The Internet of Things is more than a buzzword. It represents a significant challenge to IT managers. Instead of building networks for thousands of endpoints, we can add at least one order of magnitude to that. How we manage network traffic, security, data volumes and skills will all be impacted.
Much of the hoopla around the IoT has centred on two main areas - the volume of data these devices can collect and security. But I think there's a little more to it. And even those issues are often dealt with only superficially.
The security issues around IoT are myriad. But I think we need to start with the basics - do you trust the company making the device?
A good example of this is the recent discovery of a directory traversal flaw in commercial Miele dishwashers. That such a significant bug was found is noteworthy. But while Miele might be a trusted brand when it comes to appliances, they have no reputation, good or bad, and seemingly limited experience in producing networked devices.
And when that flaw was discovered last year, the company had no mechanism in place for reporting the issue.
There's no way to install end-point protection software on many IoT devices. That means you need to take a radically different approach to security based on device behaviour, mainly through network traffic analytics. The only way to detect a breached device will be to carefully monitor and curate all inbound and outbound traffic from a device.
IoT devices will find their way into your business just as unauthorised applications have.
For example, a large high-definition display may be installed in your boardroom. Or a staff member might bring a desk lamp with a smart lightbulb installed to their workstation. Or a security company working with the facilities team installs some security cameras and a PVR but neglects to tell you that they have enabled remote access.
IT managers will need to regularly sweep the office for devices that have been unexpectedly connected to the network. That will mean looking for devices as well as network scanning for unexpected traffic.
While whitelisting might have been effective in the past, in large organisations where there is a steady turnover of devices, this can be challenging to manage unless you employ automation.
Network Traffic Management
One of my main concerns stems from the inexperience of many device makers and their lack of understanding of the impact a device can have on network traffic.
The volume of devices - adding IP-connected cameras, connected devices in a boardroom, as well as smart screens in meeting spaces, intelligent lighting systems, climate management and even connected kitchen appliances - will be a management challenge. And if all those devices start sending traffic across your network and to external services, your pipes are going to fill faster than you expected - particularly if the makers made the devices very chatty.
Whenever a new device is being considered for addition to the network, it should be tested to see what traffic it will add. In my discussions with device makers, they rarely consider what will happen when a thousand of their devices are installed together.
You may need to reconsider how you segment your network, how you define trusted and untrusted devices, and change your traffic monitoring and alerting rules.
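One way to automate the device sweep and the per-device traffic checks described above, as an added example that is not part of the original article. The inventory format, flow-record fields, MAC addresses, networks and byte budgets are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: approved devices, the networks each may talk to,
# and a byte budget for the audit window (assumed values).
INVENTORY = {
    "00:11:22:aa:bb:01": {"name": "boardroom-display",
                          "allowed": ["10.20.0.0/24"], "max_bytes": 5_000_000},
    "00:11:22:aa:bb:02": {"name": "lobby-camera",
                          "allowed": ["10.20.0.10/32"], "max_bytes": 50_000_000},
}

# Constructed flow records: (source MAC, destination IP, bytes). In practice
# these would come from switch/firewall flow export joined with DHCP or ARP data.
FLOWS = [
    ("00:11:22:aa:bb:01", "10.20.0.5", 1_200_000),
    ("00:11:22:aa:bb:02", "10.20.0.10", 30_000_000),
    ("00:11:22:aa:bb:02", "203.0.113.7", 4_000),    # camera reaching an external host
    ("00:11:22:aa:bb:01", "10.20.0.5", 4_500_000),  # display now over budget in total
    ("DE:AD:BE:EF:00:01", "198.51.100.9", 900),     # device not in the inventory
]

def audit(flows, inventory):
    """Return sorted (mac, finding) tuples: unknown devices, traffic to
    destinations outside a device's allowed networks, and devices whose
    total volume exceeds their budget."""
    findings = set()
    totals = defaultdict(int)
    for mac, dst, nbytes in flows:
        mac = mac.lower()
        entry = inventory.get(mac)
        if entry is None:
            findings.add((mac, "unknown-device"))
            continue
        totals[mac] += nbytes
        if not any(ip_address(dst) in ip_network(net) for net in entry["allowed"]):
            findings.add((mac, f"unexpected-destination:{dst}"))
    for mac, total in totals.items():
        if total > inventory[mac]["max_bytes"]:
            findings.add((mac, f"over-budget:{total}"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(FLOWS, INVENTORY):
        print(mac, finding)
```

The same byte budget can double as the pre-connection test result: measure one device in isolation, record its volume, and alert when the deployed fleet departs from it.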
Consumer vs Enterprise
This isn't a new problem for IT management but I think it's one that will be exacerbated by IoT.
For the last 20 years, we've heard users tell us that the computers they buy for home are faster and cheaper than what we supply. However, when we take the time to explain the cost of supporting a fleet, software licensing and the infrastructure it takes to manage hundreds or thousands of devices they start to understand (hopefully) why the $400 PC might not be a good fit for the office.
I think we will have the same challenges with IoT. We will need to educate the business as to why an internet-connected smart TV might not be a good fit for the boardroom.
Don't be the department of "No"
Running robust and resilient infrastructure is not easy. And IT managers are rightly concerned about the impact that devices with no security pedigree can have on the operation of a business.
But rather than automatically saying "No" to requests to connect these new types of hardware, I think it's important to establish a set of rules for connecting devices to the network. For example, you might tell the business that any device connected to the network needs to:
- Come from a reputable vendor of network-connected devices
- Be tested before connection
- Not impact the company's data risk policy
- Be configurable so the flow of network traffic to and from the device can be controlled
This will help them understand your priorities and give them some guidance before they bring a device to you for connection to the network.