Editor’s note: Is litigation inevitable because of security vulnerabilities in the Internet of Things? What are the new kinds of cyberattacks in the IoT space? How can your business find partners for IoT opportunities you see? Vince Ricco, business development manager for Axis Communications’ Technology Partner Program in North America, shares these and other insights in this interview. Axis Communications focuses on security video cameras and is one of the original IoT companies (before it was known as the IoT), an early provider of intelligent edge devices that sat on networks. SandHill is a sponsor of the upcoming IoT Evolution Expo where Vince will be a presenter on the topic of “Protecting and Defending the Edge.”
Q: From what you’re seeing and hearing in the marketplace, do you think the “gold rush” to the IoT opportunity for new revenue streams is so predominant that companies are temporarily willing to overlook the security risks and think they can fix those issues later?
Vince Ricco: I don’t think it’s that companies are intentionally overlooking or have a plan to go back and fix it. It’s more likely that they don’t understand the exposure – like having a mindset that their current implementations of authenticating devices may be sufficient and not understanding some of the risks that go along with that. But in the IoT, non-traditional IT devices are attached to networks. They might comply with the companies’ standard authentication methodology but one of the key risks is not actually hijacking or hacking that device but, rather, keylogging someone else who is gaining access to a resource or a network element that has been newly added. They come, in essence, as an authenticated user and password. The companies are not necessarily thinking about credentials as being the way that bad people get in. There are some areas like this that I think will require more of an educational process on defending the edge. It might not be as clear cut as we think today.
Q: You mentioned defending the edge. Do you think this is the most effective place for security protection?
Vince Ricco: No. There are three areas that you have to be concerned with, not just the edge devices.
At the edge, you’re concerned with a couple of variables. One is making sure that the edge device doesn’t become a new point of vulnerability for the network infrastructure and the associated data and contents of your network in its entirety by protecting the device itself from being accessed or hacked.
Going away from the edge, you have the stream or output from the edge device. Almost by definition it goes from edge to core (network infrastructure such as servers and potentially storage) and also content being redistributed back out from a server to an edge client.
So you need to protect the edge, making sure that it’s not a point of vulnerability, and also protect the flow of data or contents across the network(s).
Q: So they need to extend their security tactics in the IoT.
Vince Ricco: They don’t have to actually redefine their cybersecurity because they add a new technology to the edge. For example, in the case of security camera video streams, you don’t want the bad guys to have access to your video and thus have eyeballs into your building. So you protect that through the network infrastructure. And there may be a viewing client for that video at the edge, so you protect the edge device. Make sure your cybersecurity standards within your network infrastructure protect the video stream in and back out, and make sure it co-exists with your existing IT cybersecurity policy.
Q: There are a lot of new types of cyberattacks in the IoT. You mentioned keylogging for authentication access. What are some other examples?
Vince Ricco: There is a lot of convergence taking place in IT and a lot of new intelligent applications are bolting on to the network, which support physical security, smart homes, smart buildings, smart grids. This may require more consideration in using network security protocols dealing with ingress/egress policies.
In the case of intelligent building automation and sensors associated with a thermostat, for example, there is another application running on a server somewhere that manages the intelligent building automation, and you’re not necessarily aware of who has access and how.
There are new cyberthreat vulnerabilities in systems that maybe don’t directly relate to specific applications, but they do affect the added servers and storage infrastructure.
Q: I recently read an article that predicted the inevitability of litigation in IoT because of security breaches. The article suggested that companies in the IoT need to change their cybersecurity risk management strategy, not just the tools they use. Do you agree?
Vince Ricco: I think that the label “IoT” is a bit too broad to say this applies to everyone. What is the device and what is it transmitting and what is its potential to become an ingress or egress point for cyber threats? This is the consideration, and I think there are segments that are the first and easiest targets for any type of litigation. Health and medical environments with HIPAA regulations, for instance, or securing data in PCI transactions, or regulations and inherent risks associated with sensitive banking and finance data. These areas are more valuable and much more open to litigation should there be exposure to that content. I think other areas are probably lower on the target list. But it’s certainly something every company needs to think about as they attach devices. What is the risk and what are the implications to corporate resources?
Q: Do you have any recommendations around the architecture of security solutions?
Vince Ricco: Basically there are two approaches. The first is a single vendor. Administrating the solution with single management and a single user interface for the vendor’s bolted-on products simplifies the core process because of single management and a single user interface. Cisco is an example of this model.
HP, Stream Networks, Brocade, Avaya and others are examples of the second model. The technology isn’t that different, but they use more open systems and open standards. It’s just a different approach. Or it may be a company working within an ecosystem partnership to bolt together a cyberstrategy solution.
Is one better than the other? That’s a crunchy vs. smooth equation in a peanut butter analogy. You can consider a single vendor / single source or a best-of-breed application from a variety of manufacturers as long as the end result provides a comprehensive solution. The technology will continue to evolve quickly, whether you’re under one umbrella or you’re working within an ecosystem.
Q: What are the risks when outsourcing to gain capabilities and services regarding security in the IoT?
Vince Ricco: There are several issues besides the usual selection criteria for a service provider. Is the vendor new to digital? Who is ultimately behind the newer technologies? How does the vendor’s technology integrate with what you’re doing today? Do you have to change what you’re doing today to accommodate one device or technology that is maybe five percent of your overall technology? And make sure you have a plan for what you want to eventually phase in to the IoT.
Q: How can a company looking for new revenue streams from IoT opportunities find a partner to help create a product or service?
Vince Ricco: If you want to be part of this new IoT ecosystem, this new environment, my advice is to first understand where your company fits today, what value you offer now that could be extended value to other businesses’ customers. Understand the adjacencies to your current technology or current product offerings and how to communicate that value to the ecosystem and become part of the ecosystem. You may see an opportunity to bolt on to others’ existing services and offerings but first may need to educate yourself on particular technologies.
Q: What are the pitfalls to avoid when buying video cameras as a security device?
Vince Ricco: You have to consider what effect it will have on the existing network infrastructure. What is the potential stress for servers and storage? Video generates a great deal of storage, particularly if it’s not adjusted and tweaked right.
The pitfall is installing it without understanding the technology so you know how to set it up properly to reduce the strain it might add to existing infrastructure. How do you set the resolution? How many pictures per second will be broadcast? What’s the effect on lighting or motion? Where do you put the camera? How long do you store the video? What are some mitigation techniques to transport a video (store locally as well as centrally)? Make sure you’re educated on putting in a system so it won’t unnecessarily consume lots of bandwidth and lots of storage.
From a cybersecurity perspective, it goes back again to understanding what you or your organization is plugging into your network. What network security protocols does it support and is it the right technology to coexist with your current cybersecurity strategy? Overall, like the emerging IoT technologies, it comes down to education and understanding the underlying network technology of these edge devices balanced with the delivery of the application(s) you are looking to add to your system.
I am a firm believer that technology should enhance the way you do business, not alter it.
Vince Ricco is business development manager for the Axis Technology Partner Program for North America at Axis Communications. Vince has over 25 years of experience working with IT hardware providers to showcase network video surveillance solutions and educate the IT industry about the ongoing technology shift from analog CCTV to IP-based video surveillance. Vince came to Axis from Allied Telesis, Inc., where he served in a number of roles, including SVP of Sales Americas.
Kathleen Goolsby is managing editor at SandHill.com.