As your Internet of Things (IoT) device population grows, managing it becomes increasingly difficult. More devices means more potentially vulnerable endpoints, more identities to verify and more software to keep up to date.
Four Keys to Effective IoT Population Management
To effectively manage your IoT population, it’s important to know your users, devices and their functions, and understand how they connect to each other and your network. Build security into your management strategy by considering these four areas of concern.
The beauty of IoT devices is their simplicity: They’re designed to be unboxed and plugged in. Once connected to your network, the unit authenticates itself to its manufacturer’s site, where it announces its presence and asks for any updates that may be available. Once that’s done, the device does whatever it is designed to do.
Authentication is only part of the provisioning process that adds the device as a known entity on your network. But because setup is so simple, many IoT devices are connected without going through the validation and configuration steps that are standard for network-connected devices. Network intruders know they can find vulnerable access points in unvetted IoT devices and have already used seemingly benign items such as security cameras to invade enterprise networks.
Chief information security officers (CISOs) must perform network scans to detect all IoT products in their domain and take measures to validate and secure them.
2. Absolute Control
IoT products are often installed in remote locations, mobile environments and places that are just difficult to get to. A connection to the network is generally made via cellular services, which enable remote configuration and management so that updates and changes can be done as needed.
Make certain that the control functions include methods to update firmware, roll back configuration changes to previously known good states, and complete data and credential wipes so that units can be decommissioned easily prior to physical retrieval when necessary.
3. Status Checks
IoT populations can grow to thousands of devices spread across wide areas. When all is working well, there’s no action to take, but there can still be processing anomalies that don’t rise to the level of failure and aren’t reported as problems. Even so, small performance variations can cause issues that ripple across your network. Just a few nodes operating below standards can create problems that result in low customer satisfaction.
Ensure that the developers of your IoT devices have built in functions to deliver performance metrics and periodically send system logs for analysis. The most proactive suppliers will not only deliver those data sets, but also provide the necessary analytics and send alerts.
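As an added illustration (not code from any vendor or from this article's author), the sketch below shows the kind of fleet-level analysis those metrics and logs make possible: it flags nodes that never reported a failure but are operating below the rest of the population or have stopped sending logs. The device names, telemetry values and both thresholds are constructed assumptions.

```python
from statistics import median

# Constructed telemetry: (device_id, response latency in ms, minutes since last log upload).
# None of these devices has reported a failure.
SAMPLE_FLEET = [
    ("cam-001", 118, 4), ("cam-002", 124, 6), ("cam-003", 121, 3),
    ("cam-004", 119, 5), ("cam-005", 310, 4),   # slow but still "up"
    ("cam-006", 122, 95),                        # healthy latency, logs stopped arriving
    ("cam-007", 126, 2), ("cam-008", 117, 7),
]

def robust_scores(values):
    """Modified z-score per value, using median and MAD so a few bad nodes
    cannot drag the baseline the way a mean and standard deviation would."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Every typical node is identical: anything different is an outlier.
        return [0.0 if v == med else float("inf") for v in values]
    return [0.6745 * (v - med) / mad for v in values]

def flag_devices(fleet, z_limit=3.5, max_log_age_min=30):
    """Return {device_id: [reasons]} for nodes operating below fleet standards.
    z_limit and max_log_age_min are assumed values; tune them per deployment."""
    scores = robust_scores([latency for _, latency, _ in fleet])
    flagged = {}
    for (dev, latency, log_age), z in zip(fleet, scores):
        reasons = []
        if z > z_limit:
            reasons.append(f"latency {latency} ms is a fleet outlier (score {z:.1f})")
        if log_age > max_log_age_min:
            reasons.append(f"no logs received for {log_age} min")
        if reasons:
            flagged[dev] = reasons
    return flagged

if __name__ == "__main__":
    for dev, reasons in flag_devices(SAMPLE_FLEET).items():
        print(dev, "->", "; ".join(reasons))
```

A device that goes quiet is treated as a finding in its own right, since missing logs can mean a connectivity fault or a unit that is no longer under your control.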
4. Keeping Software Up to Date
Updating the software that makes IoT products smart is a fact of life. No software is ever complete, particularly if you are deploying relatively new products. For devices that you develop within your own network, assume that the code is incomplete and that there are security flaws, even if you’ve gone to exceptional lengths to test and validate them.
At some point along the way, you will need to perform updates on various software components ranging from bootloaders to the main application. Build the update processes into your plans: consider how and where the devices are used, plan for the least convenient problems to happen and build your plan to recover from those problems.
If you deploy commercial devices, work with the supplier to ensure that all the safeguards and update protocols you would design into your own implementations are available and functioning in the units you purchase. The manufacturer may be responsible for its products, but those products live on your network and connect to your enterprise, so the intrusions will ultimately land at your doorstep. Make sure you have the tools in place to maintain your own security.
A New Security Challenge
The IoT is a current reality of enterprise technology, but security is and will always be a challenge as thousands of intelligent nodes are added to distributed networks. Know the internals of the products you deploy and keep them up to date to protect your network and the data that runs your business.