How safe is your IoT business?
Brian Foster, Neustar
2015 brought with it much conversation around the Internet of Things, writes Brian Foster the senior vice president of information services at Neustar. The mainstream conversation around mass connectivity developed from being a personal fad to a genuinely credible approach to effective business management – but for many the idea of IoT for the enterprise is old hat.
IoT is and has been a core driver for IT facilities for a number of years and has been key to advancing IT applications and integrating legacy devices. However, today’s conversations are changing the perceptions of IoT and the reality of creating a truly connected business.
Although IoT is nothing new, the scaling to include millions of devices per organisation is. A recent Quocirca report, commissioned by Neustar, found that the scaling to many thousands of devices per organisation clearly represents a wealth of new opportunities but highlighted that the same security rigor and vigilance applied to traditional IT devices needs to be extended to all connected things.
The concern
The research found that 37% of people have already noted the impact of IoT on their organisation and 45% are planning to integrate this approach. This will mean that a huge number of new devices will be connected to networks all over the globe with the overall average per individual UK organisation expected to develop into the thousands over the next year. All of these devices will be attached to a variety of networks not only resulting in increased stress on both existing and new networks but, more importantly, increased risk.
According to the Neustar/Quocirca report, major IoT users worry even more than the average about privacy. A close second is the expanded attack surface that will be exposed as more IoT applications are deployed. Quocirca defines the four key security concerns as:
- Data protection: many devices gather sensitive data, so its transmission, storage and processing needs to be secure, for both business purposes and regulatory reasons.
- Expanded attack surface: more IoT deployments mean more devices on networks for attackers to probe as possible entry points to an organisation’s broader IT infrastructure. Older devices with pre-IoT firmware are likely to be some of the most vulnerable.
- Attacks on IoT enabled processes: hacktivists wanting to disrupt a given business’s activities for some reason will have more infrastructure, devices and applications to target, for example, via denial-of-service (DoS) attacks on networks or by compromising and/or disabling individual devices.
- Botnet recruitment: Poorly protected devices may be recruited to botnets. Incidents of this have been reported, for example malware turned CCTV cameras into a botnet network in October 2015.
Where do we go from here?
Effective management and security is only possible through great design. 66% of respondents view IoT deployment as a series of hubs that interoperate with spokes on closed networks, making network configuration and security more manageable. However, security starts with identity and organisations are beginning to make headway in authenticating users with 47% of respondents already scanning IoT devices for vulnerabilities, with another 29% planning to do so.
IoT security issues such as data protection, botnet recruitment and DDoS-style attacks on IoT enabled processes can be addressed through adapting and scaling measures that are already in place for existing IT infrastructure. For instance, 39% of respondents were found to have DDoS protection in place, with another 31% planning a deployment.
The adoption of a decentralised security and management model where a gateway needing a unique IP address controls communications with the outside world which in turn communicates onwards with remote devices which do not need unique IP addresses, avoids the need for each device to have a unique IP address. This approach can work at scale, making the selective, effective and cost efficient deployment of IoT security more straightforward as scanning can be carried out using the same processes in place for existing IT endpoints. 35% of experienced IoT users already recognise the value of such an approach.
Throughout 2016, the proliferation of IoT connected devices will continue to put pressure on the manufacturers of these devices to implement IoT security controls – if it isn’t secure it shouldn’t be purchased no matter how amazing the connectivity is – the Jeep Cherokee hack is a good example of connectivity overtaking security without a positive outcome.
As more and more devices become tied to the Internet, the security threat will continue to expand to new industries and areas. If the IoT is to be secure for the future there is much work to be done. A key component of this is being able to confidently recognise millions of things, which for many requires upgraded device identity management capabilities. As such, there needs to be a core focus on security practices before any other.