SANTA CLARA, CA — Yes, IoT is all about the sensors, and the data those sensors collect. But without a focus on security, the whole thing is a non-starter, according to Hewlett-Packard Enterprise.
Speaking at HPE’s IoT Day at the Santa Clara headquarters of its Aruba Networks subsidiary, Keerti Melkote, senior vice president and general manager of Aruba, stressed the importance of building customer confidence in the IoT market. The basis of his argument: the number of connected “things” is expected to dwarf the number of connected end-user devices, and the lifeblood of most IoT killer apps is some of the most important data within an organization. If vendors and solution providers don’t have the security story in place, their solution is DOA, no matter how valuable it may be or how much money it may save or make for customers.
“If customers don’t feel comfortable that their network is secure, they’re not going to embrace IoT. This is the first thing to solve,” Melkote said, calling security and customer fears around it “one of the largest barriers to broader adoption of IoT.”
Customer fears are not unfounded. Despite IoT-connected devices being seen as a nascent space (particularly in comparison to what it promises to be in a mere year’s time), HPE shared that 84 per cent of IoT adopters have themselves seen a related security breach. Malware and spyware are the two biggest concerns, and DDoS attacks and physical theft are also not infrequent.
“Typically, the focus of security has been about users and users’ devices — the phones, tablets, and laptops,” Melkote said. “But the new attacks are not targeting users’ devices, because there are easier targets. There’s no antivirus software for these ‘things,’ and most of them have basic, single-purpose operating systems. Because they don’t have the security built in, if hackers hop on them, they can then use them to attack the rest of the network.”
Given that stern warning, it’s probably no surprise that HPE has a fairly well-developed IoT security story going for it. While the foundation of that story is in the Aruba ClearPass technology that supports security policy enforcement across the network, it was bolstered earlier this year when HPE purchased its former partner Niara, which offers machine learning-based “internal security,” something Melkote said is a very necessary element of protection considering that most of the ‘things’ that need to be protected against are inside the network. ClearPass and Niara form the core of what Melkote calls an “inside-out” approach to security.
“Firewalls are still valuable to protect from the outside, but when you’ve already got penetrations, there’s very little that protects from the inside out,” he said.
Melkote and his team showed a demo of Niara and ClearPass working together — the former discovering and disclosing network-connected systems that were suddenly behaving unexpectedly (in the case of the demo, a connected security camera that was suddenly uploading a large amount of data to a country to which it does not usually connect), and the latter shutting down the compromised camera’s access to both the internal network and the outside Internet.
“Without a good security story, companies simply won’t adopt it. There’s too much at risk,” Melkote said.