Intelligent CIO Europe Issue 9 - Page 48

FEATURE: IOT

is really important to plan for breach. Doing so does not mean you need to prevent new technologies from being introduced, it simply means adding additional layers of security around it. Use network and device compartmentalisation to prevent propagation of potential breach and make sure to include some technologies that can monitor for attacks and vulnerabilities, and alert in such a case. Most importantly, with all that in place, make sure you have a great incident response plan to deal with such a potential breach quickly and efficiently.

Intelligent CIO Europe also spoke to Uri Sarid, CTO at MuleSoft, who gave us his opinion on how best to utilise IoT and the security risks it may pose.

What security and authentication steps would you recommend taking to prepare for IoT deployment?

Extending systems to connect to the physical world is a great opportunity for organisations to assess security stance. They should first question whether their application network is well understood, segmented into sub-networks with well-defined security postures and governed at the connections between these sub-networks as well as within them, with well-defined need-to-know policies and enforcement mechanisms in place.

Since the answer to that is often ‘no’, organisations should start by focusing on the connections between the IoT deployment and their other systems. They should treat the APIs exposed by, or to, the IoT deployment architecture as products that need well-defined and appropriate security measures in place, that depend on the sensitivity of the data transferred via the APIs, the capabilities exposed through the APIs, and the technologies used to implement them. Written and deployed correctly, APIs act like fortified, monitored gates by only allowing traffic through that meets strict criteria.
They also ensure users can only gain access to the applications and data for which they have been pre-approved. Organisations can then extend an API-layered approach into the IoT deployment as well as back into their systems, to offer defence in depth.

How important is it to instigate IoT security measures from the beginning?

It’s vital to instigate IoT security measures from the beginning, given that the proliferation of new endpoints makes organisations more vulnerable to hackers. However, new threat vectors are constantly arising and the pace at which they continue to do so will only accelerate as the IoT expands. Organisations also need to ensure the security measures they’re using to defend their IoT deployments have the flexibility built-in to allow them to continually adapt to the dynamic threat landscape. External data sources, cloud platforms and mobile devices all provide valuable services, but they also create new potential avenues for intrusion. Each and every endpoint is a potential door into an organisation’s IT systems and data and hackers only need to open one to wreak havoc.

Is it common that companies would underestimate the security risks of IoT, or do you believe they have a wide understanding of the potential risks?

Just as IoT deployments vary tremendously, so does their security risk and so does the appreciation of companies of that risk. While breaches, often massive and destructive, of software-only deployments still occur and in fact are rising in frequency and breadth, there is a relatively good understanding of the technology stacks involved by many IT professionals.
On the other hand, IoT involves many layers and players that are much less familiar to most IT teams: some use low bandwidth and power wireless networks, many use proprietary specialised hardware and firmware, various head-ends and hubs may be in the middle vs other deployments that have devices connecting directly to traditional computer networks and various authentication and encryption methods may be in play. In fact, in some cases, even the vendors of these systems may not be as expert regarding security risks as the buyer may presume. So, while in general there is a healthy perception that IoT introduces potentially significant security risks, not all companies will translate that to appropriate security evaluations and precautions – and vice versa, some may react with paranoia to the point where they fail to reap the benefits of IoT. On the positive side, the general perception is leading to rapidly rising spend and a rapid education of the realities of modern IoT.