IoT: Get Security Right The First Time

Let’s start building security into the Internet of Things now, before everything becomes connected — and hackable. The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion. While there’s excitement about IoT’s potential to create new business and boost productivity and convenience, the technology community can’t forget about security. If there’s one thing IT professionals know, it’s that if something is connected to the Internet, someone will try to hack it. Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We’ve already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors. In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit. Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity. However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys. A...

Why a User-Centric Approach is Required for Network Security

Is your enterprise one of the many that are “subject to the whims of fickle consumer-business users” when it comes to adopting new technology? That’s how Clorox CIO and vice president Ralph Loura framed the current state of enterprise tech and the Bring Your Own Device (BYOD) trend when he appeared earlier this month on a panel of CIOs at the Westin St. Francis Hotel in San Francisco. He couched his message by saying that even though enterprises may try to be user-centric, employees constantly make new technology demands—and change them often—making it difficult for enterprises to fulfill their every request, even if it would make life easier for users. With employees demanding network access for many different types of devices, operating systems and applications, a CIO’s job has never been harder. But do employees always know what’s best for network security? According to Loura, “User-led is not the same as user-centric … User-centric is about looking at and understanding the need, not the ask.” A user-led approach gives power to employees and requires the enterprise to adopt most or all user suggestions – a clear risk. And risk is not something Loura, like many CIOs, has ever been comfortable with. During a panel hosted by Okta Inc. back in April, he said that he is careful about innovation spend. He stays risk averse, yet searches for those investments that will yield the highest return. In the case of enterprise tech, he said that when users ask him to support a new enterprise technology, i.e., a piece of hardware or an application, he doesn’t automatically accept their request. Instead, he adds that...

New Ways to Secure Mobile Devices for BYOD

The discussion on BYOD centers on whether employees working more efficiently on their personal devices is worth whatever network security vulnerabilities are sown when enterprises allow numerous devices and operating systems to access their networks. As a compromise between employees and employers that brings everyone onto the same page, a BYOD policy helps. But it doesn’t completely reconcile the interests of both employees and employers, as work efficiency and enhanced network security are far too often seen as mutually exclusive concepts. That’s why new technologies that could help employers to secure mobile devices are so appealing. So, what are these technologies, and do they really provide any greater benefit than existing BYOD policies and approaches?

A ‘Kill Switch’ Could Give New Life to BYOD

A new bill working its way through the California legislature would require mobile device manufacturers to equip their products with a “kill switch” that would allow users to remotely disable phones should they get lost or stolen. The thinking is that if potential thieves knew there was a chance a stolen phone could be rendered useless by a kill switch, they would have less incentive to steal one. If that bill, SB 962, becomes law and begins a national trend, could it also make BYOD more appealing to enterprises? No, according to FierceCIO contributor Jeff Rubin. The problem with kill switches, as a supplement, or even a full-fledged alternative, to BYOD policies, is that they don’t really place any power back in the hands of the enterprise. The device is still the employee’s, as is the decision to disable it. Legally, the employer cannot compel...

Will Network Security Concerns Sink Government BYOD?

The Department of Homeland Security (DHS) issued a warning last week that the computer network of a public utility company had been compromised by a “sophisticated threat actor,” likely through a brute force password attack. Although the utility company repelled the attack, and there is no evidence that operations were affected, the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released news of the incident in its January-April 2014 report to highlight “the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.” This attack illustrates why the infiltration of government infrastructure is such a serious national security concern. Just a few months ago, the Federal Energy Regulatory Commission reported that a coordinated attack on even just nine of the country’s 55,000 electrical-transmission substations could cause a “coast-to-coast blackout.” Given these stakes, government agencies have a responsibility to provide the highest level of security to all endpoints, from legacy ICS terminals to employees’ personal mobile devices, especially in an era where Advanced Persistent Threats (APTs) are becoming commonplace. Every endpoint must now be secured, because hackers are constantly searching for new vectors they can exploit. At the same time, the government has to secure more endpoints than ever, as employees are increasingly connecting to government networks remotely due to the growing Bring Your Own Device (BYOD) and telecommuting trends. These converging sea changes require the government to rethink its network security approach. In August 2012, the Digital Services Advisory Group and Federal Chief Information Officers Council laid the groundwork for...

BYOD and Its Risks to Network Security

In the not-so-distant past, when enterprises lacked ubiquitous high-speed Internet connections and the means to provide employees with remote access, organizations were far more likely to enforce strict working hours than they are today. After all, work wouldn’t get done if employees weren’t present. Mobile technology has since enabled the growing trend of remote work, allowing employees to work from anywhere at any time. As a result, many employers have become more flexible in their expectations of employees and in their definition of “the workday.” But where they shouldn’t be more flexible, and where many are actually falling behind, is in governing how employees use personal mobile devices for work purposes and their remote access to the corporate network.

Are Employees Bringing Their Own Security Problems, Too?

Bring-your-own-device (BYOD) is now more of the norm than a new, disruptive trend. According to a new study by Gartner, more than half of the 995 employees it surveyed said they use their personal devices for work purposes for more than an hour each day. For companies, every second that sensitive information is leaving the corporate network, it could be exposed. In a perfect world, employees would never experience security problems with their personal mobile devices while using them for work purposes, and 100 percent of those few who did would report incidents to the appropriate personnel at their company. The reality is vastly different. Gartner found that about one-quarter of users have had a security issue with their personal mobile device at work, and only 27 percent of these victims have reported the incident. These numbers suggest that organizations...