More data is being gathered today than ever before, potentially exposing private information to unintended viewers. Much of that exposure is due to the growing Internet of Things (IoT) ecosystem, where sensors and other nontraditional devices gather data that should be kept private, such as employee information, corporate data from resource management systems, and even data generated from a supply chain. Simply put, if an IoT device can provide enough information to associate an activity with an individual, then privacy can be compromised.
Protecting privacy is growing ever more important, thanks particularly to new laws such as the EU’s General Data Protection Regulation (GDPR) and the forthcoming California Consumer Privacy Act. Increasingly, the task of ensuring data privacy and protecting associated metadata is becoming the job of IT security professionals. And proliferating IoT devices generating volumes of data are making that job more complicated.
“With IoT, security and privacy are intertwined. No one should expect to be able to preserve privacy unless they implement a secure environment,” says Raj Mehta, CEO of RAJ Technologies, a Plainville, N.Y.-based integrator and IT services provider. “Securing IoT means taking a layered approach, where access to the devices [is] controlled, the associated data is encrypted, and auditable logs are recorded.”
Lack of industry standards, however, makes securing IoT a challenge. Most IoT devices use proprietary management interfaces, rely on dissimilar access controls, and lack any type of unified management. According to Mehta, that “forces IT professionals to focus on the data payloads and not the actual devices, potentially creating a path to compromise those devices.”
Best Practices Will Be Key
Bringing security and privacy control to IoT will require the adoption of best practices, backed by the policies and controls to enforce those best practices. “Critical best practices include knowing and controlling who has access to the data, establishing control of where data exists and how it should be categorized, and implementing effective controls to ensure that only those who should have access to the data actually do,” says Morey J. Haber, chief technology officer and chief information security officer at security vendor BeyondTrust.
Haber says to start by getting the basics right. “That means securing your privileged accounts, eliminating excessive user privileges, ensuring secure remote access to critical systems, prioritiz[ing] patching the vulnerabilities with known exploits, and reporting, reporting, reporting.”
Those basics are the foundation of trust. Building trust into the IoT ecosystem means adopting an approach of verifying access. Make sure that policies are in place to control access based upon need.
Haber further recommends incorporating privileged access and session management tools, which can provide an extensive layer to control who can gain access to consumer data. These tools also provide logs of activity should you need to review what was accessed.
When it comes to the burgeoning IoT ecosystem, Haber says, one thing is certain: “IoT devices will be those targeted most often, due to lax security standards built into many of these smart gadgets.”