The typical trajectory for new technologies goes something like this:
1. Initial developers make it just accessible enough for other techies to play with it.
2. Development proceeds to a point where it can be marketed to businesses and consumers.
3. Hackers figure out how to exploit the technology’s vulnerabilities to steal data or cause other mayhem.
4. Manufacturers retrofit security measures onto the technology.
5. Repeat steps 3 and 4.
Few new technologies are designed with security in mind from the ground up. The Internet of Things (IoT) is no exception: In their rush to get cool new devices out the door, manufacturers have cut corners on security, or failed to even consider it. As more IoT devices and applications make their way into the enterprise, this state of affairs will represent a major security risk—and a big headache for IT.
Security and Your IoT Projects
If you are involved in evaluating (or actively executing) a project involving IoT devices, here are some security-related aspects you should consider:
- Communication protocols: IoT devices are not limited to standard Web protocols (HTTP or HTTPS); IoT devices on the market use myriad communication protocols. The more protocols involved in your system design, the more complex and difficult it will be to secure.
- Device constraints: IoT devices typically feature low power consumption, with limited processing power and data storage. This limits the sophistication of the security measures that can be implemented on the devices.
- Data capture: An effective security framework will have a way to capture data traffic information—what device communicated at a given time, what communication protocol was used, which entity initiated the communication, and so on. Without this data, and a solid, intuitive reporting tool, it’s extremely difficult to diagnose and fix security issues.
- Patching: Like traditional servers and workstations, IoT devices will need to be patched and updated from time to time. Many devices will need periodic firmware updates as well. How easily this can be accomplished for a given device should be an important factor in the buying decision.
- Environment: Don’t forget the other parts of the infrastructure—the servers, operating systems, network, and data storage—that make up an IoT deployment.
IoT devices and applications are expected to proliferate over the next few years, and some of them will come with compelling stories about increased business productivity, reduced costs, and enhanced process monitoring and control. It will be your job as an IT professional to make sure the benefits are not outweighed by the risks.
It’s only a matter of time before your business starts making noises about implementing an IoT solution of some kind. Here are some things you can do now to get ahead of the curve:
- Establish standards and processes: Don’t wait until a pallet of IoT devices arrives on your loading dock to figure out how to manage them. Use the considerations described above, and others specific to your IT environment, to set up policies, standards, evaluation procedures, and configuration guidelines ahead of time.
- Guide the business in the right direction: Remind them that total cost of ownership and ROI are not the only metrics for evaluating a solution, especially one based on still-evolving technology such as IoT. Security, scalability, and ease of maintenance are just as important.
Whether you have the resources and skills in-house to manage these systems yourself, or decide to engage a managed security services team to help, being proactive will set you and your business on the path to IoT success.