If you've ever watched video of a large building being “imploded” you'll know the feeling. There's an instant, between when the explosives go off and the building starts to collapse, when it looks like everything might just hang together. The moment when the bricks and the beams all seem to float suspended – just for a moment – before they transition from “building” to “collection of falling parts.”
Welcome to your view of 2015. Because, by 2016, that's what it's going to feel like. It will feel like the last instant when we had control, when the pieces were together, when we knew where everything was.
You see, the explosion has already begun, and while the pieces of what we currently think of as “information security” are still hanging suspended – despite the irresistible forces pulling against them – it's only an illusion. It's all about to start coming apart.
The metaphorical explosion, in this case, is the very real explosion in the number of “things” that make up the nascent Internet of Things (IoT). The advent of immense numbers and types of portable, wearable or simply smart consumerized tech is going to change the way we think about corporate and information security forever. We've spent a lot of time discussing the slow death of the perimeter, or whether there's a new perimeter (in the cloud, around your data, on your person, etc.). It won't matter, because someone just triggered the explosives, and most of us never saw the TNT being carried in the front door.
The IoT will change everything. Everything. And while it will take time for the full import of those changes to become clear, what we can be sure of is that the ideas that have formed the core of our thinking when it comes to information and security will no longer be relevant. They won't even make sense.
Consumer IoT devices are already walking in the front door of your business every day. Health-monitoring tech and internet-connected cars and smart devices of every type are already becoming the norm. If you thought bring-your-own-device (BYOD) was annoying, this is going to feel like living through some kind of biblical disaster movie.
Personal IoT devices will infest your network in numbers so great that you will barely be able to manage the traffic, let alone keep the data secure and understand the inherent risks of all that unfettered communication and data sharing.
It's going to require us to abandon much of the device-centric thinking to which we've grimly, stubbornly clung, despite every indication that it no longer works. Even data-centric security may seem quaintly anachronistic, once the data becomes so difficult to track and manage. The challenge of the IoT is that its sheer scale, its utter, massive, chaotic scope, will overwhelm every attempt to keep it under control.
If the move to cloud required us to gracefully surrender some degree of control, the advent of the IoT will demand an almost zen-like acceptance of a world in which little is visible, let alone managed. Attackers, never tied to any particular world-view, will quickly embrace the opportunities of all those unmanaged, unsecured things walking in your front door every day. IoT devices – designed to be simple, inviting and easy to use – will consistently err on the side of “user-friendly” at the expense of being secure. Any assumption otherwise ignores decades of bitter lessons about the forces of the consumer technology market – and the bad guys know it. So, while we might be stressing about how to deploy mobile device management to employee-owned smartphones, the bad guys will simply skip ahead and attack something else, because there will be so many something elses to attack.
In case anyone is quietly thinking to themselves: “Yes, but not in my network,” please refer to similar comments regarding personal laptops, cloud services and smartphones. I think Don Quixote is looking for some company tilting at windmills, if you're available later.
So, the explosives are in place, the button has been pressed, and we're watching the world that we lovingly crafted over the past decade or so hang there in space, waiting for the inevitable to happen.
And, while this may be some years off yet, we'll see 2015 as a year in which the first pieces of the old world order begin to separate and collapse, giving us that glimpse of how the new world will look.
For the year 2015, we must therefore begin to clearly and directly face the reality that the old, device-centric thinking will no longer scale to meet the problem we are facing. There are simply too many devices to manage. Furthermore, we must accept, without reservation, the brutal shift in power that has already occurred between the hierarchical “IT can decide what tech you use” and the reality of consumerization in which the IT department is lucky if someone even tells them what they are using.
Security teams must spend 2015 preparing for a world of wearable, portable, smart tech that is as promiscuous in its data sharing as it is varied in its form factor.
Because the attackers are...and they've seen this particular disaster movie before.