Follow these best practices to avoid security pitfalls with your Internet of Things deployment.
One of the top issues regarding the viability of the Internet of Things in the enterprise is how IoT data and devices will be secured. Indeed, IoT introduces several new architecture dynamics that traditional IT security administrators may not be accustomed to on such a large scale. And if security is not properly addressed in the early development stages of an IoT project, you run the risk of data loss and the possibility of introducing weak points on your network that can be used by hackers to infiltrate your entire infrastructure.
The good news is that there are some relatively simple steps for securing the Internet of Things that can greatly reduce the risk of data loss and data breaches in your organization. These best practices are easily forgotten or ignored. Physical security of IoT devices deployed in public areas, for example, may not seem like a big deal, but it can come back to haunt you later if overlooked.
Following the steps described in this slideshow can help you avoid problems due to the lack of inherent security of IoT devices. Studies have shown that IoT device vendors are not taking security all that seriously. For example, a 2014 HP study found that 70% of IoT devices deployed are vulnerable to some type of attack. Our best practice measures will help you better protect and isolate IoT devices and reduce your attack surface in the event that your IoT deployment becomes compromised.
Enterprise organizations should in no way curb their IoT aspirations out of fear that it will become a headache in terms of device and data security. In reality, all it takes is some common sense security practices that can be easily implemented on day one, and maintained with little effort throughout the lifecycle of the system.
Protecting an IoT architecture must start with physical security. Make sure that end devices cannot be tampered with or stolen by either securing them so they cannot be accessed, or at least making them more difficult to reach. End devices are likely to be the weak spot for any IoT deployment, so it’s critical to keep them safe.
Even the simplest IoT embedded devices possess firmware of some sort. Once devices are rolled out, be sure to deploy firmware updates that contain any security patches that might help protect the devices from unauthorized access. The ideal method would be to automate embedded device updates instead of manually updating each individual unit. Be sure to have an update plan in place before you start your deployment.
Another weakness of some IoT devices is that they can be easily accessed using default usernames and passwords that aren't changed before deployment. It is vital to the security of your IoT project that you understand all the ways that IoT devices can be accessed, and then properly secure that access, either by setting complex, random passwords or by disabling that access altogether if it's not needed.
Isolate IoT devices
Another best practice to keep your IoT architecture safe is to isolate it from a network perspective. There are multiple ways of achieving this, depending on your architecture. Some methods include separating your IoT devices using VLANs or routing, or creating a completely separate network from a logical perspective using techniques like virtual routing and forwarding (VRF).
Limiting who can access the IoT network and IoT devices is yet another layer of IT security that can be added. Access lists or firewalls can be used to permit access only from certain segments of a network, such as a centralized, out-of-band management network that is only accessible by IT administrators.
It’s difficult to secure any IoT device when you don’t know its current status. Network monitoring and alerting tools built on ICMP, SNMP and syslog should be used to monitor the health of IoT infrastructure and to confirm that a device has not been stolen or tampered with.
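The syslog side of this monitoring, as an added example that is not part of the original article: it flags inventoried devices that have gone silent, never reported, or logged a link-down or error-severity event, and reports senders that are not in the inventory. The device names, log lines, tamper keywords and 10-minute silence threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP PROCID MSGID SD MSG
LINE = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) \S+ \S+ \S+ (?:-|\[.*?\]) (.*)")
# Assumed keywords; real devices word these events differently.
TAMPER = re.compile(r"link down|enclosure open|unexpected reboot", re.I)

# Constructed sample data for this example (not from the article).
SAMPLE = [
    "<134>1 2024-03-03T10:00:05Z sensor-01 agent - - - heartbeat ok",
    "<134>1 2024-03-03T10:09:40Z sensor-01 agent - - - heartbeat ok",
    "<134>1 2024-03-03T09:41:00Z sensor-02 agent - - - heartbeat ok",
    "<131>1 2024-03-03T10:05:12Z camera-07 kernel - - - eth0 link down",
    "<134>1 2024-03-03T10:05:50Z camera-07 agent - - - heartbeat ok",
    "<134>1 2024-03-03T10:06:00Z unknown-9f agent - - - heartbeat ok",
]
INVENTORY = {"sensor-01", "sensor-02", "sensor-03", "camera-07"}
NOW = datetime(2024, 3, 3, 10, 10, tzinfo=timezone.utc)

def audit(inventory, lines, now, max_silence=timedelta(minutes=10)):
    """Return {device: [findings]} for devices that need attention."""
    last_seen, findings = {}, {d: [] for d in inventory}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not RFC 5424
        pri, ts, host, msg = m.groups()
        if host not in inventory:
            findings.setdefault(host, ["unknown device on IoT segment"])
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        last_seen[host] = max(when, last_seen.get(host, when))
        severity = int(pri) % 8  # low 3 bits of PRI; 0-3 means error or worse
        if TAMPER.search(msg) or severity <= 3:
            findings[host].append(f"{ts} sev={severity} {msg}")
    for dev in inventory:
        seen = last_seen.get(dev)
        if seen is None:
            findings[dev].append("never reported")
        elif now - seen > max_silence:
            findings[dev].append(f"silent since {seen.isoformat()}")
    return {d: f for d, f in findings.items() if f}

if __name__ == "__main__":
    for dev, notes in sorted(audit(INVENTORY, SAMPLE, NOW).items()):
        print(dev, notes)
```

A device that stops logging is only a candidate for theft or tampering; pair this with ICMP reachability and SNMP polling before raising an alert.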
IoT is all about data collection and data analysis. The collection of data is likely to be in the form of a distributed architecture with a centralized repository. Data is collected by one or more IoT devices and then sent across a network of some type to be stored in a data center or within a cloud provider’s network. End-to-end encryption must be deployed to protect data not only as it crosses the network, but also while it’s stored on a back-end server. If the embedded IoT devices cannot perform encryption natively, you should leverage infrastructure techniques such as encrypted tunnels to properly secure data.
IoT security breach plan
One final step -- one that’s likely to be ignored by many -- is to have a plan in place as to what processes need to be performed in the event that an IoT security breach occurs. Make sure you know exactly what data you are collecting and how to mitigate any problems if that data is stolen or leaked to the public.