Even though the IoT market is nascent, the use of unmanaged and insecure devices in enterprises are growing every day across every industry. As per numerous reports, these unmanaged IoT devices outnumber managed devices on the network by three to one. While there are common devices like smart appliances, HVACs, smart lighting, surveillance cameras in most industries, there are industry specific Operational Technology (OT) devices getting on to the IT network e.g. in the case of manufacturing the OT devices; in healthcare, patient monitoring and healthcare devices. While unmanaged IoT devices bring promise of productivity, efficiency, and collaboration, the correct security posture wasn’t incorporated in these devices, thereby creating new security threats to organizations.
Enterprise security professionals have so far failed to understand and address the security risks introduced by these unmanaged devices, and thereby suffer from security incidents (in some cases there are safety and compliance implications as well). We experienced the impact of the famous Mirai botnet back in 2016, which had its fair share of press coverage, followed by many more advanced flavors of the same malware. This is just the beginning and the impact of these security issues could be disastrous if we don’t address this growing security problem the right way.
Enterprises need to adopt an aggressive cybersecurity posture provided by multi-vendor solutions to defend against the myriad of threats that these devices introduce. Many vendors and analysts have published their recommendations. At present most of the vendor driven solutions are addressing the Identify, Detect, Respond of the NIST framework by focusing on the network traffic based analysis but fail to provide an adequate Protect layer at the devices to mitigate the risks for good. Many NAC (Network Access Control) and SIEM (Security Information and Event Management) oriented products, including Microsoft with the recent acquisition of CyberX, are gearing up to address Enterprise IoT security for unmanaged devices on the networks. The agent-less, network traffic analysis based approaches will provide the comfort and value immediately to customers but don’t provide the complete solution to actual problems at the source/devices. The recommended steps are:
Most of the enterprises are deploying IoT security products like CyberX that are based on the fundamental NAC principles. As mentioned above in step 3, the gaps need to be addressed for effective Enterprise IoT security. Device Authority’s KeyScaler provides an easy integration framework with current generation IoT security products like CyberX to address the protect and prevent gaps outlined in step 3.
Of course, true IoT security methodologies require a Secure by Design and a Privacy by Design approach. There is lot of activity in this direction at present. Meanwhile specialized network monitoring products are addressing the Enterprise IoT Security for legacy unmanaged devices. Multi-vendor integrated solutions are required for true protect/prevent layer of the NIST framework to address the security for these legacy unmanaged devices. Device Authority KeyScaler IoT IAM platform is great companion to existing products for addressing Enterprise IoT security the right way.
Learn more about Enterprise IoT security in our blueprint here, or contact us to discuss your requirements.