The Internet of Things (IoT) is the linchpin of many future innovations in both wireless and mobile technologies. However, the connected universe brings with it some heavy baggage to enterprises.
There are a multitude of security and privacy challenges to address when considering a foray into IoT, but a good place to start is in defining what your company means by Internet of Things.
Despite all the talk about IoT, there is still quite a bit of confusion around what, exactly, constitutes the Internet of Things. "The first big problem that many enterprises face is having their own definition of what they mean by the Internet of Things," said Gartner analyst Earl Perkins. "So that they can then actually define how they want to approach it from a cyber security perspective." As you plan your IoT deployment, consider the goals you have for introducing it into your business. How you define the IoT for your organization will depend largely on what you want to get done and what tools it will take to make that happen.
However, there are some common threads when it comes to the moving parts of the system. Brian Partridge of 451 Research, said that it usually takes a device, a network, and some sort of cloud service. "At each of those layers, there is a potential for security challenges or issues if they aren't architected right from the beginning," Partridge said. At the base level, IoT is about interconnectivity, which often breeds complexity. According to Ondrej Krehel, founder and principal of cybersecurity firm LIFARS, LLC, that often leads to problems for IT security.
"Complexity – in its nature – it's the biggest enemy of security," Krehel said. In moving towards the Internet of Things, keep in mind that each piece you add to the system is multi-faceted, requiring other pieces to keep it secure and running efficiently. And, all of these pieces for a system designed with one thing in mind – data.
Protecting the data
Data is the lifeblood of IoT. As such, your security implementation for IoT should center around protecting it. Device-level security and application-level security are worth investing in, but the data layer remains the top value proposition.
Regarding the collection and transmission of IoT data, Partridge said there are three main challenges facing security professionals in IT:
- Confidentiality challenge – Keep data from people who shouldn't have access to it
- Integrity challenge – Ensure that data being generated is passing along a network without being modified, detected, or spoofed in the middle; the integrity of data on the move
- Authentication challenge – Making sure the data you're getting is coming from a known source; that it is authentic
IoT is still a novel concept to many knowledge workers, and it will be for quite some time. Perkins said employees need to understand that it breaks up the traditional form factors of collecting, processing, storing, and distributing data. Because of that, many traditional forms of IT security will not be effective in IoT.
Perkins also mentioned that we need to be aware of the sheer volume of data that will be collected by connected devices and management systems. "With the Internet of Things now, the whole concept of big data just got bigger," Perkins said. "Because, now, you're going to be literally flooding networks with information, with data, that wasn't on those networks before."
Guarding the gateways
Consider the terms "data" and "database." If you're like me, that doesn't invoke the image of something in constant motion. Most IT folks know better, but a database is often equated with a bank, and protecting money in a bank is different than protecting it while it's moving in an armored car.
The reality is that data is constantly moving, and the pathways along which it moves are drastically altered by the Internet of Things. This is where the interconnectivity really comes into play in IoT security. In a deployment of connected things, there are contact points where data is exchanged among the various pieces of the network. It is at those checkpoints that Krehel believes you should focus.
"There are various checkpoints where you need to scrutinize that connectivity," Krehel said. "It's not, now, just about the device that's connected securely, it's about that interaction. Interaction is the key here." Typical IoT devices don't have much processing capacity to be able to handle, perhaps, security code, Perkins said. When you're talking about IoT, Partridge said, you're talking about chips that fit in the dimple of a golf ball.
So, the discussion has to altered to find the correct way to protect these devices and the data they create and transmit. One example is a gateway, also called a proxy or broker, to manage data security on behalf of many types of devices. These are a part of the checkpoints earlier referred to by Krehel.
The reason it is absolutely necessary to protect these checkpoints and gateways is because they will become the prime targets for cyber crime in the enterprise. "You can be sure that people who want to hack into the systems, or cause problems, they're going to go after network gateways, network points where these different types of Internet of Things networks feed data or receive commands," Perkins said.
Understanding the opportunities
Partridge is often asked if IoT should be avoided due to the security challenges it presents, and his answer is no. There are plenty of options to help you navigate the process and they are growing. The focus is shifting from security implemented alone on devices and software to security of interaction and flow. According to Krehel, security is becoming a matter of both technology and services.
The opportunity is presenting itself for security providers to step in and offer security as a service for those checkpoints, for those interactions, so the company can continue to focus on gleaning data. You might not be able to do it on your own, designing the full set of protocols and integrations, Krehel said. It's becoming more acceptable to forgo designing the process wholistically, instead relying on a third-party to provide some of the security for you.
"The companies that come in and audit, and consult, and build a plan of attack for how to mitigate security risk in these new environments – big checks are going to written for that," Partridge said. Another opportunity presented by IoT, according to Perkins, is understanding The Internet of Things as a revolution in security in and of itself. We can begin to apply security technology and security capability with the connected things.
A consumer example would be your connected home telling you if someone broke in, or there is a carbon monoxide leak. Or a retailer could use it to track stolen goods with internet-connected security tags. Ultimately, the Internet of Things presents new technological opportunities across the board. And, if properly implemented, could present a host of new opportunities for your business as well.
