One of the themes I hear again and again from IoT practitioners is that their security story needs improvement in order to assure customers that their IoT solution can be used safely. There are a lot of people in the entertainment world and the popular press talking about killer pacemakers and spam-sending refrigerators. In reality, however, IoT security is not fundamentally different from network security, and there is a plethora of strong security practices that can be readily applied to the IoT.
Many who are deploying the IoT are frustrated by the resistance that some IT and security departments exert when an IoT solution can clearly help them solve business challenges for their deployed machines. Lack of connectivity is not the solution to a security problem, and that thinking should be turned on its head. If companies are concerned about security and compliance, here are the questions they should be asking. These questions are based on real-world experiences that our customers have reported, not on theoretical thinking:
- How can you be certain that machines are being used for their appropriate business purposes and not for gaming or other (worse) personal activities?
- How can you ensure that the appropriate policies have been applied to the machine? Are policies applied in a consistent manner or does it depend on the technician and date of machine provisioning/servicing?
- What is your update strategy if a software vulnerability is found on thousands of your machines? Does your plan involve running around with a USB stick to every machine?
- How do you connect to the machine for remote service support? Do you use web meeting tools? Does that mean that the remote user has an elevated level of access? Are the changes audited?
If your answers to the questions above are unfavorable, perhaps you should consider using an IoT platform to help you solve your security and compliance problems. Connectivity and diligent management are the key to successfully managing devices in your enterprise. PTC ThingWorx has helped many customers examine and address the challenges listed above. For instance, the ability to log every significant action at the device level can help organizations ensure compliance with regulations and protect against rogue employees using remote desktop applications to perform unauthorized activities on business-critical machines.
Once you have decided to pursue an IoT solution, there are a number of steps required to ensure that it is secure. The first and most important step is to get senior management buy-in. While this might not be the most obvious path for technically minded folks, it is the one that can help you solve a number of problems in the long term. Senior management needs to be sold on the business value of an IoT project. If there is sufficient business value, they can help you get the appropriate resources to address security and the other requirements that might be part of the project, and help remove obstacles that may stand in the way of a successful project.
Before getting the buy-in, however, management may ask for an assessment of a particular IoT solution. Since an IoT solution is composed of so many parts, we break it down into seven key segments to more easily perform analysis for security purposes:
- Inside the firewall software and communications
- Outside the firewall communications
- Cloud operations
- Cloud platform
- Cloud development
- Cloud applications
Over the next several blog posts we’ll dig into key security topics utilizing the above framework and provide you with an understanding of what you can and should expect from an IoT vendor, and which challenges are better addressed from within your own organization.