Guest post by Ken Tola
There are many definitions in our lives that appear to be commonsense but are difficult to define when inspected a little bit closer. Self-consciousness is a great one, as is being successful. In the IT world, by far the hardest concept to define is “security.”
Security means safety. But what does that mean? Well, safety translates into protection, but protection from what? The answer lies in with the concerns of the person requiring security. For instance, running high-end encryption and next-generation network intrusion protection does little to help the person worrying about physical theft of their equipment.
Unfortunately, when things are difficult to define, people tend to regress to some common denominator that is more easily grasped. Success is therefore attributed to wealth, self-consciousness to being human, and security to encryption.
In all cases, the definition falls far short of the reality.
In modern systems, security is actually a multi-faceted effort that traverses the gamut, from physically protecting against theft to digital walls built to keep out unwanted intruders to protecting data in transit. There are massive verticals devoted to detecting malware, looking for internal hackers, tracking stolen property, and yet none of those are concerned with encryption. Users have to prove themselves (authentication) to systems through logins, smart cards and biometrics, and none of that is remotely related to encryption. Complex systems are used to manage access (authorization) to valuable resources, to keeping your personal data safe and to locking down critical infrastructure and, again, none of that has anything to do with encryption.
So why are security vendors – Internet of Things (IoT) in particular – so focused on leveraging encryption as a comprehensive security solution?
Within the IoT, the problem is exposed by the inherent complexity of this nascent industry. There are dozens of major approaches vying for dominance in the IoT solution space and there are a dizzying number of vendors specializing in an ever-expanding number of niches. This is not a critique of the IoT, as almost every new IT effort starts this way, and it will be some time before things settle down and IoT becomes mainstream.
From a security perspective, this chaotic industry appears impossible to truly protect and it is sufficiently complex that people fall back to a common denominator – encryption. People mistakenly convince themselves that encryption will protect their systems. This false sense of security persists despite the fact that almost every current IoT hack has come from a lack of proper authentication or authorization.
The reality is that security is too prevalent, too intrusive and much too visible. As a counterpoint, consider how communications work today. Despite the inherent complexity of the IoT, systems can still communicate, data is broken down into packets, sent across the wire and reconstructed on the other side. Nobody worries about connectivity because people long ago figured out that forcing humans to manually breakdown emails into packets of data and transmit those packets over the wire was not viable – so why are we being asked to secure those packets?
Modern security options are significantly limited because they exist in the wrong place. Many options have to be manually written into code which means that they are subject to the IoT protocol wars and subservient to the different niche verticals. Being trapped within these confines typically translates into an inability to cross over different modes of communication (WiFi, Bluetooth, OTA, RF). These limitations then spiral into a series of one-off solutions that only cover a specific segment of an overall IoT system. Thus people attempt to use options such as SSL/TLS for cloud communications, LAN-based encryption for local servers to controllers and, at most, communication mode-specific options such as ZigBee for controllers on down.
Ignore for a moment the massive overhead that prevents such efforts from succeeding and focus on the fact that these are disjointed options. Nothing is connected together and, at each stage, there is a security hole ready to be exploited. Now try imagining how somebody would ever manage such a system – at scale – with millions of devices, running innumerable different protocols over a plethora of niche verticals.
The concept is ludicrous in its insanity.
Security has to move down and transform from something companies, programmers and network engineers battle into a ubiquitous layer of protection that simply works. The complexity of the system should not impact the complexity of the security. Each side should be able to change and run independent of the other. By completely separating out security, options such as cross-mode protection and remote administration become realistic possibilities – even at the scale of the IoT.
At Phantom we are taking the first crucial step to this end. We have built a remote-controllable smart security layer that authenticates devices, authorizes communications and encrypts data and we accomplish this work in a way that is invisible to the host system. With Phantom, there are no more code modernization efforts, no more security intrusions for system and network engineers and no safety obstacles for companies deploying new systems. Phantom works at all levels of an IoT system and across all communication modes.
While we represent the first crucial step forward, security is anything but simple and more work needs to be done. Security has to become transparent and it needs to be more than just encrypting some data before sending it over the wire. Phantom is building the core infrastructure to this end but more work needs to be done to truly protect companies and people from the physical to the digital. Security, properly defined, is hard to do but that work has to become invisible to the people needing its protection in order to be at all viable in the exciting new world of the IoT.
Ken Tola is the CEO of Phantom, an IoT security startup. Follow him on Twitter