Last Updated on November 12, 2020
When you think you know something and you actually don’t, you might find that out the hard way… especially in the realm of Internet of Things (IoT) security. The IoT is fraught with complexity, aka “the enemy of security.” And the IoT realm is only becoming vaster and more complex as devices and services morph and proliferate.
A recent episode of The Virtual CISO Podcast focused on leading-edge IoT security guidance—which includes defining what an IoT device (and by extension an IoT ecosystem) are currently accepted to be. Fielding the questions were two industry thought leaders from the Cloud Security Alliance (CSA): Aaron Guzman and John Yeoh. Aaron is a co-chair of CSA’s IoT Working Group, as well as product security lead for Cisco Meraki. John is Global VP and head of research at CSA.
CSA has recently come out with some extremely valuable guidance on IoT security, which introduces base-level security controls to mitigate many of the common risks associated with IoT environments. Such environments typically include multiple types of connected devices, plus cloud services and various networking technologies. The data that IoT environments process is equally diverse, ranging from “low-value” data to the data behind mission-critical services.
So what are we potentially talking about these days when we say “IoT”?
“I’ll take the first stab,” Aaron bravely asserts. “An IoT device is a physical device or a service that is controlled remotely via a user interface. So whether that would be mobile or web… And it’s network-connected, so it has to be controllable remotely.” Podcast host John Verry, Pivot Point Security’s CISO and Managing Partner, recalls: “I had a conversation with one of our clients, a very high-level person in their legal department. They have a huge array of IoT devices, and she defined an IoT device, per the California SB-327 guidance, as basically, ‘Anything that can be authenticated from outside of the local area network,’ with no definition of what a local area network is, or what ‘authenticated’ means—which is really another crazy-broad interpretation.”
“If it’s a device that has network connectivity that’s controlled via an app, to me that’s considered IoT,” Aaron reframes.
“It’s a very broad term, for sure,” agrees John Yeoh. “I think, like Aaron said, it’s any device that has connectivity, especially Internet connectivity. And I think it’s not just a connected device these days, but the expansion of what that means, right? We’ve all had laptops and mobile phones and computers that would connect to the internet. But the expansion of the type of devices that now connect to the internet is so different…”
“We talk about sensors, and really small compute devices that don’t have their own operating systems,” John continues. “They connect differently, so we need to protect them differently. … When we look at a connected device and try to take that top-down and bottom-up approach: start from the device itself and how you would secure or connect that device. And then, also, from your systems themselves that are connected to the device—how can we implement security across that?”
“But when it comes to just a connected device, I feel like it’s just, man, anything that’s connected. An IoT device is anything that’s connected,” emphasizes John.
By both these expert definitions, a mobile phone is an IoT device.
“It would be helpful if we had a better definition [of IoT], right?” John Verry observes. “… You have all these people who are saying, ‘Do I need to test this device?’ And they don’t know how. I’m like, ‘Look, you need to consult legal counsel.’”
“I’m not sure with the definition anymore,” John Verry acknowledges. “I thought I knew a little bit ago…”
If you have anything to do with securing an IoT ecosystem, or need to update your view of IoT, check out this podcast with Aaron Guzman and John Yeoh.
To hear the whole show with Aaron and John, and take your pick from our many other cybersecurity podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.