An IoT Security Use-case: Part 1 – The Challenge
How Out-of-the-Box Thinking on Security Enabled Business Agility and Growth
Managing budgets is a significant part of any organization’s security efforts. The most immediate and natural reaction to any security effort today is – more money. More money is needed for more security tools, more consultants and more operators. But does more money, more security tools and more people really buy you better security?
Lets talk about what’s involved in protecting a single IoT application platform with today’s security technologies. For example a bank ATM network. To do this we will first identify the various functions, tools and processes that need to make up the security system.
For the next couple of weeks we will be using this ATM network as a use-case for our discussion. Interestingly enough, this is a real-life use-case problem that Acreto has addressed. So bear in mind that the elements, factors and challenges defined here are not hypothetical. They are very real challenges that a financial organization faced as part of their business expansion efforts.
The organization’s traditional branch model was expensive, complex and created many ownership and agility challenges. The lack of agility posed the greatest obstacle for the organization. Their traditional growth strategy involved acquiring real-estate with very specific attributes in very specific locations. This required either a long-term lease or outright purchase of the building. This process took time – and if after much effort, the right building, with the right attributes, was not available in the right location, they had to make some tough decisions. Depending on the importance and priority of the area they either moved on to the next area or went through a resource and time consuming build out.
The organization’s chief strategy officer had a plan to address the burdens of their current slow and tedious approach to business and IoTs factored heavily into it. They would use a combination of ATMs and Interactive Teller Machines (ITM) as well as mobile banks to augment their web site and branch portfolio.
Their strategy was to continue the personal experience using ITMs that are capable of interactive video conferencing with a 24×7 centralized teller community. The teller community is able to support a very broad, geographically distributed network of ITMs that each function as a mini-bank. Customers can also receive live personalized service by tellers in the mobile banking units.
This approach meant that they could expand at a significantly more rapid pace while still supporting their entire product line. They were able to deploy their ATMs and ITMs in a matter of a few weeks rather than many months. They could also accomplish this at a much lower cost, avoiding construction, legal, compliance and security costs, as well as long-term lease commitments or acquisition costs.
Moreover, with their mobile banks, the organization would be able to go to their customers to provide services rather than be inconvenienced by having them come to a branch. On weekday mornings the mobile bank could be situated at major commercial and industrial areas. On weekend mornings, the mobile banks will be at the beach. Weekend afternoons servicing patrons at sporting events or the park and on Saturday night, concert and nightlife hot spots.
There are many benefits to this approach that include agility, coverage and adaptability to customer demands at a much lower cost. However there was one major obstacle – SECURITY!
These units would be located in a variety of locations including office buildings, airports, train stations, stadiums, hotels, courtyards and even operate curbside. The ATMs, ITMs, Mobile Banks and web site all used untrusted networks. Mobile network LTE and Satellite connections for roaming units as well as WiFi, and Ethernet networks provided by the building facilities for the others. In many instances they use some combination of connections for redundancy and availability.
Though it may seem common sense that ATM and ITMs have hardened cyber-security protection baked in, the actuality is shockingly the opposite. These units are purpose-built IoTs designed to serve a very specific purpose and many do not have much by way of cyber-security protections. It was both surprising and concerning to everyone!
This concern was borne out when the Acreto team was able to remotely access a test ATM via the Internet and successfully issue commands to it. This was a show-stopper for the organization.
In this series we will break down this use-case and discuss the security fundamentals necessary to protect platform of this type. As well we will breakdown the components of the platform, that range from clouds, SaaS, external vendors and IoTs. Finally, we outline how the Acreto platform was used to deliver simple, uniform and consistent protection for the entire ecosystem.
Stay tuned for part II – Security Fundamentals for IoT Ecosystems next week.