With so many questions to be answered on the future of security and IoT, I’m happy to see that, once again, it’s that special time of the year when the collective movers and shakers of the security world get together at RSA Conference in San Francisco. This year’s theme is “Connect to Protect” which is, I think, either a masterful clarion call for the industry as a whole, or perhaps the most ironic statement I’ve seen in a while. Possibly both.
So in the spirit of helping, or at least, cheering on the home team, here is my list of IoT wishes for this year’s RSA Conference.
Consensus on communications for the security of IoT data
There are a lot of options out there for communications, and the IoT is going to live or die on having convenient, secure, low cost, and low power communications options for all those devices. I’m especially thinking of the secure piece here.
I’d love to see some real consensus emerge on how we’re going to keep all that information secure, and what *good* security for IoT device communication is going to look like. It’s not as simple as mandating “encrypt everything”: many of these devices have very little compute, memory, and power to spend on cryptography, and provisioning and rotating keys across millions of unattended devices is harder than the encryption itself. We need to think clearly about the relevance and reasonableness of end-to-end encryption for IoT devices. Unrealistic standards will be as harmful as no standards, because they will be ignored or poorly implemented.
Some basic standards on device security
RSA Conference is the ideal place to start moving the discussion forward on device security. I’ve argued many times that device security is really a small part of the IoT problem, but that doesn’t mean we can ignore it. I’d love to see good progress made on offering up standards for security on the device itself, and for certifying how secure a device is.
These “things” are going to be everywhere, including in our homes, cars, aircraft, and bodies, and now would be a pretty good time to lay the groundwork for agreeing which ones are safe to use, or at least safer than the rest of the flood of IoT devices that will be hitting the market soon. And safety doesn’t start and stop with which devices are physically okay to use; when we talk about safety, we must also talk about privacy.
The privacy of the data gathered by IoT devices is a topic that comes up so often because, simply put, it’s so important. There will be, to put it mildly, an enormous amount of data gathered from numerous devices – devices smart enough to recognize our voices, the way we walk, even the smell of our bodies.
We have a couple of choices here as an industry. Either we get real about what privacy means, what’s sensible, and what’s reasonable, or someone else will do it for us. There are plenty of government bodies with long histories of reacting poorly to technology trends, so I’d rather not wait until our collective governments swoop in to save the day and enact who knows what kind of legislation. Bringing together the right people with the right approach, and driving the discussion, has to start with us if we want to own it and keep it on the rails, so let’s get started, shall we?
The security industry has decades of experience building the tools to keep information secure and safe. And, generally, we’ve done a poor job at building the tools to stay ahead of the latest and greatest threat, either because we’ve built great tools that were used poorly, or we’ve simply been building answers to problems people really don’t face. Nevertheless, we have an opportunity to help a great many organizations who are going to be building smart devices for the first time.
Let’s be realistic about the tools they will need, and let’s get moving on helping them to use those tools to keep the devices secure, and the data safe. If we don’t, who will?
No IoT washing
This is probably a forlorn hope, but can we not repeat the sometimes shameful marketing we saw around cloud, when every booth had a picture of a cloud on it, and every piece of software or hardware had the word “cloud” shoehorned (or occasionally crowbarred) into the product description?
Not every tool out there will be applicable to IoT, so can we avoid the temptation to further confuse the world in general about what IoT means, and stop pretending that every possible widget has an IoT use case that we just have to tell the world about?
Probably a lot to ask, I know, but RSA Conference can produce some surprises, and there are a lot of very smart people in one building at the same time, so you never know, right?
Realistically, if we’re to avoid the heavy hand of government, and yet maintain the trust of customers and users, we’re going to need to pull together as a team to build the security the IoT must rely on for the future.
So, I guess in the end the theme of this year’s RSA Conference is a good one after all. Sure, the devices will be connected anyway, and sure, that’s not necessarily a good thing for security, but if we can bring together the best and brightest soon enough, maybe this won’t be a re-run of the security failures of the past twenty-plus years.
See you there, hopeful as ever.