Data Security insight zone - discussion with Jackson Shaw

[MUSIC PLAYING] So IoT-- Internet of Thingss-- in the enterprise, I think is one of the most interesting areas right now. A lot of companies are doing work in this. And it's mostly around things like sensors and being able to determine, for example, what is room occupancy? Is somebody in a room taking this kind of information, whether it's from temperature sensors, or room sensors, or even electrical sensors? And how much power is being used. or whether power is being used at all. Imagine the correlation between something like is there someone in the room, and is there power being used. You'd be able to tell whether you've got, as they call it, vampire resources, draining your power. All of this, real-time data being streamed somewhere, probably outside the enterprise and being analyzed to provide information back to the company about things like power usage, heating, cooling, literally anything from giving you the opportunity to do real-time adjustments and understand the real-time costing of things within a company. A lot of CFOs are looking at this. A lot of the infrastructure people are looking at these types of things. It's one of the biggest areas right now, I think, for building management and the industry, in general, around IoT. So moving forward with an IoT deployment and what steps should you consider? Well, there's a lot of things to think about. My example that I give everybody, and I think this applies equally in the enterprise or in the home, is when I did a traffic analysis of the IoT devices in my home, 8% of my traffic was going to China. Now, is that a good thing? Is that a bad thing? I don't know. But it's a great indication of some of the things you have to think about when you start deploying IoT devices in your enterprise. Who made those devices? Who makes the software on the devices? How do you know where they're communicating, whom they're communicating to? What is the security of the devices? How secure are they? Has anybody done penetration testing of the devices? What is the security profile for the devices? There's a lot to consider. Another one is, do you have those IoT devices on your corporate LAN? Just imagine the worst case situation where one of those IoT devices is a bad device, and it's been hacked. And if that's on your corporate LAN, someone is getting access to your information. So you need to think a lot about how you virtually separate these IoT devices in your firewall and in your security infrastructure. And you need to spend a lot of time looking at the devices and understanding how they've been built from a security posture perspective. Build your risk profile and your responsible files if there is a security breach around those devices. And don't forget about privacy. IoT devices are sending data back and forth. What kind of data is it? Is it PII data? Is it private data of some nature? Where is it being stored? And how is it being stored? You need to think about all of those things. IoT and identity, big topic. Absolutely, we believe that identity extends to IoT, or IoT needs to have identity. And the reason for that is, if you think of IoT and you think of devices, you think of somebody's office, or you think of a building that's putting in smart meters, that's putting in thermostats. How many are there? There's going to be way more of these sensors than there are people. Who owns those sensors? Who do you need to contact when there is some kind of an issue with the sensor, or if a sensor needs to patched or updated in some fashion, or you need to track where those sensors are? So being able to tie a sensor, an IoT device, to an identity or a person is a very important thing. It's going to become increasingly prevalent as more and more IoT devices get deployed in the enterprise. So you want to get a handle on that identity. You want to be able to understand who owns those devices and who to go to if there's a problem, or heaven forbid, there's a breach. Is the password dead? Unfortunately not. I wish the password was dead. I suffer a lot from the same things that you probably suffer from, which is logging in multiple times every day. The problem with having so many systems at companies, or even a few systems at a company is that you need to remember the password for each one of your systems. And most of these systems have a different security policy. In my own company, I'm changing passwords on a 30-day frequency, a 45-day frequency, a 90-day frequency. So you can imagine that you have to constantly change these passwords on different systems, remember them, change them to something different. It's pretty hard. And then the other problem is that sometimes these systems have different security standards around them. You may have to use a SmartCard to access something. Or you may have to use your one-time password. And the problem with that is you have to have those systems with you. You've got to have your SmartCard with you. You've got to know the password. You've got to have your one-time password, which may be on your mobile phone. All these things reduce productivity. They increase security, but they reduce productivity for you and I. And it's a very unfortunate thing. I'd love to say that the password is dead or dying. I know there's a lot of people working on this kind of a problem. But it's still there, and we all have to suffer through this, unfortunately, for today. So is it possible to have strong security and at the same time, have happy employees? Because up until this point, that's been pretty darn hard. Because as I've said