What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, Fitbits send emails to wearers with their weekly status reports, and IBM has integrated Watson with Alexa/Google Home, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

Why Aren’t Cloud Vendors Pushing Encryption More?

Microsoft is currently embroiled in a major legal dispute with the US government. US prosecutors, seeking to gather evidence from a Microsoft cloud customer in a drug-related case, are asking for Microsoft to turn over various customer records even though the data in question is held in an Irish data center. Microsoft has argued that the US government has gone too far with this request because the data is held in a foreign country and that authorities in that country are not involved in gathering the data. The government has argued that this case does not violate the sovereignty of a foreign state, since Microsoft can produce the requested data remotely without use of its staff members in another country. The case, which started in 2013, has been escalating: Microsoft has refused, thus far, to turn over the data and a number of companies (including AT&T and Apple) and others have filed friend-of-the-court briefs in support of Microsoft’s position.

Aside from a number of legal, ethical and political issues – as well as the big issue of how successful cloud computing can be in the future if any government can demand information from a data center in any other nation – this case raises the importance of encrypting data in the cloud. For example, if Microsoft’s customers could encrypt data before it ever got to the company’s data centers, and if Microsoft did not have access to the keys to be able to decrypt this content, requests for data from government or anyone else would be rendered moot. Of course, the US government in this case could have pushed the party whose data is being requested to provide the keys, but the important point for Microsoft is that they would have been only minimally involved in this case, if at all, since they would not have had the ability to produce the data. This presupposes that the US government could not crack the encryption that was employed, but that’s another matter.

Moreover, if the customers of cloud providers encrypted their data before it ever reached a provider’s data center, this would offer the latter the quite significant benefit of not being culpable if their customers’ data was hacked in a Sony-style incursion. Unlike the Sony situation, which has resulted in the publication of confidential emails, pre-release films and other confidential material, well encrypted content could probably not be accessed by bad guys even if they had free run of the network. This would help cloud providers not only to avoid the substantial embarrassment of such a hacking incident (which, I believe, is inevitable for at least one or two major cloud providers during 2015), but it would also help them to avoid the consequences of violating the data breach laws that today exist in 92% of US states.

Cloud providers should be pushing hard for their customers to encrypt data, if for no other reason than it gets the providers off the hook for having to deal with subpoenas and the like for their customers’ content. In this case, for example, Microsoft could have avoided the brouhaha simply by being unable to turn over meaningful data to the government.

The bottom line: cloud providers should push hard for their customers to encrypt data where it’s possible to do so, and customers should be working to encrypt their content where they can.