In our last IoT blog, we talked about the history of IoT and the evolution of issues surrounding IoT devices. In this part of the series, we will expand on the issues around IoT and the data it collects.
Research firms estimate that there will be between 20 billion and 30 billion IoT devices on Earth by 20201 and that they will have collectively produced over four zetabytes of data.2 These are virtually inconceivable volumes for the average person and dealing with volumes this high is effectively far more than a trivial matter. Given these factors, this blog is going to discuss how to deal with IoT using various (slightly modified) quotes from famous Hollywood films (let’s see how many of the films you can correctly identify before you read the footnotes!).
In this edition, we extract nuggets of IoT wisdom from Hollywood and as a bonus, provide readers with an answer key to identify where the quotes came from.
- “They may take our data, but they’ll never take our freedom!”3 With each passing day, IoT devices and data proliferate, making this quote even more poignant. IoT devices can and do affect the real world. Without knowledge of which IoT devices are gathering data inside your network and how they are connected to real-world power systems, security will fail and may fail catastrophically. Not only can data be breached, but if power management, utility management, and transport control systems connect, real world disasters could occur.
- “What I do have is a very particular set of data that I have acquired over a long career. Data that makes me a nightmare for people like you.”4 Cybercrime is a part of life now. In 2015, over a billion records of various types were breached. Today, Ransomware is spreading like mad. For those of you in organizations that create, collect, and otherwise leverage IoT data, it is a highly valuable (and therefore desirable) asset that must be protected so you are not the one receiving a message from the hacker telling you they have control over your data. Visibility into you environment, activities in that environment, and the devices generating those activities are key for applying appropriate and effective security controls.
- “If you build data, they will come.”5 Data is valuable to hackers, so the more you collect, the greater your value as a target; just ask Microsoft, Facebook, and Amazon. It is because of that data you are a target for hackers. As you build out infrastructure for IoT (or the cloud for that matter), properly identifying and securing the systems and the data is paramount. IoT devices are often difficult to patch, secure, and operate using protocols that are not part of the normal IT infrastructure controls or monitoring. Be sure that you know where those devices are located and how to protect them. If you don’t know where they are, you can’t protect them. If you don’t understand the data flows, you are bound to have ex-filtrated data. If policy allows BYOD or guest devices, it must also prescribe protections from those devices. What are those devices allowed to do within your environment and how does security enforce those policies? If you’re giving them access to your data, you better have a plan on how to protect that data.
- “With great data comes great responsibility.”6 Data is power. Just because we can collect data with sensors does not mean that we know how to properly use it. All of the IoT sensors collecting so much data have the potential for great insight and knowledge; they also have the potential for terrible misuse. Whether the data is from Industrial IoT, wearables, medical devices, or environmental sensors, it is collected for specific purposes. It can be used to identify positive and negative trends, population and behavioral anomalies, etc. If you or your organization is collecting data, ensure that the use policy for that data is clear and delivered to anyone that can be specifically identified by the data that was collected. Ensure that the collection and use policies are presented no later than the time of collections and then, as an organization, stick to the disclosed policy. Lastly, provide protections for the data in transit, in processing, and especially in storage.
- “One thing to rule them all, one thing to bind them, one thing to bring them all and in the darkness bind them.”7 In my last IoT blog, I mentioned a rather interesting and terrible situation with an IoT coffee maker. This final lesson from Hollywood builds off that particular situation. IoT devices will continue to appear in diverse shapes and uses. It is obvious that IoT is growing and the use cases, and thus the deployments, will continue to expand into all realms of our lives, both business and personal. Visibility, control and orchestration of those devices and the data they create are paramount in maintaining the integrity and operational status of each one, and the personal privacy and business confidentiality is not only expected, but required.
In closing, “Carpe Datum, seize the data!”
4 Taken 1
5 Field of Dreams
7 Lord of the Rings: Fellowship of the Rings
8 Dead Poets Society