Kickstarting a new IoT project? You know already, of course, that comprehensive security is a must, for everything from the individual connected ‘things’ on your network, to the data being generated, transmitted and analysed. But how best to go about procuring and implementing that security?
Here’s a handy checklist of ten elements to consider.
Security by design
Begin at the beginning. Security by design is a requirement under the GDPR for good reason: it ensures a comprehensive and uncompromising approach to securing devices and data, rather than layering protection on afterwards. Your new IoT deployment should begin with questions about how you are going to handle security, and every procurement and intervention made as part of the project should put security first.
Reduce the attack surface
Any IT security project should reduce the potential attack surface as far as possible, and an IoT deployment is no different. Do you really need every connected ‘thing’ that you are proposing? Fewer endpoints means fewer potential routes into your organisation.
Device authentication
That takes us neatly to each individual endpoint device. Every single one needs to be authenticated and verified, which normally requires an IoT management platform and a certificate-based system.
Access control
Who has access to which device? Who has access to which areas of the IoT infrastructure? Permissions should be as restrictive as day-to-day operations reasonably allow; delegate access only where absolutely necessary. Don’t forget about physical access either: consider how your premises are protected, and ensure that getting inside the building does not allow interventions such as password resets or easy access to vulnerable hardware.
Passwords and multifactor authentication
Back to basics here – every password, both local and remote, should be both strong in itself and part of a multifactor authentication process. Devices with hard-coded or default passwords are an open invitation to malicious hackers.
Ports and remote access
If incoming traffic is not blocked by default, then the ports that allow remote configuration need to be properly restricted. You can also consider deploying a VPN for remote management.
Data encryption and privacy
All data generated as part of your IoT deployment needs to be encrypted, from the point of creation, in storage both on the connected device and on any further databases, and while it is in transit. You also need to think carefully about the privacy policies and protocols attached to all of the data that you collect and harness, particularly in light of the GDPR.
Ongoing security testing
All IT security programmes should be ongoing processes, not one-off interventions. Security testing for the IoT should take a number of different forms. You need to implement both digital and physical testing of your IoT devices, to identify any vulnerabilities and potential targets for malicious hackers, and you also need third-party testing, performed by external security professionals. It is not enough to rely on your own staff – third parties regularly spot things that internal employees do not.
Updates and decommissioning
Consider how both your hardware and software will be updated on an ongoing basis. How are you going to install patches and fixes? Software upgrades should happen automatically, but you will also need a process in place for establishing when elements of your IoT infrastructure have reached end of life or are no longer required. They need to be properly decommissioned and removed from the network immediately.
Training and awareness
As always, technology is just one part of the overall security picture. The majority of corporate IT security incidents are due to human error, whether a system misconfiguration or accidentally accessing malicious material. Whilst these errors cannot be prevented entirely, they can be significantly reduced with a proper programme of ongoing security training and awareness, regularly updated to take into account the latest threats.