Building a Data Security Model for the Internet of Things

Two executives from Cisco jointly presented a Keynote at this year’s RSA Conference in San Francisco. The Keynote was titled The New Model of Security Christopher Young, Senior Vice President, Security Business Group, and Padmasree Warrior, Chief Technology and Strategy Officer spoke for 26 mins on the topic of the Internet of Things and its impact on data security best practices.

Online security is, and, for the foreseeable future will remain, one of the most important components of any mature ISV’s product platform. Cisco is no exception. But this presentation at the RSA Conference did not provide me with a lot of new information about how Cisco is meeting the challenge.

Cisco has, on a few occasions, created brands for purported industry trends, which somehow never got off the ground. Examples include the Home Technology Integration (HTI) effort, which didn’t deliver on its promise. Is the Internet of Things just another example of one of them?

Regardless of how one answers the question, the important point about the notion of an Internet of Things for this Keynote, is simply the geometric, explosive proliferation of connected devices over the last thirty years. Warrior presented some statistics including a universe, in 1980, of approximately 1K devices, which, today, she claims is approaching (or even exceeding 10 Billion).

Christopher Young depicted the problem all these devices represent to ISVs with security solutions: when the connected device is a highly complex machine like an automobile, then anyone analyzing the points where the connected device is vulnerable to malicious attack, needs to think about sub systems, component manufacturers, etc. In other words, the real conundrum is ensuring all of the OEMs contributing to the production of the final complex connected device are all sharing the same security priorities, architectures, etc.

Young did not offer any examples of how anyone is successfully coordinating OEMs to provision a truly effective security solution for connecting complex devices like automobiles to the Internet, but, one can argue, at least Cisco is aware of the challenge, which is an important starting point.

There is ample precedent for such as policy, of course, within the production of the functional architecture of automobiles and, on an even bigger scale, airplanes. Boeing, Airbus, etc. are quite effective at managing subsystems, and the OEMs responsible for them, to ensure conformance with functional standards. Why not do the same for Internet connectivity?

Warrior also noted a need for device-to-device authentication, which I think makes a lot of sense. Ethernet, unfortunately, does not support the data communications hand shaking required to provide this level of authentication, but Warrior’s comment may actually signal efforts on Cisco’s part to build new data communications protocols on top of, our beneath, Ethernet over TCP/IP communications capable of simulating the type of error checking and authentication required to really control data communications between connected devices.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved

Leave a Reply

Your email address will not be published. Required fields are marked *