IoT Channel Chronicles: 10th Magnitude Teams Up With Microsoft To Secure Medical Supplier's IoT Solution
10th Magnitude Pushes Internet of Things Security
Microsoft is looking to its channel partners to bring its Azure IoT Suite's security services to customers deploying Internet of Things applications through a new Security Program for Azure IoT. And one of its partners, Chicago-based 10th Magnitude, is amping up its IoT security strategy. As part of the program, 10th Magnitude has developed a security framework within its IoT practice. 10th Magnitude's IoT security audit involves an evaluation phase, including threat modeling, cloud assessments, encryption reviews, and authentication reviews; a training phase, which trains the customer for remote monitoring, data analysis and remediation planning; and a remediation phase, which provides solutions to identified risks.
CRN sat down with Mark Johnson, cloud solution architect, and Brian Blanchard, vice president of cloud solutions at 10th Magnitude. Here are excerpts from the conversation.
How did you get involved with Microsoft's Security Program for Azure IoT?
Brian Blanchard: Basically, Microsoft pulled together a group of IoT security leaders and partners to come together and help advance standards and processes, helping customers implementing IoT have a more secure, manageable solution. That's a joint effort between ourselves, Microsoft, and 10 partners globally. It's publicly available as a set of standards and as an audit control process.
What are some IoT security initiatives you've created or projects you're working on through the program?
Mark Johnson: We had a few meetings and are trying to pull together two internal projects: One is a whitepaper on IoT security, and the other is coming up with a threat-modeling mechanism for how mature your IoT security platform is. It's really a maturity model, how far along are customers in developing security for their solution or IoT platform – we bring it to customers and tell them how far along they are, where they might find gaps.
[The program includes] system integrators, people focusing on security, companies focusing on IoT. But really the goal is driving each other to make sure we're delivering security across the board. Microsoft is giving back to us in a couple of ways. We talked about a cool way to do some penetration testing or hacking of each other's systems. That's something we've been thinking about adopting within the group and expanding that.
What kind of security concerns and strategies are you seeing in different vertical markets?
Brian Blanchard: I'm seeing the level of security kind of differs from industry to industry, and what data we're pumping through. In the healthcare space, there is a high degree of security from everything from the individual device that might be monitoring blood pressure, to the gateway and how it registers with the central data systems, so you can tell confidently that you're getting the blood pressure from the right patient, all the way through to how the data storage is presented – and security is the number one conversation throughout, because of HIPAA guidelines.
If we get into other areas, though, like monitoring the functionality of a tractor in the field, security isn't nearly as big of a concern, and now it becomes an operational security conversation around how do we get that tractor's data and be able to provide command and control to it, without comprising the core IT systems that we have to keep secure as well. So it's a little bit different from space to space.
Why did Microsoft create its Security Program for IoT Azure? What opportunities does the program open up for you?
Brian Blanchard: The big reason Microsoft formed this group and program was to begin to offer auditing capabilities. So that's been the first and foremost space: to help people understand what their risk profile looks like, and where they are exposing new risk. We're seeing all kinds of ideas coming out of that, going beyond the audit; so now that we've understood your vulnerabilities, how do we protect against those? We've done code reviews on the software being deployed to the field to make sure every device is using encrypted keys and the right communication channels, to deeper security audits and services around providing the right level of row-level encryption and the integration of Azure [Active Directory] or B2C to give you control of who has access to the data once it comes back.
What's the biggest security challenge for customers looking to deploy IoT applications?
Brian Blanchard: The biggest difference for partners is in a lot of partner ecosystems today; they're still focused on application security data all in one location. It's almost more similar to the cloud model for security, where you have to start thinking through, how do I secure things and still let them be geographically dispersed? And that's the biggest challenge we see people struggling with for IoT, is how do we get dispersed data centralized? How do we secure the footprint? It's similar to traditional distributed multi-office models: A lot of the same skill sets apply, but if channel partners focus strictly on-prem, one location at a time, they'll have to go through an evolution to think of that distributed type of model.
Can you give us an example of one use case where you have worked with a customer to secure their IoT solution?
Brian Blanchard: [We have] a California-based medical supplier we've done some work with. They had a device that was essentially hardware that could be located in a nursing home. It would pick up information from things like scales and blood pressure cuffs, all different devices in the facility, and centralize that data back through FTP to a traditional website that could then pick it up and pull it into their application. We did an audit on that system, and realized that they weren't really using a modern IoT type of solution. They were using more like a file-share type of solution.
What kind of services did you offer the customer?
Mark Johnson: We were using all sorts of Azure services to help us. IoT Suite helped us do the gateway authentication, so we knew where particular information was coming from and that it was authorized to send data to us. And then we used IoT Suite to send commands back to the IoT devices; you knew that you were talking to who you should be talking to and nothing else was getting into it.
What was the key IoT security flaw that this customer faced?
Brian Blanchard: That's a key part of the strategy. Originally, their device made the same assumption that a lot of devices do, which is that if I can plug the URL in the cloud and can toss data up to it, and its encrypted data, then it's secure. But what we pointed out to them was that there are two big security gaps there. One, there was no device handshake when the data was pushed up. So there's no guarantee that the address you're pushing it to was really where it was supposed to go. So anyone who had access to the internet pipe between that device and their web server could have re-routed it to another server and scraped data off, and you would never know. Conversely, the website didn't really know that the devices pumping in data were approved devices. So if you wanted to create a pump that made it look like people's blood pressure cuff was getting different readings from what they were, you could easily push that out and no one would ever know.
How did you work with the customer to secure these flaws?
Brian Blanchard: So we implemented a two-part IoT Suite security model, where every device had an encrypted key and was provisioned before it went to the field. And then there was another key inside of the web servers to receive the data. The two keys had to coincide, and match up with a registry that showed what devices were talking to which server. And if devices without the appropriate key ever spoke, it was flagged and reported as potentially false data. We wanted to make sure there was no one possibly stealing data, or misrepresenting or re-routing it. So those were two really big security gaps we were able to fill in with the IoT Suite and the device registration component to that.