IoT is one of the most pervasive changes in information technology to come along in decades, but the pace of deployments easily outstrips awareness of compliance issues. IT pros should expect to work hard to stay ahead of the curve, particularly if their organization's IoT plans are aggressive.
Security, compliance and governance requirements vary across industries, but every organization knows that at least some aspects of compliance apply to its operations. Introducing IoT into operations always adds a new dimension of complexity to existing compliance requirements, and it often adds regulations that IT pros have never even been aware of. It's no wonder that compliance tops user surveys of unresolved IoT issues.
Organizations must focus on three key aspects to maintain IoT compliance: device management, information management and regulatory compliance.
Accurate inventory is key to device management
device management in IoT compliance covers the physical, network and information security of IoT sensors, controllers, gateways and related devices. IoT device management compliance practices should be built on the concept of an accurate device inventory; a list of all IoT devices, their device type, serial number, hardware and software versions; location; and application and controller relationships.
Major cloud providers offer IoT device inventory packages -- products such as Zingbox IoT Guardian or Intrinsic ID's Broadkey and Spartan -- for cloud-connected IoT elements. Network scanning utilities catalog IoT devices on a local network, provided the devices are directly on the network and not connected through a controller. Organizations should pick a package that provides complete information about the device population and the status and setup of each device.
In IoT inventory analysis, administrators must know what's supposed to be there compared to what is actually found.
In IoT inventory analysis, administrators must know what's supposed to be there compared to what is actually found. An extra device could be a simple mistake in recording a device addition, or it could be something introduced to gain access to the IoT framework. A missing device might have failed, or it might have been taken over by another party. Many IoT devices have a local mechanism to put the device in setup mode to add it to a network. This can be used to create a breach in security.
In inventory analysis, ensure that all IoT devices have current versions of firmware and software and that any devices that have been recalled for security reasons are identified for replacement. Keep firmware and software up to date to close any identified security holes. Make sure to post notice of any firmware or software updates, and use the inventory to identify devices not yet updated.
Improper information management causes serious consequences
IoT information management is important in compliance reviews because IoT deployments may store information in a different location than usual -- such as in the cloud -- or may store information that has a special vulnerability. If an organization already deals with compliance reviews for cloud data storage, IoT compliance isn't likely to affect the information storage policies in place. If not, then it's almost certain the organization will establish cloud data compliance policies when launching IoT applications that run totally or partially in the cloud.
The issue of special vulnerability for IoT information arises because sensor information includes sensitive data, such as in the case of medical telemetry. Users often focus information security on applications, but it's the data that creates the risk. If sensors collect something, consider it to be available and at risk for misuse. When sensors are installed or derived sensor data is delivered from the cloud, take steps to secure the data according to the type of information involved.
The more insidious problem with information management is when sensors can be used to track movement of people and not just materials. This can arise when IoT sensors read employee or guest badges, or when sensors track packages that people are moving. Generally, employee and guest movement within a private facility can be tracked, but public IoT that can gather information from streets, sidewalks, parks and public facilities can generate a privacy problem if the data is not carefully managed.
For many current and prospective IoT users, the biggest compliance questions arise from the use of closed-loop or AI-based systems where sensor data is used to activate control functions without human intervention. IoT could expand the use of these systems, and even include autonomous vehicle control. This expansion creates both the risk of errors and the risk of hacking with serious consequences. The consequences include failure to detect intrusions, failure of fire and flood notifications and even risks to people's safety.
IT pros need new procedures for information management in IoT compliance because there are no tools and few practices related to governance on closed-loop automation of processes. The key is to start with controllers in the system and work backward, tracking the processes that generate controller commands and then the sensors that feed those processes. Assess all the steps that result in a controller command to ensure that nothing can happen that would risk life or property.
Stay up to date on shifting regulations
The final issue to consider in IoT compliance is the regulatory consequences of IoT. Generally, this affects public IoT most; IoT where sensors are placed in public areas rather than areas where facility access controls are in place. The broader the public IoT deployments -- in geographic and governmental terms -- the more regulatory risk IoT devices are exposed to. There are few reliable ways to obtain summary information on shifting IoT regulations, so assign someone or a team to monitor the regulatory jurisdictions and feed changes back to management.
