“Five 9s, NERC/CIP, HIPAA Compliant, CISSP…” When it comes to device or “thing” security, you’ve had numbers and a variety of security certification acronyms thrown your way. While this information really does mean something, we want to dive in and tell the whole story. “If you read between the lines, these up-time commitments and certifications imply that device security and reliability are a reason to avoid connecting your machines to the Internet. But, nothing could be farther from the truth. Once you start streaming GPS location, device health, messages and so forth, the security and reliability of the device itself skyrockets.” Digi’s Collaborative Strategy Leader, Rob Faludi, pointed out. So, in this post, we’ll cover the downsides of leaving devices unconnected.
Device Cloud’s leader of information security, Don Schleede, breaks down how attaching devices will lower security risks. Below he explains why and how.
Let’s start with an analogy. Imagine you have a nice house, close to the city, but still a little rural. You install the best security system that money can buy. But it is not hooked up to any phone line, and never reports back to a centralized and managed center. What happens when a burglar breaks in? Chances are that your system will be going off for a long time. Are you really protected? The same concept applies to a device.
Centralized data collection and management provides the following 6 benefits:
1) Centralized Identity and Authorization
When a device is connected, you gain trackability of logins and use of the device. You can also perform a much simpler password restore operation and federate your user ID and password to your central ID repository, where password expiry and authentication are monitored.
2) Firmware Updates for Security
Device connectivity to a system like Device Cloud allows for automatic notifications of firmware updates for your devices. Firmware updates can easily be rolled out in a batch methodology, instead of visiting each device, and having the chance of missing a few devices.
3) Configuration settings
Connectivity lets you store the configuration of your device off-site. You can also create a “gold configuration” for all of your devices. If you need to meet a security standard, all devices can be validated against that standard, and suggestions for improved security can be recommended. For example, you may have 120 devices, but one of them is misconfigured and insecure (not running SSL, say). An alert for this can be raised within a console.
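The gold-configuration check described above, as an added example that is not Device Cloud code: each device's reported settings are compared with a gold configuration, and the one device not running SSL is flagged with a suggestion. The setting names, device IDs and firmware value are constructed for illustration.

```python
# Added example (not Device Cloud code); setting names and device IDs are constructed.
GOLD_CONFIG = {
    "ssl_enabled": True,
    "telnet_enabled": False,
    "firmware_version": "2.4.1",
}

# Settings whose deviation weakens security, with the suggestion shown to the operator.
SECURITY_CRITICAL = {
    "ssl_enabled": "enable SSL on the management interface",
    "telnet_enabled": "disable Telnet and use an encrypted protocol",
}


def audit_device(device_id, reported, gold=GOLD_CONFIG):
    """Compare one device's reported settings with the gold configuration."""
    findings = []
    for key, expected in gold.items():
        if key in reported and reported[key] == expected:
            continue
        findings.append({
            "device": device_id,
            "setting": key,
            "status": "drift" if key in reported else "missing",
            "expected": expected,
            "actual": reported.get(key),
            "severity": "high" if key in SECURITY_CRITICAL else "info",
            "suggestion": SECURITY_CRITICAL.get(key, "re-apply the gold configuration"),
        })
    return findings


def audit_fleet(fleet, gold=GOLD_CONFIG):
    """Return findings only for devices that deviate from the gold configuration."""
    report = {dev: audit_device(dev, cfg, gold) for dev, cfg in fleet.items()}
    return {dev: findings for dev, findings in report.items() if findings}


def build_sample_fleet():
    """Constructed fleet: 120 devices, one of them not running SSL."""
    fleet = {f"dev-{n:03d}": dict(GOLD_CONFIG) for n in range(1, 121)}
    fleet["dev-057"]["ssl_enabled"] = False
    return fleet


if __name__ == "__main__":
    for device, findings in audit_fleet(build_sample_fleet()).items():
        for f in findings:
            print(f"[{f['severity']}] {device}: {f['setting']}={f['actual']!r} -> {f['suggestion']}")
```

A setting that a device does not report at all is treated as a finding too (status "missing"), so an incomplete report never passes as compliant.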
4) Centralized Logging
Centralized logging for devices makes for easier manageability. Connectivity enables you to do advanced analysis and correlations on devices. For example, can you do brute force detection on your current devices? If a device starts to malfunction, the visibility of that malfunction can be centralized and someone can be easily alerted.
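The brute-force detection asked about above, as an added example that is not Device Cloud code: a sliding window over centrally collected login records flags repeated failures against one device and also one source failing across several devices, which no single device could observe. The log format, device names, addresses and thresholds are constructed for illustration.

```python
# Added example (not Device Cloud code); log format and thresholds are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PER_DEVICE_LIMIT = 5   # failures from one source against one device
SPREAD_LIMIT = 3       # distinct devices one source fails against

SAMPLE_LOG = """\
2024-01-15T10:00:00 gw-01 LOGIN_FAIL user=admin src=203.0.113.9
2024-01-15T10:00:20 gw-01 LOGIN_FAIL user=admin src=203.0.113.9
2024-01-15T10:00:40 gw-01 LOGIN_FAIL user=root src=203.0.113.9
2024-01-15T10:01:00 gw-02 LOGIN_FAIL user=admin src=198.51.100.7
2024-01-15T10:01:10 gw-01 LOGIN_FAIL user=root src=203.0.113.9
2024-01-15T10:01:30 gw-01 LOGIN_FAIL user=admin src=203.0.113.9
2024-01-15T10:02:00 gw-03 LOGIN_FAIL user=admin src=198.51.100.7
2024-01-15T10:02:45 gw-02 LOGIN_OK user=alice src=192.0.2.10
2024-01-15T10:03:00 gw-04 LOGIN_FAIL user=admin src=198.51.100.7
"""


def detect(log_text):
    """Return sorted (kind, source, devices) alerts; records must be in time order."""
    per_device = defaultdict(deque)  # (src, device) -> failure times
    per_source = defaultdict(deque)  # src -> (time, device) failures
    alerts = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, device, event, _user, src = line.split()
        if event != "LOGIN_FAIL":
            continue
        ts, src = datetime.fromisoformat(ts), src.split("=", 1)[1]
        on_device, fleet_wide = per_device[(src, device)], per_source[src]
        on_device.append(ts)
        fleet_wide.append((ts, device))
        while ts - on_device[0] > WINDOW:      # expire failures older than the window
            on_device.popleft()
        while ts - fleet_wide[0][0] > WINDOW:
            fleet_wide.popleft()
        if len(on_device) >= PER_DEVICE_LIMIT:
            alerts[("brute_force", src)].add(device)
        touched = {d for _, d in fleet_wide}
        if len(touched) >= SPREAD_LIMIT:       # invisible to any single device
            alerts[("multi_device", src)] |= touched
    return sorted((k, s, tuple(sorted(d))) for (k, s), d in alerts.items())


if __name__ == "__main__":
    for kind, src, devices in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} -> {', '.join(devices)}")
```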
5) Asset Management
Having one location where all of your devices are listed, and the ability to tell the status of the devices, gives you a nice clean way to manage your inventory and identify missing devices. If a device is stolen, it may be possible to recover it. This is similar to someone stealing an iPhone, and trying to enable the stolen phone on a new account.
6) Disaster Recovery/Replacement of Bad Units
Devices that are connected have minimal downtime due to broken devices. The last known configuration can be restored on a new unit. And spinning up a new device is trivial if a disaster were to occur.
Overall, devices are small, and typically are limited in CPU, memory and power. Including many of the security features needed today in each device is just impossible because of those limits. The better approach is to “off-load” or shift those functions into the cloud. When a device works together with a device cloud service, the two can cooperate to increase the overall security of the device, and all devices in general. Better device security through security information sharing.
Are you interested in learning more about Device Cloud’s security? Here’s a page on the website. We also offer a white paper on iDigi security here. Have a question about device security? Ask in the comments section below or on Twitter.
If you love security, we are looking for a motivated individual who would like to make Information Security their full-time job. We are looking for someone who has 3 years’ experience in the computer industry (Highly motivated without 3 years? Still apply!). The role is about 60% technical, and requires someone to be familiar with common security settings in Windows AD domains and Unix systems. The ideal candidate has had some scripting or minor programming background.
Security tasks for this role would include the following:
- Security technical investigations
- Running vulnerability analysis software
- Writing scripts to test vulnerable web sites or systems
- Giving recommendations on how to “harden” a server
- Working with developers to fix and identify security vulnerabilities in code
- Working with common security technology, such as Network Intrusion Detection sensors, Security Information and Event management systems (SIEM – aka. Log collection and correlation engines), Certificate management, and Identity management
Interested? Let us know in the comments section below or on Twitter, and we’ll connect you with Don Schleede, who is hiring for this position.