It’s impossible to pass through an airport without hearing a familiar, pre-recorded message: “Security is everyone’s responsibility.”
While that adage might fall flat to frequent flyers, it’s a sentiment Boston technology companies have taken to heart. Despite a growing cybersecurity scene, many local tech companies have decided to address threats from hackers head-on by developing their own protocols and tools. While there will always be a need for cybersecurity experts and technology, an assessment of the strategies employed by these Boston companies reveals how some security challenges can be addressed in-house.
The security challenge: Global spending on industrial IoT is expected to reach $1 trillion by 2022, creating an enormous opportunity for MachineMetrics. The company has developed a device that brings manufacturing equipment online and software to crunch the data it creates. By connecting equipment to the internet, manufacturers can monitor the health of their machines and visualize the production process using MachineMetrics’ analytics dashboards.
While the industrial IoT field is growing, MachineMetrics CTO and co-founder Jacob Lauzier believes security technology hasn’t managed to keep pace.
“Because of the speed at which the industry has grown, this complicates security solutions as there is no end-to-end out of the box security solution,” Lauzier wrote on the company’s blog. “But there are steps that can be taken by providers and companies in the interim as end-to-end solutions are developed.”
MachineMetrics’ security strategy: In the blog post, Lauzier outlines a few steps manufacturers can take to secure their newly intelligent machines. His first recommendation is to run smart equipment on a separate, standalone network. This practice is known as “segmenting,” and it is designed to keep a compromise of an office workstation or of one connected device from giving an attacker a path onto the production equipment. Lauzier also wrote that companies must think carefully before bringing older machines online, since legacy equipment may not support current security controls.
For industrial IoT hardware and software developers, Lauzier’s recommendation is to follow best practices established in other industries, like mandating strong passwords, two-factor authentication and account lockouts after a certain number of failed log-in attempts. However, Lauzier acknowledges that these are all stopgap measures, and believes that the industry needs to work together to address the issue of security.
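The lockout rule above is easy to state and easy to get subtly wrong (for example, by still checking the password while the account is locked, which turns the lockout into a password oracle). The following is an added illustration written for this page, not MachineMetrics’ code; the threshold of five failures and the 15-minute lockout window are assumed policy values, and the user store is constructed inline.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5   # failed attempts before lockout (assumed policy value)
LOCKOUT_SECONDS = 900   # lockout window in seconds (assumed policy value)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


def make_user_store(credentials):
    """Constructed sample user store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        store[username] = (salt, digest)
    return store


class LoginGate:
    """Wraps password verification with an account lockout counter.

    `now` is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, user_store, now=time.time):
        self._users = user_store
        self._now = now
        self._state = {}

    def _verify(self, username, password):
        salt, expected = self._users.get(username, (b"", b""))
        # Always run the KDF, even for unknown users, so timing does not
        # reveal whether the account exists.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt or b"\0", 200_000)
        return hmac.compare_digest(candidate, expected)

    def attempt(self, username, password):
        st = self._state.setdefault(username, AccountState())
        now = self._now()
        if now < st.locked_until:
            # Do NOT verify the password while locked: a locked account must
            # answer the same way to right and wrong guesses.
            return "locked"
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The gate returns only "ok", "denied" or "locked"; the caller should log the failure count and the lockout separately (those are what a brute-force detection rule keys on) without echoing the distinction back to the client.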
“Perhaps the biggest step that could be undertaken to get ahead of security concerns would be for the industry to collaborate toward self-regulation in the development of industry standards and protocols,” Lauzier said. “The setting of basic standards would put a minimum security ‘floor’ under all systems to protect both the companies that purchase the services as well as the providers when deploying systems.”
The security challenge: The more a company grows, the more exposed it becomes to cyberattack. More employees means more opportunities for mistakes to be made, like opening an email attachment containing malware. With more than 800 employees in Boston and 8,500 around the world, Nuance knows all about the security challenges that come with scaling.
Leslie Nielsen is the chief information security officer at the conversational AI software company. In a company blog post, he addresses how his team keeps Nuance’s thousands of employees safe from bad actors online.
“One of the unique aspects to manage is our human operating system — the thousands of people who work here,” Nielsen writes. “You can’t patch the human OS or take it offline, but you can put protective measures to help prevent innocent mistakes.”
Nuance’s security strategy: To ensure employees have fewer opportunities to make those innocent mistakes, Nielsen’s team has blocked access to certain websites, along with cloud storage providers that aren’t secured and managed in-house. The company also implemented two-factor authentication for all users trying to access its systems, network and data centers.
Nielsen’s team has also built a button into Outlook that lets employees forward suspicious emails to the company’s security team with a single click. To drive home the importance of inbox security, Nielsen’s team launches simulated phishing attacks via email and provides instruction for those who fall for the attack.
“Here at Nuance, the global security team’s mission is to ensure employees and customers are safe and secure,” Nielsen wrote. “From the ILOVEYOU phishing attack 20 years ago, to those that continue today, we work hard to keep cybercriminals away from our networks and the sensitive information contained within.”
The security challenge: The security and engineering teams at Unity Technologies have spent a lot of time thinking about managing credentials — specifically, how to avoid the “Russian nesting doll” problem. The issue, Unity says, is how to store and manage access to credentials like API tokens or the private keys used to access external servers. One way to store a credential is to require a separate credential to access it. But to safely store that new credential, another new one must be generated — and so on.
Unity’s development platform is language agnostic and used by companies like Facebook, Google and Microsoft to create 2D, 3D, VR and AR apps. According to Unity, apps developed on its platforms have been downloaded more than 24 billion times.
That’s a lot of credentials to manage. And while Unity couldn’t find a credential management solution that met all of its needs, it did find an open-source tool that came close.
Unity’s security strategy: Vault is an open-source secrets management system created by HashiCorp. The Unity team originally planned to use HashiCorp’s tool as its credential management system as-is, but didn’t like how Vault’s client libraries had to be integrated into each project by hand. So, the team built Vault Secret Fetcher — or VSF — a tool that automatically fetches secrets stored in Vault on a service’s behalf.
With VSF, authentication is handled automatically at the service’s infrastructure level. Once VSF gains access to Vault, the entry credential is exchanged for the stored credential, which the tool then delivers to the requesting service. In addition to simplifying the process for developers, Unity says automating credential retrieval also cuts down on risky practices like hardcoding credentials in source code. VSF was released in 2017 and, like Vault, is open-source.
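The pattern that breaks the nesting-doll chain is that the bottom-most credential is never stored at all: the infrastructure hands the fetcher a short-lived, single-use entry token, the fetcher trades it for the real secret, and the token is dead afterwards. The following is an added illustration of that exchange written for this page; it is not VSF’s code, and `MockVault` is a stand-in store, not HashiCorp Vault’s API. The `VSF_ENTRY_TOKEN` environment variable, the token TTL and the single-use limit are assumptions.

```python
import secrets
import time


class MockVault:
    """Stand-in secrets store (NOT HashiCorp Vault's API).

    Holds long-lived secrets by path and issues short-lived, use-limited
    entry tokens that can be exchanged for exactly one of them.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._secrets = {}   # path -> secret value
        self._tokens = {}    # entry token -> [path, expires_at, remaining_uses]

    def store(self, path, value):
        self._secrets[path] = value

    def issue_entry_token(self, path, ttl_seconds=60, uses=1):
        """Infrastructure side: mint the token that gets injected into the service."""
        if path not in self._secrets:
            raise KeyError(path)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [path, self._now() + ttl_seconds, uses]
        return token

    def exchange(self, token):
        """Trade an entry token for the stored secret; revoke it when used up or expired."""
        record = self._tokens.get(token)
        if record is None:
            raise PermissionError("unknown or revoked entry token")
        path, expires_at, remaining = record
        if self._now() > expires_at or remaining <= 0:
            del self._tokens[token]
            raise PermissionError("entry token expired")
        record[2] -= 1
        if record[2] == 0:
            del self._tokens[token]
        return self._secrets[path]


def fetch_secret(vault, env):
    """Fetcher side: read the injected entry token, exchange it, and scrub it.

    `env` is the process environment (a dict here so the example runs offline).
    Popping the token means the service never sees the entry credential, only
    the secret it needs.
    """
    token = env.pop("VSF_ENTRY_TOKEN", None)   # assumed variable name
    if token is None:
        raise RuntimeError("no entry token injected by infrastructure")
    return vault.exchange(token)


def run_service(vault, env):
    """A service that needs an API key but has none in its source."""
    api_key = fetch_secret(vault, env)
    # Real code would use api_key to call an external system; here we just
    # return a fingerprint so the caller can confirm the right secret arrived.
    return f"calling-external-api-with-key-ending-{api_key[-4:]}"
```

Contrast this with the hardcoded alternative: if `api_key` were a literal in `run_service`, it would live in version control forever and rotating it would require a code change. With the exchange above, the only thing the service process ever holds before start-up is a token that expires in a minute and works once, so leaking it after use gains an attacker nothing.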