The internet of things has huge promise in the upcoming years to improve efficiencies in decade old industries and provide insight for predictive analytics software companies to help shape the way people interact with the physical environment. Gartner projects the hype of total connected devices to be as high as 20.4B globally by 2020 and reaching a total spend on hardware close to $3 trillion.
Usually as an after thought to new technology, security will come into play. Six areas to be addressed are as follows:
- IoT Network Security: Protecting and securing the network connecting IoT devices to back-end systems on the internet.
- IoT Authentication: Providing the ability for users to authenticate an IoT device.
- IoT encryption: Encrypting data at rest and in transit between IoT edge devices and back-end systems using standard cryptographic algorithms.
- IoT PKI: Providing complete X.509 digital certiﬁcate and cryptographic key and life-cycle capabilities
- IoT security analytics: Collecting, aggregating, monitoring, and normalizing data from IoT devices and providing actionable reporting and alerting on speciﬁc activities or when activities fall outside established policies.
- IoT API security: Providing the ability to authenticate and authorize data movement between IoT devices, back-end systems, and applications using documented REST-based APIs.
Who Will be in charge of auditing and assessing connected devices?
There has always been a push to shift data breach liability to other parties in the value chain, especially when a vendor is involved. But at the end of the day, the companies brand whose customer information is stolen is impacted. For example, in the case where hackers were able to kill a Jeep engine with people inside of it, Chrysler recalled 1.4M cars. Last time I checked, Chrysler develops cars, not wireless communication protocols.
Enterprises using a vendor for connected devices, whether it be hardware, connectivity or additional services, need to ensure they have the proper assessments and checks in place for real-time, actionable insights.
The good thing is enterprises have started allocating people, budgets and new policies to IoT audit assessments and processes as they engage with vendors. Every enterprise, in some way or another, will be impacted by a connected device and having a framework to follow is, simply, a must.
NIST has a Cybersecurity Program for IoT outlined and that's a great place to start. And we will see how the New York DFS Cybersecuirty regulation will come into play on IoT Security in the very near future.
Ultimately, how will enterprises audit IoT security for potentially thousands of devices carrying healthcare data, payment information or access to the protocols connected to a home or a car?