The Internet of Things and its effect on Enterprise Security

Mike Campbell, IAM Consultant, SecureITsource, Inc.

Smart devices comprised a network of almost 23 billion devices in 2016. While internet-connected devices remain mostly in the consumer market now, the intersection of Internet of Things devices with the enterprise network has been approaching for a while now, with BYOD policies and cloud-based Software as a Service vendors being common in the enterprise environment today.

Intelligent hardware sensors will become vital parts of the business process of manufacturers, the supply chain of retailers, and logistics of airlines. These devices will allow companies to increase their efficiency, lower cost, and broaden their visibility. Smart coffee makers will know when to brew a fresh cup of coffee for the on-call engineer. And smart cars will be able to detect the car rounding a corner that the on-call engineer couldn’t see.

The positive effects of the Internet of Things on our lives is obvious. But managing and ensuring the safety and security of these devices is going to be a monumental task that will fall into the hands of many groups of people.

With Amazon Echo and Google Home selling millions of units in the previous year, products which can record and log voice and other data pose a concern to users as well as the employees managing that data.

HIPAA currently only covers healthcare entities, but what happens when protected healthcare information is discussed in a person’s home and a company is recording and indexing all the data it learns about that person? Will the company become subject to HIPAA? How about when the product develops a voice signature of that person in order to respond faster? Many financial companies are currently regulated against releasing personally identifiable information, among it voice signatures.

Smart and driverless cars, which are always connected, will completely change the shipping and hauling industry. Industrial control systems will be redesigned with smart capabilities or it will be added on via a sensor. By 2050, there are expected to be over 50 billion IoT devices. Many different IT teams will need to work together on these new platforms to keep things running, to troubleshoot them, and to secure them.

Hardware and data that employees use will no longer exist in an office, a datacenter or a cloud. The employee will be using different smart tools in day to day operations at home or in the field and the tool will be sending data in transit to the cloud. With many embedded devices, the smart features of a device are built directly into the operating system, which may be custom built. As these are unique and different than the platforms most system and network administrators use today, employees will need to adapt to managing an increasing number of types of devices, as well as an increase in overall number of connected devices.

There will be untraditional vendors creating IoT devices who will lack patching, support, or any sort of security features. As the market is still wide open, it will be a while before users settle on specific product vendors. Until then, there will be new technology, protocols, and management procedures being introduced with differing lifecycles.

How will companies manage these devices? Can these devices be used or tampered with through a cyber-attack? Will the devices contain credentials that need to be secured?

In October of 2016, the DNS provider Dyn was attacked by a botnet composed mostly of IoT devices. Dyn provides DNS services for many websites and the attack affected the availability of these websites worldwide. The botnet, named Mirai, is malware that turns machines running Linux (mostly tools such as IP cameras and routers) into remotely controlled bots that can be used in large scale attacks. Up to 100,000 malicious IoT devices spammed the DNS provider for over four hours, generating up to 1.2 Tbps of TCP packets and preventing Dyn from providing services to legitimate customers.

These computers were likely compromised because the tools utilized default or weak logon credentials. It is difficult to manage passwords for these types of devices because often, the user never logs in or interacts with the device, and if they do, they are not forced to change the default password. However, they are still connected to the internet.

One of the best solutions to securing IoT devices is securing access to the IoT devices. This means ensuring complex passwords are generated for accounts on smart devices before they are used and that the passwords are changed regularly. Access should be managed. The same rules that apply to password management of desktops and applications should apply to IoT devices, especially for companies that will or already do use IoT devices as part of the business process, such as manufacturing, logistics, or healthcare.

While the sheer scale of managed accounts will increase exponentially because of IoT devices being incorporated into the enterprise network, there are tools available that manage the access of identities to these devices. The access management tools that offer support for these new smart devices will excel beyond its competitors as IT teams scramble to find a way to scale to the new number of connected devices.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise.

www.secureitsource.com