IoT security is your business

Why leaders need to carefully evaluate the cost of keeping IoT networks safe.

By Matthew J. Perry
May 10, 2016
Medieval padlock in a Hindu temple in Kathmandu, Nepal. Medieval padlock in a Hindu temple in Kathmandu, Nepal. (source: Sigismund von Dobschütz on Wikimedia Commons)

One of the most frequently expressed concerns of companies considering an expansion into IoT capability is security. Companies want the benefits of IoT, but they fear that the consequence of increased connectivity will be critical vulnerabilities.

Security fears, like other growing pains, can be mitigated by focusing on enterprise problems that need immediate answers. There are actions and assessments that can help determine what the first step into IoT functionality might be, and what safety impediments might exist. The steps outlined below can both help a company prepare for the adoption of an IoT platform and refine opening dialogue with service providers who will help create the critical security components.

Learn faster. Dig deeper. See farther.

Join the O'Reilly online learning platform. Get a free trial today and find answers on the fly, or master something new and useful.

Learn more

A comprehensive security approach?

The best IoT platform and security vendors are committing resources to comprehensive safety solutions. Companies interested in IoT upgrades, however, shouldn’t wait for the service providers to solve the problem. Because each system of networks is distinct, the most practical approach is to isolate an existing business case that needs attention immediately. A company’s networks and IT components should be reviewed in the context of an existing business need and their IoT strategy established before any vendor is approached.

As the IoT platform expands, users will need the right mix of alerts and prompts to detect unusual behavior around edge assets, applications, and networks. Change is also afoot in the vendor landscape. Security solutions for a pre-IoT landscape may not apply as businesses make platform upgrades. Existing service contracts may be adaptable, but niche players also are presenting suites of products and services that may fit better with a company’s needs.

Security products such as firewalls, unified threat management (UTM), anti-virus and anti-malware devices, and API controls are all established in the marketplace. To increase the likelihood that IoT upgrades are worth the investment, and secure enough for the company’s risk tolerance, the strategic analysis must be thorough.

For most enterprises, a bright future will depend on their ability to utilize the growing network of digitized things and people. Decision-makers will have to determine A) how safe their networks are and B) if the security they are purchasing is worth the cost. For those who are focused on the details of the IoT business case, the following points are worth consideration:

Action 1: Pinpoint the operations where an IoT connectivity component makes sense, right now. IoT and its security are outsized concepts. Companies must bring their problems to the technology, not the other way around. By targeting a select group of functions to deliver on a finite goal, both the IoT investment and the threat of exposure are minimized, at least at the crucial outset.

Action 2: Be prepared to look beyond the current provider contracts. Network service providers with a track record may have earned it, but let’s remember that the Internet of Things represents a process, rather than a static set of new protocols and tools. Companies should make sure the service contracts provide the necessary upgrades on terms that benefit them. Any lock-in provisions also need to be evaluated; if there are unforeseen security problems that require new services or products, it may be disadvantageous if contractual details don’t make the required changes easy to deliver.

Action 3: Rigorously evaluate the security capabilities of vendors for signs of flexibility. IoT security features and protocols are still in their infancy. Decision-makers need to look hard at service providers’ approaches to security and how their suite of products and services adapts.

As IoT protocols and tools change, along with a company’s security needs, it can be beneficial for companies to take a look at providers and service contracts they haven’t considered before.

Action 4: Use test cases to phase in implementation. IoT implementation may well begin on the edge of the enterprise. Rather than an upgrade that extends up the value chain, IoT security features can be implemented on a “refresh and replace” schedule, where new protections are phased in only when it is time for old ones to be retired. If a company operates sites or employs assets on the edge, isolated test cases can be outfitted with new protocols on a test-case basis.

IoT will deliver surprises, and a few may be unpleasant. But with a sensible phase-in approach, and a critical approach to vendor relationships, the security dilemma can be resolved, and breach threats minimized.

This post is a collaboration between O’Reilly and ThingWorx. See our statement of editorial independence

Post topics: Security