By Andrew Hay, CISO, DataGravity
“What are the security implications of consumer Internet of Things (IoT) devices being introduced into modern business environments, and how do you protect your organization as a result?”
At RSA 2016 I was able to pose this question to a full room of business executives, IT architects, and security analysts who were responsible for dealing with this very real concern. Several participants in this Peer2Peer session shared that their primary concern when it comes to employee-owned IoT devices was not discovering that they were present, but rather gaining visibility into what was being transferred. As most IoT devices employ industry-standard SSL- or TLS-encapsulated communication sessions back to cloud-hosted management infrastructure, the participants were concerned that business data might be surreptitiously leaving the building without their knowledge.
Another conversation topic among most of the participants was the lack of security policies that specifically called out IoT devices—in fact, most organizations relied on existing (and often outdated) Bring Your Own Device (BYOD) policies to enforce some semblance of control. Unfortunately, those relying on BYOD policies admitted that the policies were behind the times (often citing first-generation mobile devices and BlackBerry mobile phones) and really couldn’t encompass the growing capabilities of IoT devices.
Participants agreed that the best course of action in dealing with employee-owned, BYOD-IoT devices was to:
- Monitor your network traffic to identify new or unexpected communications from network connected devices
- Relegate these devices to an untrusted and non-business connected network (such as a Guest WiFi network)
- Update existing, or create new, policies aimed at BYOD-IoT devices—and expect to update them frequently
- If possible, invest in Deep Packet Inspection (DPI) technology that has the ability to man-in-the-middle (MITM) encrypted network traffic
- Explicitly block unknown traffic at the perimeter and require certificate-based authentication for devices authorized to connect to your network
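The first recommendation, monitoring for new or unexpected communications, is the one that lends itself to a concrete check. The following is an added example, not code from the post or from DataGravity: it learns a per-device baseline of outbound destinations from a known-good period and then flags devices that were not in the baseline, destinations a known device has never contacted, and unusually large outbound transfers (the "data leaving the building" concern above). The flow-record layout, addresses and hostnames are constructed for illustration; adapt the parser to your own firewall or NetFlow export.

```python
"""Flag IoT devices and outbound destinations not seen in a learned baseline."""
from collections import defaultdict

# Constructed sample flow records: src_ip dst_host dst_port bytes_out.
# The field layout is an assumption; adapt parse_flows() to your real export.
BASELINE_FLOWS = """
10.20.0.11 hub.vendor-a.example 443 1800
10.20.0.11 time.vendor-a.example 123 120
10.20.0.12 cam.vendor-b.example 443 52000
"""
NEW_FLOWS = """
10.20.0.11 hub.vendor-a.example 443 1900
10.20.0.12 cam.vendor-b.example 443 51000
10.20.0.12 upload.unknown-cdn.example 443 48000000
10.20.0.13 api.vendor-c.example 8883 900
"""

def parse_flows(text):
    """Turn whitespace-separated records into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, nbytes = line.split()
        flows.append((src, dst, int(port), int(nbytes)))
    return flows

def build_baseline(flows):
    """Map each device address to the set of (host, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port, _ in flows:
        baseline[src].add((dst, port))
    return baseline

def find_unexpected(flows, baseline, byte_threshold=10_000_000):
    """Return alerts for new devices, new destinations and large outbound transfers."""
    alerts = []
    for src, dst, port, nbytes in flows:
        if src not in baseline:
            alerts.append(("new-device", src, dst, port))
        elif (dst, port) not in baseline[src]:
            alerts.append(("new-destination", src, dst, port))
        if nbytes >= byte_threshold:
            alerts.append(("large-upload", src, dst, port))
    return alerts

if __name__ == "__main__":
    known = build_baseline(parse_flows(BASELINE_FLOWS))
    for alert in find_unexpected(parse_flows(NEW_FLOWS), known):
        print(*alert)
```

Because IoT traffic is TLS-encapsulated, destination host and port (plus volume) are usually all the visibility you get without the DPI/MITM approach in the fourth recommendation, which is why baselining on those fields is worthwhile even on a guest network.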
I wish we had been able to devote more time to exploring concerns and mitigation strategies for consumer IoT devices in the enterprise, and even to rotate additional participants into the discussion. This is certainly not a problem that will disappear anytime soon, so expect to see continued discussions, research, and exploitation surrounding IoT devices as time goes forward.
Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Hay was the Director of Research at OpenDNS (acquired by Cisco) and was the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc. Hay previously served as a Senior Security Analyst for 451 Research’s Enterprise Security Practice (ESP).