
IoT governance: how to deal with the compliance and security challenges

As the IoT becomes more prevalent across an organisation's network, the question of effective IoT governance becomes increasingly relevant.

Enterprises and organisations are increasingly using IoT devices to drive operational success by tapping into more data — but IoT governance is falling behind.

When implemented correctly, a growing network of IoT devices brings many benefits, including improved revenue and operational efficiency, lower costs and even the creation of new business models.

However, the more IoT and edge devices proliferate across an organisation's network, the greater the need for a stringent and effective IoT governance model.

Alan Grau, vice president of IoT/Embedded Solutions at Sectigo, explains: "From a governance standpoint, flooding enterprise networks with often insecure, non-authenticated devices raises serious concerns regarding compliance and the security of the network.

“The rapid growth of IoT has not been paralleled with a growth in device security, and insecure devices risk businesses being both insecure and non-compliant.”

The visibility problem behind this insecurity is borne out by a recent Panaseer study, in which security leaders cited IoT devices as the assets they have least visibility over.

"An IP address can rarely be found on an IoT device and even if it is, it's difficult to tell what the device's function is and what it's connected to. With multiple networks in different locations containing multiple devices, visibility naturally decreases. This leaves security teams completely in the dark about the risk individual devices pose and what vulnerabilities can be exploited by malicious actors," says Grant Duxbury, pre-sales engineering at Aptum Technologies.

To keep these devices secure and the business compliant, leaders can follow the steps below to establish IoT governance.

1. Checks and security review

When first enrolling IoT devices into an ecosystem, Duxbury suggests that rigorous checks need to be undertaken and that the manufacturer’s guidelines on the best ways to securely configure a device should always be reviewed.

"A full inventory mapping out each device and its function to increase visibility will help pinpoint each function at specific locations. End-to-end device management tools with monitoring, maintenance and automatic update capabilities should also be deployed to ensure each device is governed as efficiently as possible throughout its lifecycle," he adds.


2. Authenticate each device

Grau believes that the most important way of dealing with IoT governance across networks is to authenticate every single device.

“A vulnerable IoT device equates to a vulnerable network. Security needs to be comprehensive and total and start with device authentication,” he says.

Businesses taking advantage of an IoT network need to move beyond weak identity solutions, such as passwords.

Instead, to ensure correct IoT governance, Grau insists on “a management system that has insight into every device on the network and can ensure that these devices have the correctly implemented security protocols” as the way forward.

“An IoT management portal effectively governs the network by ensuring that all devices are authenticated, with the correct PKI solutions built in,” he adds.
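The certificate-based device authentication Grau describes, as an added example that is not Sectigo's code or the article's own: an enterprise-operated device CA issues each device a leaf certificate, and the management portal accepts a device only if the certificate it presents chains to that CA, is within its validity period and is marked for client authentication. The CA name, device identifiers, serial numbers and validity periods are constructed for illustration, and the keys are generated in memory rather than in an HSM as a real deployment would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed certificate authority. The CA key is generated in
// memory here for illustration; a production device CA would keep it in an HSM
// or a managed PKI service.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert signs a one-year leaf certificate for a single device. The
// device identifier goes in the CommonName so the verifier can recover it, and
// the certificate is restricted to client authentication.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticateDevice is the check a management portal runs when a device
// presents its certificate (for example during a mutual-TLS handshake). It
// returns the device identity only if the chain verifies to a trusted device
// CA at time `now` and the certificate is valid for client authentication.
func authenticateDevice(roots *x509.CertPool, presented *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("device certificate rejected: %w", err)
	}
	if presented.Subject.CommonName == "" {
		return "", errors.New("device certificate carries no device identity")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Example Corp Device CA") // constructed name
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	genuine, _ := issueDeviceCert(ca, caKey, "sensor-0001", 1001) // constructed ID
	id, err := authenticateDevice(roots, genuine, time.Now())
	fmt.Println("genuine device:", id, err)

	// A device whose certificate was signed by some other CA is refused, even
	// though the certificate itself is well-formed.
	rogueCA, rogueKey, _ := newCA("Unknown CA")
	rogue, _ := issueDeviceCert(rogueCA, rogueKey, "sensor-0001", 1001)
	_, err = authenticateDevice(roots, rogue, time.Now())
	fmt.Println("rogue device:", err)

	// The same genuine certificate is refused once its validity has lapsed.
	_, err = authenticateDevice(roots, genuine, time.Now().Add(400*24*time.Hour))
	fmt.Println("expired device:", err)
}
```

The point of the three checks in `authenticateDevice` is that the portal trusts the CA, not the device: a device that merely presents a plausible-looking certificate (the rogue case) or an old one (the expired case) never gets an identity, and the identity the portal does accept is the one the CA bound at issuance, not a value the device supplies.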

3. A governance structure

According to Ted Wagner, CISO at SAP NS2, the topics that should be included in any IoT governance program are “software and hardware vulnerabilities, and compliance with security requirements — whether they be regulatory or policy based.”

He refers to a typical use case of when a software flaw is discovered within an IoT device. In this instance, it is important to determine the severity of the flaw. Could it lead to a security incident? How quickly does it need to be addressed? If there is no way to patch the software, is there another way to protect the device or mitigate the risk?

“A good way to deal with IoT governance is to have a board as a governance structure. Proposals are presented to the board, which is normally made up of 6-12 individuals who discuss the merits of any new proposal or change. They may monitor ongoing risks like software vulnerabilities by receiving periodic vulnerability reports that include trends or metrics on vulnerabilities. Some boards have a lot of authority, while others may act as an advisory function to an executive or a decision maker,” Wagner advises.

“For optimal IoT governance you need transparency or visibility to risk, an efficient workflow to identify specific risks and a mechanism to act upon it to reduce risk to the organisation” — Ted Wagner

4. Data privacy

Janet Liao, principal product marketing manager at Talend, warns that businesses might be making a "knee-jerk reaction" when it comes to IoT governance.

Instead of focusing on "beefing up" data security, organisations should prioritise data privacy in any governance program.

She explains that at “the heart of IoT is the concept of the always-connected customer. Organisations are looking to capture, share and use the large volumes of customer data generated to drive a competitive edge.

"The problem is that under GDPR the definition of data privacy is broad, which may find many in hot water as they come to adopt IoT. This is because the regulation places far-reaching responsibilities on organisations to impose a specific 'privacy by design' requirement. What this means is that organisations must have in place the appropriate technical and organisational measures to ensure that data privacy is not an afterthought. Sadly, for most organisations, this is yet to be addressed properly and so will become ever-more complex as the data generated from IoT is introduced."


5. IoT governance depends on the data produced

Martin Garner, COO at CCS Insight, explains that “IoT governance should not be separated from the product or process that the IoT is being used in. Governance issues around using an autonomous vehicle or a factory robot will determine what’s required from the IoT system.

“The scope of governance ranges from the strength of the machine’s connection, the software stack, the quality of any machine learning and AI.”

He continues: “The key areas affecting IoT governance are whether IoT is built into a machine to make industrial processes more efficient or to help staff work better and keep them safe. It can include enabling a product that you sell to work better or allowing it to use a different business model. Each of these approaches has different governance requirements.

“The governance of IoT systems is strongly related to the data those systems produce — how critical and confidential it is for the user or organisation, and whether it handles personally identifiable information.”
