When moving to the Internet of Things (IoT), enterprises need to have renewed security plans in place. RTInsights expert blogger David Linthicum explains why.
A growing number of connected devices will add to an enterprise’s “attack surface,” according to RAND Corporation in its latest study on cybersecurity, “The Defender’s Dilemma: Charting a Course Toward Cybersecurity.” With the growth of the Internet of Things (IoT), we’re going to get crazy with the number and types of devices that we connect to our networks, devices that typically talk to our data storage systems as well.
At issue are the ways in which hackers can gain access to internal systems. That number has gone way up, with connected factory robots, thermostats, MRIs and other sensors that are set up to gather data. If any one of those sensors is vulnerable to attack, it could allow access to other network-connected resources, which could compromise sensitive data or take systems down.
When moving to the IoT, enterprises need to have renewed security plans in place. This means looking at all aspects of application, data and network security to ensure that added sensors and devices are working and playing well with the current security approaches and technologies. In many cases, the addition of these devices and sensors does not take into account overall security policies, and they actually make the enterprise less secure.
Ensuring Security in Devices and Sensors
Identity and Access Management (IAM), also known as Identity Management (IdM), is not new but is a preferred approach to securing IoT devices and sensors. With the emerging use of the IoT, I think IAM is clearly the best security model and best practice. Indeed, many cloud providers (including Amazon Web Services) provide IAM as a service right out of the cloud. Others (including Ping Identity) require you to select and deploy third-party IAM systems.
The concept is simple: provide a security approach and technology that enables the right individuals to access the right resources at the right times for the right reasons. The concept follows the principle that everything and everyone gets an identity, including humans, servers, sensors, devices, application programming interfaces (APIs), applications and data. Once verification occurs, it’s just a matter of defining which identities can access other identities and creating policies that define the limits of that relationship.
An example would be to define and store the identity of a set of device-based APIs that are only to be leveraged by a single set of smart phones that run a certain application. The APIs each have an identity as do the smart phones, the application and the humans using the smart phones. They have to authenticate each other’s identity before they are granted access, or grant access, using an IAM. Each checks with the IAM each time they interact with another resource (such as in the example of an application running on a smart phone, linking to and invoking a device API).
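The smart phone and device API scenario above, sketched as an added example that is not from the original article or from any IAM product. The ToyIAM class, the identity names (alice, phone-1, phone-9, hvac-app, thermostat-api) and the HMAC-based proof are all assumptions chosen for illustration, and nonce handling is simplified (a real IAM would issue the nonce and reject reuse).

```python
import hashlib
import hmac
import secrets

def prove(key, nonce):
    """Proof of key possession that each party presents: HMAC-SHA256(key, nonce)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ToyIAM:
    """Constructed in-memory IAM: identity registry plus deny-by-default policy."""

    def __init__(self):
        self._keys = {}       # identity name -> secret key
        self._rules = []      # allow rules: (api, phones, app, users)

    def register(self, identity):
        """Every entity (human, phone, app, API) gets an identity and a key."""
        self._keys[identity] = secrets.token_bytes(32)
        return self._keys[identity]

    def allow(self, api, phones, app, users):
        """Policy: `api` may be invoked only by these phones, this app, these users."""
        self._rules.append((api, frozenset(phones), app, frozenset(users)))

    def verify(self, identity, nonce, proof):
        """Authenticate one identity; unknown identities always fail."""
        key = self._keys.get(identity)
        return key is not None and hmac.compare_digest(prove(key, nonce), proof)

    def authorize(self, api, nonce, proofs):
        """Run on every interaction. `proofs` maps role -> (identity, proof)."""
        if set(proofs) != {"user", "phone", "app", "api"} or proofs["api"][0] != api:
            return False
        if not all(self.verify(ident, nonce, p) for ident, p in proofs.values()):
            return False
        user, phone, app = (proofs[r][0] for r in ("user", "phone", "app"))
        return any(a == api and phone in ph and app == ap and user in us
                   for a, ph, ap, us in self._rules)

def demo():
    """Constructed scenario: phone-1 is in the approved set, phone-9 is not."""
    iam = ToyIAM()
    names = {"user": "alice", "phone": "phone-1", "app": "hvac-app", "api": "thermostat-api"}
    keys = {n: iam.register(n) for n in (*names.values(), "phone-9")}
    iam.allow("thermostat-api", {"phone-1"}, "hvac-app", {"alice"})
    nonce = secrets.token_bytes(16)   # fresh per interaction
    def call(**swap):
        proofs = {r: (n, prove(keys[n], nonce)) for r, n in {**names, **swap}.items()}
        return iam.authorize("thermostat-api", nonce, proofs)
    return call(), call(phone="phone-9")
```

Note that phone-9 authenticates successfully, since it holds a valid registered identity, and is still refused because no policy names it: authentication and authorization are separate checks.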
Security should be systemic to your IoT strategy. You need to include IoT as you consider security models and technology. IAM is a good place to start, but the reality is, each solution needs to be crafted to your exact requirements. Start your planning now.