The big research firms, like Gartner, IDC, and others, are forecasting that within the next decade, there will be billions of Internet of Things (IoT) devices out there in the market.
As these devices are integrated into products across all industries, there is a growing concern about security, not only for IoT devices, but also IoT in the cloud. And rightly so.
For some industries, IoT security is more of an issue than for others. For instance, medical devices may access and highly confidential patient information where as an engine sensor in a car that captures emissions data is theoretically less of a concern. However, in either case, there are inherent risks that should not be taken lightly. The reality is, as the technology advances and the sophistication of attackers increases, the question isn’t necessarily going to be if an attack happens, but more of when.
With enterprise-wide applications, security is focused on the data center and the users of the applications that are on a network. If there is a potential vulnerability, there are sophisticated security tools in place that protects an organization from significant exposure and risk.
Now imagine the same potential security risk, but this time, there are also thousands or millions of IoT devices, none of which are secure within that organization’s network. They’re all over the place – perhaps in a customer’s network, in a home, or built into a tractor that’s out in a field. No matter where the devices are – whether on a factory floor or in a home heating solution – they can be compromised by malicious attackers.
Take that one step farther and think on IoT cloud security. There are a lot of everyday security concerns in an IT environment, as well as in the cloud – and when you add in the IoT perspective, these are all super-sized. So it’s best to take a few added measures to ensure the best control possible for devices that live outside your organization.
The most appropriate tactic is to combine the best of all security measures and ensure that you have all the bases covered. Here are some recommended best practices for organizations who are concerned about securing IoT in the cloud.
- Verify cloud provider processes. Just like any cloud deployment, with IoT in the cloud, it’s best to ensure that there are mature security practices and controls at the service provider. Just like with any cloud implementation, this will ensure that changes in someone else’s deployment won’t adversely affect yours downstream.
- Ensure 24/7 monitoring. As with any application, IoT solutions require the constant monitoring of activity by an experienced security operations team that has up-to-date tools. These experts can look out for potential intrusions or attacks on your cloud infrastructure. A good cloud provider will also have capabilities to limit any malicious activity at aggregation points, including those that involve IoT devices.
- Be prepared for the worst. If your provider is protecting thousands or hundreds of thousands of endpoints, it’s unrealistic to think you can secure every single one of your IoT devices, especially because they’re often in someone else’s environment. However, you can ensure that you and your cloud provider have a plan to contain any security incident that might occur. You want to move quickly to prevent bad things from happening so you can minimize any damage from an incident.
- Update devices – and all systems – regularly. When talking about security, updatability is extremely important, especially for IoT devices. Generally, there is a distribution solution for updating operating systems, firmware, and application software, whether on-premise or in the cloud. Likewise, it’s important to have a general purpose way to send updates all your IoT devices. Ideally this will be an automated process, because of course, there is no human on the other end of the devices. These updates must be planned well at appropriate times, however. For instance, if a machine is performing a critical task, such as monitoring a medical operation during surgery, it would not be a good time to perform a software update.
Good cloud security is always necessary but it is simply not sufficient on its own when IoT devices are involved. Enterprises must add in solutions into their existing security that are designed specifically to protect and manage those devices.
- Develop strong device policies and procedures. While your IoT devices may be out of your control for the most part, there are policies and procedures that will ensure a certain degree of security. For instance, it is key to consider what permissions there are associated with your devices. As an example, you can extend permission to service personnel to access to certain parts of a machine or device, but not to the proprietary parts of a customer’s network.
Image by Will Taylor on Flickr (CC by 2.0)