IoT, The Cloud, and an Exercise in Trust...
The quote from W. Edwards Deming that closes this post has stayed with me throughout my career, that and the X-Files episode 'Trust No 1'. I've personally always questioned everything; it's just the nature of who I am and probably why a job in security has always fit me.
In my previous company, I was known as Captain Bottleneck. Now I am sure that whatever smartass put that on my office door meant it as a slight, but I wore it as a badge of honor. As the manager of the security department, I asked why on everything! Why do you need this port? Should we expose this to the internet? What's the patch process? And with the authority to do so, I had no problem slowing down progress for the sake of security.
But here we are... 2021, everything is connected, and data flies above our heads like clouds in the sky. I'm not trying to be a cynic on technology, I love tech! It makes life easier, and IoT is fun as hell to play with. I have a Wi-Fi enabled litter box... a litter box. But reading Nicole Perlroth's newest book and diving further into the world of cyber weapons, zero-days, and the underbelly of the digital world has given me some thought-provoking ideas.
The internet as a whole is one big trust fall. In the early days, you mostly had to worry that the attractive female you were talking to on AOL IM wasn't a 300 lb dude named Chuck in his mom's basement. But once e-commerce brought money into the picture, you had to worry about your cash flow. Take a look at the early days of eBay: scam city! Add in PayPal and you have protection against these scams. They still happen, and I don't know how these folks get paid, because PayPal almost always sides with the buyer. Still, there are many parts of e-commerce that take place outside of this realm. I buy and sell video games on Instagram as a hobby. It is a 100% trust exercise. We see pictures, we claim something, pay for it via Venmo or something, and then hope it shows up. Now, this community acts as its own version of the Bushido code and will quickly out scammers or people that seem shady, but what about our company data???
Why/how can we trust cloud providers? The cloud has quickly become a $100b market. Companies every day are 'forcing' themselves into the cloud transition because, I think, they believe they have to in order to keep up. (I say this from experience: a previous employer said we had to go to the cloud, and when asked why, the answer was "We have to get to the cloud.") There are many advantages to the cloud. Speed is probably the driving one, but are we sacrificing security for the sake of speed? I think my problem is this: how much are we willing to trust our data to be out of our possession? Because once you drop it on some S3 bucket or Dynamo table it may be yours, but it's not on a system you own. What keeps a disgruntled AWS engineer from swiping it and throwing it out for the world to see? Or a bad zero-day in AWS code that hasn't been patched? What nation-state could already have an employee working there to siphon off data?
These are all things I question. I know... all of this could happen in our own private cloud, but... you can fire someone that steals in your own office because they work for you. Amazon has 25k employees that work for AWS, and guess what, they are also your employees if you host with them, but you have no control over them.
IoT is a whole other lion to tame. I use a ton of it, I love home automation, but I also keep a deep level of control over it for a home user. It's on its own private Wi-Fi, separated by a security gateway from my user Wi-Fi, with only the ports each device needs allowed out. It is completely volatile. Last week I had issues that I had to rectify because a few of my vendors added more ports for certain functions that I had yet to allow through the gateway. Good luck finding all these ports... The vendors just want you to give it unfettered access to the internet and move along, clown!
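The "good luck finding all these ports" problem is easier if the gateway logs every new outbound connection from the IoT segment and you diff that against what you have already approved. The script below is an added example, not the author's setup: it parses constructed netfilter-style LOG lines (the `IOT-EGRESS` prefix, the `br-iot` bridge, the addresses and the per-device allow-list are all assumptions) and reports, per device, the destination ports a vendor has started using that are not yet on the allow-list.

```python
import re
from collections import defaultdict

# Constructed sample: a gateway LOG rule that records new outbound connections from the
# IoT bridge (prefix and addresses are made up; the field layout is netfilter's LOG format).
SAMPLE_LOG = """\
Mar 12 08:01:11 gw kernel: IOT-EGRESS IN=br-iot OUT=wan SRC=10.20.0.21 DST=203.0.113.10 PROTO=TCP SPT=50214 DPT=8883
Mar 12 08:01:12 gw kernel: IOT-EGRESS IN=br-iot OUT=wan SRC=10.20.0.21 DST=203.0.113.10 PROTO=TCP SPT=50215 DPT=8883
Mar 12 08:02:40 gw kernel: IOT-EGRESS IN=br-iot OUT=wan SRC=10.20.0.34 DST=198.51.100.7 PROTO=UDP SPT=41000 DPT=123
Mar 12 08:03:05 gw kernel: IOT-EGRESS IN=br-iot OUT=wan SRC=10.20.0.34 DST=198.51.100.9 PROTO=TCP SPT=41233 DPT=443
Mar 12 08:03:09 gw kernel: IOT-EGRESS IN=br-iot OUT=wan SRC=10.20.0.58 DST=192.0.2.77 PROTO=TCP SPT=39001 DPT=8080
"""

LOG_RE = re.compile(
    r"IOT-EGRESS .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Assumption: what each IoT device has already been approved to reach (mirrors the gateway's
# allow rules). Anything else that shows up in the log is a port the vendor added.
ALLOWED = {
    "10.20.0.21": {("TCP", 443)},
    "10.20.0.34": {("UDP", 123), ("TCP", 443)},
}

def parse_egress(log_text):
    """Return one (src, dst, proto, dport) tuple per IOT-EGRESS line; other lines are ignored."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])))
    return flows

def unapproved_ports(flows, allowed):
    """Group flows by device, keeping only (proto, port) pairs not on that device's allow-list.

    Returns {src: {(proto, port): hit_count}} so the noisiest new port stands out and
    devices that stayed inside their allow-list are absent from the result."""
    report = defaultdict(lambda: defaultdict(int))
    for src, _dst, proto, dport in flows:
        if (proto, dport) not in allowed.get(src, set()):
            report[src][(proto, dport)] += 1
    return {src: dict(ports) for src, ports in report.items()}

if __name__ == "__main__":
    for device, ports in unapproved_ports(parse_egress(SAMPLE_LOG), ALLOWED).items():
        for (proto, port), hits in sorted(ports.items()):
            print(f"{device} -> {proto}/{port} ({hits} new connection(s)) not on allow-list")
```

Each reported port is a decision point: add it to that device's allow rule if the vendor's release notes explain it, or keep it closed and see what breaks.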
The use of IoT is quickly becoming ubiquitous, especially in America, where we love an easy button. Everything is IoT, and while it makes life easier, it's also a lot easier to disrupt life when it fails. We are not far from a world where someone just decides to shut off all utilities until they get paid, or imagine a hospital's IV pumps all going off at the same time until someone gets their money! It's like robbing a bank without having to leave the comfort of the couch!
I hope this provokes your own thoughts, and I would love to hear them. I'm not trying to convince anyone to move away from the cloud or away from IoT. These are just thoughts I previously didn't dive into, just my inner Bottleneck coming out. I see us in a very quick transition from owning our data to trusting ownership to three companies we have no control over. I'm sure if I sat down and read all the EULAs there are protections in there in regards to data theft... but I can almost guarantee those protections are not for you.
In God we trust... All others bring data.
-Adam
Very thought-provoking, Adam, and I guess I will be on the lookout for that book. I have always been one to question why with everything; some people don't always appreciate that, but it is my nature. I think that even on the simplest things, like downloading an app, we are blindly being forced to accept T&Cs that we have no way of redlining as a user. I would like to see more coming out of #Apple for end-users to be able to say yes or no to specific verbiage in T&Cs. Just a random thought. 😁