Enforcing Security For IoT Devices In Enterprises
By R Venkateswaran
With the proliferation of IoT devices in enterprises and the data collected by these devices, it has become imperative to ensure the security of the devices, the data and the enterprises themselves. The onus of data security and privacy rests with the enterprise and is governed by the regulatory framework of the business domain and the General Data Protection Rights (GDPR) laws of the region.
Despite this, in many enterprises today, security has been an after-thought for the adoption of IoT devices. A recent survey covering 700+ electronics manufacturing companies has revealed that more than 80% of them are deploying IoT solutions in the enterprise without evaluating the security risks.
The survey further summarized that less than 10% of the companies conduct a periodic security assessment of their IoT deployments. These companies are exposing themselves to various kinds of security attacks including malware, denial of service and data leakage. While the above study focused on electronics manufacturing, in my opinion, the numbers are not likely to be very different across other enterprises.
One of the reasons why enterprise IT teams do not pay much attention to IoT devices could be the lower power and lesser computational capabilities of these devices, which make it difficult to enforce stringent security policies while deploying them. Further, in the business model of many IoT deployments today, the devices are owned and managed by the IoT solution providers and not the enterprises themselves, so the enterprises relinquish some level of control over the devices.
Complete security can be enforced only if enterprises take an end-to-end view of IoT deployments – covering all aspects of security spanning the IoT devices, the infrastructure or network and the data flowing across these devices. Let us look at each aspect in detail.
Going forward, enterprise IT teams must start enforcing security policies on the IoT devices by classifying them as a standard enterprise endpoint and subjecting them to the same rigour as any other connected endpoint such as laptops, PCs, servers, mobile phones etc. Prior to any deployment, it is imperative to do a thorough security evaluation of the IoT devices covering firmware, operating system and intended data exchanges. Post deployment, periodic scanning of these devices, endpoint behaviour analysis and vulnerability assessments using security risk manager tools should become part of standard operating procedures (SOP) for enterprise IT teams. Such tools are today extending their coverage scope to include management of security risks of IoT devices as well. In addition, IT teams will have to re-negotiate the business models with IoT service providers and retain some ownership of the IoT devices to ensure enforcement of their security policies. With this disciplined approach, the overall security of the enterprise will increase even with IoT deployments.
The IoT Security Foundation (IoTSF) has been working to identify the best practices for enterprise architecture considering secure adoption of IoT. Their key recommendation is a hub-based architecture, wherein the Hub (or the Gateway device) shields the rest of the IoT network from the external infrastructure. This architecture advocates the creation of a separate IoT network within the enterprise to protect the rest of the business from any potential security compromises of IoT devices. All communication amongst IoT devices is restricted within the IoT network, while communication with the rest of the systems is routed through the Hub. The Hub takes responsibility for the authentication, authorization and device management services of the IoT devices, thereby providing layered security to the enterprise. Such architectures provide a secure way for businesses to explore IoT applications without compromising the security of the rest of the business.
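One way to check that a deployment actually follows the hub model described above is to audit flow records against it. The following is an added example, not code from the article or from the IoTSF; the subnet, the hub addresses and the flow records are constructed assumptions.

```python
import ipaddress

# Assumed addressing for illustration only (not from the article).
IOT_NET = ipaddress.ip_network("10.50.0.0/24")        # dedicated IoT segment
HUB_ADDRS = {ipaddress.ip_address("10.50.0.1"),       # hub, IoT-side interface
             ipaddress.ip_address("192.168.10.5")}    # hub, enterprise-side interface

def classify(src, dst):
    """Label one flow as allowed or as a violation of the hub model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in HUB_ADDRS or d in HUB_ADDRS:
        return "allowed"               # traffic via the hub is the sanctioned path
    s_iot, d_iot = s in IOT_NET, d in IOT_NET
    if s_iot and d_iot:
        return "allowed"               # device-to-device stays inside the IoT network
    if s_iot:
        return "iot-bypasses-hub"      # device reached another system directly
    if d_iot:
        return "direct-access-to-iot"  # outside host reached a device directly
    return "out-of-scope"              # neither endpoint is an IoT device

def audit(flows):
    """Return (src, dst, label) for every flow that breaks the hub model."""
    findings = []
    for src, dst in flows:
        label = classify(src, dst)
        if label not in ("allowed", "out-of-scope"):
            findings.append((src, dst, label))
    return findings

# Constructed sample flow records (source, destination).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.50.0.1"),        # sensor -> hub
    ("10.50.0.21", "10.50.0.22"),       # sensor -> sensor
    ("192.168.10.5", "192.168.10.40"),  # hub -> enterprise IoT platform
    ("10.50.0.23", "192.168.10.40"),    # camera -> enterprise server, no hub
    ("192.168.10.77", "10.50.0.22"),    # laptop -> sensor, no hub
    ("10.50.0.24", "203.0.113.9"),      # device -> internet, no hub
    ("192.168.10.77", "192.168.10.40"), # ordinary enterprise traffic
]

if __name__ == "__main__":
    for src, dst, label in audit(SAMPLE_FLOWS):
        print(f"{label:22} {src} -> {dst}")
```

Any finding here means segmentation is not being enforced at the network layer, whatever the architecture diagram says.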
Security of the data transferred from the IoT devices to the IoT platform is governed by the well-advocated security principles of Confidentiality, Integrity and Availability. For now, adherence to the above principles ensures security of data in transit, wherein the data is transferred over secure transport layer (TLS) communication channels only. Security of data at rest is ensured by controlling the access privileges through enterprise-centric authorization and access control mechanisms.
While the centralized approach meets the data security requirements today, the scale and volume of data transactions are poised to increase exponentially in the coming years due to the wider adoption of IoT in enterprises. In my opinion, a centralized approach may not scale up to the challenges and alternate decentralized approaches have to be explored.
Decentralized Blockchain for IoT Security – A possible alternative
Blockchain has shown significant promise as a technology choice using distributed consensus for secure data transactions and ensuring authenticity, non-repudiation, and immutability of such transactions in a highly scalable decentralized manner with no central authority. Current blockchain implementations, however, have a potential drawback: they have high hardware and resource requirements, albeit in a distributed setup. The “proof-of-work” requirement of blockchain also increases the latency of transactions as the length of the chain increases, thereby impacting the overall throughput.
These constraints are being addressed today. As an example, a non-profit crowd-source funded company called the IOTA Foundation in Germany has recently started working on a blockchain alternative called Tangle that focuses on bringing the best aspects of blockchain to high transaction and intermittently connected systems such as enterprise IoT.
In conclusion, security of enterprise IoT is the need of the hour for wider adoption to get the best value of any IoT implementation. Newer technologies may need to be explored to address some of the shortcomings; however, that should not prevent IT teams from having an open mindset about IoT technologies. A cautious proactive approach, following some of the well-established best practices in security, will mitigate most of the risks in the near-term, while looking for better scalable solutions for the future.