In recent years, as employees have increasingly brought smart phones and tablets and even their own laptops to work, hoping to connect them to their employers' networks, a raft of challenges have ensued. Chief among these have been the numerous security concerns raised by having to allow unverified devices to access the network, as well as the potential for sensitive business data to leave the network on those devices.
But as vexing as the BYOD phenomenon has been for IT leaders, it has been a mere appetizer to the main course: The widespread adoption of the Internet of Things.
In a recent report entitled "Beyond BYOD to IoT, Your Enterprise Network Access Policy Must Change," Gartner estimates that by 2020 there will be 21 billion IoT-connected devices trying to access corporate networks, a number that dwarfs the volume of BYOD devices by a large margin. And here's the real complication: The lion's share of these devices do not have any user associated with them. Providing secure access to a device associated with a user profile is hard enough; doing so for a device that has no access rights or policies to draw on is downright daunting.
In particular, IT departments are struggling with how to identify and apply network access policies to building automation and industrial IoT devices, which Gartner believes will make up 6 percent of those 21 billion devices.
IoT Device Security: Weak or Nonexistent
Add in the fact that most IoT devices have weak security, if they have any security built in at all, and the challenges mount. (Which is why a hacked IoT device recently caused a massive Web outage, and also why Tesla Motors had to address the recent revelation that white-hat hackers were able to access a Model S's breaking system from 12 miles away.)
Worse, many IoT devices are too simple to possess the capacity to add security capabilities, meaning that networks need to be tweaked to address this emerging reality.
Some companies attempt to address this by partitioning certain IoT devices, such as surveillance cameras, onto a separate network. It's a strategy that reflects widespread thinking, as more than 50 percent of respondents to a recent Gartner survey said they consider it important to separate IoT devices from applications.
While separation is wise, it can be better achieved by other means. Routing device traffic onto a separate network not only adds the cost of additional equipment and cabling, it also foists additional management, procurement and support responsibilities onto IT's already bursting workload. And what makes it even more short-sighted is the fact that there are current technologies and strategies that can enable IoT devices to share the same network infrastructure used by employees, guests and applications.
Five Steps to Ensuring a Secure IoT Foundation
That said, securing IoT traffic and devices is a challenge that can't be solved by any single piece of software or burst of creative thinking. It requires a strategic approach, and there are several steps an organization should take if it wants to meaningfully address the complexity and ensure that IoT traffic flows as needed without bringing any surprises along with it:
- Understand what devices are or will be connected by every part of the business. Facilities management will want control of LED lighting and HVAC sensors and controllers, manufacturing will want to monitor sensors and actuators, and security will want easy access to surveillance systems. Take stock of every way the IoT could possibly benefit the company.
- Establish profiles that group devices functionally, and create rules that define which applications those devices can access, and which users can then use those applications to control them. For example, LED lights, HVAC sensors and door locks could be grouped together, with access to only the application that controls them, and then facilities management staff should be the only people with access to that application.
- Make it easy for IoT devices to get on the network. That may sound obvious, but it can be the difference between IT being appreciated or cursed. Networks with well-designed automated device detection and profile association make things simple for users, and in turn IT is not seen as a road blocker.
- Create virtual segments or containers in the network where IoT devices and the applications that control them can be isolated from other devices and applications. Doing this with simple technologies like VLANs or more sophisticated ones like shortest path bridging bring distinct advantages, such as control of bandwidth, QoS, and prioritization; better enforcement of security policies; and the ability to limit damage in the event of a breach.
- Tighten security with fine-tuned policies that go beyond device authorization and authentication. A mechanism such as data packet inspection, for instance, can provide additional security by identifying suspicious traffic coming from an IoT device, and then triggering a policy that blocks and quarantines that traffic in a security container.
Taking steps such as these won't guarantee a 100-percent secure IoT environment, but then, nothing will. As with any technology asset, securing IoT traffic requires diligence and constant monitoring. Even if organizations aren't ready to implement IoT solutions, it is still critical to build the foundation required to securely support what's coming.
And make no mistake, regardless of what industry a company is in, the IoT is coming, and it will arrive with the force of a Tsunami. Those organizations that aren't prepared will find themselves overwhelmed, and left behind by thriving, better-prepared rivals. If you need a sanity check or want to bounce some ideas off us, reach out at contactus@al-enterprise.com