As it develops and gains more and more use cases, the Internet of Things (IoT) continues to generate unprecedented amounts of data, making control of access to it increasingly important for companies.

According to the International Data Corporation (IDC), there are set to be over 41.6 billion IoT devices generating almost 80 zettabytes of data by 2025. With this in mind, we explore how companies can effectively and securely control access to this kind of data.

Dynamic authorisation

Firstly, organisations must ensure that IoT devices are configured properly, and that connections to company networks are secure.

According to Gary Richardson, managing director, emerging technology at 6point6, this can be aided by a dynamic authorisation process, which guards data against access by unauthorised personnel.

“Many companies are seeking ways to prevent unauthorised access to data to reduce the chance of data breaches,” he explained. “Badly configured IoT devices can easily expose businesses to hackers or allow data to be leaked. The advantage of some of the IoT frameworks is that they’ve been designed with security in mind, including their basic communications protocols, network architecture and hierarchy.”

Hewlett Packard Enterprise, IBM Watson, SAP and Cisco are among the companies that currently have their own IoT frameworks in place.

“Businesses, therefore, need finer-grained access control to protect the data flowing from IoT devices,” said Richardson. “One way of doing this is through dynamic authorisation, delivered with attribute-based access control (ABAC). This model enables companies to safely share IoT data across the whole organisation through only permitting authorised users to access sensitive data in the correct conditions.

“Businesses must ensure that the networks IoT devices are connected to are isolated and protected, with data encryption in transit and at rest including security of sensors and gateways.”
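To make the ABAC idea above concrete, here is an added example (not from the article or the people quoted in it) of a deny-by-default policy decision in which the same user and the same IoT data yield different answers depending on the conditions of the request. The attribute names, rules and sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    subject: dict      # who is asking: role, department, authentication state
    resource: dict     # the IoT data: sensitivity label, owning department
    action: str
    environment: dict  # conditions at request time: network, device, local time

def sensitive_read(r):
    """Sensitive telemetry: owning department only, and only in the correct conditions."""
    dept = r.subject.get("department")
    now = r.environment.get("local_time")
    return (r.action == "read"
            and r.resource.get("sensitivity") == "sensitive"
            and r.subject.get("authenticated") is True
            and dept is not None and dept == r.resource.get("owner_department")
            and r.environment.get("network") == "corporate"
            and r.environment.get("device_managed") is True
            and now is not None and time(7, 0) <= now <= time(19, 0))

def public_read(r):
    """Non-sensitive telemetry: any authenticated user may read it."""
    return (r.action == "read"
            and r.resource.get("sensitivity") == "public"
            and r.subject.get("authenticated") is True)

PERMIT_RULES = (sensitive_read, public_read)

def decide(request):
    """Deny by default; permit only when one rule's attribute conditions all hold."""
    for rule in PERMIT_RULES:
        if rule(request):
            return "permit", rule.__name__
    return "deny", "no rule matched"

# Constructed sample attributes (not from the article).
ENGINEER = {"authenticated": True, "department": "facilities", "role": "engineer"}
TELEMETRY = {"sensitivity": "sensitive", "owner_department": "facilities"}
OFFICE = {"network": "corporate", "device_managed": True, "local_time": time(10, 30)}
CAFE = {"network": "public-wifi", "device_managed": True, "local_time": time(10, 30)}

if __name__ == "__main__":
    for env in (OFFICE, CAFE):
        print(env["network"], decide(Request(ENGINEER, TELEMETRY, "read", env)))
```

Missing attributes fail closed: a request with no department or no local time never matches the sensitive rule.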

Keep an eye on device behaviours

Richardson went on to explain how anomalies within IoT activity can signal that action needs to be taken.

“Companies must also identify the behaviours and activities that are permitted by connected devices within the environment, and then implement controls that account for this, but simultaneously allow processes to continue,” he said.

“Virtual LANs or network segments can be restrictive and debilitating for IoT devices, so context-aware access controls throughout the network are a better way to permit appropriate actions and behaviours at the connection level as well as the command and data transfer levels. Anomalies and activities falling outside of the expected behaviours will then be identified and appropriate actions can be taken.”
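As an added illustration of the approach described above (not code from the article or the people quoted), the sketch below compares observed device events with a per-class profile of permitted behaviour at the connection, command and data-transfer levels, and reports anything outside it. The profiles, field names, addresses and events are all constructed assumptions.

```python
# Constructed per-device-class profiles of permitted behaviour (assumed values).
PROFILES = {
    "hvac-sensor": {
        "destinations": {("10.20.0.5", 8883)},   # internal MQTT-over-TLS broker
        "commands": {"PUBLISH", "PINGREQ"},
        "max_bytes_per_min": 4_096,
    },
    "ip-camera": {
        "destinations": {("10.20.0.9", 443)},    # internal video recorder
        "commands": {"POST"},
        "max_bytes_per_min": 5_000_000,
    },
}

def check_event(event):
    """Return the deviations for one observed event; an empty list means expected."""
    profile = PROFILES.get(event["device_class"])
    if profile is None:
        return ["unknown device class"]
    findings = []
    if (event["dst_ip"], event["dst_port"]) not in profile["destinations"]:
        findings.append("connection: unexpected destination")
    if event["command"] not in profile["commands"]:
        findings.append("command: not permitted for class")
    if event["bytes_last_min"] > profile["max_bytes_per_min"]:
        findings.append("transfer: volume above baseline")
    return findings

def triage(events):
    """Map device_id -> deviations, keeping only devices that left their profile."""
    report = {}
    for e in events:
        findings = check_event(e)
        if findings:
            report[e["device_id"]] = findings
    return report

# Constructed sample events (203.0.113.0/24 is a documentation address range).
EVENTS = [
    {"device_id": "hvac-01", "device_class": "hvac-sensor", "dst_ip": "10.20.0.5",
     "dst_port": 8883, "command": "PUBLISH", "bytes_last_min": 512},
    {"device_id": "hvac-02", "device_class": "hvac-sensor", "dst_ip": "203.0.113.7",
     "dst_port": 23, "command": "SUBSCRIBE", "bytes_last_min": 900_000},
    {"device_id": "cam-01", "device_class": "ip-camera", "dst_ip": "10.20.0.9",
     "dst_port": 443, "command": "POST", "bytes_last_min": 7_500_000},
    {"device_id": "tv-01", "device_class": "smart-tv", "dst_ip": "10.20.0.9",
     "dst_port": 443, "command": "GET", "bytes_last_min": 100},
]

if __name__ == "__main__":
    for device, findings in triage(EVENTS).items():
        print(device, findings)
```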

Data minimisation

In addition to monitoring activity and access, it may also be worth establishing a plan of action for eliminating excess data.

“Organisations should try to ensure data is obtained, collected and sent at one time to boost the efficiency of data transmission,” said Andy Simpson-Pirie, CTO at Cyberfort Group. “By implementing a data minimisation strategy it is easier to maintain information security.

“You can more accurately predict what’s being retrieved, where it’s going, and know what to look out for if something goes wrong. It’s like spinning three plates instead of six; while still not easy, it’s much more manageable.

“Building defensive depth across your IoT network will also strengthen access control. This is a strategy where you encrypt and protect your data at every stage of the network, whether it’s on the device itself, in transit or at the recipient system.

“The idea is to use different encryption mechanisms for each stage, turning the data into a moving target.”

The three A’s of security

Companies also shouldn’t forget the security measures that they have in place for other areas of the business, and should think twice before relying on settings already applied to devices without checking them.

“IT teams cannot forget to apply basic IT security policies when it comes to controlling access to IoT generated data,” Simpson-Pirie continued.

“The triple A process of access, authentication and authorisation should be applied to every IoT device. It’s imperative that each solution maintains a stringent security framework around it so there is no weak link in the chain.

“Security has long been a second thought with IoT, but the stakes are too high in the GDPR era to simply rely on default passwords and settings.”

Visibility and segmentation

Security is, by no means, the only important aspect to consider when controlling access to IoT data; there are also the matters of visibility, and having a backup plan for when security becomes weakened.

For Rob McNutt, CTO at Forescout, the latter can come to fruition by segmenting the network.

“Organisations need to have full visibility and control over all devices on their networks, and they need to segment their network appropriately,” he said.

“Firstly, you can’t protect your data from devices you cannot see. Without full visibility of all devices and their activities on a network, it is impossible to ensure that only authorised users and devices access your data.

“In the event a device is indeed compromised, network segmentation can stop bad actors from potentially moving laterally through the network and, in the process, access data that they shouldn’t.”