The recent cyberattacks targeting enterprise-owned connected devices have cast a spotlight on the inherent security risks the internet of things can bring to an organization. While there have been a number of IoT exploits in recent years, such as hacking into a connected car and IoT-related security breaches, what’s alarming is that this might only be the beginning as enterprises look to deploy thousands of IoT sensors and devices across their networks. According to Gartner, more than half of major new business processes and systems will incorporate some element of the Internet of Things by 2020. While IoT can provide major benefits in optimizing processes and garnering valuable insights, these connected devices also present a number of security challenges as they create a deluge of data, and new entry points for attackers.
If the latest incidents have proven anything, it’s that security cannot be an afterthought when it comes to IoT. Companies that use connected devices must build security in from the onset, and it is no longer enough to simply secure the network or back-end servers. Organizations must take a holistic approach that protects the connected devices’ applications and data, as well as incorporates detection and response for quick risk mitigation.
Understanding the risks of IoT
Nearly a decade ago, bring your own device turned traditional network security on its head by dissolving the enterprise perimeter and expanding the traditional attack surface to uncharted mobile territory. Today, the influx of IoT devices in the enterprise is bringing similar disruption — but with significantly more risk — as employees connect almost everything to the internet, including office door locks, thermostats, trash cans, light bulbs and more. Protecting the sheer number of connected devices is a daunting task in itself, but the ever-increasing volume of data driven by IoT introduces an entirely new ball game.
As organizations figure out how to manage and protect all of this new data, a critical step will be to identify what devices are collecting data, the type of data they are collecting, how they are consolidating that data and whether the data might be valuable to attackers. It’s important to note that not all data is meaningful to attackers on its own, but when combined with other information can become highly sensitive. This is where companies often fail to deliver adequate data protection.
Take healthcare data, for example. A connected blood pressure monitor’s readings alone have no value to an attacker, but when paired with a patient’s name, it becomes personally identifiable information (PII) that is extremely sensitive. A potential breach of both the patient’s name and healthcare records could lead to identity theft, in addition to being in violation of HIPAA regulations. To secure this information, companies should encrypt sensitive data as close to where it’s generated as possible, rendering it useless to attackers in the event of a breach. Furthermore, the blood pressure monitor itself needs to be protected to prevent attackers from tampering with it and subsequently impacting clinical care, which could potentially harm patients.
Data protection: Sharing on a need-to-know basis
Another pitfall that companies stumble upon is allowing excessive access to sensitive data. This will likely become an even bigger issue with IoT as organizations manage and analyze volumes of new data that will often exchange hands multiple times. For instance, in the blood pressure monitor example, the machine does not need to know the patient information, it simply needs to collect and transmit the data securely to the doctor so that she can make a diagnosis and communicate to the patient. Format-preserving encryption (FPE) will play an important role in securing this information because it enables organizations to derive value from the data while protecting it as it moves across the organization instead of requiring the information to be decrypted at every point in the process.
FPE is a form of advanced encryption standard (AES), which has been in use for some time, mainly to encrypt disc drives and communications between end points such as SSL/TLS and VPNs. However, unlike AES, which encrypts data into a large block of random numbers and letters, FPE encrypts the data into something that looks exactly like the original format. For example, a credit card number still appears in the traditional format of a 16-digit credit card number, versus a long string of characters or numbers. Preserving the data format during the encryption process allows organizations to securely perform analytics and process the data, without needing to make major changes to their applications or back-end infrastructure.
Applying end-to-end encryption is essential in ensuring that sensitive information captured by IoT devices is protected throughout its lifecycle, while still allowing companies to leverage that data for business purposes.
Securely adopting IoT
IoT has the potential to optimize efficiencies, create new revenue streams and enable organizations to leverage big data for smarter business decisions. However, as enterprises embrace IoT, security must be a top priority to ensure the sensitive information captured by these connected devices does not fall into the wrong hands. While IoT security will require a multipronged approach and collaboration between device manufacturers, enterprises and end-users, enterprises that implement data protection and security solutions, such as FPE, will be able to secure their high value, sensitive data assets end-to-end — whether it’s corporate intellectual property, customer PII, payment card information or sensitive employee information — making it useless for attackers.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.