Senthil Ramakrishnan, lead member of technical staff in AT&T’s Internet of Things organization, business.att.com, joined Peggy Smedley to talk about how companies can create an approach for edge-to-edge security as part of their digital transformation. He also shares some key tips to help companies avoid costly mistakes when considering IoT (Internet of Things) security. There’s often little or no consideration given to how legacy applications will be managed as we move to the cloud. He addresses if we need to change our thinking—and if so, how cybersecurity comes into play in this area.
To hear this interview on The Peggy Smedley Show in its entirety, log onto www.peggysmedleyshow.com, and select 10/23/18 from the archives.
Peggy Smedley:
Let’s start talking about how companies can actually talk about edge-to-edge because I think that’s a great way to talk about security—how they can create an approach for edge-to-edge security as part of their digital transformation. Because I think when we talk about security, everybody kind of gets lost in a lot of different areas and I think when we talk right now, there’s so much happening when we talk about digital transformation to the cloud and the edge, but I think that’s a perfect place to start this morning.
Senthil Ramakrishnan:
Absolutely, Peggy. That’s very true. So, you know the way we approach it here at AT&T is by defining a multi-layered security strategy, a framework almost. We’ve taken the IoT ecosystem itself and then broken it down into different layers that we can manage and secure. We’ll talk about each of the layers but essentially the strategy behind this is that we take each layer, independently, secure it, but then also allow some collaborated security between these layers, so that when you stack all the layers together you get an end-to-end secure system.
What we’ve done is essentially four layers: the first layer being the end point of the IoT device itself that is actually collecting the data, the second layer is the connectivity layer, or the network that is caching the data that the devices have collected, and the third layer is the application layer where the data is stored and processed.
These three layers essentially make up any IoT system, like the device, the network, and the backend. Being able to secure each one of these independently, for example on the device side, how you identify each device uniquely and how do you authenticate it back into the backend, that’s critical. So we’ve got some solutions around using the SIM card not only to authenticate back into your network resource, but also back into the AWS application, for example.
The next layer, the connectivity layer, which is very important mainly because your IoT devices are not going to be very easily accessible, they’re all over the globe possibly for larger companies, spread out across cities if it’s a smart cities-type deployment. So, connectivity becomes very important and providing secure connectivity. Now that’s AT&T’s bread and butter, but that becomes a very integral part of your end-to-end security architecture.
Finally, the data application layer, which is sitting most likely in the cloud, as we can talk about further, but most likely in the cloud, that needs to be secure, too, because that is the central location where all your devices and all your IoT solutions are pushing data to, that’s where the actual value of your IoT solution lies, so securing that becomes key.
Finally, we can take all of these three layers and graph it with something like a threat protection or threat protection solution, with which you can add some collaborated security between the layers, combining all these together to provide that end-to-end security.
We recently acquired AlienVault on the IoT side. I’m excited because we’re taking their existing, very strong security threat protection platform, and pivoting that, or adding the IoT use cases to it so that we can quickly launch that in the IoT space as well. So, taking this approach, I think, is very critical for any digital transformation for any enterprise of any size. They really have to understand the IoT architecture.
Smedley:
Let’s talk about that because you talked about where AT&T’s bread and butter is, you talked about the cloud being a central location, then you talk about threat detection with AlienVault, so there’s some really critical points that you touched on. We have a lot of C-level executives and you even have it in your own AT&T report, that we get a lot of them that don’t understand what they need to share and so I think a lot of companies make costly mistakes when they consider IoT security.
Can you give us some key tips that companies need to do when looking to help companies avoid those mistakes right away, so that they look at the right things first and then implement a good IoT security strategy?
Ramakrishnan:
I think the first thing is understanding what IoT is. It begins like you said, you hit the nail on the head, the big impact is at C-level. Those at that leadership level need to understand that there are some differences between IoT and IT. Or I should say many differences between IoT and IT.
That has to propagate down, all the way down to the working level. So the primary mistake that many of our enterprise customers make is that they start deploying IoT without really understanding the difference.
So usually what happens is the C-level executives get together, they say, “Alright we got to do this.” Let’s just take for example a smart building deployment. They pull in their existing IT team and they say, “Hey, go turn out a smart building solution.” So that IT will use its existing skill sets with people, and use the existing tools to go out and build their IoT solution.
But, the mistake they’ve made is that they have not really included the new challenges, the new security challenges that IoT brings about. For example, we can talk about the three layers. If you start at the devises, the devices are not standard at all, but the building solution might have a thermostat that is very low powered, but it might have a camera that is much higher powered. But how do you manage both of these with a set of existing tools? That’s near impossible. This heterogeneous nature of the hardware as well as the operating systems and the shockwave on these devices that makes it really difficult to manage using some existing enterprising mobility management tool. So that’s very difficult.
The second challenge is these devices are going to be having a very long lifecycle. A standard IT device averages around three to five years, and then they are completely oppressed. But they’re all standard devices, they’re on a standard OS, they have standard hardware, everything can be standardized. But in IoT, those lifecycles are much, much longer—10 to 15 years. Put it out there and forget about it, as long as it’s not causing havoc to the company.
Then location, the IT teams are usually centralized, the ops teams especially, but IoT departments, again, as we talked about can be global, can be national. It’s very, very spread about.
So essentially, these enterprises, right from the beginning, handicap themselves because they’re not using the right set of tools to deploy IoT. So I think, before they begin, once they start their idea of concept of deploying IoT inside their industry, they have to build a strategy where they understand the IoT ecosystem, the challenges that it brings, specifically from the security prospective. Then define, almost a security design lifecycle where they’re able to define the risks at the very beginning of the deployment, they build solutions to mitigate that risk, and then include that as part of their production design.
So, I think starting from day one is very important with IoT deployments.
Smedley:
But can you do that in a world today when you already have global companies that have different things in place? We already see companies operating in these very disparate systems and very disparate operations, and you’re kind of hodgepodge-things together. Are they able to go back and say, “We’re going kind a piece meal things?” Or, do you say, “I’ve got to start from scratch?”
How do you get them to think we’re going to revamp what we’ve been doing all along and say, “We’ve got to rethink things differently,” and get a mindset that says, “We can’t do it the way we have been doing it all along and now we have to think,” because, I mean, your own research says 80% of companies have been breached. It’s still happening out there. It’s a phenomenal number to think. We all know this, yet we have such an astronomical number of breaches still going on.
Ramakrishnan:
Peggy, I think it all starts with education again. That was one of the main reasons we put out that cybersecurity insight report that was focused on IoT security. I think it came out a few quarters ago.
It was focused on IoT security and the target audience was really the C-level, because at the working level those decisions are very hard to make. There’s a lot of factors like cost, time, resources that come into play, which the C-level leadership team has to decide on.
We at AT&T have put a lot of effort into not only developing these IoT security solutions for our customers, but also an entire education program where we can go talk to our customers and educate them at the C-level and close to that level about what is the risks they are taking if they don’t follow a good IoT deployment strategy.
The insight report is one example. We also have an IoT security alliance as well, where we’re working with several partners to sort of broaden that leadership and education. We’re working with many standard bodies as well. We’re doing a lot of stuff to educate our customers first on why they need a separate IoT security strategy compared to just the standard strategy they have today.
Smedley:
Let’s talk legacy applications that need to be managed and moved to the cloud. Do we need to change our thinking as well with that?
You’ve given a lot of ideas here, but I keep going back in my mind I guess to manufacturing, because they’re not starting from the beginning. Does cybersecurity come into play here? Because again you’re not going to start from scratch; you’re going to work with legacy. You’re going to try and figure out how to do things and you don’t start from the beginning.
Ramakrishnan:
You’re right. Like industrial manufacturing, most of my hardest studies for customer security issues probably come from that space.
We went out to visit one of our connected-car customer manufacturing plants and they wanted to connect their factory. What we found was a lot of these systems are running Windows 95. That was a shock. This was a couple of years ago.
That’s what these industrial control systems are running because it works and they’re not going to upgrade it any further. So, in those cases you’re absolutely right. They can’t throw everything out the window and start from scratch. But what you can do is again use that multi-layered strategy to say, “Okay, I’ve got my end point devices, which are these ICS systems for example. Now what type of connectivity do I need to mitigate my risk to get the data off these devices back into some cloud provider?”
So, that risk assessment, that risk mitigation process is still going to have to be done whether it’s a completely new design or moving an existing design into the connected space.
So that’s inevitable, but once you have that multi-layered strategy, you can manage your risk. There’s never going to be a situation where you have zero risk. But what you can do is manage your risks so that you know that your end point layer is probably the most vulnerable, while the other layers are secured. So you know any additional investments that have been made for your deployment can be focused in that area as well.
That sort of leads us into that cyber insurance space as well, because now that you have your risk assessment you can then decide what type of cyber insurance you want, how much you need. It all sort of melds together from this design process to the deployment process, if that makes sense.
Smedley:
Okay, so now you throw out this cyber insurance thing and I have to ask because I don’t understand cyber insurance, because I’m afraid people are using cyber insurance in the wrong way.
Are they using cyber insurance as a bandaid? Are they thinking that they need cyber insurance and they don’t have to do the right things to invest in cybersecurity? I just wonder if cyber insurance is being used in the wrong way instead of the right way. Are they using it properly?
Ramakrishnan:
Honestly, it’s a very new offering that is available in the market. So right away, you’re right. Customers are not using it the right way.
When the cybersecurity companies started offering cyber insurance, the idea was to really centralize companies to invest in cyber defense. The whole idea of cyber insurance essentially is to do an assessment, a risk assessment of your deployment—identifying areas where you have exposure. Then put that down in to different buckets. There could be a financial bucket, and that financial bucket could be legal costs, response costs, data lost costs. Then you also have other buckets like resources, things like that. So basically you get a risk assessment, then you tell that enterprise, “Hey, we’re not going to just give you cyber insurance because you guys have completely insecure. Here are the areas you guys need to go fix and secure so that we can then offer you cyber insurance.”
The companies offering cyber insurance are not going to take a huge risk on that company themselves. So really, it was about quantifying that risk and then offering some incentives to invest in cyber defense. But companies really are not looking at it that way. Companies have limited budgets and they say, “Hey, I can either do cyber insurance or I can do cyber investment, or we’re going to get breached anyway, so let’s go cyber insurance,” which is really the wrong way to go about doing things.…
Smedley:
But that’s crazy. That’s just me, if 28% of your research is saying, “They’re using insurance as a substitute for investment in cyber defense,” then they’re asking to be hacked. I’m just sorry, that just says to me, open the door bad guys. Hey, guess what, we’ll just pay for it later. That’s just insane to me. That’s the most ridiculous thing I’ve ever heard.
Ramakrishnan:
It absolutely is. That insurance is only going to come into play in the worst place that a breach happens. So, what we’ve done here at AT&T is whenever a customer brings up the topic of cyber insurance we start off with let’s go back to design. Let’s talk about what you guys have and what you need to do to reduce and mitigate your risk, and then we can come back to cyber insurance because Peggy, at the end of the day, you and I both know that it is never a 100% secure system. Every system is going to have some vulnerabilities, but it’s really about managing that risk.
So, the cyber insurance is just another tool in that company CSO pocket to manage that risk. That again comes back to education. We have to educate customers that this isn’t just a solution for IoT security, that this is just another tool in your IoT security belt.
Smedley:
I’m sorry, whoever is in charge of those companies; whoever is making these decisions shouldn’t be in charge of those companies. I don’t know who’s in charge, but those are bad decisions. You’re just leaving the door open for all of these bad guys.
You guys and others are doing really wonderful things. I guess the problem is we always know we’re vulnerable. You just described what the problem is. We understand that, but there’s things we can do that we didn’t know before. Like what you’re just describing.
Let’s talk about the positives. There are training programs. There are workshops. There are so many things companies can do today that we didn’t even know, let’s say two years ago, three years ago. Why aren’t companies taking that money and saying, “Let’s find the right people?” Because there are really good schools and opportunities to roll out the proper phases to put some money behind insurance, but also some money behind finding the right talent to put security systems in place, and having the right technology in place because it’s a double-edged sword, right? I mean you’re doing both?
Ramakrishnan:
Correct, correct.
You know, I know, I keep harping on this, but it essentially goes back to the same fact. Most companies don’t see that difference between IoT and IT. To them it’s just another technical solution or piece that needs to be deployed.
If all you have is a hammer, all you see is nails. So these teams continue to go down that same part of existing solutions, existing tools, because they don’t understand that difference. They don’t see the need to go get additional education or go acquire additional tools.
That is a huge gap in the IoT today. But really, the IoT is still in its infancy. We’ve talked about that huge number of 50, 60 billion devices in the next few years, but that hockey stick shaped curve hasn’t really happened yet. It’s going to very soon, and unless these companies quickly realize that “Hey, the IoT is a different beast compared to what we have today, let’s go start a new IoT security strategy in order to keep ourselves safe,” it’s going to be chaos when that boom actually happens.
So, that’s exactly…you know, it has to start at the top. The C-level has to understand. And Peggy, as we’re meeting with our customers now, as we go to these trade shows, and conferences, I think, slowly that awareness is coming—especially at the upper end with larger corporations and enterprises. They are really getting it. But it’s all the way at the other end of the spectrum, the small, medium-level businesses that don’t have the budgets, don’t have the people to build out these strategies. That’s where I think the risk is high.
But, there are a lot of consulting services. AT&T offers professional services for security design. Not just putting out our products, but those services are available from several security providers.
So I think for these smaller and medium businesses that’s kind of where they have to go because education and new tools isn’t going to solve it for them. They’ll still need help from companies like AT&T to secure their IoT solutions.
Smedley:
AT&T has even talked about working with Ericsson, and the IoT cybersecurity device certification programs. What’s your prediction? Industries have to work together to keep the bad guys out. It’s not about that you all have to be competitive anymore. In some ways the industry has to be competitive, but you also, as an industry, have to find ways to keep the bad guys at bay.
So talk about your predictions where cybersecurity is headed in the future. I think as an industry we all have to work together to keep the bad guys away.
Ramakrishnan:
That’s very true. There’s a lot of work going on in that space. The CTIA example that you mentioned is one. They brought together several carriers in North America and outside the U.S., as well to get together and define an IoT device testing a strategy. Today you can put any device, on any network, as long as you get a SIM card, or some connectivity to access that network.
Most of these devices don’t have any security built into them. Like most devices don’t have the default admin passwords changed on them. That’s why that whole virus happened. Took down the DNS service with huge impact. Something as simple as somebody didn’t change a password on the device.
So that CTIA effort is very specific to that, but there’s a greater effort, not just in the cellular region, working with the GSMA organization to develop end-to-end IoT security, requirements, and validations. That’s something we put out, but within each industry in each vertical there is a lot of collaboration going on as well.
All of these are really specific to the IoT within each industry. There really isn’t any standards around the IoT and there’s not a lot of regulation. So I think before we get too much of restrictive regulation enforced, I think it’s always in the best interest of the industries to get together to understand and define what they have to do in order to prevent and secure themselves really.
Smedley:
How do you see emerging technologies like blockchain playing a role in IoT security?
Ramakrishnan:
IoT, again, is all about data collection. That’s why there’s millions, and soon billions of IoT devices out there collecting data for us. So, in addition to blockchain, we’ll talk about blockchain, but machine learning and AI (artificial intelligence) are becoming very critical for IoT and for IoT security as well.
These devices and applications are not just collecting the IoT specific data but there’s a lot of security data that we can gather off of these devices as well. So using, for example, machine learning and then AI to define what the behavior of an IoT device is and if it changes its behavior, it could potentially be infected or have some issues, right?
So there’s a lot of applicability of technology like ML (machine learning) and AI. The blockchain specifically is going to be very important. It’s a perfect fit there because it’s all about data. But the problem with blockchain again is going to be that it’s very resource intensive whereas IoT devices are really in a low-powered device.
So there’s newer blockchain architecture’s being defined for IoT that make use of the core fundamentals of blockchain, but they are a lot less resource intensive. So I think those are going to come into play pretty big in the IoT space.
We recently did a pilot of a proof of concept with Ericsson in a connected car space where we’re using blockchain to remotely test.