By Stuart Reed, senior director market strategy, NTT Security
Despite its origins in machine-to-machine (M2M) communication back in the late 1990s, the Internet of Things (IoT) has fascinated people ever since its potential to replenish milk was first recognised. The concept of a fridge sensor automatically reordering dairy products before they run out has become the poster child example for connected devices. Perhaps this is why, unless an enterprise drinks a lot of coffee, the exponential growth and associated risk of connected devices may not have registered with information security professionals until now.
Move forward a decade and Costa Coffee has over 2,500 connected Costa Express machines in schools, hospitals, and offices. These aim to give users the sights, smells and sounds of the coffee shop, but also scan customers to predict and suggest what sort of products they would like, offer real-time, comparative reporting on the popularity of items and reduce operational costs by using sensors to trigger automatic product replenishment from central hubs.
As with most new innovations, the IoT creates great opportunity. But with this come new risks: that the data, devices and systems we rely upon for new and innovative services will be compromised in ways that are increasingly difficult to detect or defend against.
Internet of Everything
As we move to the ‘Internet of Everything’, where we have the capacity to assign an IP address to everything on the planet, sectors like finance and energy are joining manufacturing and logistics in seeking ways to exploit its potential: the ability for connected devices to collect new data that can be turned into actionable insight.
The use of techniques such as deep machine learning, cognitive computing technologies, speech and image recognition and reasoning capabilities means that industry analyst IDC predicts an explosion in devices, of 32 billion by 2020. It also predicts that IoT devices will generate 10% of the 44 zettabytes of data that will exist in the same timeframe.
Among all this excitement, security professionals are taking a hard look at the risks through the lens of data privacy, data sovereignty and security, but also in terms of the cloud and wireless infrastructure required to deliver connectivity and availability.
As we create network and communications infrastructures to support IoT globally, a vast number of different wireless technologies will be used to connect devices to the internet. As IoT services are distributed to more users and endpoints, often located in remote areas or subject to tough environmental conditions, enterprises must ensure their wireless LANs are bolstered by the right networking solutions to handle the additional number of clients sending and receiving data.
Whatever approach an organisation takes to IoT deployment, a robust, secure wireless network is essential, as is wireless connectivity management, controllers to manage traffic, a secure system to integrate wireless and wired networks – and the right appliances to maximise the value of data centre or cloud deployments.
Failure to establish best practice levels of protection in a wireless access point or to connected clients can result in a potential breach of an internal network. This includes IoT connected device policies, and many organisations are eager to learn from the experiences of BYOD, which demonstrate how devices can act as a pivot point to access corporate networks.
But for sectors like health, for example, policies around collecting, storing and accessing sensitive data will need to be carefully considered and integrated with an organisation’s security strategy and compliance standards. Patients and clinicians will need support from information security advisors to give them confidence that appropriate data protection and governance controls are in place.
As the IoT landscape evolves to exploit rapidly emerging opportunities, security is faced with re-examining the impact of these developments upon risk exposure. Evaluating how this explosion of additional endpoints and data sits within an organisation’s core risk and security strategy and the active management of corporate policies is necessary to ensure the long-term confidentiality, integrity and availability of IoT services.
Ironically, although the core of IoT is automatic data exchange, very few organisations have dynamic information security infrastructures that can deliver comprehensive visibility and control of every connected device.
For most organisations, integrating 1,000 additional endpoints into their security processes, such as identity and access management, asset monitoring, device management, data loss prevention and incident response, would be a huge challenge. Many may not even be aware of how many connected devices are already in use within internal or external processes or services, which they would need to know in order to incorporate them into their enterprise security architecture.
Connected devices can help organisations offer new services and enter new markets. But with opportunities come risks that the data, devices and systems we need for new ways of doing business will be compromised, with consequences not seen before. As part of the digital transformation of business, there is an opportunity for security to be embedded into the fabric of IoT and beyond from the outset rather than reactively.
NTT Security is the specialised security company of NTT Group, using embedded security to enable group companies to deliver resilient business solutions for clients’ digital transformation needs.