Vulnerabilities / Threats

4/24/2018
02:30 PM
Bill Kleyman
Bill Kleyman
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Deconstructing the Possibilities and Realities of Enterprise IoT Security

Organizations are rushing to leverage Internet of Things solutions but struggle to design the information technology architectures that will lock down the data these devices create.

When we think of the Internet of Things, most people usually fall back to the kinds of devices they're familiar with, such as a Nest thermostat or a Philips Hue smart light. However, today IoT components are finding their way, at lightning speed, into places such as healthcare, the enterprise, and certainly the data center.

Let me give you a specific example. Raritan recently came out with a line of "smart racks" that take environmental monitoring to the next level. These data center–ready IoT technologies are tested to withstand billions of hours of runtime in the world's most data-intensive environments. One of those IoT components are environmental sensors located throughout the rack. From there, they help isolate hot spots, optimize cooling, prevent downtime, and even maintain security through integration with smart locks. Furthermore, these IoT devices gather data, which then feeds into a data center infrastructure management platform, allowing data center and business leaders to make better decisions.

At UPS, IoT sensors help protect the environment by monitoring delivery truck mileage, speed, and overall engine health. Coupled with big data solutions, UPS is also able to effectively monitor packages and optimize entire routes. And, fairly recently, Microsoft and Rolls-Royce collaborated on advanced operational intelligence to airlines. This is similar to what GE is doing with its jet engines. The benefit? Ground crew technicians can identify wear and tear on specific components before the airplane even lands. From there, they can have repair and parts teams ready to cut maintenance windows down dramatically.

[Hear Bill Kleyman speak about The 6 Core Components of IoT -- And How to Secure It All at Interop ITX on May 2 in Las Vegas. Register with Promo Code DR200 and save $200.]

By the numbers, according to IDC, the IoT market is showing absolutely no signs of slowing down, with an expected size of $1.4 trillion in 2021. However, when it comes to enterprise adoption of IoT devices, there are concerns. How do you design the right IoT use case? Can it mesh with your existing network and data center systems? Most of all, what about security: How do you process and protect data such as personal identifiable information or personal healthcare information? Organizations want to leverage IoT solutions but are struggling to understand how to design the right architectures and, most importantly, how to leverage and quantify the data that these devices create.

IoT Meet Edge Computing
There is no doubt that data center and business leaders are actively investing in IoT solutions. In the latest AFCOM (Association for Computer Operations Management) State of the Data Center Industry study, a report I helped co-author, we found that 81% of respondents view the primary purpose for expanding edge compute capacity is to support and enable IoT; four in 10 respondents already have either deployed or plan to deploy edge computing. Why this is important is because the goal of edge computing is to process data and services as close to the end user or source as possible. IoT pretty much fits this use case exactly.

In the modern enterprise organization, it's critical for leaders and IT professionals to both conceptualize IoT components and how they can apply these concepts to their own organization. This is an architectural and business exploratory process to really understand where connected devices can bring value to the business. Whether it's connected trucks or enhanced engines, your approach to connecting a part of your organization into the digital realm will be unique.

A lot of times, enterprises think that a connecting device has to be something new. However, in many situations, we're digitally transforming analog systems. For example, by fitting their massive cranes with IoT sensors, a construction company would be able find faults in seconds rather than troubleshooting for hours. To that extent, which analog systems do you have in your IT infrastructure that could be digitized? Where are the data points that you'd like to gather or learn more about? For many organizations, these are potentially big benefits and all part of the IoT revolution. But to really understand the possibilities of enterprise IoT, you will need to take a multifaceted approach:

  • Evolution of the edge. It's critical to understand that edge solutions help deliver and process data much close to the user. And, when it comes to IoT, edge is a major enabler.
  • IoT security based on context. IoT security is never linear. The best security models will always take a contextual approach to device access and interrogation.
  • The "smart" data center. Your data center is becoming much smarter. From bots to intelligent racks, these are all IoT devices that need security and efficiency.
  • Hacking as an economy. The bad guys have made an industry out of hacking and have economized the process. It's critical to know how much your data is worth on the Dark Web and why considerations around IoT are key to good security best practices.
  • Key factors in designing and IoT security strategy. Combining edge, the components of IoT, business use cases, and a good overall security strategy are the keys to designing a secure IoT architecture. Beyond that, ensuring data security will be a top priority.

Not only must we continue to educate around IoT, it will be up to the leaders and innovators to find good use cases and proper designs.

Related Content:

 

Bill is an enthusiastic technologist with experience in datacenter design, management, and deployment. His architecture work includes large virtualization and cloud deployments as well as business network design and implementation. Bill enjoys writing, blogging, and educating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
QuadStack
50%
50%
QuadStack,
User Rank: Author
4/26/2018 | 1:34:23 PM
Re: Practical Security for IOT
Hey Jim - First of all, thank you for reading and commenting. Securing home IoT devies is actually not so bad. There are some good tips when it comes to making sure your home devices work. Here are a few thoughts:

1. Create a seperate network ONLY for IoT devices.

2. Only allow devices to join your network via known MAC addresses. This will prevent any unwanted devices from trying to get in. In fact, on your seperate network, you can restrict any device joining it unless you specifically entered in the MAC address yourself.

3. If you have a hub at home - like a Wink, for example - make sure that it remains up-to-date.

4. Keeping your devices firmware and software updated is key. It's not always easy, we have a lot of devices at home. However, look at your apps regularly to see if there are updates. 

5. Newer routers have some really cool 'fencing' solutions which prevent people from parking outside your house and spoofing your WiFi - look for networking gear which can provide a bit more security like that.

6. Passwords upkeep is important. Again, if you're connecting through a centralized hub - changing your password every now and again is a good idea. 

7. If you've got things like sensors, actuators, or something else that collects and then delivers data to a centralized aggregation engine - make sure that VM, server, or machine is locked down as well. Virtualization is a great way to centralize your VMs and ensure networks and data remain secure.

8. If you're working with a hub or some kind of centralized IoT platform, restrict access, ensure complex passwords, and make sure to check for updates regularly.

Of course, there are even more tips out there depending on the kind of devices you're using. But this is a good start.
jla56@sbcglobal.net
50%
50%
[email protected],
User Rank: Apprentice
4/26/2018 | 12:31:48 PM
Practical Security for IOT
As a homeowner with IOT and even more so as a security professional whose company has a lot of IOT, I am very concerned about security.  But I have yet to read an article that provides concrete suggestions other than to separate IOT devices from other devices (which ones? how?) and to change passwords (how?) and to block unused ports/services (how?) and keep software updated (big-time how?).  

I am not trying to be smart or critical and I realize this would be different for most devices.  But front line people (and that includes consumers) need a way to get actionable information, not just generic suggestions.  

Let me know if I can be part of the solution.  I'll be happy to do something, if someone can point me in the right direction.  

Regards,

Jim ANderson
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11321
PUBLISHED: 2018-05-22
An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
CVE-2018-11322
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
CVE-2018-11323
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
CVE-2018-11324
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. A long running background process, such as remote checks for core or extension updates, could create a race condition where a session that was expected to be destroyed would be recreated.
CVE-2018-11325
PUBLISHED: 2018-05-22
An issue was discovered in Joomla! Core before 3.8.8. The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and display the plaintext password for the administrator account at the confirmation screen.