Ready or not, the IoT wave is already breaking on enterprise shores. While smart, connected devices mean increased automation and digitisation, they also translate into new challenges that will require companies to shift their approach to security. Already, malware infecting common consumer IoT devices has led to a botnet of nearly half a million endpoints, with millions of devices still vulnerable to attack. Existing mobile security strategies can be extended to prepare for the new challenges presented by IoT. This approach not only addresses immediate concerns but can also provide a security blueprint to protect companies as they look to scale IoT adoption in the future.
Mobile provides a roadmap to IoT
Smartphones and tablets are well understood within organisations, and it has been proven that employees with anytime, anywhere access to corporate data and applications are more productive. The Internet of Things takes this to the extreme, allowing small, inexpensive computers to automatically gather data from the physical world and, in some cases, take actions in the physical world as well. Many of the lessons learned about securing mobile can be brought forward into IoT deployments.
Trust is critical for any mobile deployment. In the mobile world, trust centres around ensuring that only an authorised user, running an authorised application, working on an authorised device can interact with enterprise data stores, whether they’re on premises or in the cloud. With IoT, the “user” and “application” often become the device itself – the key common bond here is trust. Only devices provisioned by IT should be able to get access to enterprise data, to protect both the integrity of the devices and the resources that devices connect to.
A common mechanism for establishing this trust is through the use of digital certificates, which can easily identify embedded devices both to a mobile management platform and to the networks and enterprise resources the devices connect to. Certificates also ensure end-to-end session trust between the device and enterprise resources, so if a network session is compromised, the attacker cannot use it to infiltrate enterprise systems.
Of course, OS trust is also critical. Enterprises must ensure that security patches are in place (if such updates can be applied) and that common attack vectors like default usernames and passwords are disabled or, at a minimum, changed. Monitoring for suspicious behaviour such as sharp increases in network traffic can also help determine whether a compromise has occurred. If compromised devices are found, they should be quarantined from enterprise resources immediately to limit the scope of an attack.
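As an illustration of the traffic monitoring described above, the following added example (not from the original article) compares each device's latest traffic sample with its own baseline and lists quarantine candidates. The device names, byte counts, threshold and floor are constructed assumptions, not values from the article.

```python
from statistics import median

# Constructed sample data: bytes sent per 5-minute interval, oldest first.
SAMPLES = {
    "hvac-sensor-01": [4100, 3900, 4200, 4050, 3980, 4120, 4010],
    "door-ctrl-02": [900, 950, 870, 910, 940, 890, 61000],
    "badge-reader-03": [0, 0, 1200, 0, 0, 0, 1300],
}


def spike_score(history, latest, floor=512):
    """Score `latest` against the device's own baseline.

    Uses the median and the median absolute deviation (MAD) so that a
    single earlier burst does not inflate the baseline. `floor` (bytes)
    keeps very quiet devices from alerting on tiny absolute changes.
    """
    base = median(history)
    mad = median(abs(x - base) for x in history)
    scale = max(1.4826 * mad, floor)  # 1.4826 scales MAD to a std-dev estimate
    return (latest - base) / scale


def quarantine_candidates(samples, threshold=6.0, min_history=5):
    """Return (device, score) pairs whose latest interval is a sharp increase."""
    flagged = []
    for device, series in sorted(samples.items()):
        history, latest = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough data to form a baseline yet
        score = spike_score(history, latest)
        if score >= threshold:
            flagged.append((device, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for device, score in quarantine_candidates(SAMPLES):
        print(f"quarantine candidate: {device} (score {score})")
```

The bursty but normal badge reader stays below the threshold, while the door controller's sudden jump is flagged for quarantine.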
Leverage existing platforms for trials
Of course, the use of IoT devices in enterprises is both widespread and yet still nascent. It’s widespread in the sense that many systems such as building management or industrial automation are already network connected and vertically integrated. However, more customised applications built by IT on the back of IoT platforms are new. Luckily, there are several enterprise-class platforms that IT can build from, such as Windows 10 or Android, which can scale down from smartphone form factors to more IoT-appropriate form factors. The advantage is that these platforms come with many tools for management and security built in, which eases prototyping, rather than having to start from scratch.
Network segmentation is a must
Enterprises need to understand that IoT devices will sit outside the corporate network and then reach into corporate datastores. If they have unfettered access to the corporate network, they can pose a serious risk to sensitive systems inside the organisation. Enterprises need to examine exactly which data and application stores IoT devices will access and ensure that the network is segmented to prevent IoT devices from compromising other systems.
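One way to check that segmentation holds in practice is to audit observed flows against the list of data and application stores IoT devices are meant to reach. This is an added example, not part of the original article; the subnets, addresses, ports and flow records are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the segment that holds IoT devices.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed assumption: the only destinations IoT devices should reach.
ALLOWED = [
    (ipaddress.ip_network("10.20.5.10/32"), 8883),  # message broker over TLS
    (ipaddress.ip_network("10.20.5.20/32"), 443),   # telemetry API
]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.50.0.11", "10.20.5.10", 8883),
    ("10.50.0.12", "10.20.5.20", 443),
    ("10.50.0.12", "10.10.1.5", 445),   # IoT device reaching a file server
    ("10.50.0.13", "10.20.5.10", 22),   # right host, wrong service
    ("10.30.0.7", "10.10.1.5", 445),    # not an IoT source, out of scope
]


def violations(flows, segment=IOT_SEGMENT, allowed=ALLOWED):
    """Return flows from the IoT segment to anything outside the allowlist."""
    out = []
    for src, dst, port in flows:
        if ipaddress.ip_address(src) not in segment:
            continue  # only audit traffic that originates from IoT devices
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net and port == p for net, p in allowed):
            out.append((src, dst, port))
    return out


if __name__ == "__main__":
    for src, dst, port in violations(FLOWS):
        print(f"segmentation violation: {src} -> {dst}:{port}")
```

Any flow reported here means either the segmentation rules are too loose or the allowlist is missing a legitimate dependency that should be reviewed.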
IoT extends IT security into the physical world
Another aspect of IoT that’s different is that devices can often take action in the physical world they live in, such as adjusting temperatures, closing doors, or other actions. Enterprises will need to consider the liability of their devices interacting with the physical world and develop compensating controls accordingly.
Beware the consumer devices
Many end users may want to bring their own IoT devices, such as wearables, into the enterprise. However, the enterprise management capabilities for wearable devices are nascent and thus they may not be appropriate for corporate applications. If wearables are required to handle sensitive data for the enterprise, organisations will need to evaluate the embedded security features of their applications until broader security and management frameworks are developed.
Ready or not, IoT is here. How enterprises choose to approach these technologies today will determine whether the next five years of IoT headlines are stories of transformation or destruction. The good news is many enterprises already have the mobile foundation in place to start heading in the right direction.