The Internet of Things – A Security Game Changer

Imagine being able to turn the oven on 20 minutes before you get home so it’s ready to start cooking… or taking a quick remote peek into your fridge/cupboards/bread bin to see if you need anything at the supermarket … or re-programming your air conditioning / heating while you’re on Holiday.

All of the above is simple, and already possible, just go here for a bunch of others; http://postscapes.com/internet-of-things-examples/. Some are incredibly far reaching, not to mention awe inspiring.

Along with the exponential increase in convenience, efficiency, and entertainment, is an equal increase in the cost to your privacy, security, and in some cases, your actual well-being. For example, this site http://www.vitality.net/glowcaps.html is about reminding you to take medications. What happens if you start to rely on this with your critical meds and someone ‘hacks’ it?

This blog is in no way a criticism or a doomsday prediction of the trend. I love this stuff and cannot wait until every aspect of my life is a blink, gesture, or eventually a thought away. However, whereas previously our lack of knowledge in basic self-defence principles related to the Internet could have caused embarrassment or the loss of a few quid, the Internet of Things could, quite literally, put your life in danger.

If YOU let it.

As a previous article If You Want More Privacy, Stay Off the Internet stated, the conveniences you crave have a price, and the price is only going to go up the more you expect from it. The Internet is like gambling, only bet what you can afford to lose.

It’s not about the RIGHT to privacy, we all have that as a basic Human Right, it’s that you cannot EXPECT privacy given the inherent insecurity of the medium, the criminal element, and good old fashioned stupidity.

You are not owed security, or perfection, so the due diligence is entirely yours, as is the ongoing maintenance and security monitoring of your new functionality. The things you will be able to do will be unbelievably tempting, but keep these points in mind:

  1. Start Small – don’t sign up for every new thing when it becomes available, you will never be able to track them all, let alone secure them.
  2. Keep it Simple – automated notification of the need for milk is harmless, automating insulin doses is not.
  3. Rely on Nothing – especially when your physical well-being is concerned. Always, ALWAYS have a back-up if your primary mechanism fails.
  4. Minimise the Impact – expose only what you don’t mind losing. Insure everything, especially your finances.
  5. Take Responsibility – blame yourself if things go wrong, don’t waste your time pointing fingers at others. This was YOUR choice, live with it.

Like everything that’s coming in the future, innovation has benefits matched equally by the downside. ‘Government’ will do its best to protect us through laws and regulations, but they will fail to keep up with OUR demand for functionality. Security experts will do their best to protect us, but they too will fail to keep up with the competitive rush to fulfil OUR demand.

Enjoy it, just be careful.

Personally I’m going to be interested in what ‘butt-dialing’ will look like in the next decade. You’ll probably come home to find your vacuum cleaner ordering pizza and watching porn.

Internet of THings

Vendor Due Diligencce

Vendor Due Diligence: Assessing Cloud / Service Providers

There is a lot of confusion about how to treat Cloud providers from a vendor due diligence, or compliance assessment perspective.  I’m not sure why, they are just another service provider. The Cloud, in and of itself, adds nothing.

My thoughts on The Cloud are not a secret; Don’t Get Me Started On ‘The Cloud’, but it needn’t be all negative.

So you have – or you want to – outsource/d some aspect of your business function, usually an ancillary part, unless your business is almost entirely white labeled (like in e-commerce for example), and must therefore ensure that the service provider treats your data and/or systems the same way (or better) than you do.

In theory, the only reason you would not be able to measure your service/cloud provider against a defined standard, is if you don’t have one.  You have one, right?  That, by itself, precludes your compliance with ANY standard or accepted good practice.

All too often the real issue is that organisations are trying to outsource their problems (PCI compliance for example), and not focusing on their business needs in general.  While you can outsource almost every business function you can never outsource responsibility.  You can even outsource some of the liability (cyber-insurance for example), but it’s your name that will be dragged through the mud if things go wrong.

It bears repeating; You can NEVER outsource, or in any way deflect, the responsibility for the protection of the data you control.

The way to look at this is to see all 3rd parties / vendors as just a different department of your organisation.  You should have THAT kind of control, and it’s up to you to ensure that they are meeting their commitments.  Service Levels Agreements (SLAs) are a difficult concept, especially for Cloud providers, but that should not your problem, it’s should be theirs.

Here’s a lengthy but good article from IBM on SLAs; Best Practices to Develop SLAs for Cloud Computing

They may have just chosen to jump on the cloud bandwagon, and see this as a way to multiply their client base using the same, or retro-fitted, infrastructure (you need built for purpose).  Calling it a cloud service is, in this case, another phrase for smoke and mirrors.  However, there are some excellent cloud/service providers out there, and you will know them by the way in which they answer, or in some cases entirely pre-empt, your concerns.  They will:

  1. come to you with detail about how they will manage your systems / apps etc, and this will almost certainly support your policies or compliance. Ideally the services will be independently certified as compliant (against PCI for example, and if relevant).
  2. have no problem incorporating your policies or regulatory reporting needs into their service.  They may already exceed yours in this respect if they follow the concept of go-with-what’s-hardest-and-everything-else-is-covered.
  3. have various levels of SLA already defined from which to choose.  Be VERY wary of any cloud / service provider who has no pre-defined SLAs.
  4. have a seamless way for you to measure them against the SLAs.  The old misquoted cliche; You can’t manage what you can’t measure, while irritating, is completely appropriate here.
  5. be able to assist, or train you, to find everything you need during a compliance assessment.  YOU must be able to answer your auditors/assessors questions, you can’t just point at your vendor.

If you don’t have a vendor due diligence program, you need to get one.  If you don’t have a set of defined policies and business need SLAs, get them.  And if you don’t know how to go about any of this, ask someone who does!

Just like in Top 10 Roadblocks to PCI Compliance, not knowing how to do something is not an excuse, there are quite literally hundred of experts who can help you.

Find one.

[If you liked this article, please share! Want more like it, subscribe!]

No Cloud

Don’t Get Me Started On ‘The Cloud’

With the exception of the iPhone ‘S’ versions;, The Cloud is perhaps the most irritating concept of the last decade.  It is the definitive re-branding of an existing service in order to drive new business in an era of doubt and uncertainty.

Security issues have become far more mainstream over the last few years, and lawmakers in every country are struggling to keep up with the demands for better protection of personal data.  So what we have now are hundreds of companies providing cybersecurity services ‘In the Cloud’. As though this is something new, and a must have for all organisations.

Breaking it down into its simplest terms, services in the cloud are services provided over the Internet.  Haven’t we had this for quite literally decades?  Why is the service to manage your firewalls suddenly a Cloud service, what’s wrong with simply calling it a MSS?

There are really only two valid ‘Cloud’ services;

1. Access to applications or resources you don’t have, and;

2. Distribution of functionality.

Everything else you do ‘In the Cloud’ is simply outsourcing, which is a perfectly valid, and often the best option.

Like everything else in security, never buy anything based on either a perceived need, what is the latest-and-greatest, and especially not a compelling sales pitch.  All capital expenditure, and moves toward outsourcing start with a business need, not external influences. This  includes compliance to regulatory standards.

You don’t need Cloud per se, you need a business process made cheaper, more efficient, or more competitive. HOW you get that done MAY include Cloud-esque services, but that will be determined by your Risk Assessment. Not by your CEO who read an article on his/her way to work, and certainly not by the fear of not having the latest toy.

Cloud services also add a layer of complexity that will generally be missing from most bespoke managed services; shared resources across multiple clients.  Who has access to your data?  How is your data kept separate from everyone else’s?  Because Cloud is a relatively new phenomena, SLAs and contract language has yet to catch up, so vendor due diligence takes on additional import.

In terms of providing a platform expertise that you don’t posses, or an operational resilience you simply can’t afford, Cloud may be an option. That said, you have best be sure your ‘Cloud’ provider has designed their service from the ground up, and not adjusted their marketing material. The latter, sadly, is by far the most prevalent.

Bottom line; do your homework, and run your needs by a security expert before taking the plunge.