IoT governance: how to deal with the compliance and security challenges

As the IoT becomes more prevalent across an organisation's network, the question of effective IoT governance becomes increasingly relevant
Enterprises and organisations are increasingly using IoT devices to drive operational success by tapping into more data — but IoT governance is falling behind.
When implemented correctly there are many benefits of utilising a growing network of IoT devices, including improved revenue and operational efficiency, lower costs and even the creation of new business models.
However, the more IoT and edge devices proliferate across an organisation’s network, the greater the need for a stringent and effective IoT governance model.
Alan Grau, vice president of IoT/Embedded Solutions at Sectigo, explains: “From a governance standpoint, flooding enterprise networks with often insecure, non-authenticated devices raises serious concerns regarding compliance, and the security of the network.
“The rapid growth of IoT has not been paralleled with a growth in device security, and insecure devices risk businesses being both insecure and non-compliant.”
This lack of visibility, and the insecurity that follows from it, is backed up by a recent Panaseer study, in which security leaders cited IoT devices as the assets they have least visibility over.
“An IP address can rarely be found on an IoT device and even if it is, it’s difficult to tell what the device’s function is and what it’s connected to. With multiple networks in different locations containing multiple devices, visibility naturally decreases. This leaves security teams completely in the dark for the risk individual devices pose and what vulnerabilities can be exploited by malicious actors,” says Grant Duxbury, pre-sales engineering at Aptum Technologies.
To keep these devices secure and the business compliant, leaders can follow the steps below to establish IoT governance.
1. Checks and security review
When first enrolling IoT devices into an ecosystem, Duxbury suggests that rigorous checks need to be undertaken and that the manufacturer’s guidelines on the best ways to securely configure a device should always be reviewed.
“A full inventory mapping out each device and its function to increase visibility will help pinpoint each function at specific locations. End-to-end device management tools with monitoring, maintenance and automatic update capabilities should also be deployed to ensure each device is governed as efficiently as possibly throughout its lifecycle,” he adds.
2. Authenticate each device
Grau believes that the most important way of dealing with IoT governance across networks is to authenticate every single device.
“A vulnerable IoT device equates to a vulnerable network. Security needs to be comprehensive and total and start with device authentication,” he says.
Businesses taking advantage of an IoT network need to move beyond weak identity solutions, such as passwords.
Instead, to ensure correct IoT governance, Grau insists on “a management system that has insight into every device on the network and can ensure that these devices have the correctly implemented security protocols” as the way forward.
“An IoT management portal effectively governs the network by ensuring that all devices are authenticated, with the correct PKI solutions built in,” he adds.
3. A governance structure
According to Ted Wagner, CISO at SAP NS2, the topics that should be included in any IoT governance program are “software and hardware vulnerabilities, and compliance with security requirements — whether they be regulatory or policy based.”
He cites a typical case: a software flaw is discovered in an IoT device. The first task is to determine the severity of the flaw. Could it lead to a security incident? How quickly does it need to be addressed? If there is no way to patch the software, is there another way to protect the device or mitigate the risk?
“A good way to deal with IoT governance is to have a board as a governance structure. Proposals are presented to the board, which is normally made up of 6-12 individuals who discuss the merits of any new proposal or change. They may monitor ongoing risks like software vulnerabilities by receiving periodic vulnerability reports that include trends or metrics on vulnerabilities. Some boards have a lot of authority, while others may act as an advisory function to an executive or a decision maker,” Wagner advises.
“For optimal IoT governance you need transparency or visibility to risk, an efficient workflow to identify specific risks and a mechanism to act upon it to reduce risk to the organisation” — Ted Wagner
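The triage questions above (how severe, how fast, and what if no patch exists) and the periodic metrics Wagner describes, worked through as an added example that is not from the article or from any of the organisations quoted; the inventory, SLA values, escalation rule and advisory ids are constructed placeholders:

```python
from dataclasses import dataclass

# Constructed inventory (step 1): device id -> function, location and network segment.
INVENTORY = {
    "cam-017": {"function": "CCTV camera", "location": "Warehouse B", "segment": "ot-cameras"},
    "hvac-03": {"function": "HVAC controller", "location": "HQ plant room", "segment": "bms"},
}

# Assumed board SLA: days allowed to remediate, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ESCALATE = {"high": "critical", "medium": "high"}  # assumed rule for internet-exposed devices

@dataclass
class Finding:
    device_id: str
    advisory: str           # placeholder ids in the sample data, not real advisories
    severity: str           # "critical" | "high" | "medium" | "low"
    patch_available: bool
    internet_exposed: bool = False

def triage(f: Finding) -> dict:
    """Work through the board's questions: how severe, how fast, and what if no patch exists."""
    dev = INVENTORY.get(f.device_id)
    if dev is None:
        # A finding on a device nobody inventoried is itself the visibility risk to report.
        return {"device": f.device_id, "severity": "unknown", "days": 1,
                "action": "locate device, record function/location, then re-triage"}
    sev = ESCALATE.get(f.severity, f.severity) if f.internet_exposed else f.severity
    if f.patch_available:
        action = "patch firmware"
    else:  # no fix available: compensate by limiting what the device can reach
        action = f"isolate in segment '{dev['segment']}' and allow only required peers"
    return {"device": f.device_id, "location": dev["location"],
            "severity": sev, "days": SLA_DAYS[sev], "action": action}

def board_report(findings: list) -> dict:
    """Periodic report for the governance board: per-item actions plus trend metrics."""
    items = [triage(f) for f in findings]
    by_severity = {}
    for it in items:
        by_severity[it["severity"]] = by_severity.get(it["severity"], 0) + 1
    unpatchable = sum(1 for f in findings if f.device_id in INVENTORY and not f.patch_available)
    return {"by_severity": by_severity, "unpatchable": unpatchable, "items": items}

# Constructed sample findings; advisory ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("cam-017", "ADV-PLACEHOLDER-1", "high", patch_available=True, internet_exposed=True),
    Finding("hvac-03", "ADV-PLACEHOLDER-2", "medium", patch_available=False),
    Finding("plc-99", "ADV-PLACEHOLDER-3", "low", patch_available=True),
]
```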
4. Data privacy
Instead of focusing on “beefing up” data security, organisations should prioritise data privacy in any governance program.
She explains that at “the heart of IoT is the concept of the always-connected customer. Organisations are looking to capture, share and use the large volumes of customer data generated to drive a competitive edge.
“The problem is that under GDPR the definition of data privacy is broad, which may find many in hot water as they come to adopt IoT. This is because the regulation places far-reaching responsibilities on organisations to impose a specific ‘privacy by design’ requirement. What this means is that organisations must have in place the appropriate technical and organisational measures to ensure that data privacy is not an afterthought. Sadly, for most organisations, this is yet to be addressed properly and so will become ever-more complex as the data generated from IoT is introduced.”
5. IoT governance depends on the data produced
Martin Garner, COO at CCS Insight, explains that “IoT governance should not be separated from the product or process that the IoT is being used in. Governance issues around using an autonomous vehicle or a factory robot will determine what’s required from the IoT system.
“The scope of governance ranges from the strength of the machine’s connection, to the software stack, to the quality of any machine learning and AI.”
He continues: “The key areas affecting IoT governance are whether IoT is built into a machine to make industrial processes more efficient or to help staff work better and keep them safe. It can include enabling a product that you sell to work better or allowing it to use a different business model. Each of these approaches has different governance requirements.
“The governance of IoT systems is strongly related to the data those systems produce — how critical and confidential it is for the user or organisation, and whether it handles personally identifiable information.”