YOU ARE AT:Internet of Things (IoT)Enterprise IoT security considerations

Enterprise IoT security considerations

Security concerns are regularly cited as the number one IoT deployment concern or barrier to adoption. “Security” covers a wide swath of considerations, both in terms of prevention and reaction. One of the first things that every expert acknowledges is that vulnerabilities and penetration will inevitably happen. So recognizing that IoT is a risk management exercise and putting the time and effort into thinking about how to respond to security issues is important.

James Kirkland, chief architect for IoT at Red Hat, said that security concerns are the number one reason that Red Hat has seen for why companies explore IoT but do not deploy it.

“I think that’s something you’ve got to design in from the start. If you design and then retrofit it doesn’t work well,” Kirkland said – and noted that design goes beyond the device itself, so how the application software is designed, the design of the API, and how everything interfaces.

“One of the things that we advise companies to really do is, if they’re not manufacturing their own devices, they need to talk to the device manufacturer themselves and make sure that they are putting in embedded security that would prevent tampering of the device itself,” said Teresa Bui, who heads up IoT product marketing, strategy and go-to-market at Cisco. “The applications developer who is building the app that sits on it, you would ask them a whole other set of questions around the application. Ask the network provider, whoever that is.” Carry those questions to cloud service providers and the companies that store enterprise data, she added – and a business also needs to check that its own IT department has adjusted its perimeter according if the devices are on the corporate network.

At a network level, Jonathan Nguyen-Duy, security company Fortinet’s VP of strategic programs, describes three basic steps for IoT security:

-Learn the identify of the devices within your system, the system itself, and the users. Know what is actually deployed in your system’s current state and whether they are up-to-date, configured properly. Understand who and what is on your network and who is actually accessing the devices.

-Once you understand the system and the users and the interactions between them, decide 1) what devices you will allow, 2) what devices you’ll tolerate and 3) what devices you will not allow to connect to the network. Businesses can segment their networks so that critical IoT devices are only accessed by users who are properly authenticated.

-The third step, Nguyen-Duy said, is then applying protections that support those parameters and allow visibility to enforce them. Those steps, he said, are “the same as in Internet 1.0, but now you have to do it on a much, much larger scale” and the ability to automate becomes important.

“What we find is that it is a very similar exercise to what we’ve already been trying to do [as an industry],” Nguyen-Duy said. “The irony of that is that up to this point, we haven’t successfully managed cybersecurity risks.

 

Looking for more information on enterprise IoT security, testing and design? Check out RCR Wireless News’ recent editorial special report and webinar.

Image copyright: bluebay / 123RF Stock Photo

ABOUT AUTHOR

Kelly Hill
Kelly Hill
Kelly reports on network test and measurement, as well as the use of big data and analytics. She first covered the wireless industry for RCR Wireless News in 2005, focusing on carriers and mobile virtual network operators, then took a few years’ hiatus and returned to RCR Wireless News to write about heterogeneous networks and network infrastructure. Kelly is an Ohio native with a masters degree in journalism from the University of California, Berkeley, where she focused on science writing and multimedia. She has written for the San Francisco Chronicle, The Oregonian and The Canton Repository. Follow her on Twitter: @khillrcr