Johan Sys, the manager
of IoT Security at Verizon, sat down with us at the recent RSA Conference to
talk about issues in IoT security. Johan was both articulate and informative,
with some very useful advice. Below is our edited Q&A.
IoTP: What are Verizon’s security businesses?
JS: Verizon Enterprise Solutions provides cybersecurity
solutions for federal and corporate security, such as denial of service attacks
(DDoS) and IoT security. Basically, we cover the spectrum of solutions
(network, managed and advanced) for enterprises of all sizes and in a broad
range of verticals.
If you look at the companies we deal with we’ll get the
right people with the right expertise in that area to address their questions
IoTP: What do you find are the biggest challenges regarding
JS: The biggest challenge is the scale, the number of
devices out there, which, according to most everyone, will be in the billions.
IoTP: Does Verizon provide IoT devices?
JS: No, we partner
with different platforms, although we have our own set-top boxes for our FiOS service,
we’re not an IoT supplier. Although we do
provide technology for a car sharing program.
We have two innovation centers, one in San Francisco, where
you can see all the partners’ connected devices - we work with partners to test
their IoT devices on our network.
We also resell partner products in our Verizon Wireless
Destination stores, and do some resale, such as in wearables.
IoTP: Are you finding that people are concerned about IoT security?
Is it top-of-mind?
JS: In IoT, the requirements for security by enterprises are
top of mind – at least the people we talk to.
IoTP: Is Verizon’s security solution global?
JS: The IoT security and management platform is US only.
IoTP: What do enterprises need to know about IoT security?
JS: From the enterprise perspective, before starting an IoT
project, I would recommend that companies define very clearly their use case
and build security as part of the project. Don’t do it as an afterthought. Have
security as part of the roll out. Sometimes it may not be possible but, start
with something very specific and grow from there versus trying to do everything
at the same time.
However, there’s not one security model for all the IoT use
cases - health, smart cars and smartphones have differences in how you build
them. It’s not one size fits all. Although there are some common items; we discuss common guidelines in our DBIR (Data Breach Investigations Report).
My recommendations are to be sure to understand the purpose of
what you’re developing. Collect and transmit only the data you need to. Make
sure to have access control as fine-grained as possible. If you transmit data,
be sure it’s encrypted. Especially with the IoT, you have the risk of breaches,
but even a higher concern is privacy. Encryption is a requirement, but it’s
important to separate data from privacy. How you do that differs across the
IoTP: What’s the responsibility of the consumer when it
comes to IoT security?
JS: For the consumer community, do as you’re told. Keeping
up with updates is the biggest thing users can do. Don’t say “no” to updates.
Let it go through. From a credential point of view, use different credentials
for different devices, don’t use the same PIN number across devices; use different
passwords or PIN codes across the devices.
IoTP: What do you find exciting about all this?
JS: I love this question! The sheer scale of the IoT is
fascinating. Because of the scale and type and number of devices, the challenge
I like a lot to solve is to automate the heck out of security, which is
different than what’s happening now.
Another reason why I think IoT is fascinating is that there
will be many different new technologies over the next couple of years. In five
years’ time a lot of people will need to rethink their approach to the
Internet, from an architectural perspective.
I also believe that SDN (software-defined networking) will
play a big role going forward. We’re working with Cisco and other vendors on
SDN. See our news release.
IoTP: Tell us more about SDN and the IoT.
JS: Specifically for the IoT what is exciting is within the
corporate network. To connect via WiFi under corporate rules goes out the
window with IoT, especially with consumer devices. If people connect with WiFi
and Bluetooth, you have to assume connecting to a host network, and you’ll have
no idea who will be looking at it.
Basically, through SDN, you can extend your corporate
network to include a device more securely. Have a protected network on the
lower level. SDN is a big enabler for IoT security for the enterprise (although
not in every case), it’s pretty important for IoT security deployment.
With SDN you can reroute, you can almost have the network
include a virtual firewall and have the full network controls, which you couldn’t
There’s a lot of focus on collecting and analyzing IoT data
for breaches. The amount of data is so huge; the volume is too much for Big
Data and analytics. If you try to look at each packet, you’re generating too
much data. With SDN, you don’t have the traditional boundaries between intranet,
extranet and the corporate network, it’s elastic, so that helps.
By the way, Verizon recently announced its SDN
strategy as a whole (not specifically IoT), but worth a look.
IoTP: Talk more about issues with Internet architecture.
JS: It has to do with scale. For a long time IPv6 [note: the
way devices are assigned an Internet address] has been promised. IoT absolutely
needs it; we’re hitting the limit of IPv4 regarding the number of nodes. It’s
about how you can manage a billion devices.
IoTP: Do you find that business units, as opposed to IT, are
getting involved in IoT security?
JS: I would say so. Unlike other technologies, the business
users are concerned about security; it’s not a secondhand concern. Even though
major breaches haven’t happened yet with the IoT, I would say that the business
unit is asking for security from a risk management perspective.
Business units with consumer devices are concerned about the
cost of the device and the cost of security for billions of devices - just
think about even a couple of cents per device multiplied by millions. This cost
can be quite substantial, so that concern is again with the business units.
IoTP: What is Verizon specifically doing with IoT security
for its customers?
JS: Verizon’s position in IoT is specifically that in B2B,
you can’t not have security. What Verizon is adding to businesses are more
packaged solutions. My recommendation regarding deploying IoT security is, don’t
do it yourself, there is network deployment, firmware, and too many different
developments in the IoT ecosystem. If you want to accelerate deployment, partner
up with one, two or three partners and deploy with a packaged solution.