He says, "...it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that." In this interview, Steve talks about how (surprise!) the current BYOD trend is making things worse, but isn't necessarily responsible for the worst security holes, and offers benefits that might outweigh the increased security risks it brings. (Note: The transcript contains material not included in the video.)
Slashdot: I am Robin Miller for Slashdot and with us today is Steve Hasselbach from Peak 10, and we are talking about the Internet of thingies, which, as you know, from having watched Slashdot, my friend Tom Henderson and I are somewhat obsessed with, including the time when we found the easily hacked internet coffee pot. And we thought that was amusing but stupid. Now Steve, of course, is talking about a little bit more enterprise and a little bit more useful things. So Steve, what are people getting, I mean corporately, out of allowing things on their network?
Steve: Well, what they are getting when they allow these things on the network is they are allowing that user to probably be a little bit more productive in their job. They might have found something that’s a little bit useful for them in their personal life and they want to bring that into the business life. Similar to the Smart Hub—to this thing right here. There were days when we would connect one of these things to a network and now you connect it to the network. Then there is the concept of bring-your-own-device.
Steve: Now people or companies don’t want to necessarily pay for the laptops, well the users want to use their own laptops--there you go. Because we are controlling, right. We want to control all these things. I want to sit at my desk, I want to control that coffee pot. I want to control that refrigerator. I want the refrigerator to tell me when things are out of that refrigerator or when they are empty, ‘you need to do this’, or ‘you need to do that’. Well, that’s great. So we’ve got these connected things, right? And they all run, they have to run some sort of operating system, right, there’s something core there, they are not running something big and heavy like Windows. They are running something nice and lean like they are going to run like a version, some version of Android, a fork of Android or some lean and mean Linux, a meaner version of Linux or something like that. It can run on really small really inexpensive hardware. And now those are connected to your Wi-Fi. There are tools out there that allow IT shops to be able to enforce policies on your devices before they are able to connect to any type of secure corporate network.
Steve: That’s one thing that they’ll do. The other thing that they’ll do is they’ll have their private secure corporate network where they can enforce everything on it, but then they’ll also add the guest network that’s there. So when somebody comes in to the conference room from outside and they need to get on to the Wi-Fi and they’ll say, “Look, you are not connecting that thing to our network, but you can connect it to this guest network,” where they have a lot more security restrictions on the network itself, where I don’t care what happens on that side of it, but that thing’s going to have to go through all the corporate firewalls and everything else just to be able to get to talk to any of our assets. So there are tools that allow them to control those things. And the first line of defense really is that wireless network. Because all these devices, the internet of things it is all about wireless. So you have to have your protections and control. Who can get on that secure wireless network, and then who can’t get on that with those things. So in my line of business, Peak 10 is in the data center business.
Steve: So I meet with prospects all the time who are looking to move into the cloud or they are looking to move in to one of our data centers and put their stuff in there, so I get to see all kinds of businesses. I get to see the finance businesses, and the healthcare businesses and all over the place, the ones where there is heavy regulation—it is out there. And it used to shock me, it doesn’t shock me anymore, but you’d be so shocked and surprised at how noncompliant this country is in terms of businesses around things like healthcare data and all that. And it is not the big hospitals. The big hospitals that we have as customers they are doing a pretty good job at it.
Steve: It is a big task for them. They are doing a good job.
Slashdot: Yeah, well, they have IT departments and they have enough money they can hire smart people.
Steve: Exactly. It is those medium sized ones and small ones that can’t afford or don’t have the expertise. And so now thrown on top of this, is the fun IOT device that they want to bring in that makes their life easier.
Steve: They have no clue, they have zero clue whatsoever about how to secure that, and what’s involved in it. They just know that it is fun and that it works and that it is great. So what I really worry about is down the road, so what’s the lifespan? The lifespan of somebody’s IOT devices might be six months to a year. They might just get a gadget that’s just a disposable gadget, but then there is those couple of devices that you get that hang around for two or three or four or five years—it is something like a GPS tracking device that logistics companies use to track their trailers all around the country. Those things once again, are probably going to be in service for quite some time. After a while, after a year or two, they start putting out new versions of the product, and they stop patching the old ones.
Steve: So we’ve got all these security vulnerabilities that get discovered or not discovered and there is no patching that is going to take place on there. And you cannot control that. There is nothing you can do except to say, “Look, you’ve got to upgrade these devices every year.” And so when you talk about, what is the impact to enterprise IT? Well, there is going to be potentially a big monetary cost. It is not just about bring-your-own-device. It is about the ones that businesses are buying and using to help support their organization.