It would, of course, be enormously embarrassing if one of S2's competitors were to break into its product, especially during a presentation, and it cannot be denied that there are people in this field who would be amused by, indeed proud of, such an exploit. Responsibility for securing S2 from such a debacle falls to the company's COO, Michael Welles. According to Welles, the basic architecture of the S2 system runs browser-to-controller-to-devices. Until now, most attention has been focused on the browser-to-controller link, perhaps because external connections are supposed to be riskier. In fact, the second link is just as important, but today few controllers encrypt the device end of their communications. Here, Welles can eat his own dog food: S2 makes a product that encrypts both the commands going to the devices from the controller and the device outputs flowing back to the browser. Password protection is laid on top of these encryption layers. External access can come over a VPN or other secure link.

Repeat as Necessary

Four general principles govern device networking security. The first is logical separation enforced by encryption (as we said). The second is proactivity. Secure Science's James believes a CSO ought to draw up a comprehensive threat model that includes the risks his company is likely to encounter at each stage of its growth, including important changes in status (such as going public), and build in the necessary protections, including training and standards-setting, as far ahead as possible. "The sooner security measures get built into policies, procedures and architecture, the better," he says.
The third is to use the strengths of the network, its reserves of processing and connectivity resources, to fight its weaknesses. Networks are built up out of layers of protocols or standards. The physical layer concerns what cables and cards and chips need to know about each other so that they can exchange zeros and ones; the application layer sets the rules by which applications interact; and so on. Good device networking security practice watches activity on several layers at once, from application requests (printers probably should not be Web surfing) to department access rights (why is customer support sniffing around in maintenance?).
"Watching" here means that the network is continuously comparing its current condition to "normal," which is defined by a combination of corporate policy and historical norms. Whenever the network sees a departure from the norm, it rings the authorities, like the credit card companies that call you when your card is used for a transaction in Nigeria.
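
The comparison against "normal" described above can be sketched as follows. This is an added example, not code from the article or from S2; the policy tables, device names and flow fields are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src role dept segment app")

# Constructed policy (assumption): protocols allowed per device role,
# and network segments each department may reach.
ROLE_APPS = {"printer": {"ipp", "snmp"}, "workstation": {"https", "smb"}}
DEPT_SEGMENTS = {"support": {"support", "shared"}}

# Constructed sample traffic: HISTORY is past activity, TODAY is being watched.
HISTORY = [
    Flow("prn-01", "printer", "support", "support", "ipp"),
    Flow("ws-07", "workstation", "support", "support", "https"),
    Flow("ws-07", "workstation", "support", "shared", "smb"),
]
TODAY = [
    Flow("prn-01", "printer", "support", "support", "ipp"),
    Flow("prn-01", "printer", "support", "shared", "http"),
    Flow("ws-07", "workstation", "support", "maintenance", "smb"),
    Flow("ws-07", "workstation", "support", "shared", "https"),
]

def build_baseline(history):
    """Historical norm: the (segment, app) pairs each source has used before."""
    seen = defaultdict(set)
    for f in history:
        seen[f.src].add((f.segment, f.app))
    return seen

def check_flow(f, baseline):
    """Return the reasons a flow departs from normal; an empty list means normal."""
    reasons = []
    if f.app not in ROLE_APPS.get(f.role, set()):             # application layer
        reasons.append("policy:app")
    if f.segment not in DEPT_SEGMENTS.get(f.dept, set()):     # department access rights
        reasons.append("policy:segment")
    if (f.segment, f.app) not in baseline.get(f.src, set()):  # historical norm
        reasons.append("history:new")
    return reasons

def watch(flows, baseline):
    """Pair every abnormal flow with its reasons; normal flows are dropped."""
    return [(f, r) for f in flows if (r := check_flow(f, baseline))]

if __name__ == "__main__":
    for flow, reasons in watch(TODAY, build_baseline(HISTORY)):
        print(f"ALERT {flow.src} -> {flow.segment}/{flow.app}: {', '.join(reasons)}")
```

The last sample flow is permitted by policy but has never been seen before, which is why the historical check is kept separate from the policy checks.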