Speaking of Service

The Trend of Security within Field Service Organizations

March 20, 2024 PTC Episode 29

Delve into Zero Trust

Field service organizations are constantly monitoring and paying attention to devices in the field, so more and more we are seeing security as a core feature within our product, as opposed to a necessary evil. At PTC we are invested in security, so today we are speaking with our partner Tyler Gannon, Vice President, Product Marketing and Strategic Alliances at Device Authority, to discuss the whole area of security and how they view it in terms of their customers.


Narrator: Welcome to Speaking of Service, the podcast that uncovers practical ways to grow service revenue, control costs and improve customer satisfaction. If you're looking to innovate, gain a competitive edge, or just learn about the latest service trends, you've come to the right place. Today, Anthony Martha meets with Tyler Gannon, Vice President, Product Marketing and Strategic Alliances at Device Authority, to discuss the complex world of security and security as viewed by global governments and customers.

Anthony: Well, good morning, good afternoon and good evening, everyone, and thank you for joining us here today. My name is Anthony Moff. I am part of PTC's IoT segment. Prior to joining PTC, for those of you who have not met me before, I have been heavily involved in the digitization of service organizations in the United States. And I'd like to thank Chris Wolfe, or Wolfie, as we call her here. She's lending me the chair and letting me take the reins for a few sessions. What I want to do is host a mini-series on a very important and relevant topic in IoT, and that is security. I'm joined today by Device Authority's Tyler Gannon. Tyler, I'd like you to introduce yourself to the crowd here.

Tyler: Yeah, thanks for having me today, Anthony. Certainly a timely topic. So my name is Tyler Gannon, and I'm the Vice President of Product Marketing and Alliances for Device Authority. I've been at Device Authority for about three years, but I've really been involved with enterprise software and security for about 25 years, about half of that with Microsoft, going back to the Trustworthy Computing days. And so today's topic, I think, is a tale that is as old as time, refreshed for today's cybersecurity environment. So I'm excited to be here to talk about it a little bit today.

Anthony: Great. So, you know, I was thinking about this. We were talking, and back in 2007, some time ago, it seems like ages ago; in the technology world it's a long time ago. But in that time, TLS was considered to be secure. That's the way we did secure communication. So long as you had TLS, that's what we had. Today, though, field service organizations are really paying more attention to security because there are more threats, there are more opportunities. There are a significant number of people out there trying to basically take hold. And it's essentially identity theft for assets as opposed to identity theft for people. And they use that content, they use that material, to get information about people or to gain access into environments. Now, we are heavily invested as PTC. We have a large number of engineers who are invested in the world of security. And we have partners like Device Authority who are also invested in that, because when we get into this IoT space, when we start connecting assets to the Internet, that creates a threat. It's an opportunity and a threat. We have to balance that. The opportunity, of course, being that we could do service faster; the threat being that now they are exposed to people possibly attacking them. So one of the things that's really been an issue for us as of late, and we hear it a lot, is zero trust. And that's an interesting term, because it says nobody's trusted. But at the same time, I think a lot of people within our environment, and I mean that environment of IoT and connecting assets to the Internet, are not really sure what Zero Trust means. So let's start there, to at least baseline what Zero Trust actually means.

Tyler: Yeah, great question. I think you're right. Zero Trust is a term that has taken the industry by storm. You know, the concept has been around for some time, but I would say over the last year to 18 months it's become sort of the watchword for cybersecurity. And I think because of that, it's become confusing at best for a lot of organizations, as they now feel like they have to have zero trust, and the challenge is, zero trust is not a thing. You can't go out and buy a zero trust and call it a day. It's really an approach. It's a paradigm, if you will. And it takes a process, a continuous process, to achieve zero trust. I always like to go back to the NIST definition of zero trust. They're the ones that essentially coined the term and promoted it, and they're sort of the stewards of the standard or the architecture. And really, when you read it, it's a simple little abstract that they put out on the website that says this is actually a move away from just simple, static, network-based perimeter security and a move toward protecting individual things. Right? Users, assets, other resources that are connecting into your enterprise. And the reason that's happened is because, I think, over the last ten years... you know, I talked about in my intro the Microsoft trusted security environment, or the Trustworthy Computing Initiative, that they had going back to 2002, I think. And that was all about protecting PCs and operating systems for all these people that were now connecting to the Internet, and then SSL, or TLS as the modern form, became the way to actually protect the communication over the Internet. And so over the years, as this has progressed, I think people have done a really good job of hardening the security perimeter, putting up firewalls, making sure they're segmenting areas of the network. What has become low-hanging fruit for bad actors in today's environment are those devices, those individual devices or user accounts that might not be paid strict attention to. And so Zero Trust is basically saying, hey, there can be no implicit trust anymore. You have to identify every user and every device that is trying to connect into your network resources, assign an identity, and make sure every single time it's trying to connect, you can validate it should be there and it has the right security controls in place to protect what it can do within the environment. So sort of the summary of Zero Trust, the way we like to say it, is identity has become the new perimeter. And that's the baseline that we use.

Anthony: And that tends to be easier, I should say, for an individual, because an individual is able to go through sequences. It becomes a little more complicated a process when we start talking about a machine, a piece of equipment that's connected to the Internet to provide data back to a service organization.

Tyler: Yeah, absolutely. And we like to say, I mean, it's really hard for a security leader today, because they have to worry about three very specific categories of identity. Right? There's user identities, which you mentioned, and we know the mechanisms with multi-factor authentication for hardening that identity and managing that. There are now machine identities, which is sort of a growing and very broad term. So machines can be everything from your mobile phone and laptop to servers, software applications, APIs, containers that are found all throughout your networked environment. But now there's also this concept of IoT device identities, and these are typically high-value devices outside of the network perimeter, beyond traditional security controls, that actually interact with the physical world. And so a breach of one of those has a far more detrimental impact potentially than just a data breach. So, yeah, it's a tough, very tough environment to navigate as a security leader.

Anthony: And let's talk about that identity, right? You and I can give a license, we can give a QR code, we can give some type of an ID and put a passcode in and go through that process. But what are your thoughts on the current methods that we are using, say, like tokens, shared certificates? You know, are they sufficient in this world of uniquely identifying an asset in the field?

Tyler: Yeah, that's a great question. And I think there's technology that's been in place for a long time, such as PKI, that is, you know, sort of the highest level of security, and it's standards-based. So it's achievable for a lot of people. But then it gets confusing as to, are tokens okay? Do we have to use certificates? How do we manage that? And they are slightly different approaches, right? Tokens use a symmetric key. So it is a cryptographic key, but because you have a shared key between the client device and the software application in the cloud, or what have you, if that device gets compromised, now there's a lot more potential for breach and intrusion at the network side. Certificate-based authentication gives you a little bit more security because you're now using asymmetric keys, which means that even if, say, the public key gets compromised, there's still a private key that makes it harder for a bad actor to get in and move laterally within a network and do damage. That is not to say that it's foolproof, because a lot of this, whether you're using tokens or certificates, comes down to how you apply them, how you manage the permissions in those keys and how you age them. So you mentioned shared certificates, which is something that we've seen a lot of, and in this day and age that is really opening the door for a lot of potential liability, because, you know, bad actors are smart enough now where they'll go out and say, oh, there's a very, very well-known piece of industrial equipment; I can probably buy that used on the Internet. And now I have physical access to a device. And if there's a certificate that's been hardcoded by the manufacturer that is sitting on that device, I now have access to that, and I can use that to spoof or clone a real device and get access to a network. And that's kind of scary, because, as we know, credential-based attacks are probably the most prevalent out there today. I think it's something like 60% or more of attacks are based on compromised credentials. And when you get into a network with sufficient credential access, you now basically have unlimited opportunity to do damage within that network. And that's why, when you look at the data out there, I mean, it takes an organization on average something like 250 or 240 days even to identify that they've been breached, and then another 80 to 90 days to contain that breach. So things like shared certificates, things like tokens that don't expire, in today's day and age that's not sufficient.

Anthony: I think a number of the people who are listening have probably received at least one notification that their data has been compromised in some form of breach. And there have been a number of these in the private sector, in corporations, you know, stores, for example, where credit cards have been breached. And I'm sure, again, a number of people have seen those come up: by the way, your data has been exposed, and the only offer that they can give their customers in that scenario is, we're going to give you a year's worth of free credit monitoring just in case somebody actually did steal your identity or tried to steal it. So imagine, though, that attack surface now being a million machines, because that's what you're monitoring as a service organization. It gets to be very high-profile and actually very scary when you think about what can be done. So if we look at this now, companies are doing this because they have a liability, they have an exposure. But it seems like maybe the industry's not moving fast enough, or at least maybe there needs to be some consistency, because if you look at what's been going on at a policy level in the United States, we had a couple of executive orders in the last two years, three years. We had the Omnibus Act, and we had the Cyber Resilience Act in the EU. So the governments are trying now to present a profile that is a best-case scenario. So what is your take on some of those?

Tyler: Yeah, absolutely. And you mentioned three really important ones that I think have all been big drivers of zero trust as a security trend. Certainly the White House executive order in 2021, 14028, that sort of kicked off this notion of government backing of an industry trend. Right? And what that basically, I would say, mandated, because an executive order technically is not a law, but what they basically said was, you know, if you are part of critical infrastructure or anywhere in the government supply chain, we expect you to do two things. One is adhere to a zero trust architecture in your security posture, and two, implement software supply chain security in the form of a software bill of materials. And the two are actually really tightly linked together, because what the software bill of materials essentially does is provide additional granular identities around a device and the software that's running on the device. Because, as you know, in the IoT world, a device could have software coming from multiple vendors that have contributed to it throughout the supply chain, from manufacturing to when it actually goes operational in a customer's environment. So a software bill of materials, for example, will tell you if there is foreign code from an adversarial nation, or things like open source code that might be vulnerable and might have a known exploit out there today that external threat platforms can tell you about. So those three together really have, I think, consistently said this is sort of the base level that you need to shoot for. And that's why I talked about Zero Trust as being a paradigm or an approach and a continuous process, and that's the way those government regulations or proclamations are headed. So the White House, for example, most recently implemented the National Cybersecurity Plan, which talked about creating government guidance and agencies to help organizations figure out how they can achieve this, who the right partners are to enlist, and whether or not they really are subject to this. Now, I will say critical infrastructure, which is part of both the White House executive order and the EU Cyber Resilience Act, and part of the FDA regulation, that's critical infrastructure. I challenge any organization to say they're not part of critical infrastructure, because critical infrastructure for most of us, you know, it makes sense: it's the water supply, and it's energy, and it's transportation. But it also refers to communications, dams, emergency services, obviously the defense industrial base, financial services, food and agriculture, health care, emergency services within the police and fire departments. So it's really, really broad. And so I think what the government is saying is pretty much everybody needs to pay attention to this, too, in order to achieve the right level of cybersecurity standard now.

Anthony: And, you know, if you take that even a step further, there are requirements not just to have zero trust, but there are requirements in some of these bills to have a maintenance window. In other words, to deal with any maintenance to the software that you have to do to close any of those loopholes, which is a whole other level that the service world or the manufacturer has to figure out: how do I do that? Because now you're sitting there saying, well, I have 100,000 machines in the field. How do I actually get that updated? Right? So that's another level of work that they have to embrace, or at least get their customer to figure out how to work with them to do that. And that's one of the advantages of, say, an IoT platform: you might be able to do that remotely, very efficiently. But that's even added in there, and a lot of people don't realize that's part of some of the requirements for this, not just zero trust. Zero trust is a big push, but the maintenance component, I believe in the EU it's a five-year window, a minimum five-year window, for that maintenance compliance.

Tyler: Yeah. So not only manufacturers located within the EU, but manufacturers that want to sell into the EU market basically have, I think, a requirement to manage security and maintenance for the initial five years. And then, you know, you can envision a scenario where, in a competitive market, a good manufacturer might extend that window, where they say they'll take responsibility for maybe the first ten years for security, especially if you think about health care and high-value surgical equipment, or in the manufacturing industry, high-value manufacturing robots, or even in the mining industry. Right? Million-dollar mining equipment that might have a useful lifespan of ten years.

Anthony: Yeah. And actually, in the manufacturing world, we see that a lot in the services world: equipment that's ten, 20, 30 years old, you know, it's extended. And in fact, in the medical world, what you very often will see is a piece of equipment used in one part of the world, and then it gets re-apportioned to a lower-cost country that couldn't afford the original equipment. So it has a long lifespan, that piece of equipment, in the range of 30 years in some cases.

Tyler: Yeah. And actually you highlight, I mean, that's a particular challenge with IoT devices, that notion of ownership transfer and identity, because it could spend the first ten or 20 years in one location, associated with a particular organization's security environment. And then again, you're not going to throw away a $3 million surgical robot. It'll probably go to a secondary and tertiary market, and it's still going to maintain its hardware identity. It's the same physical device, but how do you assign new credentials and help it onboard to that new security environment? That is a challenge from a service perspective and from a manufacturer's perspective.

Anthony: Yeah, there's even the practical component of it, meaning we can self-identify, but a machine can very often. And when you put things online, that self-identification is a very big advantage to the service organization to understand what they're dealing with, in addition to it being important from a security perspective.

Tyler: Yeah, no doubt.

Anthony: So to wrap things up here, what advice would you give to a field service organization today that's really in the world of IoT, or getting into the world of IoT, as it relates to, you know, security? Obviously, what key things should they focus on in their efforts to start their program, or build their program and make it stronger?

Tyler: Yeah. Fantastic question. And I think, I mean, we've covered a number of those. I think one is really understand the legislative landscape today, because depending on what market you are in, what is today an executive order could very easily become a law with certain requirements for security posture and basic levels. And understand, I think, where you sit within the critical infrastructure landscape. I do think it's pretty all-inclusive, and you'd be surprised at how many organizations sit somewhere in the government supply chain. And what you don't want to do is set yourself off to where you're no longer getting government contracts, or you're no longer allowed to sell your device or service in certain customer settings, because you don't comply with the legislative landscape. I do also think, you know, from a zero trust perspective, CISA has put out the Zero Trust Maturity Model, and I think it provides a pretty good model for looking at where we sit today and where we might get to, because it kind of starts with basic, which is, you know, all of our security is manual and enforcement of security policy is all manual. And that's, I think, where a lot of organizations are today. And as you add levels of automation and other security capabilities, you go up to the top level, which is optimal, and at the optimal stage that's where security is fully automated, policy is fully enforced, and essentially you have an environment that lends itself to the Zero Trust architecture moniker, if you will. So I think understanding those environments, and where the particular product or customer scenario that you're servicing sits within that, will help you maybe be consultative to the customer, and maybe be able to predict what you might have to achieve in the future, because you don't want to be caught being out of compliance and having a supply chain come offline because a product doesn't meet certain security regulations.

Anthony: Yeah, and those are great insights, because realistically, to your point, security is no longer a nicety. It's not even a necessity. It really has to be taken to that next level, and you have to look at it as a critical part of your infrastructure in order to be able to do the job that you want to do, and do it securely and safely.

Tyler: Yeah, for sure. And I think just one last thing with regards to the advice: it's easy to go out and look at a shiny object and say this is going to solve zero trust for me. But I think it's more appropriate to figure out what your use case is, what's going to deliver the most value, and find the technology that works for that specific use case rather than taking a one-size-fits-all approach. Because there are a lot of choices out there, and Zero Trust is used, I think, a little too much in the market to describe a product or service. And it doesn't always, again, if you're talking about network-based security only, I think it's doing a disservice to the customer. And you really do need to look at those individual devices, individual users and so forth.

Anthony: Yeah. And that's a great way to wrap this up. This is really not a thing. It's a journey. Right? This is the "it's not a sprint, it's a marathon" motif, because we're continually evolving. That's what we've seen in the world of security. It's not "I've implemented and I'm secure." It's "I've implemented and I've had to add and add and add to that process," and in some cases have even had to pull back and re-conform, reform, that service offering or that security component to change based on what's going on in the world today. Well, I'd like to thank Tyler for joining us today. I enjoyed it. It was a great discussion that we've had here, and I'd like to let everybody know that we have a couple of upcoming episodes. I did say it was a mini-series. James Penny from Device Authority will be joining us to talk about the impact of AI in the world of IoT. And in addition to that, we're going to bring in one of our customers, Fujifilm's China site, to talk about how they looked at security and how they upgraded their security profile in their IoT program. So thank you for joining us today, and we look forward to seeing you in the future.

Narrator: Thanks for listening to the Speaking of Service podcast, brought to you by PTC. If you enjoyed this episode, please subscribe wherever you get your podcasts and leave a rating or review, and be sure to check out other episodes to hear new perspectives on improving life for aftermarket professionals, service teams and the customers they support. If you have a topic of interest or want to provide feedback, email us at speakingofservice@ptc.com or visit us at ptc.com/speakingofservice.