Developing Resilient Internet of Things (IoT) Infrastructures: Practioner’s Approach to DevSecOps

Connected society and Internet of Things (IoT) continues to challenge the status quo of information security practices. The volume, veracity and velocity of Big Data provides tremendous opportunities to innovate and solve the myriad of security problems of scale and complexities. The exponential growth of structured and unstructured data injected by ubiquitous computing, the emergence of service oriented architectures, legal and public policy on data security empowers security science as an interdisciplinary science. Security science is a leading problem for most organizations and one of the biggest big data problems a company can have. Opportunities always comes with challenges, how do we design the resilient infrastructures as DevSecOps practitioners by accelerating product innovation, improving end-user’s experience, enabling secure software design practices, mitigating business risks, managing security incidents and educating society and are daunting challenges for security practioners, legislative bodies, enterprises, law enforcement agencies and states.

The Internet of Things (IoT) introduces both security and epistemic challenges having to do with data ontology, network science , social science and system engineering.  Because the loosely coupled architectures of the IoT ecosystem enable seamless connectivity patterns that span heterogeneous industries and networks—often using public networks and application programming interfaces (APIs)—the ever-expanding IoT ecosystem introduces architectural, operational and security challenges [1].

The security engineering challenges span from social to physical science that continues to evolve around infrastructure engineering, business data compliance, public policy on digital privacy and cybersecurity. With the abundance of security metadata, insights to science and proof of concepts are imminent in the days to come. Millions of humans, software programs and devices are embodied in the continuum of security threats because of high dimensions of IoT blast radius, low entry cost for attackers, chaos rules of engagement between adversaries and porous surface attack vectors in IoT landscape.  As security science continues to evolve on interdisciplinary fronts digital security becomes trivial.  The ability to develop and manage resilient secure infrastructure at scale to address the insurmountable security threats is quintessential.

The fusion of agile development, operations and security engineering as a holistic methodology for software security engineering practices can help to address the security challenges in the Internet of Things (IoT) paradigm. Enabling and thinking security from day one instead of the last mile helps on software design practices, quality, and end user’s experiences. With the DevSecOps Manifesto [2], security spans across silos of security operations, compliance, science and engineering.  The notion of red team and blue team ensures that security war games can be simulated inside the organization to test the resilient scale infrastructure.

Managing and building DevSecOps team is challenging especially in smaller organizations where resources are limited and information security teams are small.  However, the notion of DevSecOps doesn’t rely only on the size of the team. It’s the movement of a broader software engineering community that embraces security principles across the organization to design secure software in the wide spectrum of a secure software engineering mindset with the onus on distributed and shared security that makes a significant difference.

The performance and security demarcation in systems are often confusing.  For example, Domain Name System (DNS) often gets targeted with (Distributed Denial of Service) DDOS attacks that can be vetted as a performance engineering problem.  Whereas at the tactical level, the same DDOS attack can be used as an evasion attack to diverge and isolate external threats to core systems. The issue can be mitigated at multiple layers in TCP/IP stacks.  Thus, as a DevSecOps practitioner its crucial to dive broader into an attack using a range of skills to ensure the safety and resiliency of a full stack implementation in coordination with the environment it will operate in.   

Cloud brings unique challenges and opportunities to DevSecOps practitioners to design resilient IoT infrastructure.  The Cloud Application Programming Interface (API) enables automation opportunities in scale but also changes fundamental control constraints that are well engineered in physical data center. The opportunities to develop cloud agnostic security infrastructure and controls are design constraints in security engineering but as cloud evolves, the standardization will be more inevitable.  Interestingly, the DevSecOps practices can be scaled across all clouds and physical data centers using a vendor agnostic methodology. Further, as the security scale grows, [1] Multi Agent systems for IoT security can help DevSecOps teams to address the scale and complexity of the infrastructure and formalize the blue and red agents. Data Mining, Artificial Intelligence, Deep Learning and Distributed Computing Frameworks in Big Data help a DevSecOps team to harness security engineering, operation, science and compliance issues and improves threat intelligence.

With the software ecosystem growing dependencies on external libraries, patches, Application Programming Interfaces(API), the organic ecosystem of software supply chain, Life Cycle Assessment (LCA) of software systems are crucial for resilient secure infrastructure.  The motivation should be developing systems to ensure the critical path in the supply chain. To achieve a secure ecosystem that is all-encompassing, the agility of the team to systematically apply controls to the supply chain is critical. Security is perceived as the hindrance in innovation and the supply chain pipeline but DevSecOps engages across boundaries with secure engineering practices.

In a nutshell, DevSecOps can be practiced independently across development, staging and operations irrespective of industries and domain. DevSecOps continues to evolve with IoT and Cloud, towards the next level of scrutiny and resilient infrastructure for reliable and secure software systems.  Now, its your time to engage in DevSecOps, challenge the security status quo, innovate the processes and lead the security engineering practices. Yes, rugged operations has just started.

References:

[1] – Dhungel, R. (n.d.). Designing a secure and scalable Internet of Things ecosystem using.  Retrieved May 23, 2016, from http://www.ibmbigdatahub.com/blog/designing-secure-and-scalable-internet-things-ecosystem-using-multiagent-systems

[2] Home. (n.d.). Retrieved May 23, 2016, from http://www.devsecops.org/