The Internet brings us lots of awesome capabilities that consumers and businesses alike naturally want to take advantage of. But every time you connect a device – any device – to the Internet, you should be thinking about how the device is protected against unwanted access.
Similarly, you need to think about how any data that’s flowing to or from the device is secured from potentially prying eyes, both while in transit and when it’s eventually stored on some faraway system.
These issues came to mind when I was at the TechAdvantage event in the Schneider Electric booth getting educated on the new North American Wiser Air thermostat and related technologies. As discussed in another post from the event, Wiser Air is an Internet-capable thermostat that gives users the ability to control it from wherever they are in the world. It is also the conduit through which lots of electrical usage data can be shared with the utility that provides power to the home, if the user and the utility both agree, of course.
It’s clear the thermostat provides consumers with lots of useful capabilities. But given that it’s connected to the Internet, I wondered how Schneider Electric was ensuring its security and the integrity of the data that utilities collect. To find out, I talked with Jason Lien, Director of Offer Development for Wiser Air at Schneider Electric.
“The first step in security is industry standards,” Lien says. “We do everything to top level industry standards.”
That certainly makes sense, but his second point was even better. “Since we run on top of Microsoft Azure, we take advantage of Microsoft’s technology and expertise in cyber security,” Lien says.
Because Azure is a public cloud platform, Microsoft has naturally pulled out all the stops to ensure its security. A post on the Microsoft TechNet site, called “10 Things to Know about Azure Security,” does a good job of outlining some of the security steps Microsoft has taken.
Some of them are more about following security best practices than they are about technology, which is a good thing because the best security technology on the planet won’t protect a site whose operators don’t follow best practices.
One example is number 3 on the list:
Least Privilege Customer Software
Running applications with least privilege is widely regarded as an information security best practice. To align with the principle of least privilege, customers are not granted administrative access to their VMs, and customer software in Azure is restricted to running under a low-privilege account by default (in future versions, customers may select different privilege models at their option). This reduces the potential impact and increases the necessary sophistication of any attack, requiring privilege elevation in addition to other exploits. It also protects the customer’s service from attack by its own end users.
That makes good security sense, as does number 5: isolating hypervisor, root operating system and guest virtual machines. Isolation is another critical best practice in security. It ensures that even if an intruder does get into some portion of the system, he’s essentially stuck there.
Lien also points out that Wiser North America has the weight of Schneider Electric behind it, itself a “massive organization” with lots of resources dedicated to tackling security issues – and many customers giving the company a vested interest in doing so.
I also asked Lien what happens to the data once it gets handed off to the utility from the consumer, in terms of who has access to it and what can be done with it.
“Basically nothing happens to it that the utility or their customer doesn’t want to happen to it,” he said. “We’re not doing anything with the data, we’re not in the business of selling internet advertisements or anything like that.”
Another good answer.
The technology is a good example of the power of the Internet of Things. But with such powerful technologies also come security risks that consumers and businesses need to consider – and take steps to mitigate. It’s good to know that Schneider Electric is doing just that when it comes to its North American Wiser residential energy management systems.