Technology has changed the world radically. But, to date, the world hasn’t changed as fast as technology to. There are a couple of concepts that are concerning as we head into the reality of CPS-deployed systems. The first is that standards don’t exist.
Many companies are considering the Bring Your Own Device (BYOD) conundrum, evaluating the value and cost (as well as the risk) of allowing employees to bring their own devices to work. The value for the company is that a single device now connects each employee to the company. It also connects them to their life, which means they will always have their work phone with them.
It opens a door, and once that door opens, not even Pandora will be able to close it.
My phone is a component of the personal operating space called my personal cloud. When you, as my employer, enable a BYOD program, you are inviting my personal cloud into the Workplace. By default, you are also allowing me to connect my personal cloud to your network. The image that comes to mind here is of Charles Schulz’s character Pig Pen. My personal cloud extends all around me like Pig Pen’s dirt cloud.
(Image Source: Wikipedia)
And there’s another problem to consider. CloudTweaks is full of articles on the ever- expanding reality of the Internet of Things (IoT), more properly called Cyber Physical Systems (CPS). Why CPS and personal clouds? Because your corporate network is connected to every single CPS device my phone is connected to. I am the Trojan horse. I bring the Greek warriors inside your corporate security and, without knowing it, I am also the one that opens the trap door.
Some of the devices I connect to are harmless. But, given that they are simple harmless devices, someone can modify them. Do I care if there is suddenly a red dot in the upper right corner of my home weather station? Nope, I just need to know how much rain is falling on my house. But that dot isn’t a nice dot. It is sort of the modern equivalent of a laser targeting dot. We see them on TV all the time, when the bad guy suddenly realizes there aren’t two guns pointed at him but 200. I can mandate that all BYOD devices have Bluetooth disabled and are not directly connected to the corporate Wi-Fi network, but I am just putting lipstick on a pig, as the old saying goes. Once that phone connects to and moves corporate data, I am at risk as a company.
Beyond the personal cloud, there is also the issue of the home cloud. I call it the home-private cloud because it is a stationary-managed solution that provides computation and storage for the people who live in my home. It, along with my personal cloud, are now happily connected to your network. My Trojan horse that I carry in my pocket is connected to an even bigger Trojan horse.
Now, I am not advocating that enterprises send their IT security professionals to every house that connects to their network. There need to be easily managed personal and home-private cloud security standards, and by easy I mean automatically deployed. If you connect to a corporate network, that network can connect to the security control center of your network and verify that it hasn’t been modified or hacked. If it has, quarantine the phone so that the Trojan horse can’t be deployed. The same is true of my personal cloud. Having standards that include easily deployed and managed security settings will at least keep the horse in the barn. It won’t roll the Trojan horse into the middle of your corporate network and then hand it the keys and say, “Have at our corporate secrets.”
We need simple security standards for home-private and personal clouds. They don’t have to include complex security rules. Rather, they could consist of a single chip in the phone and a single device in your home that will tell you if, in fact, that cloud has been compromised.
Dismantled Trojan horses make great firewood for the winter.
By Scott Andersen