Securing Customer Identities in the Era of Data Breaches & the IoT

Security Special Supplement

By Special Guest
Marla Hay, Director of Product Management, Janrain
December 15, 2017

The DNC, LinkedIn, MySpace, Yahoo! This is just a partial list of the companies that experienced data breaches last year. Such breaches mean big risks for a brand’s reputation and bottom line.

These breaches led many organizations to start double checking the methods by which they manage their user data storage, devices, and the networks on which those devices exchange critical information.

And with the Internet of Things upon us, not only are brands tasked with guarding against more breaches, but they must secure many more access points than ever before. Last year, GlobalWebIndex estimated that there are now 3.64 connected devices per person in the marketplace. According to Intel, there will be more than 200 billion connected devices and sensors by 2020. Given that the population is expected to grow to 7.58 billion, that’s more than 26 connected devices for every person living on Earth – more than seven times what exists today.

Not only are we growing the number of per capita devices, we’re also letting those devices into our lives in ways that can make a breach more personal. Last year, a story in the San Francisco Globe outlined how a family found a stranger hacking into their connected baby monitor. The hacker obtained the login information for the baby monitor and used those credentials to access it through the associated web app. Terrifyingly, the stranger was speaking to their toddler through the monitor until the parents stumbled onto the hack themselves. More recently, hackers have found internet-connected teddy bears to be a gateway into a child’s world. In both cases, an effective security strategy could have prevented undesired access to the device.

While an effective security strategy can be established in-house, managed security could be an appealing option for organizations that lack the expertise, given the potential risk and scale of these IoT vulnerabilities. So, what goes into an effective managed security strategy?

Firewalls, Monitoring & Penetration Testing

Although they might be considered table stakes, organizations must have industry-standard firewalls for data ingress and virus protection programs, as well as robust performance monitoring to proactively detect and avoid brute force and denial of service attacks. In addition, vulnerability scans, penetration testing, and intrusion detection are critical to reducing the risk of breach for an IoT platform, and part and parcel of any good managed security strategy.

Device-Independent Identity

At the heart of an effective connected device strategy is a database of devices that keeps track of:

  • device attributes,
  • entitlements for each device, and
  • users or other devices associated with that device.

In a managed security infrastructure, this information should reside independently of the device itself, so that the device metadata and access rights remain in a secure environment even if the device is damaged or compromised.

Relationship Management

One thing that differentiates the IoT from a standard user model is the need to represent the relationship between the device and its users. A full IoT security strategy will include a structure for supporting access permissions for users tied to each device.

For example, is there a single administrator? How is user access granted and rescinded? An effective IoT device security strategy should support multiple levels of access and manage both the relationship of the user to the device and the relationship between users.

Standards-Based Device Authentication and Scoped Access

Finally, authentication and scoped access are the primary components of gating connected devices. An IoT solution needs to generate, store, manage, and deploy a high volume of access credentials. Each of those credentials needs to permit access at a feature level. In addition, credentials need to be properly scoped to ensure that a device can only access the features and data it is entitled to manage, in the same way that a service provider is scoped to access specific data and functions on behalf of an authenticated user. While there is no single prescriptive standard for managing IoT devices, vetted and proven identity and access protocols will help secure the device authentication and authorization process.
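To make the three requirements above concrete (a device registry kept off the device, admin-managed user relationships, and credentials scoped to both the user's role and the device's entitlements), here is an added example; it is not code from the article or from Janrain, and the registry layout, role names, scope names and function names are all assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample registry kept off the device: attributes, entitlements and
# the users tied to each device with a role. Role and scope names are assumptions.
ROLE_SCOPES = {"admin": {"video:view", "audio:talk", "users:manage"},
               "viewer": {"video:view"}}
@dataclass
class Device:
    attributes: dict
    entitlements: set                          # features this device may expose
    users: dict = field(default_factory=dict)  # user_id -> role

REGISTRY: dict = {}  # device_id -> Device
TOKENS: dict = {}    # opaque token -> (device_id, user_id, frozenset(scopes))
def register_device(device_id, attributes, entitlements, admin_user):
    REGISTRY[device_id] = Device(dict(attributes), set(entitlements), {admin_user: "admin"})

def _require_admin(device_id, acting_user):
    dev = REGISTRY[device_id]
    if dev.users.get(acting_user) != "admin":
        raise PermissionError("only a device admin may change user access")
    return dev

def grant_user(device_id, acting_user, new_user, role):
    _require_admin(device_id, acting_user).users[new_user] = role

def revoke_user(device_id, acting_user, target_user):
    _require_admin(device_id, acting_user).users.pop(target_user, None)
    # rescinding the relationship also invalidates credentials already issued
    for tok in [t for t, (d, u, _) in TOKENS.items() if (d, u) == (device_id, target_user)]:
        del TOKENS[tok]

def issue_token(device_id, user_id, requested_scopes):
    """Scope = requested AND allowed by the user's role AND device entitlement."""
    dev = REGISTRY[device_id]
    role = dev.users.get(user_id)
    if role is None:
        raise PermissionError("user is not associated with this device")
    scopes = set(requested_scopes) & ROLE_SCOPES[role] & dev.entitlements
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = (device_id, user_id, frozenset(scopes))
    return tok

def check_access(token, device_id, feature):
    """Feature-level gate: token must be live, bound to this device, carry the scope."""
    rec = TOKENS.get(token)
    if rec is None or rec[0] != device_id:
        return False
    return feature in rec[2] and feature in REGISTRY[device_id].entitlements
```

A request for a scope the role or the device is not entitled to is dropped at issuance rather than rejected, so a viewer asking for `audio:talk` on a monitor ends up with a credential that can only view video.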

IoT is increasing the scale and complexity of IT security beyond the capabilities of a single organization. Whether managed in house or in tandem with one or more external agencies, an IoT device security strategy that considers the safety and security needs of the users, devices, and network holistically will produce an IoT platform that promotes a secure, efficient ecosystem for increased user connectivity.

Marla Hay is director of product management at Janrain.

Edited by Erik Linask