We know that today, the Internet of Things (IoT) trend will add billions of devices to our already connected world. I previously wrote a blog series on highlighting what IoT really is and means practically.
So let’s assume highly sophisticated computing devices become increasingly prevalent in our workplace infrastructures and our own personal spaces. As this happens, the long-term implications for security cannot be ignored. The risks are very real. Pioneering consumer-grade IoT products have shipped with glaring security holes that provide tempting targets to sophisticated attackers.
Some of the typical enterprise security comforts do not apply in the Internet of Things. By design, IoT devices are rarely locked up in hardened data centers or buried several layers deep in the corporate firewall. They are meant to be installed in everyday locations, often in plain sight and physically accessible to all. That’s why it’s important to adopt the recommendation of the US Federal Trade Commission—a “defense-in-depth” approach to IoT security, with protections at the network and platform layer, as well as embedded in the device itself.
Controlling cybersecurity threats in the Internet of Things requires a combination of new skills and a restatement of basic security principles. Here’s how leaders can get started.
Understand today’s limitations
In the early days of Wi-Fi adoption, security practices were weak and ill-defined. Even protected networks were easily exploited by interested attackers. Over time, the industry developed advanced protocols, which both tightened security and improved user convenience, with push-button wireless pairing and stronger encryption.
IoT cybersecurity is similarly a work in progress. In the short term, expect missteps on both extremes of the spectrum: devices too promiscuous to be safely deployed in the enterprise, and those so tightly locked down that the deployment headaches outweigh the gains. Keep in mind, as we explore connectivity and cybersecurity for networks, an IoT strategy should differentiate on types of devices and direct connectivity to devices vs gateways. For a more detailed view on device vs gateways, see this blog.
Today, IoT network communication is either Wi-Fi based or now using Bluetooth Low Energy (LE). The benefits to Bluetooth LE involve less power consumption for devices that operate on batteries. Apple HomeKit pushed early security standards for IoT, but as you can see from this forbes article, there’s still a ways to go to make this real and easy such that IoT can take off.
Know what you own
As more devices are onboarded, we all know device management is important. For details on device management, see my previous blog. However, addition to the monitoring and management capabilities of device management, we also need the financial capabilities to manage devices, including detailed accounting and usage metrics and this is key to any enterprise IoT strategy. Last year, the financial industry struggled with the problem of maintaining and upgrading 200,000 ATMs still running the end-of-life Windows XP operating system. Imagine that problem multiplied by a factor of 10,000. By 2019, the Internet of Things will add over 20 billion new devices to the market.
The ATM problem highlighted the risks of aging infrastructure, and that drama will repeat in the Internet of Things. IT leaders must keep command of the IoT devices deployed on their networks and understand the risks as each ages. More importantly, they must be vigilant about the implications when manufacturers inevitably slow and eventually terminate the firmware updates that reinforce devices against emerging security threats.
Look to trusted platforms
As new devices enter the Internet of Things, they bring with them unique security challenges, some of which have not been addressed by trade groups and standards bodies. But, industry-specific vertical platforms are helping to provide more rigid security frameworks. Solutions such as Cloud for Industry, developed by Siemens and based on SAP HANA Cloud Platform, represent secure ecosystems for network connectivity, data collection, and device-to-device integration.
Tennant Company took an IoT platform approach to connect the smart sensors on its industrial and commercial cleaning equipment to its central SAP HANA database. This made it easier for Tennant to confidently scale up its IoT proof of concept to full scale and enable thousands of machines with the sensors and data reporting devices that will help the company reach its $1 billion revenue target in 2017.
Stick with basic principles
The security adage of “least privilege”— limiting access and rights of outside users to the bare minimum — must be applied in the Internet of Things. This means not only carefully restricting user rights, but also constraining the device’s privileges and access as well. Smart thermostats should not be turned into Intranet Web servers, even though they have processing power to spare.
This principle also extends to on-device data collection, which should be curtailed to the bare minimum. Particularly for IoT devices, which are installed in plain sight or are otherwise difficult to physically protect, the less that can be stored on the device, the better. That way, if the device is stolen or otherwise physically compromised, it yields very little of value.
Consumer and enterprise IoT priorities are different
The IoT is growing in both the consumer and enterprise realms. Although some developments will aid both sectors, enterprise IoT strategists must take ownership of their priorities, rather than relying on consumer tech leaders and advocates to sort out the finer details.
For example, a great deal of attention in consumer IoT security today focuses on matters of privacy. Some privacy considerations, such as preventing an attacker from activating a device’s microphone and relaying the digital recording to an outside repository, are equally relevant for enterprise. Others, such as the push to anonymize data whenever possible, are less applicable. Industrial users want and need very specific monitoring data about the inventory, equipment, personnel, and facilities they track with IoT gadgets, which would be valueless if anonymized or restricted.
Into a more secure future
IoT devices will eventually blend into the digital landscape and become a seamless part of an ever-growing digital infrastructure. Today, however, is not the time to deploy and disregard. With identity management, platform-level security, and a vigilant eye on the fast-growing range of IoT devices in the workplace and in the field, enterprises can overcome the cybersecurity threats and focus on productivity gains.
Learn more how SAP’s IoT platform can help you connect, transform and reimage your business.
Please share your thoughts in the comment space below or tweet to me: @prakashdarji
VN:F [1.9.22_1171]Trusted Platforms Are Key to Internet of Things Success,