Nikhil Batra, Research Manager – Telecom, IDC said that 37m accounts had been hacked, with 9.7GB of data including names, addresses, and credit cards. He presented market research around cloud security, opening with a dramatic analysis of the highly publicised hack of Ashley Madison, a website for those looking to have an affair.
With IoT, Batra said, hacks have much bigger repercussions. Examples included hacked cars, where a connected car means relinquishing control to technology, and drones which have fallen out of the sky. He saw security solutions shifting to a more proactive approach, with security representing 12-15% of cloud spending today.
Andy Solterbeck, Regional Director – APAC, Cylance, said the capabilities of cloud security service providers were orders of magnitude more sophisticated than those of enterprises. The problem is that the attack surface is the network endpoint – where 95% of all attacks start.
Ashok Vasan, Vice President, Digital Transformation – Asia Pacific & Japan, CA Technologies, said that his company provides security and digital transformation in the cloud. Hybrid cloud is the future, he said, and its multiple entry points mean that identity management is critical. Application and services developers need to build security into their services, he said.
Brendan Leitch, Director of Marketing, Asia Pacific, Ixia, said security in the enterprise means managing end user devices and enterprises need high levels of granularity and visibility of cloud-based data. He pointed out that most large enterprises are not ready to put production apps such as Oracle databases and other transactional systems, along with SSL decrypt systems into the cloud.
Peter Lunk, VP of Marketing, Menlo Security, said some customers are still providing complete access to everything to some administrators, and the first thing is to close those accounts down.
Frank Wiener, VP Marketing, Wedge Networks, said his company has virtualised security software to protect the cloud. Larger enterprises are definitely ready for the cloud, he said, but SMEs don’t have resources to do that. And the threat landscape and attack surfaces are changing as enterprise boundaries have dissolved. He agreed that endpoint security was essential but that but a security layer in cloud was just as necessary, which is where service providers can help.
Sunny Tan, Head of Security, SE Asia, BT Global Services, said customers expect security to be there, they also ask us to resolve security problems. He agreed that the attack surface is changing and that customers are now asking about the Internet of Things.
Wiener said the service provider is in ideal position to inspect packets flowing to/from a device so we work with them, allowing them to offer Security as a Service.
Solterbeck said the IoT challenge is that it is a low resource environment, in terms of power and items such as memory. To secure that environment means security must be embedded in endpoints to mitigate the spread of malware.
Vasan said the IoT isn’t fully understood yet. As an example he cited smart TVs, which have an operating system and connectivity, which means vulnerability extends right into the OS. He said the open API culture drives digital disruption but it also opens up devices and potentially the enterprise to the Internet. So those devices need to be securely governed and managed.
Leitch said he saw some verticals adopt IoT aggressively such as hospitals – they take on their own testing of endpoints and connectivity, similarly airports in Asia which invest heavily in sensors for baggage and aircraft. Car makers are very cautious, he said, and only interconnect audio first.
Wiener said there are a lot of implications to the IoT with very critical issues in areas such as infrastructure like dams and cars. People are looking at hijacking control, communications to a device – are they consistent with what’s expected for a particular device. The IoT is an area of evolution, is not mature, and constant change is to be expected.
For Cylance, Solterbeck said that current approaches are not working. Our Dust Storm report found Japan’s infrastructure was compromised so we need to shift the approach fundamentally, he said.
Vasan said that it is difficult to conceptualise what testing needs to be done, and the cost is huge – for example, if a commercial aircraft is one of the Things, so we need to simulate the environment. This goes too for water control devices, medical devices, cars etc., nd this in turn means we need realistic test scenarios.
Leitch said that all device makers do testing before shipping. But while they test devices and the architecture, that’s not enough. We say people need testing – how are they organised, do they respond to attacks, what plans so they have and how do they execute against that plans, etc. so people testing is that last level of testing, he said.
Courtesy: NetEvents
