Locking down the IoT

Merritt Maxim/Forrester

Security and risk (S&R) professionals are under increasing pressure to secure IoT deployments to minimize the risk of data breaches, disruptive cyberattacks, and even physical attacks. They anxiously seek IoT security solutions that can protect IoT devices and data in a cost-effective manner which does not hurt customer experience or digital business operations.

IoT device security is just one layer in an overall IoT security architecture. Successful IoT security requires a multilayered approach, which means S&R pros must combine several security technologies, often from different vendors, to protect their IoT deployments.

Today’s digital businesses must balance the business benefits that IoT-connected products deliver with the reality that the IoT is an increasingly attractive attack surface for cybercriminals seeking to cause disruption and exfiltrate sensitive data.


S&R pros and business executives must ensure that sufficient security controls are in place to maintain the integrity of existing IoT deployments. IoT security solutions help S&R pros provide encryption and device analytics they can use to protect IoT devices and data in a risk-appropriate manner.

IoT security: top priority

There’s growing awareness of IoT security threats, but many organizations still don’t prioritize security. Too often, customer experience or time-to-market requirements take precedence over security requirements, and security functionality is left out of final production deployments.

Forrester’s interactions with end-user clients over the past two years show four reasons that security pros struggle to deal with IoT security:

  • Many IoT devices lack basic security requirements: some ship with a default password that cannot be easily changed. Many devices don’t support firmware updates at all, and where updates are supported they often travel over an unencrypted channel, increasing the risk of device compromise.
  • Existing security approaches don’t always translate well to IoT devices. Security architectures such as PKI were designed for machines running Windows, where tasks like key generation can be managed on the endpoint with minimal impact on device performance. IoT devices often have far more constrained hardware, with power/battery and storage limitations, which makes it challenging to carry out cryptographic functions effectively without compromising device or user performance.
  • Competing IoT standards and protocols create security blind spots. The current IoT ecosystem uses a wide range of communications protocols that enable edge devices to connect with gateways or cloud services, as well as different data formats and software interfaces/APIs. This creates interoperability challenges when integrating multiple IoT-enabled devices into an existing enterprise architecture, making it almost impossible to apply a consistent security policy across all devices and protocols.
  • The scale and scope of IoT deployments hinder visibility into security incidents. An IoT deployment might have millions of active devices generating data. The organization will use that data to improve business outcomes, but the same data stream can also carry attempts to compromise devices or exfiltrate data. The sheer volume of IoT-related data can make security detection extremely challenging. This drives demand for IoT analytics solutions that can process a high volume of data and use machine learning to identify IoT security threats in real time.


Managing the identity policies of IoT devices (how and when they can connect to which network, and which users are allowed access) is critical to IoT security. But whose responsibility is it to manage these policies? BYOD scenarios present unclear security responsibilities, so developers of mobile-connected devices must design appropriate privacy policies and data handling into the device, with explicit instructions on how users can opt out of data sharing as well as clear descriptions of data usage, storage, and sharing.

S&R pros must also deal with a plethora of sensitive data regulations that vary from country to country, forcing them to develop a multifaceted approach to managing IoT data privacy that requires close collaboration with legal and business counterparts.

Merritt Maxim is a senior analyst with Forrester Research. This report was written with Stephanie Balaouras, Salvatore Schiano, and Peggy Dostie.

This article first appeared in Telecom Asia 5G Security Insights July/August 2017 Edition
