The internet of shadowy things sounds like a shady place to be, and it is.
In the past, shadow IT was a nightmare for most enterprises: it sat outside of IT’s control and came with a plethora of security issues. However, with the influx of mobile within the enterprise, this mindset has shifted. Now, shadow IT is seen as an indicator of how to help with productivity; in other words, it’s all about tapping into innovation, securely.
It’s still tempting to go back to the traditional IT playbook, fear the technology entirely and “just say no.” This happened with Wi-Fi in the late ’90s and with iPhones in the late ’00s. But new IoT devices could be the source of real business value. Connected refrigerators seem silly until they potentially help drive both revenue and productivity in a market like pharmaceuticals. IP cameras can help coordinate first responders in case of emergencies by providing real-time video to coordinators that improves situational awareness. Digital media players can provide immersive experiences for consumers in retail by ensuring that relevant content is displayed to them in any store, anywhere in the world. These are just a few real-world IoT examples that are in use today.
A recent report shared, “Our IoT world is growing at a breathtaking pace, from 2 billion objects in 2006 to a projected 200 billion by 2020 — that will be around 26 smart objects for every human being on Earth.” There is no doubt that IT organizations will be quickly overwhelmed.
The answer here is to develop the building blocks that let organizations say “yes” to the internet of shadowy things.
There are five tips for tackling the internet of shadowy things:
- Segment the network: Users will bring new devices onto the network that organizations likely don’t want to connect to critical infrastructure. It’s time to add a couple of new SSIDs and VLANs to the network. Some might already have a guest network in place that provides internet connectivity while blocking access to enterprise resources and that’s a start, but IoT devices may need access to some enterprise resources whereas guests need none. IT can decide over time what resources are accessible on the IoT network. Ultimately, an IoT network fits somewhere between the outright-trusted enterprise network and what organizations use for guests.
- Think seriously about PKI and NAC: Organizations don’t want users taking their credentials and putting them into the refrigerator to get it online because, if it is compromised, the refrigerator is acting on the network as an employee. Public key infrastructure (PKI) can help by ensuring only authorized endpoints enrolled by the user and trusted by IT can connect. Layering in network access control (NAC) ensures that devices are actually trusted and meet minimum security criteria. Less trusted IoT devices are kept segmented to the correct network.
- Block Telnet: If it’s feasible, block Telnet connections from networks entirely. At a minimum, block connections made over Telnet from the outside world. Unsecured connections like Telnet, combined with devices with default passwords, allow worms to spread.
- Think about traffic shaping: Traffic shaping, particularly around suspicious traffic flows, can help mitigate the effect of attacks launched from the network and provide improved connectivity for mission-critical services.
- Manage what’s possible: Employees can bring some connected devices under enterprise mobility management and other security frameworks. If an organization is prototyping the development of its own IoT devices, look to platforms like Windows 10 and Android because their security toolsets are more mature than consumer development platforms. If devices can’t be configured through a central platform, work with employees to set them up in order to disable the types of default configurations that have led to exploitations.
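The segmentation and Telnet tips above can be verified against flow records once the zones exist. The following is an added example, not code from the original article; the subnets, the allowlist entry and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption, not from the article): one subnet per zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("10.30.0.0/16"),
}
# Hypothetical enterprise resources IT has opened to the IoT network.
IOT_ALLOWED = {("10.10.5.20", 8883)}
TELNET_PORT = 23

def zone_of(addr):
    """Map an address to its zone; anything unlisted is the outside world."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"

def check_flow(src, dst, dport):
    """Return policy findings for one flow; an empty list means compliant.
    Telnet from outside breaks the minimum bar, any other Telnet the stricter one."""
    s, d = zone_of(src), zone_of(dst)
    findings = []
    if dport == TELNET_PORT and d != "outside":
        findings.append("telnet-from-outside" if s == "outside" else "telnet-internal")
    if d == "enterprise":
        if s == "guest":  # guests need no enterprise resources
            findings.append("guest-to-enterprise")
        elif s == "iot" and (dst, dport) not in IOT_ALLOWED:
            findings.append("iot-to-enterprise-unlisted")
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.10.5.20", 8883),  # IoT device to an allowed resource
    ("10.20.1.15", "10.10.9.9", 445),    # IoT device to an unlisted server
    ("10.30.2.8", "10.10.5.20", 8883),   # guest reaching into the enterprise
    ("203.0.113.7", "10.20.1.15", 23),   # Telnet from outside to an IoT device
    ("10.20.1.15", "10.20.1.16", 23),    # Telnet between IoT devices
    ("10.30.2.8", "198.51.100.4", 443),  # guest to the internet
]

def audit(flows):
    """Return {flow: findings} for every flow that violates the policy."""
    return {f: r for f in flows if (r := check_flow(*f))}

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, findings)
```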
These security best practices are needed for an enterprise IoT foundation. By applying these recommendations, enterprises can lay the security groundwork for future connected devices and make their organizations more secure today.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.