This is a guest article written by Stuart Winter-Tear. The author’s views are entirely his own and may not reflect the views of IT Governance.
People talk of the coming Internet of Things (IoT) but what is it and when is it coming?
The Oxford English Dictionary defines it thusly:
The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.
Okay, so when is it coming?
The truth is, it’s already here. Gartner estimates that there will be 4.9 billion connected devices this year, up 30% on last year, rising to 25 billion in 2020.
With the plethora of news relating to IoT application vulnerabilities, coupled with IoT applications’ increasing demand for user-device information, which is surreptitiously funnelled to unknown Cloud services, it’s no wonder the Oxford dictionary has this as its IoT example sentence:
if one thing can prevent the Internet of things from transforming the way we live and work, it will be a breakdown in security
Modern businesses are adopting BYOD (bring your own device) at an incredible pace, but the security and privacy implications of the IoT should be a grave concern.
The decentralisation of security control, the consequences of bolting IoT devices on to legacy infrastructure, the issue over business control of employee-owned devices, and the enlargement of the attack surface are all cause for concern.
In view of this, it’s no surprise that Gartner goes on to estimate that, by the end of 2017, 20% of businesses will have personnel dedicated to securing IoT devices and services.
OWASP has released an IoT project covering attack surfaces, security guides, vulnerabilities, testing guides, and so on, but in truth it can all be a little dizzying and overwhelming.
So, let’s get down to brass tacks; where can we start?
Encryption. Encrypt your data in transit; encrypt your data at rest; encrypt the entire device.
Ensure employees do not upload unencrypted data to any storage facility and only transfer data via secure, encrypted methods. Ensure they are trained, educated, informed and aware of the necessity of encryption.
It’s not sufficient for devices to be simply password protected.
Obviously, this is only one mechanism of IoT security, and Neira Jones talks of developing an application security strategy in her excellent article.
I’m not saying even this will be straightforward, but it is a solid and essential start to securing the IoT.
With the complexity of IoT business security, let’s begin with the more manageable premise that if/when your data/device falls into the wrong hands it needs to be encrypted; through encryption, it is indecipherable and it is useless to them.