Nmedia - Fotolia
The Internet of Things is more than just cars, clocks and coffeemakers. It's about an entirely new frontier of networked devices that affect enterprise security both directly and indirectly. One recent discussion point has been around whether or not the average corporate network can even handle the Internet of Things' bandwidth requirements. It's certainly something to be thinking about, but it seems moot when you consider the potential for the inevitable security headaches.
Enterprises have enough trouble keeping up with the security of their traditional network systems. Many people struggle with knowing where their systems, and especially their sensitive data, are located. Others have no clear picture of their current security posture or what's taking place on the network at any given moment. No doubt, the largest group consists of IT and security staff who struggle to get -- and keep -- management and their general user base on board with security. With securing the Internet of Things, these issues become even more of a challenge. I suspect we're going to experience a side of security we never anticipated.
Since the beginning of my career in information security, I've worked by the mantra that if a system has an IP address or a URL and it touches the business network or processes sensitive information in any way, then it's fair game for attack. It should also be fair game that it fall within the scope of existing security management programs. Similar to mobile devices, instant messaging, social media usage and the like, we're not going to stop the Internet of Things from growing. It has to be front and center in your security discussions.
Playing by the rules
One of the core principles for minimizing information risks is to lay out a set of rules to play by in the form of well-written security policies. If proper expectations are not set, then it's a free-for-all, not unlike what we see with bring your own device (BYOD). The good news is that securing the Internet of Things -- or protecting your enterprise against it -- is not going to be much different from securing any other aspect of the network. It's about perspective and priorities. Here are some security policy-centric items you must consider with Internet of Things in the enterprise:
- What role will your existing security policies play? You won't have to start from scratch. Your existing policies around passwords, patching and system monitoring will likely suffice. The important thing is to ensure that the Internet of Things falls within the scope of each of these policies where necessary.
- Will new security policies be required? You might find that new (or updated) policies around network segmentation and access control are needed to ensure these devices are kept in their place -- similar to the way you might handle wireless access points and guest Internet connections. Be sure to consider the Internet of Things implications for business partners, suppliers and customers with network connections into your environment as well. What additional risks will each of your employees' Internet of Things devices at home introduce to your network via VPN connections?
- Who's going to ensure that your policies are both enforceable and actually enforced to minimize your Internet-of-Things risks? Management and users may buy into policies around core business applications, but how are they going to perceive your desire to secure seemingly harmless devices that have minimal business purpose? You need to be able to quantify the risk by performing a risk analysis and determining the likelihood that threats will exploit Internet of Things vulnerabilities, and the impact if they do. A good BYOD security program now cannot serve only as an indication of things to come; it must also lay the groundwork for your Internet of Things policy enforcement.
- Who's going to be monitoring the Internet of Things? You could ultimately be looking at double the number of hosts (or more) on your network at some point in the near future. Will you need additional staff to ensure everything is kept in check? Will your managed security services provider be able to accommodate these systems?
I don't typically buy into the marketing hype associated with emerging areas of IT, such as the cloud and big data, but there is something to be said about the Internet of Things. The term has a hint of jargon to it, but the business consequences are real. Cisco estimates that the Internet of Things will grow to 50 billion devices by 2020. That represents a significant number of systems that will somehow need your attention. These devices could open up backdoors into your network. They can facilitate malware propagation. They can end up storing sensitive business information. They can lead to denial-of-service conditions. Is your business prepared? Are you going to be able to justify taking time away from the things you're currently doing to tend to this new realm of systems invading your network?
Complexity is one of the largest barriers to effective security, and securing the Internet of Things is no doubt going to increase that complexity exponentially in organizations both large and small. You're going to have to up your security game by doing more of it -- better, faster and cheaper than ever before. Now's the time to be thinking about keeping the Internet of Things in check on your network and any other networks that are associated with your business. Get the right people on board and at least start with a policy update that outlines what you're doing and not doing -- allowing and not allowing -- with all of these connected devices. Policies aren't the magic solution to security. In fact, they often do more harm than good by creating a false sense of security and "compliance." But do it anyway -- any positive action toward a better, more secure Internet of Things will provide many long-term payoffs for the business as a whole.
About the Author:
Kevin Beaver is an information security consultant, writer, professional, speaker and expert witness with Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems, as well as Web and mobile applications. He has authored or co-authored 11 books on information security, including the best-selling Hacking For Dummies. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.