In Internet of Things, M2M Security Gets Short Shrift
Within the rapidly proliferating realm of talking machines there is a woeful lack of security that could leave important systems vulnerable to compromise and ultimately threaten the viability of an important emerging technology space.
Send to Kindle
There’s a dirty little secret in the grand promise of the Internet of Things: Within the rapidly proliferating realm of talking machines that enables this hyper-connected ecosystem, there is a woeful lack of security. That shortcoming could leave important systems vulnerable to compromise and ultimately threaten the viability of an emerging technology space on which many have pinned high hopes.
Understanding the scope of the problem requires imagining just how big this Internet of everything could be. By some accounts, we’re on our way toward 200 billion Internet-connected machines by 2020, according to IDC Corp. Let that sink in. We’re moving into a world where automated machine-to-machine (M2M) transactions will outnumber traditional human-to-computer transactions by an order of magnitude.
Cisco Systems Inc. claims the market for these hyper-connected devices will top $19 trillion in the next eight years. Those heady figures could be at risk, however, if security gets short shrift and the devices become unpatched, unmonitored badlands for hackers and cybercriminals.
Attempting to get a handle on the scope of the problem, SSH Communications Security teamed up with Forrester Consulting for a survey of 151 U.S.-based hosting and cloud services providers as well as IT security decision-makers in financial services, government, retail, manufacturing and utilities. The goal was to see how well respondents understood M2M security issues and were safeguarding their assets in automated computing environments.
If you’ve read this far, you’ve probably already guessed: not very well.
It turns out the rise of M2M connections in data centers across most industries has far outstripped the ability of organizations to secure them. The resulting misalignment of security and compliance priorities is placing these organizations at risk, the survey found. It’s a subject that’s close to home for Helsinki-based SSH, pioneers of the secure shell protocol that bears its name. SHH is the de facto standard for data-in-transit security, at least where security has been given adequate consideration.
“Misunderstanding how best to secure M2M transactions -- and whose responsibility it is to do so -- has placed organizations under significant risk of data breach,” said Tatu Ylonen, CEO of SHH Communications Security and the inventor of the eponymous protocol. “As organizations across all sectors embrace the concept of the Internet of Things, enabling more objects and sensors to communicate to support new business models the need to automate M2M connections is increasingly critical.
“We commissioned this study to discover how financial institutions, enterprises and government agencies perceive their M2M security needs,” said Ylonen. “We discovered that they must take bold steps to evaluate the scope and strength of their M2M security strategies if they are to prevent data theft and comply with industry standards.”
According to the SSH and Forrester findings, M2M processes are now in use to some degree in just about every business organization and 62 percent of those polled say they plan to increase M2M use over the next year. Half are using M2M for logistics management and customer service and fully half of the financial institutions polled say they use M2M connections for billing.
That pervasive use and anticipated growth of M2M tends to support IoT’s champions at Cisco and elsewhere who see the automated, machine-connected world as the next step in business technology’s evolution. But despite the real traction M2M seems to be enjoying, its early adopters are giving security short shrift. While 68 percent say IT data security is a critical priority, only 25 percent feel the same way about M2M systems, even those tasked with carrying high-value payloads.
The problem, according to SHH officials, is often less about basic security protocols and more about the management of security elements on M2M networks. That’s borne out in the overwhelming number of survey respondents who felt their SSH implementations were adequate even though most knew little about critical aspects like Secure Shell access controls and centralized key management.
These are issues that will need to be sorted out soon if IoT is ever to realize its potential. They are also issue where the channel might gain a foothold in this emerging space and take advantage of the opportunities within.
As Michael Osterman at Osterman Research puts it: “The Internet of Things holds great promise for enabling control of all of the gadgets that we use on a daily basis. It also holds great promise for cybercriminals who can use our homes’ routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks.
“Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won’t work to solve the problem.”
For solution providers that have been struggling to get a handle on a business model that makes the IoT profitable, security is a key value-added service. Partners should be pushing their clients, particularly in key verticals, to take a hard look at their security strategies and posture whenever they deploy any new network devices.
As the Forrester study succinctly points out, every M2M transaction “starts with one machine logging into another using an authorized identity. These identities are powerful-- they provide access to critical systems and high-value data. Make sure your compliance and security initiatives fully account for onboarding, offboarding and monitoring of machine-based identities and credentials.”