Salesforce Security CTO: 'We Need To Change The Way We Build Everything' To Ensure IoT Security

The Internet of Things is not only creating more security vulnerabilities for various vertical markets – it's changing the way the industry needs to approach security, said Salesforce CTO Taher Elgamal.

Elgamal, speaking Tuesday at IEEE World Forum of IoT, which takes place this week in Reston, Virginia, said that the concept of threat modeling is changing for the industry because security experts are still trying to understand the full spectrum of attacks on connected devices.

"We need to change the way we build everything," he said. "When you cross to the physical world, the value of these devices is not obvious anymore. We need to re-evaluate the threat modeling."

[Related: Google Shows Its IoT Smarts With Launch Of Android Things Operating System]

Sponsored post

Many security experts come from an enterprise background and can evaluate the risk analysis of these types of systems – but IoT will expand the technology environment to include anything from a pacemaker to connected cars or factories, making it harder for security specialists to assign a value to the losses incurred by attacks.

"If someone hacks a car and drives it into a river, what does that mean? It's a very different threat – we didn't think of these things when we built enterprise security systems," said Elgamal. "Once we spread the connectivity across ecosystems, the threat happens when users connect the entire internet to the car."

It's hard for security vendors and partners to identify future security threats that come along with IoT, because of the rapid innovation in the market, Elgamal said. A new detection model for threats is needed to address these issues, with different functions to detect various vulnerabilities in an IoT system.

One solution is to equip each node in an IoT solution with intelligence to detect abnormal behavior and ensure endpoint devices have firewalls. "We want a fabric that can detect and protect against unusual behavior … a system that gets better over time as it learns patterns," he said. "We are still very early in this phase of civilization … much learning is needed and new threats will continue to emerge."

Going forward, Elgamal said a stronger emphasis needs to be placed on security by manufacturers, particularly in the manufacturing vertical, where security vulnerabilities lead to a life-or-death situation.

"Crossing into the physical world of IoT is taken very lightly – but it shouldn't be," he said. "As a society we need to build systems that are better and that aren't open so that hackers can access them."

Robby Hill, founder and CEO of HillSouth, a Florence, S.C.-based solution provider, said he is seeing the opportunities for IoT solutions in the healthcare space – but also recognizing the risks that come along with so many connected devices.

"I don't think the IT community is ready for the onslaught of Internet of Things devices coming online," he said. "IoT devices have been exempted from the policies that we already have with our mobile devices. The point is well made that we need to re-think securing non-computer devices because they're proving every day to be more and more vulnerable to security attacks like DDoS."