Elevate the Edge

Rob Hornbuckle, CISO, Allegiant Air

July 18, 2023 Jo Peterson and Maribel Lopez Season 2 Episode 39

Rob Hornbuckle, CISO, Allegiant Air Discusses Edge Security


Maribel Lopez:

Hello and welcome back to the Elevate the Edge podcast. As always, I'm excited to be here with another fun guest and my co-host Jo Peterson. Hey, Jo.

Jo Peterson:

Hey Maribel.

Maribel Lopez:

So today we're joined here with Rob Hornbuckle. He is the chief information security officer at Allegiant Air. And we're so excited to talk to him about the edge. You know, we're always learning more about how companies are embracing the technology. So really, to get the skinny on what's happening in the real world, we thought we'd meet with Rob, who's the CISO of Allegiant. So welcome to the program, Rob. Thank you, Brian. So Rob, we know aviation has always been a technology-intensive industry. It's also a challenging area, because you need to balance innovation with safety and security. So that's always a challenge. We have seen that aviation's been working with connected devices for some time, we use called machine to machine and we called it IoT, sometimes industrial IoT, but that could be more manufacturing. But today, we're talking a lot about the term edge computing and how it's making an impact on aviation, avionics applications like supply chain, proactive maintenance, predictive maintenance, all the things that we've spent some time talking about for some while. But when I think about it, that's a little bit of the perspective of what we've been talking about with organizations. But Rob, you're deep in the trenches, you're seeing all the changes and challenges. Tell us a little bit about what you're seeing and how you think it relates to the landscape of edge computing.

Rob Hornbuckle:

So my purview has a lot more to do with the security and protection of things as they run through the communication cycles. All the things that you can do with edge computing are amazing. And they can do a great thing for multiple, many industries. My discipline is specifically more about making sure that once we do get them started, that they continue to go, that the information continues to flow, and that it's the legitimate actual information. As well, it's making it so that people don't intercept that information. The use of the information itself isn't necessarily with you. So I can't really speak too much to how those particular pieces play out.

Maribel Lopez:

So that makes sense. I think one of the things that people are really interested in is You we talk a lot about connected devices, but you can't have connected devices or edge computing or any of this without security. So when you think about the security landscape, have you seen it change dramatically in the past couple of years? Or how are you thinking about what's going on with security?

Rob Hornbuckle:

So security is an interesting animal in that aspect. There's new ideas, but most new ideas are just revamped versions of old ideas, just with a little bit of extra frosting, or a new particular way of potentially looking at them. Zero trust and micro-segmentation and all these other buzzwords within information security right now, which are honestly just old practices with new terms associated to them. I mean, the US military's been practicing the equivalent of zero trust since the 70s. Before there was really even anything to do with this kind of stuff. And it's just adapting those principles to something more along the lines of electronics. The main thing when it comes to IoT and edge devices has to do with securing Wi-Fi. Because the vast majority of stuff that you're looking for you're looking at Wi-Fi connections, you're looking at a potential, it also extends Bluetooth depending on what you're actually talking about. So when it comes specifically to IoT and the edge devices, it's a lot of security and security practices concentrated specifically around that Wi-Fi broadcast via Bluetooth and or normal standard, what you would think of as Wi-Fi internet.

Jo Peterson:

That totally makes sense. And I like the direction that you're going thinking about that in terms of securing the connectivity. Let me go back a different direction if I can. Airlines have become hot talk hot targets for the sheer amount of personal customer data, financial data, location data that they possess. As you think about your environment, and you think about bringing edge into your environment, any best practices that you can share in general, the audience?

Rob Hornbuckle:

So those particular concerns aren't terribly unique to airlines. I'd say anyone who deals in a commercial area is going to follow the exact same problems, be it retail store, fast food, even e-commerce. It's all going to fall into that same general area as far as the stuff that you've Is this and the target that people are looking for and they're looking to get into. When it comes to edge devices you're basically looking at, and not to use buzz terms I said were terrible earlier in the discussion, but you are looking at segmentation of it. There's not a lot of protections you can do with certain things. Especially if you get out of airline industry. And you're looking at things like manufacturing or other areas, where you have to rely more heavily on Bluetooth and Wi-Fi, you have to just assume that there's less security there. And you have to segregate it from the areas where you keep that kind of information. If you can maintain that kind of a practice, then even if something were to happen to an edge device, it doesn't really necessarily allow them to get at the type of data that you're referring to within your environment, regardless of the industry that you happen to be working.

Maribel Lopez:

I think that makes a lot of sense. And, you know, one of the things that you mentioned that there are, in some ways, new new terms under the sun, we've just kind of changed them. So we've had

Rob Hornbuckle:

new terms,

Maribel Lopez:

new terms, but not. Yeah, maybe they're new terms. But they're the same thing where they're an evolution to the same thing, right. So we've had multifactor authentication, we've had malware protection, endpoint protection, making sure that the end user has some level of security training. So they don't click on the email that says, you know, you won a million dollars or whatever it is. Are there any other must-haves that you think people should be looking at today, because I know that we keep layering security products in the market?

Rob Hornbuckle:

The biggest one in the environment today, not just for my industry, but for all of them, has to do with plans and preventions against ransomware. Ransomware is currently the biggest, most prolific thing that's out there. So anything that you can do as far as a practice around, how do you prepare for it? How do you protect against it? How do you limit its effect on your environment, be that either shrinking what you want to call blast radiuses of something actually going off so that they don't affect your entire system, but only certain areas, or having a really, really robust backup system so that if something happens, it's only a matter of minutes till you switch over to a backup and making sure that backup is segregated. So it can't jump between the two. That's probably the biggest thing in the current environment now, is making sure you have a plan around how you're going to handle ransomware when it comes in. And then how are you going to handle ransomware if it actually has an effect on your IoT devices? If you actually get any character that can for some reason, get into a form of IoT device and start encrypting pieces of it. What does that mean for you? What's the possibility of that happening? How could you recover from that kind of concept? It's an interesting brain activity to undergo to think on your edge devices on what would happen in those instances, especially since they're not your traditional PCs or servers or things that you would normally have this kind of a backup process for.

Jo Peterson:

That's a really good point. I'm seeing people have an increased interest in bot mitigation, specifically as it relates to those edge devices. So it's some new thinking, right, bot mitigation has been around for a while. But extending that to the edge devices.

Rob Hornbuckle:

Yeah, so you are just using more fictional terms. If you're a manufacturing company, and you're using edge devices across your entire line that are IoT based. And you don't know necessarily how they're even programmed, or what they do, the stuff that's in them, you bought them from a supplier. If they all went down, because encrypted somehow, what are you going to do about that? Do you have some way of going around it to keep the business running at a minimum, even if they're not running? Have you made them so integral to your operations that you have to do something about them? Ideas and thoughts around those are things that you need to start bringing in when you start talking about integrating your edge environment and integrating your IoT environment, whatever you're doing.

Maribel Lopez:

I know a lot of people are also struggling with the fact that they have diverse environments, right. And so some things seem easier to secure than others. Some things you can run security stacks on, some things you can't. Is there any framework that you're thinking about right now that you believe is different as a result? Have you talked a little bit about some of the changes of, of ransomware. But if you were to go out, you know, we've talked about confidential computing, we've talked about zero trust. We've talked about all these different things. Do you think there's another set of security thoughts or standards or things that people are working on that are interesting?

Rob Hornbuckle:

Um, I don't know if there's anything quite yet. There's a lot of interesting things that are all completely theoretical currently around quantum computing. But until that is actually something that actually exists, then it's not. It's all just a thought exercise. But I'm sure at a certain point, the idea of micro-segmentation or zero trust in its current existence within our systems was a thought exercise as well. So it does pay to put a little bit of thought to it, a little bit of ideas, what might come about when it exists, just so you're not as caught flat-footed in the event that it does.

Jo Peterson:

It's kind of interesting, you know, we talked about zero trust earlier. And it's not a new idea. And you've mentioned that the military has been doing it since the 70s. But we're starting to see more of a trend, particularly like as it relates to CMMC, that if you're working with the government, you're just going to have to have zero trust framework in place, they're going to require that of their business partners. You think that that shift more from a regulatory standpoint is going to cause a ripple effect in the industry?

Rob Hornbuckle:

So the problem you're gonna run into is not everyone does business with the government. Yeah. And not everyone even has heavy regulation around them. Regulation will always drive things depending on how it functions, government regulations, and government subcontract, and regulations drive things further than anywhere else. And when you start dealing with companies that, say, a fast food restaurant, they're not going to do anything with the government. Even if for some reason they built fast food locations on military bases, the government's still not going to require them to meet CMMC certification regulation. So it's not going to drive industries at any point, regardless of where it gets to. I mean, they might lose a contract if they get breached, and lose a bunch of military credit cards or something, but they're not really going to force them to do it until something major, some kind of national paradigm needs to change. There has to be some kind of a national requirement for security, like a Federal Trade Commission level thing from the federal government, or at least at a state level, before you really start seeing those kinds of major industry changes, like you seem to be referring to. Until then, a small subset change, like with government subcontracting, or even with things like credit card processing, is only going to affect the specific areas that they're targeted to affect.

Jo Peterson:

Yeah, that's fair. I mean, there's got to be some sort of incentive to create change if somebody doesn't want to make a change, right. So

Rob Hornbuckle:

The other problem you're going to run into, which is always going to be an issue, and regulators are always going to balance it out, is barrier to entry. If you create too much onerous security requirements, you're basically eliminating the chance for a lot of smaller players to even be able to come into that environment. So you can stifle innovation to a certain degree if you're doing that kind of thing.

Jo Peterson:

Yep. Um, you know, we're seeing this in the cloud space, the development of ecosystems, and the APIs associated with those ecosystems. And many of the CISOs that I'm speaking to are concerned about API security. It's kind of a hot or bubbling topic, you've probably heard it too. And maybe you have concerns around it as well. The other side of that coin is bringing applications in, in terms of having them vetted from a security perspective, adding them into your stack, right, third party apps. So kind of think of it as two sides of the same coin or sides of the same coin. What advice can you give to other CISOs and other people or people in the security community about API security?

Rob Hornbuckle:

So I'd add there's a third piece there too. And that's custom programming. Ah, good point. Okay. And it adds a different spin and a different color on what you're looking at here, all of this. But you have to work at a company that does custom programming, or does a lot of their own application programming, for it to have too big of an effect. Sure. API security and vendor management, or third party security, have been bigger topics as of late and they keep getting bigger to grow. The more that you bring in partners, the more that you need to both vet and then maintain their security levels coming in on that side. On the API standpoint, it becomes more of an issue of the more things that you handle, the more things that you add, how you handle the spaghetti of all that coming in and making sure that you're maintaining their security levels. If there's anybody listening to this that's done any of the old telephony days, when you have all of these connections coming in and transferring them around. If you're not specifically meticulous about everything that you're doing at every given point, you just end up with this giant spaghetti mess when you walk into the room. Yes, it all works. Yes, everything's connected from one place to another. But you've got to stick your arm, shoulder deep into a giant pile of cord to try to figure out which cord goes with.

Jo Peterson:

So I see that you've been next to a punch down board. I have. So I see you have to? Where did that go? Yeah, well, we face this, I gotta follow it into a mess of spaghetti. Let me look for the tag. Let me let me find the tag and try to. Yeah, been there done that. So thanks for the jolt from the past there, love that.

Maribel Lopez:

Oh, then we went into Voice over IP, right. And everybody talked about like, we can secure those connections. And now like you can't find anything that is an IP. So it's a very different world in that regard, isn't it? So I know, we talked about some of the challenges that are happening in the security arena, certainly thing that excites you about the space now?

Rob Hornbuckle:

The biggest issue that I run into running a program, and that a lot of the other CISOs I talk to running programs, is just there is so much out there. In order to really build the program that you want, I end up having 20, 30 different partners in different companies that I'm using in order to try to build out a full program. Immediately I'm across risk, compliance, privacy and all security. So maybe I have a little wider swath than some others do. But it's still a lot of vendors to deal with, a lot of relationships to maintain, a lot of dashboards online or local or however they're set up in order to run through. We have utilities for orchestration that are designed simply to handle a large number of them that we have coming in. I'm excited of the idea of some of them combining together and bringing some of those numbers down. But at the same time, I'm fearful of the loss of security capabilities, if it's not done correctly.

Jo Peterson:

And it's such a slog, you bring up such a good point. You know, are we over-tooled, like everybody says, Oh, we're over-tooled? Well, right? Let's take the time then to try to figure out where the overlap is, where the Venn diagram happens. Who has the time to do that? Right. And, and the new buzzword is platform, everybody wants to sell you a platform. So you're smiling, because you know, it's true. Everybody's trying to, and I understand what they're trying to do. But it's so tough to try to figure out if I'm sitting in your seat, what to do away with, and what to keep, and how to better manage that whole process.

Rob Hornbuckle:

Yeah, I'll say the lowest common denominator is the eyes of the analyst.

Jo Peterson:

Point. Good point. So I think that we have a final question for you. And it's more fun than it is. We're going to pick your security brain here.

Rob Hornbuckle:

Right, it sounds like you haven't been having fun.

Jo Peterson:

We have been having fun. And I mean, just getting your insight on stuff is pretty cool. And might I say you have a lot to cover. I was sitting here thinking about the fact that you know, if you're running all over all those areas, that's, that's a, that's a lot. So tell us a fun fact, that can be about anything that you want to share. Not tech.

Rob Hornbuckle:

Um, the, I've been hearing weird ones lately, so I could come up with weird ones. And I don't know how well they play. Um, did you know that fish Burke

Jo Peterson:

I love that. That's great. No, I didn't. That's wonderful. I'm not a fisherman. So don't know. Maribel, did you know that?

Maribel Lopez:

I had no idea. I mean, there was something the other day I was reading about turtles talking. And they had finally discovered that, you know, it was basically animals that you didn't think speak actually do speak in some way that humans can't quite comprehend. But I thought it was all quite interesting. So I love that David shipper. Well, yours and there you have it, folks. Yeah.

Jo Peterson:

Thank you so much for taking time to visit with us today. We appreciate you.

Rob Hornbuckle:

Yeah. Thank you so much for having me on.

Maribel Lopez:

Keep everybody safe. We need you. Thank you.