The Year Ahead in the Industrial IoT

In 2016, we saw breathless growth in the industrial IoT market with a bewildering mix of solutions confronting the industrial operator.

Head on over to Peggy Smedley’s Connected World where I’ll give you my predictions for the IIoT market in 2017 to help you plan for the new year. Topics I cover include:

  • IoT security moving to the forefront after the DDoS attack
  • Predictive asset health with machine learning
  • The Internet of Humans and Machines represented by Digital Twins
  • Which IoT platform players will make it and which ones won’t

Don’t miss it!

Internet of Things Predictions for 2017

When it comes to IoT predictions, 2017 will see solutions solving business pain points jump to hyperspace as VC funding dries up for many platform plays.

As we move into 2017, the marketplace will start to separate the “build it and they will come” crowd from IoT solutions that add compelling business value. When it comes to value creation, I anticipate we’ll finally see technologies that abstract machine learning algorithms plus data prep and cleansing to solve business problems for specific equipment. Think of this as an advanced analytics extension to existing digital twins. Vendors that seize upon this technology will see success in the $900M Industrial IoT market. On the other hand, the vendors promoting generic, often cloud-only platforms that try to be all things to all people will face a tough road ahead.

The IoT platforms set to take off are the ones tailored to specific industries and flexible enough to run on-premises, in hybrid mode and in the cloud as needed by customers. I’m not just talking about cloud offerings that work with edge gateways in the fog. I’m talking about solutions that are truly portable. On the security front, industrial customers will struggle to safely IoT-enable machines that aren’t securable and were never intended to be on the Internet. This will continue to be a problem until next-generation industrial equipment rolls off the assembly line with built-in compute, storage, IP networking and security. Expect lots of the industrial world to remain air-gapped and firmly in its M2M comfort zone.

Lastly, enterprises that can merge domain expertise, data science and machine learning will realize cost savings by stretching equipment maintenance cycles and avoiding downtime by predicting asset health. This represents the true value of IoT in business.

Mobile Apps Must be their own Fortress to Withstand Attacks from Hackers

A mobile app must be its own fortress and never assume platforms are encrypted, authenticated, use VPN or require a PIN for security.

I guess developers can’t count on anything these days. How you deal with security is what separates consumer app developers from enterprise app developers. The best apps assume an insecure, unencrypted and completely compromised mobile platform. In a world of bring your own app (BYOA), this will differentiate consumer app developers from trusted enterprise app developers. Imagine the scenario where a logged-in device is left behind in a taxi and is stolen before device security kicks in to log the device out. A window of exposure ranging from five to fifteen minutes is realistic.

So how does a mobile app take charge of its own security? On launch, it must prompt for enterprise credentials like a password, PIN, face or fingerprint before allowing a user inside the app. Eliminate the use of cached credentials and tokens or keep expiration times to a minimum. Next, the app must provide its own encryption for data at rest. This is accomplished through the use of a mobile platform’s crypto APIs. Oftentimes you can reuse login credentials as a password and salt value. Use this to encrypt all downloaded and user-entered data before saving to local storage. The app must use TLS or per-app VPN tunnels for all remote communication to secure data in transit. Lastly, trustworthy apps should never take dependencies on platform capabilities they don’t actually require.
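The data-at-rest step is the one most often skipped, so here is an added Go example of it (not code from the post or its author): a key is derived from the credential typed at launch with PBKDF2-HMAC-SHA256, and each record is sealed with AES-GCM so a mis-keyed or tampered record is rejected instead of being decrypted into garbage. The PBKDF2 loop is written out by hand only so the example needs nothing beyond Go’s standard library; an app would normally lean on the platform’s crypto API for this. The iteration count, salt length and sample credential are assumptions. One deliberate difference from the shortcut of reusing the login name as the salt: the salt here is drawn at random per record and stored beside the ciphertext, so the key cannot be precomputed from a known username.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not the post's code: the app encrypts its own local data with a
// key derived from the credential typed at launch. The key lives only in memory
// for the session, so a stolen, still-logged-in device holds nothing but
// ciphertext once the app is closed.

const (
	saltLen    = 16
	iterations = 100000 // hypothetical work factor; tune to the target device
)

// pbkdf2Sha256 derives one 32-byte key block (PBKDF2, RFC 8018, dkLen == hLen).
// Hand-written so the example needs only the standard library; a real app would
// call the platform's crypto API for this.
func pbkdf2Sha256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record for local storage as salt || nonce || ciphertext+tag.
// The salt is random per record, not reused from the login name.
func Seal(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newGCM(pbkdf2Sha256(password, salt, iterations))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append(make([]byte, 0, saltLen+len(nonce)+len(plaintext)+aead.Overhead()), salt...), nonce...)
	return aead.Seal(out, nonce, plaintext, salt), nil // salt as associated data ties it to this record
}

// Open reverses Seal. A wrong credential and a tampered record both fail the GCM tag check.
func Open(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("record too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	aead, err := newGCM(pbkdf2Sha256(password, salt, iterations))
	if err != nil {
		return nil, err
	}
	if len(rest) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := rest[:aead.NonceSize()], rest[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong credential or tampered record")
	}
	return pt, nil
}

func main() {
	pw := []byte("entered-at-launch") // constructed sample credential
	blob, _ := Seal(pw, []byte("customer record 42"))
	pt, err := Open(pw, blob)
	fmt.Printf("%q %v\n", pt, err)
	_, err = Open([]byte("wrong"), blob)
	fmt.Println("wrong credential:", err)
}
```

On a real device the derived key should be held only for the session and discarded when the app locks or the credential prompt comes back; with the credential gone, the records in local storage are unreadable to whoever ends up holding the phone.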

Reduce risk to your business by insisting every enterprise app you build or buy provides its own comprehensive security capabilities. Is your company making app security a top priority?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”

Book Cover

Click to purchase a copy of my book today and start transforming your business!

Sharing my knowledge and helping others never stops, so connect with me on my blog at http://robtiffany.com, follow me on Twitter at https://twitter.com/RobTiffany and on LinkedIn at https://www.linkedin.com/in/robtiffany

Delivering Apps to Mobile Devices via Remote Pixel Projection is a Terrible Idea

The use of remote pixel projection technology to view Win32 apps on mobile devices should be considered nothing more than an interim workaround.

What’s the fastest way to move Win32 desktop apps to mobile devices? Don’t feel bad if you chose a remote desktop or screen sharing technology to project PC desktops to smartphones or tablets. This happened decades earlier when companies migrated from 3270 terminal emulation to PC apps. Lots of screen scraping took place to avoid large rewrites.

If you’ve tried various remote desktop technologies on smartphones, you found yourself doing a lot of pinching, zooming, panning and scrolling to accomplish simple tasks. The intermittent nature of wireless data networks results in a frustrating experience. A lack of offline capabilities leads to application errors and possible data loss. Nonexistent integration with essential smartphone sensors leaves employees without the contextual experiences they expect. Obviously, tablets fare much better due to larger screen sizes that more closely match the desktops they’re trying to render. When paired with corporate Wi-Fi, this delivers the least-bad remote experience. The tablet + Wi-Fi scenario is the best compromise for large apps that are difficult to migrate or third-party apps that are out of your control. In limited scenarios where sensitive corporate data is not allowed on a device, remote desktop technologies keep your device free of data. For everything else, remote pixel projection should be a short pause on the road to complete mobile migration.

Reduce risk to your business by using remote pixel technologies in situations where sensitive data cannot be securely moved to a mobile device. Is your company taking a pass on employee productivity by not migrating legacy desktop applications to mobile apps?

It’s Time to Dump your 1990s App Authentication

Migrate Win32 applications secured by client/server database logins to mobile apps that use OAuth & enterprise cloud directories for authentication instead.

Do you know Scott Tiger? Are you familiar with SA and no password? If so, you probably worked with client/server database security mechanisms from companies like Oracle, Microsoft, IBM and others. Anyone who’s built client/server, multi-tier database systems over the years has worked with Oracle Net Listener, TNSNames, Sybase DBLIB, ISAM and VSAM drivers plus a revolving door of Microsoft drivers. App logins were typically the same as the database login. DBAs were in control and app developers worked with what they were given. Sometimes data access was secured through the use of views or stored procedures. Things improved when databases started supporting integrated authentication where data access could be controlled by users and groups found in the company Active Directory.

Today’s mobile apps don’t connect to client/server databases this way. Win32 apps connecting via the LAN or VPN can kick the can down the road a bit longer. Everything else talks to databases with web APIs or sync. While these mobile-friendly APIs use database authentication to connect, the services they expose must be secured by an enterprise directory. This pattern provides identity management to mobile apps. Furthermore, cloud-based enterprise directories must be kept in sync with existing on-premises directories to keep the login procedures seamless for employees. Add multi-factor authentication to boost security and avoid consumer auth providers like Facebook or Twitter.

Reduce risk to your organization by decoupling app security from database authentication and make the move to company-wide directory services. Has your employer switched all its enterprise apps to modern authentication methods yet?

12 Steps to Stop the Next IoT Attack in its Tracks

The recent distributed denial-of-service (DDoS) IoT attack against DNS is a wake-up call to how fragile the Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.
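Steps 6, 7, 10 and 12 are the platform’s side of the list, and they fit in one small program. The following Go code is an added example, not from the post: a device registry with keys and expiry times, a source-address allow-list for the telemetry ingestion endpoint, a blacklist for compromised devices, and a per-message HMAC check that also bounds how old a message may be. Device names, keys, the 10.20.0.0/16 range and the time windows are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Added example, not code from the post: a minimal ingestion gate for an IoT
// platform covering steps 6, 7, 10 and 12 above. Device IDs, keys, address
// ranges and time windows are constructed sample values.

var (
	ErrUnknownDevice = errors.New("device not in registry")
	ErrRevoked       = errors.New("device is blacklisted")
	ErrExpired       = errors.New("device credential expired")
	ErrSourceIP      = errors.New("source address outside managed ranges")
	ErrStale         = errors.New("timestamp outside replay window")
	ErrBadSignature  = errors.New("telemetry signature mismatch")
)

type Device struct {
	Key     []byte    // shared secret; on the device it belongs in the TPM (step 5)
	Expires time.Time // credential expiry (step 6)
	Revoked bool      // blacklisted (step 12)
}

type Registry struct {
	devices      map[string]*Device
	allowed      []netip.Prefix // address ranges of managed devices and gateways (step 7)
	rotateBefore time.Duration  // devices this close to expiry must rotate now (step 10)
	replayWindow time.Duration  // how far a message timestamp may drift from platform time
}

func NewRegistry(allowed []netip.Prefix, rotateBefore, replayWindow time.Duration) *Registry {
	return &Registry{devices: map[string]*Device{}, allowed: allowed, rotateBefore: rotateBefore, replayWindow: replayWindow}
}

func (r *Registry) Register(id string, key []byte, expires time.Time) {
	r.devices[id] = &Device{Key: key, Expires: expires}
}

func (r *Registry) Revoke(id string) {
	if d, ok := r.devices[id]; ok {
		d.Revoked = true
	}
}

// Sign is what the device or field gateway computes for each message:
// HMAC-SHA256(key, id || timestamp || payload). Including the timestamp means a
// captured message cannot simply be replayed later.
func Sign(key []byte, id string, ts int64, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\x00%d\x00", id, ts)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Admit checks one inbound message, cheapest rejection first, and reports whether
// the device's credential is inside the rotation window.
func (r *Registry) Admit(src, id string, ts int64, payload, tag []byte, now time.Time) (bool, error) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false, ErrSourceIP
	}
	inRange := false
	for _, p := range r.allowed {
		inRange = inRange || p.Contains(addr)
	}
	if !inRange {
		return false, ErrSourceIP
	}
	d, ok := r.devices[id]
	switch {
	case !ok:
		return false, ErrUnknownDevice
	case d.Revoked:
		return false, ErrRevoked
	case !now.Before(d.Expires):
		return false, ErrExpired
	}
	if drift := now.Sub(time.Unix(ts, 0)); drift > r.replayWindow || -drift > r.replayWindow {
		return false, ErrStale
	}
	if !hmac.Equal(tag, Sign(d.Key, id, ts, payload)) {
		return false, ErrBadSignature
	}
	return d.Expires.Sub(now) <= r.rotateBefore, nil
}

func main() {
	now, key := time.Now(), []byte("constructed-device-key")
	r := NewRegistry([]netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")}, time.Hour, 5*time.Minute)
	r.Register("pump-07", key, now.Add(30*time.Minute))
	payload := []byte(`{"temp_c":71.5}`)
	rotate, err := r.Admit("10.20.3.4", "pump-07", now.Unix(), payload, Sign(key, "pump-07", now.Unix(), payload), now)
	fmt.Println("admitted:", err == nil, "rotate now:", rotate)
}
```

Admit answers two questions per message: may this telemetry be stored at all, and is the device’s credential close enough to expiry that the platform should push a rotation now (step 10) rather than wait for it to lapse. Rejections are ordered cheapest first, so a flood from outside the managed ranges is dropped before any key lookup or HMAC computation.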

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.

Keep your Mobile Data Safe when Apps Talk to Each Other

Convert Win32 applications using local interprocess communications (IPC) to mobile apps that securely send data to each other via contracts.

In the 90s, platforms and programming languages allowed developers to call functions that were increasingly farther away from the calling code. Calling into subroutines gave way to instantiating classes to call functions. Calling exported functions in separate C DLLs gave way to using Object Linking and Embedding (OLE) to call functions in separate programs. You could even embed the UI of a different program like Excel inside your app.

Developers went nuts with this stuff and started calling functions or passing messages to other local apps using Named Pipes, Mailslots, shared databases, TCP, UDP, message queues and shared files. On Windows Mobile, point-to-point queues were used with multiple executables to get around app memory limits. The problem with IPC is that security took a back seat and apps were just asking to be hacked as they listened for incoming connections like little web servers.

Today’s modern mobile platforms don’t allow this. Platforms require things like contracts, intents and extensions. They declare API interactions and what information can be shared between two apps as well as the files they can open. Users are prompted to give their permission to this type of interaction between apps which prevents data leakage at the device edge.

Reduce risk to your business by migrating your apps to a more secure method of data sharing between app sandboxes. What is your organization doing to secure app data sharing?

Reduce Corporate Risk by Updating your Win32 Apps to Run on Secure Sandboxed Platforms

Migrate those Visual Basic, Delphi, VisualAge, PowerBuilder, SQL Windows, JBuilder and Visual Cafe Win32 applications to secure sandboxed mobile apps.

Hope I didn’t leave out your favorite development tools from the 90s. The Mac stagnated, OS/2 didn’t capture market share and the inexpensive, developer-friendly Windows platform benefited. Companies all over the world deployed Windows 3.1 and then Windows 95 and NT. Easy-to-use, drag-and-drop development tools meant you didn’t need a computer science degree to build powerful apps. Desktop apps of varying quality spread like wildfire.

Apps back then could manipulate the operating system, talk directly to other apps and perform all kinds of insecure, destabilizing functions that gave rise to viruses, trojans and spyware that created chaos for IT and security professionals. Billions of dollars were lost over the decades due to this free-for-all model where apps could access any resource the user could. Modern mobile platforms don’t support this type of nonsense. The modern operating systems used by mobile professionals employ a sandboxing scheme for apps. This protects systems and users by limiting app privileges to their intended functionality and increases the difficulty for malicious software to compromise the platform. Apple and Microsoft go a step further by vetting all the apps that appear in their public stores. Apps can’t launch in memory unless they’re digitally signed.

Reduce risk to your organization by rewriting your apps for sandboxed platforms. What actions is your company taking to secure its apps, platforms and data?

Reduce Business Risk by Migrating your Legacy Software to Modern, Secure Platforms and Programming Languages

Businesses drag their feet when mobilizing line-of-business apps via legacy software migration, thinking it’s cheaper to maintain a codebase than to rewrite it.

I get it. Migrating all those apps to mobile seems like eating the proverbial elephant. They cost a lot of money to build, the highly-skilled developers needed to rewrite the code are harder to find than ever, the code isn’t commented and there aren’t any docs. This often leads to IT decision makers putting off these projects, perhaps until it’s not their problem anymore. So why do it?

For starters, your employees will be significantly more productive running your apps on the mobile devices they actually use. Since work is not a place to go but a thing to do, employees can get their jobs done from anywhere. Millennials won’t be chained to a desk and they’re going to use the devices they like best. Face it, those Win32 apps are never going to run on someone’s iPhone and your new generation of employees haven’t ever heard of Windows 95. Not changing is a non-starter as you’ll just miss out on younger talent entirely.

Another good reason to migrate all these apps and systems is that they’re running on outdated hardware and software. It goes without saying that this infrastructure has far surpassed its end of life (EOL) and there is absolutely no support coming from the original vendors of the computers, operating systems, software and development tools. I’m actually not 100% correct on this point. There are some giant technology vendors that charge tens of millions of dollars per year to support old systems that reached EOL without migrating. In the end, migrating is significantly cheaper and it rescues your valuable intellectual property from fragile, unsupported, failing systems.

There’s a more ominous reason to migrate your apps. Most data breaches are due to running unpatched, out-of-date, and therefore unprotected software. This includes:

  • Software written before PCs were pervasively open to Internet attacks.
  • Apps that don’t require authentication.
  • Apps that don’t encrypt data at rest or data in transit.
  • Apps written before established secure development lifecycle procedures.
  • Unpatched software.
  • Software oblivious to buffer overflows or SQL injection attacks.
  • Software and services built with the assumption that they would always be “inside the firewall” and therefore protected.
  • Apps that don’t follow “least privilege” principles.
  • Apps that don’t work with modern sandboxed operating systems.

This older and often unattended software is putting your company at risk. Individual and state-sponsored hackers are attacking the software of companies all over the world. Valuable intellectual property and sensitive customer data is being stolen daily. Company executives are getting fired. You absolutely don’t want this to be your priceless intellectual property or your customer data. This is a fast ticket to losing your competitive advantage as well as the trust of your customers. Oh, and you might be looking for a new CEO and CIO.

So what’s the game plan?

  • Catalog all your Win32 and Web 1.0 apps and assemble a v-team to take ownership of them.
  • Send out surveys to all your employees to find out who’s still using which apps.
  • Utilize asset management discovery software that scans the company network searching for apps running on Windows, Macs and servers.
  • Pull the plug on apps that don’t show up in a survey or via asset management scanning.
  • Listen carefully for screaming employees and turn those apps back on. I expect you’ll find a good percentage of those apps aren’t used anymore.
  • Eliminate the next chunk of apps by seeing if employees can use a new or different process to accomplish certain tasks. Your business and processes may have changed so much over the years that some of these apps aren’t relevant.

When rewriting the remaining apps, focus less on the code and more on data sources, workflows, user interfaces, performance and latency. I’ll talk later about new ways to connect to data and build new apps. It’s more important to reverse-engineer the way employees perceive these apps to work than how the existing code actually makes them work. This provides a good opportunity to stealthily update business cases.

Reduce risk to your company by migrating unsafe, unsupported, end of life software to modern, secure platforms and programming languages. How rapidly is your company de-risking its exposure to legacy business applications?

Improve Employee Productivity at your Company by Implementing a Hybrid Identity Strategy

Identity and Access Management is key to facilitating employee access to corporate and third-party resources from any device on any network.

Most of you are well-versed in entering user names and passwords to access social media and banking sites from your desktop browser. Based on the identity you provide, you’re given access to those sites. Some of you in the corporate world might know what it means to join your computer to a Domain. Your company has you do this so you only have to enter your credentials once, while getting access to multiple servers. This is called single sign-on (SSO) and it uses a directory service.

With people moving to myriad mobile devices and enterprise workloads moving to the cloud, the SSO technologies of the past require retooling. To make this work in a heterogeneous world, security tokens using Security Assertion Markup Language (SAML) that work with any operating system are needed. A Secure Token Service (STS) is employed to issue tokens to clients on behalf of a secure software service.

Today, you need a cloud-based directory service to manage users, groups and roles. It must provide hybrid identity by synchronizing with on-premises directories so users can seamlessly authenticate whether they’re inside the corporate WLAN or roaming on mobile data networks. Additionally, it must provide users with SSO to apps and services residing in other clouds. Finally, this service must support multi-factor authentication (MFA), which combines two or more of something a user has (a phone), something they know (a PIN) and something they are (biometrics) to secure corporate resources.
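The earlier post on dumping 1990s app authentication and this one on hybrid identity describe the same gate from its two ends: the directory (through its STS) issues a token, and the web API in front of the database admits callers on that token instead of on a database login. Here is an added Go example of both ends, not code from either post. It uses a JWT signed with HS256 so it runs stand-alone; a real STS signs with an asymmetric key (or issues the SAML assertions mentioned above) and the API verifies against the published public key. The issuer URL, audience, group name and signing key are constructed; the "amr" claim carrying the value "mfa" is the standard way (RFC 8176) a token records that multi-factor authentication took place, which is what lets the API insist on it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Added example, not code from either post: the web API in front of the database
// admits callers on a token from the enterprise directory (the STS), never on a
// database login. HS256 keeps it self-contained; a real STS uses an asymmetric key.

type Claims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Sub    string   `json:"sub"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups,omitempty"`
	Amr    []string `json:"amr,omitempty"` // authentication methods used (RFC 8176), e.g. "pwd", "mfa"
}

type Policy struct { // what this API trusts; issuer, audience and group are constructed values
	Issuer, Audience, RequiredGroup string
	RequireMFA                      bool
	Key                             []byte
}

var (
	ErrMalformed = errors.New("token malformed")
	ErrAlg       = errors.New("unexpected signing algorithm")
	ErrSignature = errors.New("signature mismatch")
	ErrExpired   = errors.New("token expired")
	ErrParty     = errors.New("issuer or audience mismatch")
	ErrMFA       = errors.New("multi-factor authentication required")
	ErrGroup     = errors.New("caller not in required group")
)

func sign(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Issue plays the STS: it mints a token once the directory has authenticated the user.
func Issue(key []byte, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	input := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(body)
	return input + "." + enc(sign(key, input)), nil
}

// Verify is the API's gate: pin the algorithm, check the signature, only then read claims.
func Verify(p Policy, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, ErrMalformed
	}
	if hdr.Alg != "HS256" { // a header announcing "none" or another alg is not honoured
		return nil, ErrAlg
	}
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, sign(p.Key, parts[0]+"."+parts[1])) {
		return nil, ErrSignature
	}
	var c Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, ErrMalformed
	}
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, ErrExpired
	case c.Iss != p.Issuer || c.Aud != p.Audience:
		return nil, ErrParty
	case p.RequireMFA && !slices.Contains(c.Amr, "mfa"):
		return nil, ErrMFA
	case p.RequiredGroup != "" && !slices.Contains(c.Groups, p.RequiredGroup):
		return nil, ErrGroup
	}
	return &c, nil
}

func main() {
	p := Policy{Issuer: "https://sts.example.test", Audience: "orders-api", RequiredGroup: "Sales", RequireMFA: true, Key: []byte("constructed-sts-signing-key")}
	tok, _ := Issue(p.Key, Claims{Iss: p.Issuer, Aud: p.Audience, Sub: "jdoe", Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"Sales"}, Amr: []string{"pwd", "mfa"}})
	c, err := Verify(p, tok, time.Now())
	fmt.Println(c != nil && c.Sub == "jdoe", err)
}
```

The database connection behind Verify uses a single service account owned by the API; the caller’s identity, groups and MFA status come entirely from the directory’s token, which is what lets you retire the old pattern of handing every employee a database login.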

Reduce risk and improve user productivity by restricting corporate access to those employees with credentials found in cloud and on-premises directories. What is your company doing to provide secure access to its business systems from any device?
