandatory rather than optional. There is some good news here – many PDP devices will have limited function sets, so the “threat surface” of the application should and can be smaller. The not-so-good news is that the number of integration points between a device on the ‘edge’ of the business and the applications or services that support it may be greater on average than those today between, say, tablets and cloud applications, so securing integration points will become more important. But we've run out of time to embrace this as standard operating practice, as some major application development vendors already have;
3- The time is up to complete any integration required between IT security and OT security. OT is in my view generation zero of the IoT, or the IoT before it was “cool” to call it that. We have been engaged in a convergence, alignment and integration of IT and OT security practice for years now, but cultural challenges have made it a slow and painful process for some organisations. The time is up – Pervasive Digital Presence imperatives require us to be able to combine both our software and our engineering abilities to create a new way of securing the hybrid infrastructure and services that such integration has already created.
You may not like the idea of yet another term for the IoT, and I understand that. But I believe ultimately that the old term isn't expansive or expressive enough for the transition that is occurring in our technological society. The Pervasive Digital Presence is our next step, and we need to start preparing now.