Operationalizing Trust for IoT
“If digital transformation is the rocket ship, trust has to be the fuel for that rocket ship” Zulfikar Ramzan, CTO, RSA Security.
This year, RSA was the busiest for us, packed with meetings, presentations and interactions. As expected, there is a lot of focus on Enterprise and Cloud security, with some coverage for IoT security. The conference is filled with prominent vendors demonstrating product enhancements for network, endpoint, server, data, cloud and container security. Many of the new startups are showing security products for cloud, containers and automation. The application of AI to optimizing detection, response and remediation is evident.
It was promising to see several vendors exhibiting improved products in Identity and Access Management (IAM) and data security, a segment that is the core foundation of security for protecting critical resources. While these vendors are adding more advanced features such as adaptive authentication and integration with other products, they still lack the innovation to prevent security breaches. One thing that caught my attention this year at RSA is the concept of Zero Trust, a model that I have been tracking ever since Forrester introduced it in 2010. While there is a lot of buzz, I feel it is misunderstood or misused by many, even the vendors that are showing products for this concept.
Zero Trust is about “never trust, always verify”; it is another add-on, afterthought IT security model that some claim offers “enterprise security by design”. At its core it is about granting access with more assurance, and it calls for additional investment to implement; it is not a true defense in depth that protects the actual resource. This model doesn’t offer much for IoT Security because of the device characteristics, scale, use cases and complexity. There are a few IoT Security vendors showing products that use network-centric models for IoT device discovery, classification, network access control, etc., but these completely lack the data security features that are critical to IoT use cases.
Threatpost have published an interview at RSA which focuses on IoT security flaws.
At Device Authority we promote Device and Data Trust with a redefined security model for IoT. Safety and economic requirements, along with government regulations, are calling for a new resource-focused, defense-in-depth security model, aka Security by Design. It will complement the Zero Trust model that vendors mention at RSA, providing the assurance to protect against and prevent security breaches for IoT devices, data and applications.
We interacted with several security/trust vendors at RSA 2019 that are exhibiting Hardware Security Modules (HSMs), Data Security Platforms and Certificate Authorities (CAs), as we believe they are the foundation for the IoT Security model outlined below.
For more details on all four steps above, please download our Enterprise IoT Security Blueprint.
We showed the same at the recent Embedded World conference in Nuremberg, Germany, where we interacted with silicon, manufacturing, and technology vendors. It is clear that the concept of Security by Design is at last becoming a reality because of the IoT market drivers. As was evident at Embedded World, there is progress on steps 1 and 2, which become the pillars for delivering Device and Data Trust in steps 3 and 4. As outlined above, operationalizing Trust at scale is clearly a big step that not only helps IoT adoption but also redefines the Cybersecurity model to protect devices, applications, and data and prevent security breaches.
Please read last week's Chip to Cloud Security blog for steps 1 and 2 here.
Contact us today to discuss your requirements.