Enterprise IoT adoption is trending up globally. In February 2017, Aruba published IoT adoption stats surveying 3,100 enterprise decision-makers from 20 different countries across industrial, government, retail, healthcare, education, construction, finance, and IT/technology/telecommunications sectors.
Fifty-six percent of participants said they have already adopted IoT, and another 32% plan to deploy it by 2019. This is huge and reminds me of how fast enterprise mobility and BYOD penetrated organizations not too long ago.
Connecting enterprise mobility and IoT
While IoT is way more pervasive than mobile, can we make IoT adoption smoother based on lessons learned from enterprise mobility?
What’s pricking enterprises as they embrace IoT solutions (and their associated business benefits) is increased exposure to cyberthreats, along with the inability to adequately counter this “insecurity.”
Again referring to Aruba’s study, 84% of enterprises that already adopted IoT had faced security breaches. Forty-nine percent dealt with malware, 38% had been the target of spyware, 30% experienced phishing and 26% suffered from a DDoS attack.
As is the case with any emerging tech, security parameters and security education are lagging in enterprise IoT’s initial adoption curve. But if we consider how enterprise mobility management (EMM) helped organizations overcome data privacy hurdles, it may not hurt to ask how much of that approach can benefit enterprise IoT adopters.
Mobile technology, be it wireless connectivity, devices (smartphones, tablets) or apps, is already at the center stage of IoT deployments. But that’s not the only reason to consider EMM. The complexity and threat vectors of mobile deployments, and the way they expose internal resources and critical assets, are all relevant to IoT as well, only to a greater degree.
Now the question is: can EMM suites be extended to secure enterprise IoT? Alternatively, would it help for IoT security solutions to learn or take a similar approach as EMM?
One may argue that unlike mobility, enterprise IoT pushes the envelope from just IT resources to operational assets and critical infrastructure, especially in industrial deployments. After all, IoT is about monitoring and predicting asset health, temperature, pressure, etc.
That’s why in IT security, confidentiality, integrity and availability are prioritized in that order (CIA). But in the case of OT security, control and availability are most important; then come integrity and confidentiality (CAIC).
IoT also introduces new organizational roles such as the chief digital transformation officer.
These are all valid facts. Yet in reality, much of the onus of securing IoT deployments continues to rest on CIOs, CISOs and IT security managers.
So let’s explore a few ways CIOs can utilize EMM principles to centrally manage enterprise IoT security.
Identifying key components and assets to protect
EMM technologies most commonly support management of mobile devices (MDM), applications (MAM), identity (MI), content (MCM) and containment. However, a recent survey by U.S.-based research firm J. Gold Associates found large enterprises deploy only a subset of these EMM functions.
EMM functions which directly affect day-to-day mobility operations and user experience — such as managing and securing mobile assets, emails, file/data sharing, secured browsing, etc. — are most commonly deployed and used by enterprise IT departments, while other nice-to-have functions like geofencing, private app stores, etc., are scarcely implemented.
This gives an idea of which capabilities should be prioritized when designing IoT security management solutions, so that resources can be channeled accordingly.
Restrictions in architecture, software and supply chain
Cloud infrastructure, whether private, public or hybrid, is integral to an enterprise IoT architecture.
In AlienVault’s February 2017 survey of 1,000 RSA attendees, 62% said they expected cloud security to worsen as more IoT devices and services get added to enterprise clouds.
EMM’s MAM capability to whitelist or blacklist applications, or to mark them as mandatory, can help secure cloud-based deployments. Similar to EMM’s MDM capabilities, IoT device management can also publish policies and trust that users can follow, in addition to password and on-device encryption policies.
Secure containers or “sandboxes” can provide isolation and encryption of enterprise IoT data, and securely run authorized applications on the devices.
Best practices in enterprise mobile app development are equally applicable to IoT apps. For mobile apps serving industrial IoT markets, it is critical to follow newer app restrictions as well.
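The whitelist, blacklist and mandatory app lists, together with the password and on-device encryption rules described above, can be expressed as one compliance check over a device inventory. The following is an added example, not code from this article or from any EMM product; the policy fields, app names and device records are hypothetical and constructed for illustration.

```python
# Added illustration: checks constructed IoT device records against an
# EMM-style policy. Every name and value here is hypothetical.
from dataclasses import dataclass


@dataclass
class Policy:
    allowed_apps: set      # MAM-style whitelist
    blocked_apps: set      # MAM-style blacklist
    mandatory_apps: set    # apps every managed device must run
    min_password_len: int = 12
    require_encryption: bool = True


@dataclass
class Device:
    device_id: str
    apps: set
    password_len: int
    encrypted: bool


def evaluate(device, policy):
    """Return a sorted list of policy violations for one device."""
    findings = [f"blocked app installed: {a}"
                for a in device.apps & policy.blocked_apps]
    # Anything neither whitelisted nor explicitly blocked is unapproved.
    findings += [f"app not on allowlist: {a}"
                 for a in device.apps - policy.allowed_apps - policy.blocked_apps]
    findings += [f"mandatory app missing: {a}"
                 for a in policy.mandatory_apps - device.apps]
    if device.password_len < policy.min_password_len:
        findings.append("password shorter than policy minimum")
    if policy.require_encryption and not device.encrypted:
        findings.append("on-device encryption disabled")
    return sorted(findings)


POLICY = Policy(
    allowed_apps={"telemetry-agent", "update-client", "sensor-ui"},
    blocked_apps={"telnetd"},
    mandatory_apps={"telemetry-agent", "update-client"},
)

# Constructed sample inventory: one compliant camera, one non-compliant DVR.
FLEET = [
    Device("cam-01", {"telemetry-agent", "update-client"}, 16, True),
    Device("dvr-07", {"telemetry-agent", "telnetd", "media-share"}, 8, False),
]


def fleet_report(fleet=FLEET, policy=POLICY):
    """Map each device id to its list of violations (empty means compliant)."""
    return {d.device_id: evaluate(d, policy) for d in fleet}
```

An empty list means the device meets the policy; a management console would typically quarantine or flag any device whose list is non-empty.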
Malware and DDoS attacks are the latest tactics targeting enterprises. These attacks exploit IoT devices (like smart cameras, DVRs, etc., available in retail with very little security built in) to form botnets and bombard cloud servers with terabytes of traffic.
Supply chain restrictions requiring security compliance from these retail IoT device vendors seem to be the only viable option to manage such threats.
Open guidelines and certifications
In 2013, NIST published EMM guidelines for managing the security of mobile devices in the enterprise. Targeted towards CIO, CISO and IT management teams, these guidelines laid a framework to “help organizations centrally manage and secure mobile devices.”
Addressing the four main pillars of EMM to securely manage mobile assets (devices), applications, identity and content, NIST laid out standards and recommended practices for organizations involving deployment architecture, user and device authentication, cryptography, configuration, device provisioning, data communication and storage.
NIST’s guidelines recommend organizations have a documented security policy and develop system threat models for mobile devices and the resources that are accessed through the mobile devices.
In principle, the same EMM standards approach can be adapted in an enterprise IoT framework as well.
Would open guidelines from central authorities like NIST help enterprises to better manage IoT security? Share your thoughts.