As the world gets more connected, threat actors look for ways to take advantage of new technologies and exploit overlooked vulnerabilities.
While controlling your refrigerator or a coffee machine through an app on your phone is surely convenient, experts warn that it takes a single unprotected device for a hacker to compromise the whole network, and even allow criminals into the building. Our guest today believes that the best way to combat these threats is to use IoT software that is built from the ground up with security in mind.
To talk about the challenges of securing the IoT landscape, the team at Cybernews invited Eric Simone, the Founder and CEO of ClearBlade – a company creating software with a security-first approach.
How did ClearBlade originate? What has your journey been like?
ClearBlade originated in 2007 with a mission to modernize enterprise software with integrity and honesty, as I was tired of the false promises of the industry. It was a very interesting time to start a technology because as I look back now, we were just entering the era of smartphones and cloud computing which significantly changed the technology landscape. So, our journey changed significantly as well. I quickly switched from professional services to creating software because I saw an opportunity in the market to build something special.
I launched a startup in San Francisco way back in 1994 called Compete, Inc. which was a very successful services company acquired by Perficient, Inc. in 2000, and I always felt like I missed an opportunity to build something more special because I originally wanted to build software but instead took the “safer” path. So, when the opportunity to build Internet of Things (IoT), Edge Computing, and Artificial Intelligence (AI) software emerged, I jumped on the chance to create something amazing.
The journey has been long but boy has it been exciting. ClearBlade was early, extremely early, to address the need to build software to connect, monitor, and control any asset (or “thing”) in any business. To utilize cloud technologies in a way that leverages just their compute and storage (not their custom-built services) which allows ClearBlade to be completely cloud-agnostic, meaning we run on any cloud, all we require is Linux. To recognize that Edge computing was going to be a major movement, ClearBlade was the first company to use the term Edge and the first to release an Edge product. To be hardware agnostic and completely flexible, allowing our customers to decide what hardware they want to run on.
Can you tell us a little bit about what you do? What are the main issues you help solve?
ClearBlade provides software for IoT, Edge, and AI that is business-ready. Simply put, we allow any business to connect, monitor, and control any asset in their business. We put the power of IoT, Edge, and AI into the hands of the business people that need to modernize their operations without the need to involve their IT department. Our technology that does this is called Intelligent Assets – a no-code platform that allows businesses to connect their equipment “out of the box” by customizing our software without needing to know how to program.
Over the years, we used our technology to help many companies build their solutions and quickly realized that all of these solutions across rail, industrial products, oil & gas, etc. were mostly identical. Today, the overwhelming majority of money being spent on IoT is going towards the building of custom solutions with hundreds of “Lego bricks” in the cloud, and the majority of these solutions have failed. They fail because no matter how skilled your development team is, building on these cloud foundations is too time-consuming, costly, and inefficient when it comes to scaling. The industry needs a consistent, repeatable, software distribution that is flexible and open. This is what ClearBlade provides.
What are the most common vulnerabilities associated with enterprise IoT devices?
The key to securing IoT devices is to use software that is built from the ground up with security in mind. This goes back to having a consistent, repeatable software package that is deployed consistently across your devices. At ClearBlade, we have spent over a decade building, perfecting our software to be secure, and it all started with security in mind at the beginning.
My background in mainframe computing taught me at a very early age that security was of the utmost importance. I feel like we lost some of that discipline over the years in mobile and cloud technologies by “bolting on” security as an afterthought. This is why there are so many issues with vulnerabilities these days. That built-in security on the mainframe is why so many critical financial institutions still use them as their backbones today. So we embedded this security-first approach into the ClearBlade software. This is why we are trusted by some of the biggest and most security-conscious companies in the world.
How do you think the current global events will affect the IoT landscape? Which industries do you think should be especially vigilant nowadays?
The current global events are very concerning. The need to remotely monitor equipment is even more pressing, but so is securing that equipment. We work across many verticals that control critical infrastructure across the world, this includes transportation, energy, water infrastructure, facilities, water, public services, and healthcare. All of these industries need to be especially vigilant. This is what makes IoT so important and also why we have to roll out new solutions especially carefully. IoT is the convergence of operational technologies (OT) and information technologies (IT) and it’s important that we respect the critical nature of existing OT systems without compromising their security. Having software that understands both sides of this delicate equation is absolutely essential. This is also why we cannot keep building bespoke solutions for every need – it’s too risky because it introduces too many variables that compromise security.
What would you consider to be the most difficult challenges that companies face on their digital transformation journey?
By far, the most difficult challenge is how to cut through all of the noise out there with respect to IoT. When I read about the thousands of technologies and solution providers out there I get vertigo. It is absolutely impossible to make sense of it, even for me, and I’m an expert that has been doing this for well over 30 years! So, how does a leader of digital transformation make the right decisions for his or her organization? It’s a real challenge.
My advice is to focus on finding solutions that are proven at scale, that are repeatable across industries, and that can guarantee a significant return on your investment in 3 months or less. That should weed out most of the pretenders that know how to tell a good story but really haven’t proven they can execute securely at scale. Also, do not pay by the hour for services to build your IoT solution. Pay by the deliverable and make sure the technology partner you choose delivers a measurable ROI within the first 3 months.
Even though the market is full of security solutions and tools available, why do you think certain companies and individuals are still hesitant when it comes to upgrading their cybersecurity posture?
I believe it’s laziness. If it ain’t broke, don’t fix it. It’s also what slows down innovation in IoT, fear of connecting operational equipment that is currently air-gapped. If you cannot connect to the asset remotely it is harder to hack. It takes time, money, and risk to modernize these systems and the companies that are delaying are falling farther and farther behind. The other thing I am seeing is the security questions vendors are being asked are extremely outdated or irrelevant. So, we are implementing IoT systems in 2022 with security questions from 2005. Again, it comes down to understanding the fast-paced world of IoT, Edge, and AI to find out who you can trust with respect to security. Trust vendors that are used by many large-scale customers and can prove it. Do not trust the hype and marketing or the “follow the crowd” mentality… because the crowd is wrong. I would also question any technology that is using a third party to add to their security stack. All that indicates to me is that they lacked the discipline to build in security from the ground up and therefore their solution is insecure.
Besides IoT security, what other safety practices do you think are crucial for companies of all sizes?
When I think of IoT security, I think of authentication, authorization, and encryption, with lots of engineering going into enforcing those best practices, embedding them into our software. If we look beyond those core components we see other areas where development and evaluation practices can make a big difference.
To start, testing, testing, and more testing. I’m amazed at how little security and scalability testing goes on in IoT projects. Instead of relying on your legal and/or security department to lock down vendors on liability if a security breach happens, make the vendors prove their software is secure and make them prove it can scale to a multiple of your current workload or what you expect your fully deployed workload to be. This is also where you will separate the “haves” from the “have nots” with respect to technology.
Another area that greatly affects security is keeping your software updated. A big reason why devices and software become vulnerable is the lack of discipline in keeping them updated. Over the air (OTA) updates are absolutely critical and the best software/hardware company will enforce these updates to make sure your devices are secure.
In addition, it’s critical to keep an audit trail of everything that happens on a device and within your software systems. These audit trails or logs are very important for monitoring and recording what is normal and abnormal behavior. Since ClearBlade is deployed in a lot of critical systems, it is a requirement that our software adheres to our customers’ industry audit trail and logging standards.
Finally, every company needs a mature, documented process to respond to security threats. The biggest risk to any company, especially a software company in the IoT space, is to have an incident and not know how to effectively address that incident immediately. I am proud of the discipline we have here at ClearBlade. Our team was way ahead of all of the recent public vulnerability threats because our engineering and discipline made sure they were never a threat to our software or our customers.
And for individual users, what security measures do you think everyone should take to protect their devices?
As individual users, you are often at the mercy of vendors that make really interesting services that you can build with. It’s easy to recommend a security framework that is so complex and convoluted that it’s difficult to understand, maintain, and therefore adds very little value. It’s a bolt-on. I recommend that you use all of the tools that are best practices, such as two-factor authentication, secure passwords, and personal data monitoring. It’s smart to understand what data is being captured about you, and overall be aware and have an appreciation for the risks you are assuming as you use any of these services.
Share with us, what does the future hold for ClearBlade?
I have never been more excited about our future. We have recently added many customers across multiple verticals, who are using our technology and basing their products on ClearBlade software. From connected industrial equipment, to AI-directed remote oil drilling, to protected water infrastructure, to optimized agriculture, even video AI for retail. ClearBlade is simplifying the deployment of IoT, Edge computing, and AI today. Our software running on Linux or Windows provides our customers with a secure, consistent, repeatable IoT operating system that is trusted by some of the world’s largest companies. What’s next is already in motion, you will start seeing companies promoting their solutions as “powered by ClearBlade” to represent how they are differentiating their product capabilities. It has been my vision for over 10 years for ClearBlade to be recognized as a trusted brand and we did it the right way, by building the very best software before going big and marketing our capabilities to the world.
Original article can be viewed on cybernews.