Davitt Potter - CSA Arrow


Upload: trish-mcginity

Post on 11-Jan-2017


Page 1: Davitt Potter - CSA Arrow

www.cloudsecurityalliance.org
Copyright © 2016 Cloud Security Alliance

The Edge is Everywhere
Security and Risk Considerations of a Completely Connected World

Davitt J. Potter
Director, Engineering & Technical Services, Arrow Security


What Edge?!


Security: Not just a buzzword anymore!

When everything is connected to everything else, for better or for worse, everything matters.

Source: Bruce Mau, Massive Change

Any business that fails to invest heavily in the IoT in the next 10 years is unlikely to be able to remain competitive.

Source: McKinsey

A network of physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment. The IoT comprises an ecosystem that includes things, communication, applications and data analysis.

Source: Gartner


…Mind the gap!

Meaning… what?


The Architecture of IoT


…Mind the gap!

Meaning… what?

Gaps in visibility
Gaps in knowledge of the devices
Gaps in knowledge of activity


Who drives this bus, anyway?

We still don’t do simple things well.

“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

- Bruce Schneier, Information Security


Who drives this bus, anyway?

We still don’t do simple things well.

“There is no patch for human stupidity.” – Various


Security cannot be an afterthought!

In the mad rush to connect everything, proper security controls and designs must be considered.

SHOULD a device be able to be seen by other devices? What is ‘proper’ traffic? What does normal traffic look like? Should it be segregated? Should it be encrypted?

Slow down – just a second.


Security cannot be an afterthought!

Have you designed a security strategy? What policy or procedure does it fall under? Who controls it? Who does it talk to? When does it talk? What happens when you’re breached?


“This is what we call a target-rich environment…”

Look at all the edge devices to poke at! If your edge device is breached, how do you know? Can you stop it at the gateway? Can you stop it at the device? Can you identify the data that was exfiltrated? Can you show me the ingress and egress paths?

Collector/aggregation points
Devices
Cloud-based systems


I’m a Security Analyst!

Or a security officer, or a network administrator, or…

Is security awareness part of your organization at each level of IT? Do you provide options for visibility into security data for other roles, where relevant?

More eyes can discover “ah ha” moments. Automation helps cull the anomalies, but the human brain (thus far) still can make that intuitive leap.


Questions?

Thank you!

Davitt J. [email protected]

Twitter: @DavittJPotter

http://www.linkedin.com/in/davittjpotter