Guest post by Rob MacDonald, Director, Solutions Marketing, Micro Focus
I can’t wait for the start of our Cybersecurity Summit September 25-27 in Washington, DC. We are less than a week away! Looking at the agenda, there are so many security topics, it’s hard to choose which to attend. I want to help you make that decision! I am presenting Wednesday afternoon: Improving the customer experience by understanding customer relationships. Joining me on stage will be Derek Gordon from PWC, and we are going to discuss how Identity among other technologies can improve the customer experience. IoT has a big part in that discussion both from a security and experience perspective.
Consider this about IoT:
From smart thermostats and HVAC systems to RFID tags, fleet maintenance sensors, security cameras, and employee smartwatches, the Internet of Things (IoT) is working its way into the enterprise. While it’s creating exciting new opportunities, it is also introducing a new set of security risks to be managed.
The IoT world is vast and varied. Though few people realize it, there have been more IoT devices than humans since 2008. By 2020, there will be 25 billion internet-connected things, creating $2 trillion of global economic benefits, according to Gartner.
We are just beginning to see the business benefits the IoT has to offer. Sensors that monitor energy usage are helping companies save money on utilities. Predictive maintenance for vehicles makes deliveries more reliable. Product tagging ensures that no inventory is lost. The IoT helps factories run more smoothly and hospitals keep better track of their patients. It will also have a profound effect on internal security practices within the organization as well
In a McKinsey survey, 98 percent of business leaders said that most companies in their industry have IoT initiatives on their strategic road maps. Some are creating new revenue streams with IoT devices, while others are using the technology to improve operations or gain insights into how customers use their products.
The possibilities seem infinite, but they come with a caveat. Anytime a thing connects to the internet, it introduces a new portal for hackers to exploit. From the Struxnet worm to the Mirai botnet, attacks on IoT devices are on the rise. If you believe these hacks are anomalies, think again. Nearly half of all U.S. companies using an IoT network have been hit by security breaches, a recent study shows.
To harness the power of IoT, businesses must learn how to manage it safely.
Managing Connected Things
If it’s used correctly, IoT can actually improve security. For example, hotel guests who use “digital keys” to enter their rooms via a smartphone app are less likely to lose their phones than they are a key in a wrapper with the room number written on it. And those devices have strong security protocols built in; long passwords and biometrics for example.
At the heart of all enterprise security is the concept of identity. Just like people, connected things need to be given an identity from day one. Connected things and the people who use them must follow rules that govern access to information.
That means asking questions whenever a device is introduced. What networks does it connect to? Who needs the information it collects? Do they need the information all the time, or can you arrange limited sessions? Does the device talk to other devices? Does it have any privileges? So, don’t forget to include IoT devices when you do periodic reviews of your network security policy.
Don’t Expect Built-In Security
Enterprise IoT devices today incorporate standard industry measures such as digital certificates, public key infrastructure, and digital boot to keep hackers out, but no device is ever fail-safe. Even encryption can fail if a hacker gains access to the decryption process.
Another problem is that chip makers aren’t always motivated to provide additional layers of security. In a McKinsey survey of semiconductor makers, 69 percent said their customers want products that greatly reduce or eliminate security risks, but 40 percent also said these customers were unwilling to pay the extra costs involved, putting manufacturers in a bind.
Set Your Own Controls
In any case, secure firmware isn’t enough. The information the devices carry or has access to needs to be managed.
“Smart” devices may know when to turn off the lights or order a new truck battery, but they don’t know how your organization is structured or how to contain the risks of information flows within it. To do that, you need a comprehensive identity and access management system that sets and enforces your security policy, no matter what a connected device says it allows you to do.
Granular access control not only does a better job of keeping hackers out, it keeps information safer within the organization by employing the principle of least privilege. That means users receive only as much information as they need, only during the times when they need it. Access control can also limit what users can do with the information.
For example, in a hospital, a connected device may send information about a patient’s insulin levels to doctors, nurses, respiratory therapists, and others. But that doesn’t mean they should all have equal ability to act on the information. With a good identity and access management system, you can provide read-only access to orderlies and nurses’ aides and more options for other users. Using a thumbprint or a badge, a respiratory therapist may be allowed to unlock the device and increase the patient’s insulin dose, but only up to 20 percent based on the current glucose level readings, whereas a physician or a nurse might be given full control.
The controls you set in your policy override the connected device’s protocols, adding many layers of security in the places where you need them most.
Dealing with Rogue Devices
Like smartphones and collaboration apps, IoT technology first gained a foothold in the consumer market. Consumers are also employees, and today, some are connecting smartwatches and other wearables to company networks. These devices often lack enterprise security features and may not be set for automatic updates, creating cracks for hackers to exploit.
All companies should perform regular scans looking for new devices. Policies should require employees, vendors, and contractors to register their devices with IT. If you find an unlisted device, your identity and access management system gives you options. It’s possible to control what it can and can’t do without the user’s knowledge. In other cases—if the user has given himself root-level access, for example—you may need to shut off access to company networks completely.
IoT has arrived at the enterprise, and its use is expanding exponentially. Companies need to develop the infrastructure to manage it, or their information is likely to get compromised.
So I hope that gives you thought. I have two other topics I will be covering this year at the Cybersecurity Summit as well. Identity is a foundational element to any security best practice. We look forward to welcoming you to our event and speaking to you about what areas of focus you are currently undertaking. See you soon!
Oh, if you haven’t registered don’t worry, there is still time!
Follow Micro Focus Security on Twitter and use the hashtag #MicroFocusCyberSummit to stay up to date on the Cybersecurity Summit.