In episode 10 of the Let’s Connect! Podcast, Tim Danks, VP, Risk Management & Partner Relations at Huawei Technologies USA, joins us to talk about standards, scale and security, or more specifically, the methodology and strategy of IoT security at scale and how standards organizations can offer guidance.
As VP, Risk Management & Partner Relations, Tim Danks is responsible for understanding and managing business risks in the context of cybersecurity and privacy across Huawei USA businesses and toward external stakeholders. He is also responsible for developing and enhancing partner relationships with key external stakeholders across academia, channel partners, industry, and suppliers, drawing on his broad understanding of Huawei's local and global business operations. His background includes a diversified mix of operational experience, from both the vendor and customer perspectives, with a primary focus on risk mitigation and management in delivery environments. In addition, he has achieved repeated success in building organizations through improved methodologies, process development, and effective tools that enable efficient and cost-controlled service delivery toward internal and external stakeholders.
Interested in connecting with Tim? Reach out on LinkedIn!
Huawei is a leading global provider of information and communications technology (ICT) infrastructure and smart devices. With integrated solutions across four key domains – telecom networks, IT, smart devices, and cloud services – Huawei is committed to bringing digital to every person, home and organization for a fully connected, intelligent world.
During the discussion Tim touched upon Huawei’s TECH4ALL initiative, which is about powering digital inclusion by driving equity with technology. He also mentioned NIST, which you can check out here for more about Standards, Scale and Security.
Key Questions and Topics from this Episode:
3:20 Risk Management, Security & Privacy
6:00 Standards for Security & Privacy
10:00 Security Operations and Infrastructure
14:00 Edge and Scale
15:30 Security Strategy & Worst case scenarios
20:00 Final Thoughts
- [Ken] This is the IoT For All Media Network. Hello, friends in IoT, welcome to Let's Connect, the newest podcast in the IoT For All Media Network. I am Ken Briodagh, Editorial Director for IoT For All and your host. If you enjoy this episode, please remember to like, subscribe, rate, review and comment on all your favorite podcasting platforms. And to keep up with all the IoT insights you need, visit iotforall.com. Before we get into our episode: the IoT market will surpass $1 trillion in the next few years. Is your business ready to capitalize on this new and growing trend? Use Leverege's powerful IoT solutions development platform to efficiently create turnkey IoT products that you can white label and resell under your own brand. Help your customers increase operational efficiency, improve customer experience or even unlock new revenue streams with IoT. To learn more, go to iotchangeseverything.com. That's iotchangeseverything.com. Now let's connect. My guest today is Tim Danks, VP Risk Management and Partner Relations for Huawei. And we're gonna talk about security in IoT today, an evergreen and ever-popular topic. Welcome, Tim, to Let's Connect.
- [Tim] Well, thanks for having me.
- [Ken] The pleasure is entirely mine. If folks aren't familiar with you, Tim, or with sort of what you've been working on at Huawei lately, can you give us a little bit of your background and sort of how your work fits into IoT?
- [Tim] Yeah, Ken, thanks again. I've been with Huawei now for about 10, 11 years, and I've been in the IoT, or the ICT rather, industry for roughly 35 years. So I've got a little bit of background there, and I've been working with technology for many years. In the past eight or nine years I've been heavily involved in risk management, security and privacy. So pretty clear responsibility for ensuring the security of devices and so on.
And I think one of the things in recent years that I've been having a lot of experience with is our consumer division, which of course has a variety of aspects in the IoT space.
- [Ken] Of course. I think the first place to start is, you mentioned that you've been sort of doing risk management for a long time, and I'm really interested in that. Because I think IoT as an industry has a real risk profile and a perceived risk profile, and there's sort of a perceived perception problem in security in IoT. And I've been trying, sort of as a media person and communicator around the technology, to overcome that for years. So I'm really interested in whether or not you agree with me in the basic premise that the perceived risk of IoT, which is that, well, A, the machines are going to come and get us all and, B, that all of our data is now basically available to criminals of all kinds, and the real risk profile, which I think is in a very different and less hyperbolic place, are very different. And that we need to sort of figure out how to change that perception as sort of an industry. Do you sort of agree with that general premise, and why, in either way?
- [Tim] Well, yeah, I think I would agree to an extent. I think it's always about a balance, right? Certainly we have to be cognizant and aware of the risk that comes with any IoT device. We know that if you decide to go with the cheapest IoT device out there, a sensor or something like that, you're sacrificing something, right? And typically when you go for the cheapest device in this space, you're probably also considering that that cheap device may actually also have security issues. Because where they cut corners and where we cut costs, it comes in those spaces where you're trying to do something cheap, as opposed to less expensive or in the right market space. And that will always bring risks, right?
I think if you look at it, we have to look at the holistic risk of any IoT device, and any ecosystem is only as strong, security-wise, as its weakest component. So if you insert a very cheap, let's say, take a smart home for example, if you put a very cheap camera in there that you've gotten through some obscure website or whatever, and you put that in there, the security protections are probably limited to some extent, and now that device could potentially be an entryway into your system. But I think we also have to look at: how can we develop standards? 'Cause that's the way to mitigate or to manage this risk, because we know risk can never be 100% mitigated, but we can definitely manage risk. And we can, the first some of that risk, and find different ways to manage it. But one of the things that can help in that space is really having very clearly defined standards, defined global standards, so that we are all operating in the same space and trying to achieve the same end result, which is a secure product that protects an individual's privacy and so on. But...
- [Ken] Sure.
- [Tim] That's something that takes everybody's effort, right? That's a public-private sector joint effort to achieve something like that.
- [Ken] Of course, and I think that there are a bunch of different constituencies in IoT trying to establish various standards over their vertical or something else. You've got the Industrial Internet Consortium, who's put forth several standards, and the, what is it? The OTC, Online Trust Alliance, I think has done...
- Yep.
- [Ken] A couple, and of course GSMA is dealing with privacy and things like that, which is related, of course, to IoT operations, although I guess more on the consumer side, to be fair. So, and here in the States we've got NIST and several other government, more government-side agencies trying to create and enforce standards. I tend to think that there's never going to be one standard to rule them all for IoT.
It's just too fragmented and diverse and customized an industry. And if you disagree with that, please stop me. But I think...
- [Tim] Yeah. There will always be a variety of standards, right? And I mean, because each different standard is driven for different reasons, driven from a different perspective and so on. So you're always going to have that, but I think that you mentioned this, and that's one of the ones that I really kind of subscribe to, is NIST's approach. Because they're having a look at this, and more and more they're using global collaboration to come up with and develop their standards. But a lot of what they're trying to put together is around frameworks.
- [Ken] Right.
- [Tim] Because we know that you can't necessarily take one single standard and apply it to everything, because everything has its nuances. Every product is not created equal, every service is not created equal, and every risk that's out there is not created equal. So you have to...
- [Ken] Yeah.
- [Tim] Have the right balance, and I think understanding how to manage that and creating frameworks, I think, is a great place to start. If we look at things like GDPR in Europe, which is essentially the privacy legislation, right? There's some security aspects to it, but it's not very prescriptive on what those are. It doesn't say what you have to do, it just says you have to do something.
- [Ken] Right.
- [Tim] And internally here at Huawei we actually took the approach of marrying GDPR together with the NIST Cybersecurity Framework. This was several years ago, to create a framework for risk assessment of our consumer products platform, to identify challenges and risks both from a security standpoint but with a specific focus on privacy. And so by marrying those two together, which are both broad, there's a broad expectation coming out of those frameworks.
Or at least the NIST framework, it starts to help you understand all of the nuances of the risks that you're having with respect to security and related to privacy. And so I think, to your point, we really have to work together. And I think even though there will be multiple standards around the globe, by bringing them together where we apply the appropriate things, I think the frameworks help to align that.
- [Ken] I think I agree with that, because I think frameworks are by their nature flexible to the specific and are more designed for general guidelines, and that's a mechanism that's suited to the way IoT works. Generally, I love the idea of combining frameworks, like you were just saying with NIST and GSMA, to create one that works for your operations and that kind of thing. I want to sort of bring this down, because we've been talking about a lot of sort of high-level points here. And a lot of my listeners are going to be thinking about security in terms of: how does this impact my business? And how does this impact my operations? What do I do with this? I know for a lot of folks, they just hand it to the IT department or something and say, "I don't want there to be a breach on our stuff," or "I wanna make sure that anything we implement in our operations is protected. Fix it, put a firewall on it, do whatever." And that I guess is a way to do it, but I'd like to sort of pick your brain a little bit. What should folks be thinking about as they're thinking about a framework to work within, or a strategy to take for protecting their own networks if they're using IoT in their operations, and even farther up the line, making sure that they're offering secure solutions to their customers if they're IoT creators?
- [Tim] So there's a lot packed in that question. Well, I think you need to start somewhere, and it's best to kind of choose a framework.
There's so many, let's say there's so many standards, as you mentioned, out there: there's ISO 27001, there's a variety, there's the NIST Cybersecurity Framework, there's the NIST 854 control, all of these different frameworks out there, COBIT 5 and so on. I think that you need to try and pick one and start with that. My personal experience, I found the NIST Cybersecurity Framework has a good overall framework, because it covers areas that many of the others don't, or haven't in the past; now a lot of them are starting to cover some of those areas as well today, in Kerberos, in newer versions. But the thing is that it's at a level that you can then take it down a layer to get more specific to your business, right? To what your business is, and it should be applied no matter whether you're looking at it as a vendor selling a product or as an operator using the product, because the vendors, it's their responsibility, and they should be starting, as any business should, by looking at privacy and security as part of the start, at the very start. Don't wait until after you kind of indicated out what they should do to implement this; agreed, some of us are behind, so you need to kinda catch up. But at the same time, anybody today in today's environment needs to be thinking about security and privacy from step one, right?
- [Ken] Yeah.
- [Tim] And so if you can put that forward and you can create, use a framework to establish that and then build from there. But it's the vendors' and suppliers' responsibility to create these products that are secure and that have security features and functionalities. But it's also the responsibility of the suppliers and certainly, sorry, the service providers and operators and ISPs or whatever it may be, to implement those security features, or us, whether it's an IT enterprise or whatever, to implement those security features.
But then the last piece is, it's also about the user; the consumer has to use and enable those features. One of the things we know is that the average consumer out there has 120, I think on average, accounts. 80% of those accounts use the same username, i.e. your email address, and 50% of those accounts use the same username and password combination.
- [Ken] Yeah.
- [Tim] So that can result in a lot of challenges, and that's even in the IoT space. So we really need to be forcing other methods of authentication and driving better implementation of authentication, especially for IoT-type devices.
- [Ken] Yeah, I think some of the struggle has been making those lightweight enough to work on the very edge devices, and, or at the very least, to be flexible enough to use at scale.
- [Tim] 'Cause that's, yeah, and that's, I mean, that's part of, I think, your point. And that's a very valid point. I mean, when we see these devices, the cost constraints and size constraints and memory constraints, whatever aspect you want to look at, it constrains your total investment that goes into the security aspects of it. Typically security is one of the first things that we see given up in some of these devices, right?
- [Ken] Right.
- [Tim] But with the economies, with the scale, with the explosion of IoT that's happening right now, we're just at the start of it. Like, I mean, we're not even close to the bell curve on this. And so with that explosion is going to come enough scale to help with those aspects and to give you that bandwidth to be able to put some level of security in, or to spend a little bit more to put security into those devices and improve the overall ecosystem for everyone.
- [Ken] Yeah, I think that you're right that the more scale there is, the more commonplace it becomes, the more the standards become... I don't wanna say regular, because that lends toward regulatory, and that's a whole different debate, whether or not it's top-down or bottom-up.
And I don't wanna get into that right now.
- [Tim] Do they become the norm?
- [Ken] Do they become the norm? Yes, agreed. I think that it's going to become easier over time to implement these things. I'm curious philosophically about security. What camp are you in? Are you a private-network-behind-the-firewall kinda camp? Are you an open-standard, make-sure-you're-doing-identity-management-well camp? Obviously you're good at this, so you're gonna be a mix-of-the-two camp, but where do you like to land?
- [Tim] I've said it probably once or twice already. I think a lot of this is about balance. It's about using the right mechanisms in the right pieces of your ecosystem. For high-value data and information, obviously you wanna have the most secure, apply the highest risk measure and most risk-averse approach that you can. In lower-end or less valuable, let's say, assets, you apply what..., but again, you always have to keep in mind that your weakest point is also your weakest point of entry into the system. So...
- [Ken] Yeah.
- [Tim] You've gotta be careful about that. But I think for me it's really about finding that balance and applying the right approach to the risk, and risk is always a calculation of the likelihood and the impact and so on. So you have to consider all of those things and do proper risk assessments. I think the RMF from NIST is also extremely good to understand your risk exposure and so on.
- [Ken] Yeah, I think NIST does a lot of great work, and I'm gonna put the link to some of these NIST resources in the show notes for you folks out there listening, so you can check those out. The most fun part of security, as we've learned from every disaster movie, is to talk about the worst-case scenarios, which are different for everybody and every company. Everything from a command and control function loss to data leakage can be the worst-case scenario.
I tend to think that the most likely worst-case scenario is always the one that makes somebody the most money, which to me says data leakage is the thing you need to worry about most. Because if someone is going to take the risk, as a bad actor, of trying to breach a network, what they want is something they can sell again on the other side, almost all the time, and that's going to be data, right? So isn't there an argument to be made that some of the work on encryption or blockchain integrations or all of the other stuff that's happening with crypto is sort of the leading edge and maybe the most important sector of security technology for folks to work on?
- [Tim] Yeah, I think you're right. The crypto is definitely, I think for the foreseeable future, where we're going to focus a lot of the security efforts, starting to encrypt. I mean, we have to understand that the bad guys are there, and if they want access to something, they're going to get it. And if it's a nation state or if it's an individual hacker, they're going to get access one way or another through a variety of different methods. I think one of the things we need to do is to just assume that that is the case. And so how do we protect when we assume we have dirty networks or something? That's where you have to look at encryption. I mean, it's the way forward. I think the challenge that presents, though, is some challenges for the good guys, about things like being able to monitor the bad guys' traffic and keep an eye and keep tabs on them. So how we solve that problem is still a challenge, because we can't have any government or anyone having a backdoor, because if somebody has a key to the back door, then ultimately that can get abused in other ways. And by others, for a bit, we have to stop that, right? So, but at the same time, how do you make it so that you can enable law enforcement?
It's a challenging dilemma, but I think you're right: crypto, protecting the data. The data is essentially the asset; it's the most valuable thing out there.
- [Ken] I want to give you the floor. If there's something we haven't talked about yet that you think is really important that the listeners leave with, or are thinking about in their security planning and implementation, or even advising of their users, the floor is yours. Anything that you think they should go away with here, this is your final thoughts moment.
- [Tim] Final thoughts. Well, I think we touched on quite a bit today. And I think one of the things maybe we didn't really capture was talking about resiliency. We can do what we can to create secure products and address privacy and develop ecosystems that are secure and so on. But I think it's also important to consider resiliency. How does a system, or how does a device platform, bounce back from an issue? Kind of recover. We've all heard about the bricked devices because of some hack or some thought. But can the system recover? Can it become rigid? Is it resilient enough to come back into a normal operating mode without everything being completely lost? So that's a big point too that needs to be considered. Maybe something we talked about, the global standards and certifications against global standards and trying to drive towards that. And I think I agree with you, there's some good work that has been done in that space. We need to continue that. It needs to be a collaboration between public and private sector to drive that, but we also need, in conjunction with that, kind of a trust-through-verification approach, which means you don't trust somebody just because of them, or just because you used their product before or whatever; you need to verify everything.
It's a zero trust environment today, and you have to assume that there's challenges with every network you're working on and that it could potentially be compromised at any given point, and be prepared for that. So it's really about kind of looking at those worst-case scenarios. Huawei has been kind of hit with several, let's call it, multipoint supply chain challenges over the last several years. And I guess we're getting into the supply chain a little bit now, but at the same time it's important to look at all the risks, those that might happen, and the probability. The probability factor has changed dynamically. We also have to consider: how has the pandemic changed our view of risk? And that applies to everyone, including in the IoT space. So...
- [Ken] Yeah.
- [Tim] Yeah, but let's end this on a positive note, I think.
- Yeah.
- [Tim] We've talked a lot about risks, we've talked a little bit about the negative stories, but maybe here's where we can add a little bit on the positive side: digital inclusion and making sure people have access to these technologies, IoT-type technologies. And a lot of the IoT is driven by AI. There's a lot of great things going on out there through a TECH4ALL initiative that we've always been driving, trying to bring technology to the disadvantaged. And when we say disadvantaged, we mean whether it's geographically or economically, socially or even physically disadvantaged, trying to bring technology to those most in need of it, who can have the most use. And a lot of that technology is IoT-type technology that helps them. We have a variety of different things out there, but I'll send you a TECH4ALL link, a link to our site on TECH4ALL. It describes a lot about what we're doing, and I think that's a great thing, or so.
- [Ken] Yeah. Please do, and folks, you will magically now instantly find that link in the show notes.
Where you'll be able to check that out for yourselves, 'cause TECH4ALL is doing some really, really amazing work. And I think that it's something that everybody sort of should have known for a long time, that access matters. But it's one of the most important and most positive things we've learned over the last year, that access is critically important. It is as close to being a utility without being recognized as one as we have at this moment, I think.
- Yeah.
- [Ken] But TECH4ALL is doing some great, great work in the area of expanding access, not just to IoT but to internet and connectivity in general. So please check those links out. Unfortunately, Tim, that is just about all the time, and maybe a little extra, that we have for here today. But I really appreciate you chatting with me and giving me so much of your time.
- [Tim] I appreciate it, Ken. It's been a great, great discussion.
- [Ken] Thanks again to all of you listening out there. I hope you've enjoyed our discussion, and if you have, please make sure you like and subscribe so you don't miss out on any of our episodes. We post every week, and I hope you'll leave us a rating, review and comment on your favorite podcasting platform. If you'd like to suggest a guest, please click on the link in the description. And we also have a great sister podcast on our network called the IoT For All Podcast. So make sure you check that out.
- [Ryan] Hey, Ken, let me jump in real quick and introduce your audience to another awesome show on the IoT For All Media Network, the show that started all the IoT For All podcasts, where I bring on experts from around the world to showcase successful digital transformation across industries. We talk about use cases and IoT solutions available in the market and provide an opportunity for those companies to share advice to help the world better understand and adopt IoT.
So if you're out there listening and haven't checked it out, be sure to go check out the IoT For All Podcast, available everywhere.
- [Ken] Thank you, Ryan, now get back to your show. And thank you all for joining us on this episode of Let's Connect. I've been Ken Briodagh, Editorial Director of IoT For All, and your host. Our music is "Sneaking on September" by Otis McDonald, and this has been a production of the IoT For All Media Network. Take care of yourselves. You are listening to the IoT For All Media Network.