IoT in India: Security ChallengesCisco's Pravin Srinivasan on How to Mitigate Emerging Risks
The business imperative to leapfrog and embrace new, disruptive technologies has left the Indian security infrastructure a patchwork of solutions, processes and services, replete with gaps and redundancies.
Yet, even as organizations shake off red tape and lethargy in an effort to consolidate and streamline their infrastructure, the Internet of Things emerges and promises to make the waters even murkier.
Scalability is one issue that is going to become synonymous with IoT, says Pravin Srinivasan, head of security sales at Cisco India, And the security aspect of IoT is going to be no different.
"There exists a large security infrastructure that has been built over the last three to four years - a lot of it is in response to the specific trends and needs. IoT is going to drastically increase the attack surface with many more devices, operating systems, protocols, and endpoints connecting to the network," he says.
In this interview with Information Security Media Group, Srinivasan shares insights on the foreseeable challenges and how organizations can plan ahead to secure the emerging IoT landscape. Srinivasan also discusses:
- Security parameters of the emergent Indian IoT ecosystem;
- IoT challenges and hurdles in India;
- How to future-proof existing security infrastructure for IoT.
Srinivasan has more than 15 years of industry experience, the last nine years at Cisco. Most recently, Srinivasan was part of the India Commercial team where he was responsible for the development and execution of the "Vertizontal" strategy - working with the field sales/PSS teams as well as with partners to build business and vertical solutions. Before joining Cisco, Pravin worked with Dell India and Wipro Infotech.
IoT and Security
Varun Haran: What is the situation in India with respect to the Internet of Things?
Pravin Srinivasan: I would say a lot of our customers are in the initial stages of evaluating how IoT strategies will benefit them. This is across verticals - manufacturing, hospitality, healthcare. They are at various stages trying to evaluate IoT.
From a security perspective, they all are pretty aware that security could be a big show-stopper, or it could become a complete enabler for millions of devices onto the network. Because the issue with security and IoT is that it drastically increases the attack surface, which means that there are so many more devices, operating systems, protocols and endpoints, so there are a lot more pathway into the network. So, accordingly, a lot of the customers that we are talking to are not only evaluating the benefits of IoT, but also how to address the inbuilt security challenges.
If enterprises envisage bringing onboard a large number of devices in an IoT environment, I see two or three main challenges, vis-a-vis the existing security infrastructure. Probably the most important one is the inability to scale. Today what has happened is that there exists a large security infrastructure that has been built over a period of the last half a decade. A lot of it is in response to the specific trends and needs. For instance, an organization decides that they need an extranet to bring a dealer onboard, and so they invest in the security solution to enable it. Now when you start to expand that - and that's a basic example - so instead of connecting PCs, you start connecting tablets, mobiles, laptops and other devices, maybe even cars, the scalability of the infrastructure comes into question because it was never designed to scale to thousands of disparate devices. This is one of the primary challenges for IoT implementation.
The second challenge that we see is that a lot of security solutions are very legacy, perimeter-based solutions. However, IoT is very closely linked with large amounts of computing, analytics, big data, and a large part of this is happening in the cloud. How do we scale the existing security infrastructure to the cloud in a seamless manner while thinking about IoT at the same time is another challenging question.
The third aspect is that moving to IoT is going to give rise to new threats and challenges that may require a different kind of security solution. How do you seamlessly integrate your existing security solutions with the new solutions so that [they] do not become a silo? These are some of the challenges that I definitely foresee if one just tries to take an existing security solution and then bring it into the IoT world.
Haran: What are some of the things that Indian enterprises can do to plan in advance to plug these holes and prepare their infrastructure for IoT?
Srinivasan: The first thing most organizations need to do is figure out what [IoT] connectivity is required for each business for which they will get the best bang for their buck. The context in which they implement IoT will define their risks. This means evaluating what benefit and what part of the IoT universe they would like to implement that makes sense to their business. For every organization the benefits are going to be different. For instance, the biggest benefit to a hospital is automating stuff like ICU equipment, so that every single monitor is on a single network and all talking to each other. This can help hospitals overcome the shortage of skilled staff that are needed to take care of high-end equipment. A lot of Tier-III cities face the lack of skilled manpower, but what if monitoring can be done centrally for every equipment and every patient? This would allow the hospital to scale more efficiently and treat more patients, at the same time indicating the areas that need security scrutiny
The second part is to adequately analyse the current infrastructure and select the right security solution that helps them scale to meet upcoming needs five years down the line. This is a lot more complicated because in a lot of cases technology is developing. What was not possible six months down the line is very much possible today, and stuff which we think is science fiction today will be reality in two years' time. So a road map needs to be built which takes into account drastic changes in technology itself.
The security part of this equation is much more complicated. Like I mentioned, it's not just about tapping hundreds and thousands of devices. It's different operating systems, network, protocols and different manufacturers. So we will have to figure out first what is a benefit, where do you want to go, what's the existing infrastructure and then a phase-wise approach needs to be built - what is possible today and what is not, which can be added as it becomes available? So it's not a fixed three- or five-year plan, it's a completely living plan that keeps changing every six months and needs to be revisited. All of this needs to be done in parallel to ensure that your IoT plan starts to make sense.
Haran: So, what is the situation on the ground when you speak to your clients? Are they talking to you about IoT? What are some of the challenges that they are highlighting?
Srinivasan: Sometimes we don't have clients who will call us and start the conversation saying I want to do IoT, or I want to do IoE. To be honest, I don't think the conversation can start that way. So, a retailer would speak to us about how to make their supply chain a lot more efficient, cost-effective, which means tagging every single element with wirelessly enabled tags, so it can be tracked from start to finish. While that is a wonderful example of IoT/IoE, the conversation is not necessarily IoE.
We have hospitals we are speaking to where we are figuring out how to ensure that every bed or every equipment above a certain value can be tracked in real time. We are talking to hotels to ensure that the guest experience is much better, and with manufacturing firms. Even government organizations are looking at increasing the surveillance so that they are not just tracking people, but also tracking equipment. So it's more contextual and specific to their business needs and those are the kinds of conversations that are gradually taking place. In fact, lot of them probably don't even realize that that's an IoE conversation.
Privacy, Legislative Issues
Haran: What is the kind of legislation that you anticipate will be required to administer this growing ecosystem of devices? What are some of the privacy concerns and how do you see it panning out in India?
Srinivasan: To be very honest, from a legislature prospective, I may not be an expert in the field. But there are certainly going to be challenges. For example, many companies have started opening up to BYOD. In such a scenario, to what extent does the data on the device belong to the organization or does it belong to the user? The network belongs to the organization, but the device belongs to the user, but the data is both on the network and the device, so at what point does the ownership change hands? That's a bit of a gray area, for starters. And if you scale that to an IoT perspective, it is even more so: Where does the line blur between an organization and a user?
Privacy concerns in India are at a nascent stage because a lot of organizations are now just scratching the surface, and they are first looking at implementing stuff. I don't think any organization has actually looked very closely at the legal side of things, while these things may have started gaining momentum in more developed markets. Legal challenges are coming ... but if you ask me currently what those are, I would be hard pressed to tell you because right now we don't have full visibility into what the regulatory or legal challenge might be in this nascent ecosystem.