ACUTA Journal Volume 21, Number 1 | Page 16

Figure 2. IoT Protection Mechanisms
Then, adopt a connect-and-protect methodology, which moves the trust demarcation point as close to the origin of the data as possible. To do so, layers of protective services are applied within and/or around IoT devices. (See Figure 2. IoT Protection Mechanisms.)
Essentially, your objective is to create a defensive framework in which no device or user is trusted until proven otherwise. A best-practices connect-and-protect framework leverages contextual information from multiple sources to scrutinize user and device security posture before and after the device connects to your network. This methodology helps overcome the limitations of fixed security perimeters tied to physical boundaries, which break down in the face of IoT devices that can connect and work from practically anywhere. Using this layered model offers a practical way to secure, exchange, and utilize data from IoT without replacing your installed base of devices.
The following protective mechanisms are recommended for IoT security frameworks:
• Authenticating source/destination devices and monitoring traffic patterns
• Encrypting data packets using commercial or government encryption standards
• Enveloping encrypted packets inside a secure tunnel to ensure data integrity
• Fingerprinting IoT devices to determine if they are trusted, untrusted, or unknown
• Applying appropriate roles and context-based IT policies to fingerprinted devices to control access
• Inspecting north-south traffic with application firewalls and malware detection systems
• Enforcing IT policies using all available assets in the network infrastructure
Effectively Enforcing IoT Security
No matter how sophisticated the IT policies or how robust the protection methodology, attacks on your network will be attempted, as attackers are always outsmarting the security systems people devise. This makes denying attackers the time to carry out their activities your most effective defense.
But, in complex environments like higher education, applying policies, monitoring compliance, and detecting violations must happen swiftly to thwart attacks. So rapidly, in fact, that manual enforcement is simply not possible. Not only is it difficult for a human to detect many of today’s sophisticated attacks quickly enough, but doing so requires staffing levels far beyond what most lean higher-education IT departments can dedicate. Practically speaking, automating policy enforcement is the only effective way to safeguard your institution’s network. With a rules-based policy management solution for network access control (NAC), even the most budget-constrained organizations can meet suspicious activity with the needed millisecond responses.
In a nutshell, an advanced NAC solution uses the policies and rules you establish to automatically deny access, by quarantining or disconnecting a device while simultaneously alerting a cybersecurity staff member to take any required follow-up action.
Additionally, a full-featured NAC system enables communicating appropriately with the device’s owner. This minimizes, or eliminates, the surprises that otherwise lead to frustration and escalation in tensions between end users, systems managers and IT when a device is “down” without explanation and for no readily apparent reason.
For example, if a building door lock tries to masquerade as a Windows PC, a robust NAC solution can immediately deny network access while notifying both the appropriate IT staffer and facilities manager. An even more advanced solution provides clear, understandable feedback to anyone attempting to use their access card at that particular door — such as sending a text message to the access-card owner redirecting them to an operational entryway.
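The door-lock scenario can be written as a small rules-based policy check. The sketch below is an added example, not code from the article or from any NAC product; the inventory, MAC addresses, role names and the `evaluate` function are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed inventory (hypothetical MACs): what each device enrolled as.
INVENTORY = {
    "00:00:5e:00:53:01": "door-lock",
    "00:00:5e:00:53:02": "windows-pc",
}
# Assumed notification policy: who hears about a violation, per enrolled type.
NOTIFY = {
    "door-lock": ["it-security", "facilities-manager"],
    "windows-pc": ["it-security"],
}

@dataclass
class Observation:
    mac: str
    fingerprint: str      # device type inferred from observed traffic
    os_updated: bool      # ongoing posture requirement (e.g., an updated OS)

@dataclass
class Decision:
    trust: str            # "trusted", "untrusted" or "unknown"
    action: str           # "allow", "quarantine" or "deny"
    notify: list = field(default_factory=list)
    reason: str = ""

def evaluate(obs: Observation) -> Decision:
    """Run on every observation, so posture is checked before and after connect."""
    enrolled = INVENTORY.get(obs.mac)
    if enrolled is None:
        return Decision("unknown", "quarantine", ["it-security"], "not enrolled")
    if obs.fingerprint != enrolled:
        # The door lock presenting as a Windows PC lands here.
        return Decision("untrusted", "deny", NOTIFY[enrolled],
                        f"enrolled as {enrolled}, fingerprinted as {obs.fingerprint}")
    if not obs.os_updated:
        return Decision("untrusted", "quarantine", NOTIFY[enrolled],
                        "posture: OS out of date")
    return Decision("trusted", "allow", [], "fingerprint and posture match")

if __name__ == "__main__":
    for obs in (Observation("00:00:5e:00:53:01", "windows-pc", True),
                Observation("00:00:5e:00:53:01", "door-lock", True),
                Observation("00:00:5e:00:53:02", "windows-pc", False),
                Observation("00:00:5e:00:53:99", "ip-camera", True)):
        d = evaluate(obs)
        print(obs.mac, d.trust, d.action, d.notify, d.reason)
```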
Of course, the foregoing scenario also illustrates a point about the comprehensiveness of the guidelines your institution will require. It’s not enough to set the rules for connecting devices; establish requirements for their ongoing security posture (e.g., an updated OS), and determine the circumstances for automatically denying access. You must also create guidelines around who is notified, how they are notified (text, email, etc.), and
16 Winter 2017 ACUTA Journal