Episode 10: IoT Security
Organizations have only just begun discovering and benefiting from the opportunities provided by the Internet of Things. The ability to capture and analyze data from distributed connected devices offers the potential to optimize processes, create new revenue streams, and improve customer service. However, the IoT also exposes organizations to new security vulnerabilities introduced by increased network connectivity and devices that are not secured by design. And advanced attackers have demonstrated the ability to pivot to other systems by leveraging vulnerabilities in IoT devices.
For this episode, host Neira Jones is joined by Ellen Boehm, VP, IoT Strategy and Operations at Keyfactor, and Paul Hampton, Senior Product Manager at Thales.
Neira advises organisations of all sizes on payments, fintech, regtech, cybercrime, information security, regulations (e.g. PSD2, GDPR, AML) & digital innovation. With more than 20 years in financial services & technology, she believes in change through innovation & partnerships and always strives to demystify the hype surrounding current issues. She enjoys her work as a strategic board advisor and non-executive director. She also provides coaching, training/e-learning, speaking and payment security expert witness services, and helps with M&A cybersecurity due diligence. She likes engaging on social media & regularly addresses global audiences in person or virtually.
She is the 1st Advisory Committee member for PCI-Pal, a global leader in secure payments, & chairs the Advisory Board for mobile innovator Ensygnia. She is proud to be an Ambassador for the Emerging Payments Association and a friend of the Global Cyber Alliance. You'll find her on the Refinitiv list of Top 100 Influencers in Financial Services, the Planet Compliance Top 50 RegTech Influencers, the SC Magazine list of the UK's 50 Most Influential Women in Cyber-Security 2019, the Cybersecurity Ventures Women Know Cyber 2019 (100 Fascinating Women Fighting Cybercrime), the Jax Finance Top 20 Social Influencers in Fintech 2017, the City AM Powerful Women in the City List and the Richtopia Top 100 Most Influential People in Fintech. Tripwire nominated her "Top Influencer in Security To Follow on Twitter" in January 2015, CEOWorld Magazine nominated her Top Chief Security Officer to Follow on Twitter in April 2014, she is the Merchant Payments Ecosystem Acquiring Personality of the Year 2013 and the SC Magazine Information Security Person of the Year 2012, and she is an InfoSecurity Europe Hall of Fame alumna. She was voted to the Top 10 Most Influential People in Information Security by SC Magazine & ISC2 in 2010 & has served on the PCI SSC Board of Advisors for 4 years. She is a British Computer Society Fellow.
Neira has previously worked for Barclaycard, Santander, Abbey National, Oracle Corp. and Unisys. Her clients span industry sectors, including financial services, fintech, retail, legal, consulting, information security & technology.
She loves technology and cars...
Our Guest Speakers
Ellen leads the product strategy and go to market approach for the Keyfactor Control platform, focusing around digital identity security solutions for the IoT device manufacturer market. Ellen is passionate about IoT and helping customers establish strong security implementations for the lifecycle of their overall IoT systems.
Ellen has 15+ years' experience leading new product development with a focus on IoT and connected products in lighting controls, smart cities, connected buildings and smart home technology. Ellen has held leadership roles in Product & Engineering at General Electric and Sky Technologies over her career.
Paul spent over a decade working in the banking industry launching and securing online banking and early fintech initiatives. He joined SafeNet in 2011 (later acquired by Gemalto) and led the fast growing payment cryptography product business for eight years. Following the acquisition of Gemalto by Thales, Paul has taken on the management of Thales’ cloud cryptography services platform.
Businesses are increasingly confronted by the cost and complexity of protecting data across disparate IT infrastructure and hybrid cloud environments, a scenario made worse by a growing shortage of skilled security personnel. Paul can speak directly to these challenges, bringing broad cloud-related domain knowledge on topics such as cloud security and specific cloud service provider issues. He also brings deep business level expertise on the role of Hardware Security Modules (HSMs), in the context of these security challenges; he believes strongly that HSMs act as trust anchors that protect encryption and the cryptographic infrastructure of the most security-conscious organizations in the world, by securely managing, processing, and storing cryptographic keys.
Paul is a highly capable and knowledgeable security practitioner with an excellent grasp of information security as both a technical and a management discipline. He has over twenty years' experience in the industry and holds a number of certifications including CISSP and CISM. Paul's specialties include information security management, cryptography, software engineering and authentication.
About this Episode
Remember the early days of the emergence of Internet of Things (IoT) devices? The rush to market for consumers to enjoy the modern conveniences offered by these devices shocked the security community. Security experts were concerned that these devices were built with no security in mind. As more of these devices appeared on the market, those security apprehensions were found to be correct. Vulnerabilities have been discovered in many of these IoT devices. Has the security of these devices gotten better, or remained the same?
On the latest Security Sessions podcast, I am joined by a distinguished expert in the IoT space, Ellen Boehm, Vice President of IoT Strategy and Operations at Keyfactor. Ellen has extensive experience in cybersecurity, and specifically, the understanding of IoT risk.
IoT devices have grown exponentially in recent years, and are expected to exceed 64 billion devices worldwide in the next four years. This is massive growth, and an equally substantial risk footprint. What's more interesting is that these devices are no longer home-based novelties. They are present in every organization, in varying capacities and functions.
The good news is that security is no longer being ignored during the manufacturing of the devices. Due to the enormous scale of IoT growth, human processes cannot possibly keep pace with device security – therefore one solution for securing these devices is automation. This is not a simple task, as it involves all aspects of the device lifecycle, and of course a layered security model is essential.
In the podcast, Ellen agreed that numerous challenges arise because of the scale of IoT adoption, and built on the idea of a layered IoT security model by adding the concept of on-device key generation in order to uniquely identify every IoT device. Digital identification would fulfil a critical element of attaining a zero trust architecture, which is especially important for industrial technology edge devices. Secure firmware flashing is also a way to enhance assurance of device security, allowing for audit capabilities and controls around these devices.
There are also data privacy implications with IoT. In the absence of good security, two obvious privacy violations are spoofing the identity of a registered user, or even spoofing the device identity itself. Just as layered security can better protect a device, layered data leakage can assist an attacker in building a mosaic attack: an attack constructed from small pieces of information to build a larger picture of an individual or an organization.
Ellen's experience with medical clients gives her a more critical view of the need for data privacy with IoT devices. She emphasized the need to keep medical IoT data confidential, no matter how insignificant it may seem. Data manipulation of an IoT medical device can have a dramatic impact, not just from a life and death perspective, but also from a continuity of care perspective.
From a peripheral standpoint, the development and increased deployment of 5G technology will also impact IoT security. 5G will act as an accelerant for the growth of IoT. While there are benefits of increased bandwidth and connectivity, this also broadens the attack landscape. More devices and more information, moving more quickly, can create unanticipated opportunities for malicious actors.
Is there IoT security awareness training for employees who use the technology? Yes, and Ellen uses the example of a retail grocery store to effectively demonstrate the point. When we think of all the devices that operate in a supermarket in order to help it to function efficiently, each one of these endpoints presents an entry point to the network. Remote work has extended corporate networks, creating more access points. These are all parts of the specialized awareness that needs to be conveyed to the staff.
The rise of IoT has not gone unnoticed in government circles. Recently, the US signed the IoT Cybersecurity Act into law, directing the National Institute of Standards and Technology (NIST) to draft guidance for IoT vendors to implement security best practices. These guidelines and recommendations can often lead to the development of regulations.
Of course, regulations take time to develop, as well as to achieve passage into the mainstream. In the meantime, there are steps that organizations can take to secure IoT devices for the consumer. Best practices include strong identity and access management (IAM), as well as integration into a corporate IAM system. Along with that, strong encryption, certificate-based authentication, or the ability to layer an organization's certificate onto a device will go a long way towards creating a more secure IoT environment. Above all, automating these actions will enrich the process.
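The on-device key generation and certificate layering described above, as an added Go example that is not from the podcast, Keyfactor or Thales: the device generates its own P-256 key and sends only a CSR, a hypothetical in-memory organisation CA checks proof of possession before issuing a client-authentication certificate, and the backend accepts a device only if that certificate chains to the CA. The names DeviceCSR, NewCA, Issue and Verify and the serial "SN-0001" are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// must is for local setup steps (key generation, self-signing) that cannot fail on a sane host.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// DeviceCSR is the on-device step: the key pair is generated on the device itself and
// only a CSR (serial + public key, self-signed as proof of possession) ever leaves it.
func DeviceCSR(serial string) (csrDER []byte, key *ecdsa.PrivateKey) {
	key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key)), key
}
type CA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey } // hypothetical in-memory organisation CA
func NewCA(name string) *CA {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{cert: must(x509.ParseCertificate(der)), key: key}
}
// Issue rejects a CSR whose signature does not verify (no proof of possession), then layers
// the organisation's identity onto the device as a one-year client-authentication certificate.
func (ca *CA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}
// Verify is the backend's connect-time check: the device is trusted only if its certificate
// chains to this CA and is valid for client auth; on success it returns the asserted serial.
func (ca *CA) Verify(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

Exercise it from a test or a small main that calls NewCA, DeviceCSR, Issue and Verify in turn; a certificate issued by any other CA, or a CSR whose signature does not verify, is rejected.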
It is also important to remember that all these steps cannot be accomplished overnight. The IoT environment must be treated like any other part of the organizational infrastructure. A small device poses a risk equivalent to that of the larger systems, and must be treated with the same due diligence and due care.
Security Sessions Podcast
For the latest on cloud & data security
This podcast series explores the technologies, people, and processes behind information security. We’ll delve into topics like data security, remote access and digital transformation, as well as the people and technology that make it all work behind the scenes. We’ll speak to Thales and industry experts to bring you fresh perspectives on how to navigate the world of cloud security.
We invite you to subscribe to Security Sessions, a podcast bringing you insights from industry experts on the latest cloud & data security news and trends.
Listen to Previous Podcasts
Series 2 Podcasts
Episode 1: The 2021 Thales Access Management Index
The shift to remote working and the acceleration of cloud-based services have put a strain on identity and access management infrastructure. As remote access becomes the norm rather than the exception, many organisations need to evolve their security approaches in a world where there is no longer a defined perimeter, according to the 2021 Thales Access Management Index.
In this first Thales Security Sessions episode of series 2, François Lasnier, VP Authentication and Access Management Products at Thales, joins regular host, Neira Jones, to talk through the key findings of the report. They will discuss how COVID has introduced new security concerns around remote working, and explore some of the key challenges of trusted access in a cloud-first world.
Series 1 Podcasts
Episode 1: Real Threats for Real People – What has the pandemic taught us?
Are businesses being forced into digital transformation too quickly and therefore cutting corners? How do businesses adapt to the changing threat vectors as more valuable data gets pushed further out into the infrastructure due to remote working? These are some of the questions we are exploring with guests Rick Robinson and Todd Moore.
Episode 2: More digital, more risk: where is the trust?
More digital means more ecommerce, more digital payments, more financial fraud and cybercrime and ultimately more risk. Many organisations within the payment sector are being pushed into digitisation more quickly as they move to operate online to keep cash flowing – without doing the necessary due diligence on the best solution or vendor and with security not really on their agenda. These are some of the issues we are exploring with guests Arthur van der Merwe and Simon Keates.
Episode 3: Do you know who I am? The digital identity challenge
More digital also means more interactions where the various parties are interacting without knowing each other. This is linked to the much needed focus on digital identity, IAM, CIAM, authentication, behavioural analytics. Has the pandemic forced people’s perception of digital identity to change as they have been forced to accept the digital transformation in their own lives? Our host Neira Jones discussed this topic with guests Sundaram Lakshmanan and Francois Lasnier.
Episode 4: Time for the crystal ball – What to expect in 2021
In this episode we are looking ahead at what we can expect in 2021 and reviewing how 2020’s remote working, separation from family and teams have changed us. Have a listen to some of the interesting insights from Neira’s guests, Troels Oerting, Chairman of the Board of the World Economic Forum’s Centre for Cybersecurity (C4C) and Ashvin Kamaraju, CTO and Vice President Engineering at Thales Cloud Protection & Licensing.
Episode 5: The Challenges of Digital Transformation
Many businesses have been forced to accelerate their digital transformation strategies due to the pandemic and doing it successfully has become a major challenge. What do organisations do to transform their infrastructure to where it needs to be from a technology standpoint? The new threats are here to stay – so what is the best DX practice from a technology point of view? How do you focus on the technology process and preservation of your infrastructure?
Episode 6: Data Beyond Borders: The Schrems II Aftermath
Are the current rules and regulations for securing information and maintaining privacy fit for purpose when you think about the future? Do you think work and lifestyle changes brought about by Covid-19 will have a regulatory impact that we need to plan for? Neira discusses these questions with Enza Iannopollo, Senior Analyst at Forrester and Thales’ own Mukesh Chandak, Business Development Director.
Episode 7: More digital, more cloud: To trust or not to trust
More digital will mean more cloud. Now in the second year, the Covid-19 coronavirus pandemic has prompted an acceleration in the adoption of cloud technologies by IT leaders worldwide, which looks set to continue for the foreseeable future. Previously organizations have primarily looked at new application development and deployment for cloud, taking a ‘cloud first’ approach. However many have now pivoted towards a ‘cloud now’ approach. In this two-part episode Neira talks to Chris Harris, EMEA Technical Director at Thales and Vaughn Stewart, VP of Technology Alliance Partners, Pure Storage.
Episode 8: 5G – With Great Power, Comes Great Responsibility
5G is poised to change how digital technology-based solutions are delivered and consumed across different industry verticals by connecting people and devices using high quality services whenever and wherever. In this episode Neira is joined by Prashant Deo, Senior Information Security Consultant at Tata Consultancy Services, and Chen Arbel, Vice President Business Development, 5G & Cloud Security at Thales.
Bonus Episode: The Shift to Passwordless Authentication
Passwordless and FIDO authentication is one of the hottest topics on the radar of identity and access management professionals. While passwordless authentication offers convenience for end users, not all methods offer the same level of protection. In this special bonus edition podcast, Garrett Bekker, principal cybersecurity analyst at 451 Research, and Asaf Lerner, Director of Product Management at Thales, discuss the merits and various angles of moving to passwordless.
Episode 9: The 2021 Thales Data Threat Report
The shift to remote work and the acceleration of the shift to cloud-based infrastructure have profoundly impacted security teams. With the security risks and threats that these changes pose, most organizations have some work to do to improve their security posture, according to the new 2021 Thales Data Threat Report. In this episode, Neira Jones is joined by Todd Moore, VP Encryption Products at Thales, to talk through the key findings of the report. They’ll take a look back at the key trends seen in 2020 and the impacts of the pandemic that have carried over into 2021.
Episode 10: IoT Security Trends
Organizations have only just begun discovering and benefiting from the opportunities provided by the Internet of Things. The ability to capture and analyze data from distributed connected devices offers the potential to optimize processes, create new revenue streams, and improve customer service. However, the IoT also exposes organizations to new security vulnerabilities introduced by increased network connectivity and devices that are not secured by design. And advanced attackers have demonstrated the ability to pivot to other systems by leveraging vulnerabilities in IoT devices. For this episode, host Neira Jones is joined by Ellen Boehm, VP, IoT Strategy and Operations at Keyfactor, and Paul Hampton, Senior Product Manager at Thales.
Episode 11: Quantum Computing
The threat and arrival of quantum computers is ever-present with physics breakthroughs, more Qubits, quantum “supremacy”, and cloud service providers designing quantum computers, but what does it really mean to data protection? Is it really the end of encryption as we know it? In Episode 11 of the Thales Security Sessions, host Neira Jones is joined by Mike Brown, CTO at Isara, and Michael Gardiner, Solution Architect at Thales, to discuss the ways in which quantum computing will change the technology landscape, and how organizations can deal with the potential security threats that quantum brings.
Bonus Episode: Encryption in Quantum Resistant Networks
Network security encompasses the security tools, policies, and techniques used to monitor, prevent, and respond to unauthorized network access. Given such a broad definition, and therefore such a challenging approach, it is important that businesses know which key areas to focus on and which enterprise technology solutions they should look to for appropriate, airtight protection. Dr. Eric Cole, Founder and CEO of Secure Anchor Consulting, speaks with Julian Fay, CTO at Senetas, a global partner of Thales. The pair explore the primary concerns of network security within the realm of data in motion with the help of key findings from our latest global survey on the encryption of public/private networks.
Bonus Episode: Adopting the Shared Security Management Model
Shared security, also known as shared responsibility, is a cloud security management model that describes the distribution of enterprise data security management and accountability between a company and its cloud service provider(s). The framework essentially enables improved productivity and unparalleled agility, so why isn't every organization adopting it? Dr. Eric Cole continues with Chris Martin at Thales, delving into the main areas of organizational risk concerning cloud migration and vendor-native decisions before shedding light on the limitations of a single service provider. The guests then discuss the shared security model - its benefits and the implementation process. Final thoughts centre on what organizations need to understand about control over all users and how to build a best-practice shared security strategy.
Episode 12: Building a Trusted World for Crypto Payments
Bitcoin and other cryptocurrencies have exploded in value—making them an ever-more attractive target for scammers and hackers. So is cryptocurrency secure? How can businesses and individuals make sure they protect their digital investments? And what are the key security measures that should be implemented to secure the cryptocurrency backend? In this episode, we’ll be exploring the current cryptocurrency landscape, and how we can make a trusted world for crypto payments. Joining our regular host Neira Jones for this episode, we have Nitin Gaur, Director, IBM Financial Sciences and Digital Assets and Krishna Ksheerabdhi, VP Product Marketing, Thales.