Jai Vijayan's recent Dark Reading article on the Internet of Things (IoT) highlighted five things we should do to prepare for its use in the enterprise. Below are my thoughts on his recommendations.
Bake security into IoT applications from the start
Jai’s recommendation is well stated. Integrating security into any device during the design and development phase is best. However, designers and developers can only account for the threats they understand. Patch management technology will need to evolve to address the evolving threat landscape.
Jai's article cites risks emerging from the technology itself: web interface authentication and authorization, lack of transport encryption security, insufficient security configurability, and poor physical controls. I anticipate that control vendors will provide solutions to tackle these challenges. My concern lies with the business process utilizing IoT devices. The risk of every human interaction increases when a device is used to mediate the exchange.
Network segmentation – well, what can I say? As a former QSA, I reviewed multiple environments that would reduce their PCI scope by using physical and logical segmentation. These retail concerns did not utilize IoT. Many of these concerns had flat, unsegmented networks. This was a business-driven choice to save costs. Security professionals must highlight the increased risk exposure introduced by IoT to justify the segmentation costs.
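To make the segmentation point concrete, here is an added example (my own illustration, not code from Jai's article): a small first-match firewall policy evaluator that audits whether an IoT zone can reach the cardholder data environment (CDE). The zone CIDRs, the broker address and the rule sets are constructed for illustration; the flat policy stands in for the single any-to-any network, the segmented policy for the PCI-scoped design.

```python
"""Audit whether IoT subnets are segmented from the CDE.

Added illustration, not code from the original post. Zones, CIDRs and
rules are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport: int) -> bool:
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic falls to the default."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


# Constructed zones (hypothetical addressing).
ZONES = {"iot": "10.20.0.0/16", "cde": "10.10.0.0/24", "corp": "10.30.0.0/16"}

# Flat network: the cost-saving design with one permissive rule.
FLAT_POLICY = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Segmented network: IoT devices may only reach their broker on 8883,
# everything else from the IoT zone is dropped, and the CDE is reachable
# only from a corporate admin subnet over 443. Default is deny.
SEGMENTED_POLICY = [
    Rule("10.20.0.0/16", "10.30.5.10/32", 8883, "allow"),  # hypothetical broker
    Rule("10.20.0.0/16", "0.0.0.0/0", None, "deny"),
    Rule("10.30.1.0/24", "10.10.0.0/24", 443, "allow"),
]


def audit_segmentation(rules: List[Rule], iot_zone: str, cde_zone: str,
                       probe_ports: Tuple[int, ...] = (22, 443, 1433, 3389)
                       ) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) tuples an IoT host could reach inside the CDE.

    Uses one representative host per zone; a real audit would sweep the
    full address space and every rule boundary.
    """
    src = str(next(ipaddress.ip_network(iot_zone).hosts()))
    dst = str(next(ipaddress.ip_network(cde_zone).hosts()))
    return [(src, dst, p) for p in probe_ports
            if evaluate(rules, src, dst, p) == "allow"]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        findings = audit_segmentation(policy, ZONES["iot"], ZONES["cde"])
        print(f"{name}: {len(findings)} IoT->CDE paths allowed", findings)
```

The evaluator is deliberately simple (no stateful tracking, no NAT), but the shape of the check is what a QSA wants to see evidenced: a policy where the IoT zone has an explicit deny toward everything except its own services, and where the CDE admits only the subnets that need it.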
Have a layered security system
I anticipate IoT risks to vary depending on their utilization patterns. Each layer – internal network use, external network field use, wireless-enabled IoT – will need controls designed to reduce risk exposure and deal with the inevitable incident.
Be prepared to share security responsibility
IoT is an opportunity for managed service providers! I expect RSA Conference 2015 to buzz with IoT risk management discussions. I agree with Jai that we must have a risk management dialogue to decide which risks we will manage and which we will pay others to assume.