7 Proven Keys to Securing Your IoT Integrated Environment

In a recent study in 2016, Gartner estimates that 6.4 billion connected devices will be used by companies worldwide. By 2020, it will top 20 billion. The increasing use of IoT devices in our corporate networks brings the promise of unparalleled coordination and productivity. But it also brings the promise of multiplied threat vectors and vulnerabilities.

Companies must react to this changing environment. The old methods of data protection relied on defensible perimeters around large, corporate data centers. More companies, however, are adopting mobile, IoT, and cloud technologies that live outside the data center. The perimeter is now becoming a thing of the past.

Below are seven strategies to help equip the enterprise business meet the challenges of the current (and future) technology landscape. This, by no means, is exhaustive. Rather, they are stepping stones to create a defense-in-depth model as you secure your sensitive data.

The First Thing to Realize: There is No Perimeter

Back in 2014, Google laid the groundwork for looking at data protection in a whole new way with BeyondCorp, their internal data security initiative, co-authored by Rory Ward and Betsy Beyer. Here is part of their opening statement:

The perimeter security model works well enough when all employees work exclusively in buildings owned by an enterprise. However, with the advent of a mobile workforce, the surge in the variety of devices used by this workforce, and the growing use of cloud-based services, additional attack vectors have emerged that are stretching the traditional paradigm to the point of redundancy. … The perimeter is no longer just the physical location of the enterprise.

Here is the alarming reality: with every new device that becomes network enabled – a threat vector is added. And with every new threat vector, the tradition perimeter defense is weakened. The truth of the matter is, the perimeter was already porous. But with the advent of bring-your-own-device, IoT, and cloud infrastructure the perimeter has dissipated because, as BeyondCorp points out, either each device gets its own perimeter or you move to a model that acknowledges the new landscape.

Encryption as Your Cornerstone Defense

Encrypt all your sensitive data. Period. If we accept Googles premise that one should assume that an internal network is as fraught with danger as the public Internet and that allowing more devices access to the network only increases attack vectors, the logical conclusion is that the data must be rendered useless when compromised by fraud or attack.

Fortunately, strong encryption for data-at-rest that can withstand the best brute force attack has been readily available for years in the form of Advanced Encryption Standard (AES). In 2000 NIST formally adopted the AES encryption algorithm and published it as a federal standard under the designation FIPS-197. Since then, it has proven time and again to provide real-world protection from unwanted access to sensitive data.

Make Encryption Strong with Encryption Key Management

Hackers dont break your encryption, they steal your keys. That is why any encryption strategy that will defend the data against attack will include proper, centralized encryption key management. The first thing you must do is logically or physically separate the encryption keys from the sensitive data. This way, if the encrypted data is compromised, they will not be able to decipher it.

But once you separate the keys from the encrypted data, you must manage user access to the keys to the least amount of personnel possible, create clear separation of duties, and manage the full lifecycle of the keys. Since the keys are the only reasonable way someone can decipher your encrypted data, it is of vital importance that you fully implement physical security, logical security, user access controls, and full lifecycle management. A more definitive guide to encryption key management has been created to better explain the core concepts of the items given above.

Manage All Devices

All devices, including IoT devices, connecting to the network should be appropriately authenticated and authorized to access the requisite enterprise applications, according to BeyondCorp. Piyush Jain of SIMpalm agrees, we can replicate the [Mobile Device Management] approach for IoT so that we can manage and monitor the devices, which are connected to the IoT network. Each device should be granted access to the network by a controlling database of all devices. And authentication should be able to be revoked at a moments notice, effectively ending a session if the device is being improperly used.

Manage All Users

Similarly, all users should be given user and group privileges to the network, based on job function. They should also be given authority to use individual devices or groups of devices (up to and including all devices) based off of job function. This way, if a hacker gains access to a users login credentials but is trying to access the network from the wrong device, they will be locked out.

Use Multi-Factor Authentication

Login credentials are not enough. Passwords are hard to manage and can be compromised with keyloggers, malware, or any other of a variety of attacks. You need an exterior verification process. You need Multi-Factor Authentication (MFA).

When configuring MFA, users should be required to use multi-factor authentication at one of these following levels:

• Network Level – When they first access the network
• System Level When they access a server or any system
• Application Level Within your applications

Monitor All Threats in Real-Time

In a similar vein to BeyondCorp, Forrester is now promoting their concept of Zero Trust. In this model, there is no trusted internal network and an untrusted exterior. All users must not only be verified before logging into the network but it also calls for organizations to inspect all network traffic, from the outside and on the inside. This means all traffic must be inspected in real time.

The truth is, a large majority of data breaches occur on systems that have been compromised sometimes months before the data is lost. A recent Verizon Data Breach Investigations Report indicates that a full 84 percent of all breaches were detected in system logs. The indication, here, is that real-time log monitoring can be effective in searching out evidence of a security incident and stopping sensitive information being compromised before it is too late.

Final Thoughts

The landscape of our networks are changing. It is tempting to see the changes themselves as a threat to our sensitive information. The change is not the threat. The outdated model is the threat.

The truth is, this challenge gives us the opportunity to refashion our data security model and with it, the ability to open up a more dynamic and scalable networked environment. If we do away with the old model of the high wall with the trusted network inside, what we can build in its place is a network of users, devices, servers, and systems that are constantly authenticated, managed and monitored, bringing a higher degree of security.