FEATURE: IOT
is really important to plan for breach. Doing
so does not mean you need to prevent new
technologies from being introduced, it simply
means adding additional layers of security
around it.
Use network and device compartmentalisation
to prevent propagation of potential
breach and make sure to include some
technologies that can monitor for attacks
and vulnerabilities, and alert in such a case.
Most importantly, with all that in place, make
sure you have a great incident response plan
to deal with such a potential breach quickly
and efficiently.
Intelligent CIO Europe also spoke to Uri
Sarid, CTO at MuleSoft, who gave us his
opinion on how best to utilise IoT and the
security risks it may pose.
What security and authentication
steps would you recommend taking
to prepare for IoT deployment?
Extending systems to connect to the physical
world is a great opportunity for organisations
to assess security stance. They should first
question whether their application network
is well understood, segmented into sub-
networks with well-defined security postures
and governed at the connections between
these sub-networks as well as within them,
with well-defined need-to-know policies and
enforcement mechanisms in place.
Since the answer to that is often ‘no’,
organisations should start by focusing
on the connections between the IoT
deployment and their other systems. They
should treat the APIs exposed by, or to, the
IoT deployment architecture as products
that need well-defined and appropriate
security measures in place, that depend on
the sensitivity of the data transferred via
the APIs, the capabilities exposed through
the APIs, and the technologies used to
implement them. Written and deployed
correctly, APIs act like fortified, monitored
gates by only allowing traffic through that
meets strict criteria. They also ensure users
can only gain access to the applications
and data for which they have been
pre-approved.
Organisations can then extend an
API-layered approach into the IoT
deployment as well as back into their
systems, to offer defence in depth.
How important is it to instigate IoT
security measures from the beginning?
It’s vital to instigate IoT security measures
from the beginning, given that the
proliferation of new endpoints makes
organisations more vulnerable to hackers.
However, new threat vectors are constantly
arising and the pace at which they
continue to do so will only accelerate as the
IoT expands.
Organisations also need to ensure the security
measures they’re using to defend their IoT
deployments have the flexibility built-in
to allow them to continually adapt to the
dynamic threat landscape. External data
sources, cloud platforms and mobile devices all
provide valuable services, but they also create
new potential avenues for intrusion. Each
and every endpoint is a potential door into
an organisation’s IT systems and data and
hackers only need to open one to wreak havoc.
Is it common that companies would
underestimate the security risks of
IoT, or do you believe they have a wide
understanding of the potential risks?
Just as IoT deployments vary tremendously,
so does their security risk and so does the
appreciation of companies of that risk. While
breaches, often massive and destructive, of
software-only deployments still occur and
in fact are rising in frequency and breadth,
there is a relatively good understanding of
the technology stacks involved by many
IT professionals. On the other hand, IoT
involves many layers and players that are
much less familiar to most IT teams: some
use low bandwidth and power wireless
networks, many use proprietary specialised
hardware and firmware, various head-ends
and hubs may be in the middle vs other
deployments that have devices connecting
directly to traditional computer networks
and various authentication and encryption
methods may be in play.
In fact, in some cases, even the vendors
of these systems may not be as expert
regarding security risks as the buyer may
presume. So, while in general there is a
healthy perception that IoT introduces
potentially significant security risks, not all
companies will translate that to appropriate
security evaluations and precautions – and
vice versa, some may react with paranoia to
the point where they fail to reap the benefits
of IoT. On the positive side, the general
perception is leading to rapidly rising spend
and a rapid education of the realities of
modern IoT.