IoT – The new security headache for the enterprise IT department?

2015 could prove to be the year that enterprise adoption of BYOD takes a step further, and evolves into BYOIoT. Several reports ⁽ⁱ⁾ have already predicted the rise, spurred on by the popularity and proliferation of wearable devices in the workplace. What’s essential is that IT departments are aware of how to manage the resulting security and ecosystem challenges this will bring.

The great benefit of IoT is that connected devices are able to interpret and interact seamlessly with the networked environment around them – proving seamless usability and convenience for the end user. The issue for the IT department is that any connected device can theoretically collect and access sensitive information purely because they’re located on the company’s premises. Similarly, since they are usually connected to the corporate network, they can not only exchange data with internal systems but also with external servers.
In many cases internal data must be protected, and IT departments will want to control what sensitive information is accessed beyond its network. There is no doubt that connected devices allow employees to be more efficient in their daily operations but are companies fully aware about the security risks that their use also involves?

The potential for security breaches increases with the uptake of IoT polices in the workplace. What is disconcerting is that IT departments often have little or no control over new devices connecting to the network. This has been backed up by a recent study ⁽ⁱⁱ⁾ published by OpenDNS which found that IT professionals are often completely unaware of the presence and prevalence of IoT devices on their corporate networks.

This apparent lack of control contrasts with a 2013 Forrester ⁽ⁱⁱⁱ⁾ study which stated that security concerns are the main reason businesses are slowing down the incorporation of workplace IoT technologies. This surely begs the question, if security is considered such an important element, why aren’t special measures being put into place? Perhaps the answer lies in the ambiguity in defining what an IoT device is.

To get a hand on the solution IT departments must first identify the risks, which are as follows:

• IoT devices are a new remote attack vector for security exploits. Devices are not designed in line with individual business security requirements and cannot be updated easily to conform with corporate network policies.
• They often use external clouds beyond the control of IT departments. Without the implementation of traffic control measures, internal data risks being compromised.
• Users tend to consider these devices as toys and are not aware of the security implications that their use has on a corporate network.

The solution for IT departments can be neatly surmised in one word… visibility.

The infiltration of IoT devices in the enterprise is clearly underway, as such companies should review their current policies to mitigate potential risks, and once identified put new policies into action where necessary. Most security experts surveyed in the OpenDNS report rely on measures relating to network design and deployment to contain threats, but is it enough? In our point of view, these measures are simply necessary but not wholly sufficient.

We propose two approaches.

Firstly, we consider focusing on the terminal absolutely necessary. This approach not only identifies all the devices that are within the company premise, but also catalogues and monitors them in order to meet corporate security guidelines. It’s a similar approach to that already undertaken in Mobile Device Management solutions and BYOD policies.

It is no coincidence that MDM vendors consider IoT as the next big challenge for their organisations ^(iv). MDM platforms have grown from a core set of rules associated to the use of smart phones at work to the complete management of any device, including tablets, laptops and even electronic ink readers. With the introduction of IoT and wearable devices, the next logical step is to implement new functionalities to manage all these devices remotely. There is no doubt that a promotion of industry standards will make the collaboration among different device providers easier to manage. In addition, it is important that these assets are included within the scope of security audits performed internally by company’s IT department.

Secondly, the approach from the network side should relate to traffic behavior and subsequent analysis. Think of like this, when facing an unknown illness, the best way for a doctor to work out a medication is to identify the symptoms. Everything that is outside normal patterns is likely to be harmful and should be investigated. By examining network traffic using big data matching tools it becomes possible for the IT department to construct behavior models capable of discerning anomalous situations. In this way they can identify new devices, connections to unknown IP addresses, suspicious traffic or strange commands.

IoT is already within the enterprise environment, and the only option for companies is to evolve and adapt their security practices accordingly. Ignoring the threat will not make it go away, and IT departments need to be on the front foot when it comes to identifying and mitigating against risk. After all, what is not known cannot be secured.

ⁱ ‘Bring Your Own Internet of Things’ coming to businesses in 2015
ⁱⁱ The 2015 Internet of Things in the Enterprise Report
ⁱⁱⁱ ‘Mapping The Connected World’ by Christopher Mines
^iv IoT in the E: How the Internet of Things Will Transform the Enterprise

^v Also it can interest you:
BANDS: Detección proactiva de amenazas en infraestructuras críticas
Qué hemos presentado en el Security Day 2015 (III): un combinado de Tacyt y Sinfonier