The Intersection of Cloud And Internet of Things And What It Means For Security

Securing The Internet of Things Using Cloud


Last month, Salesforce.com and Philips announced their plan to build an open cloud-based healthcare platform. In the initial application, this “platform” will allow healthcare software developers, producers of medical services, insurance companies, and healthcare providers to monitor patients with chronic conditions. Digital patient-sensing devices (the Internet of Things) send healthcare information to the cloud to be remotely processed and monitored, allowing healthcare providers to prioritize care.

The choice of healthcare as the first industry play by a customer management software-as-a-service (SaaS) company like Salesforce.com makes sense as the healthcare industry requires the most collaboration.

It’s also a bold choice from a security perspective. If you’ve ever sat down and filled out insurance and healthcare provider forms, you know that there is a lot of confidential information that is shared – from social security numbers and bank information to personal healthcare history. The healthcare industry was warned by the FBI in April that it was “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”, and attacks have already been documented, as in the example of the Romanian hacker who attacked the Vermont health exchange.

The reality is that the healthcare industry is just one of many that will tap into the innovation possibilities of the cloud and Internet of Things. The world of cloud computing will become infinitely more interesting and at the same time more challenging. Imagine mass transit networks with thousands of sensors that send information about the status of buses, trains and light rail environments to the cloud to be processed, or remote oil, gas and mining stations that rely on management sensors because of their hard-to-get-to locations. Application enablement platforms for the Internet of Things are being developed as we speak.

Privacy and Security Concerns

Of course, this means that the intersection of cloud and Internet of Things (IoT) will also usher in a new era of privacy and security concerns.

Today, significant enterprise files, spreadsheets and proprietary intellectual data already reside in cloud applications like Salesforce.com, Google Apps and Box. As the era of Internet of Things dawns, the amount of data within these applications and other cloud applications developed for unique industries will increase, and be accessed by an interconnected ecosystem of organizations, networks and devices.

To truly embrace this intersection of cloud and Internet of Things, security is a key requirement, and it requires collaboration between cloud providers and enterprises.

Understanding the Responsibilities

The division of security responsibilities between cloud providers and enterprises needs to be understood. Attacks at the physical or infrastructure layer – physical security, data center security, denial-of-service attacks – are all the domain of the cloud provider. Cloud providers that offer software-as-a-service provide additional application layer capabilities like protection against web vulnerabilities, SQL injection attacks and configuration error vulnerabilities. As part of the due diligence to identify the right cloud provider application, enterprises can investigate the security controls that have been deployed, and negotiate for access to incident and vulnerability data.

However, access to, usage and security of the data being hosted at the cloud provider continues to be the responsibility of the enterprise. Think of it like making sure your cars are locked and valuables hidden when you park at a parking garage. Or locking your door and windows even when you have signed up for a burglar alarm service at your house.

Rethinking Security

Unfortunately, while some legacy security controls can extend to infrastructure-as-a-service (think virtualized firewalls on Amazon EC2), they fall short for software-as-a-service. Existing security solutions like firewalls may provide some visibility into the cloud application, for example, when user “John Doe” accesses salesforce.com, but will not understand the myriad of transactions within the application, how data can be exfiltrated, and the unique attack vectors. VPN solutions enable secure access to the cloud application, but are completely blind when the user is accessing via an unmanaged mobile device or unsecured networks.

Security for SaaS applications is also different from legacy malware and APT prevention solutions. The likely culprits for a breach will be insiders – malicious insiders downloading inappropriate data, errant insiders that accidentally expose files to the public, and compromised insiders whose credentials have been stolen. This can only be detected with anomaly detection capabilities that can set the baseline for normal behaviors (and transactions) and detect deviations from the norm.
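A minimal sketch of the baseline-and-deviation idea described above, as an added example that is not from the original article or any vendor's product: it learns each user's normal daily download volume and usual countries from constructed audit events, then flags the three insider cases the paragraph names. The event tuple layout, the action names and the threshold `k` are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit events, not real log data: (day, user, action, country).
EVENTS = (
    [(d, "alice", "download", "US") for d in range(1, 8) for _ in range(5)]
    + [(d, "bob", "download", "US") for d in range(1, 8) for _ in range(3)]
    + [(8, "alice", "download", "US")] * 6    # slightly busy, still normal
    + [(8, "bob", "download", "US")] * 40     # bulk export
    + [(8, "alice", "share_public", "US")]    # file exposed to the public
    + [(8, "bob", "login", "XX")]             # country never seen for bob
)

def build_baseline(events, today):
    """Per-user daily download counts and countries seen before `today`."""
    daily = defaultdict(Counter)    # user -> {day: download count}
    countries = defaultdict(set)    # user -> countries seen
    for day, user, action, country in events:
        if day < today:
            countries[user].add(country)
            if action == "download":
                daily[user][day] += 1
    return daily, countries

def detect(events, today, k=3.0):
    """Return sorted (user, reason) alerts for the events dated `today`."""
    if not events:
        return []
    daily, countries = build_baseline(events, today)
    days = range(min(e[0] for e in events), today)
    todays = [e for e in events if e[0] == today]
    alerts = set()
    downloads = Counter(u for _, u, a, _ in todays if a == "download")
    for user, n in downloads.items():
        history = [daily[user][d] for d in days] or [0]  # quiet days count as 0
        # Floor the deviation at 1 so a perfectly flat history is not hair-trigger.
        if n > mean(history) + k * max(pstdev(history), 1.0):
            alerts.add((user, "bulk_download"))
    for _, user, action, country in todays:
        if action == "share_public":
            alerts.add((user, "public_share"))
        if country not in countries[user]:
            alerts.add((user, "new_location"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in detect(EVENTS, today=8):
        print(f"ALERT {user}: {reason}")
```

Alice's six downloads stay under her threshold, so only the public share is raised for her; a user with no history at all is flagged on first sight, which is the conservative default for a newly provisioned or newly compromised account.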

Enterprises (and any entity planning on using cloud exchanges or cloud applications delivered as a service) MUST consider new cloud security solutions that provide visibility into user activities, application transactions, and deliver governance and security. For example:

Data Sharing Management – ensure content is being used and shared in a safe manner

User Management – monitor user activities, monitor users with excessive privileges and deprovision users who have left the company

Compliance Management – comply with regulatory mandates and legal eDiscovery mandates

Security Management – understand vulnerabilities, and risky and anomalous behaviors that may be indicative of a breach

It is only when we start looking at security for cloud and IoT differently from traditional enterprise security challenges that the promises of innovation can truly become a reality.
