Recently I started a blog series on the Internet of Things (IoT) and the Software Defined Workplace. The first entry in the series looked at how the Software Defined Workplace could be impacted in an IoT enabled Enterprise, and most of the impacts discussed were listed as potential benefits. However, these benefits hinted at potential serious concerns around privacy and security. As the Enterprise gains more and more information about employees and the workplace, how does this change the approach to security? How do they manage and secure all of these new and interesting devices, sensors and things? As more information leads to clearer contextual information about employee activities, how does an organization secure and take advantage of this to enhance the employee experience without opening concerns about privacy? These are legitimate concerns that all organizations will be grappling with as the IoT enabled enterprise becomes a reality.
So let’s look at security within the context of the IoT enabled enterprise. Within an enterprise IoT deployment there will be three basic layers.
- First you have the device layer, the intersection of people, places and things that will facilitate the collection of contextual information.
- Second you have the data exchange layer. Think of this as the orchestration of connectivity, context and collaboration between users, devices, things and the cloud.
- Third you have the broader IoT ecosystem, consisting of services living locally or in the cloud providing guidance to the IoT enabled enterprise based on policies and rules, analytics and perhaps machine learning.
Having devices connect to services through a gateway facilitating data exchanges does not sound that different from a traditional network connectivity model. So does that mean that traditional network/internet security models (like TLS/SSL encryption) can apply? The answer here really depends on how the enterprise embraces IoT, but there is no doubt that there will be new challenges that the enterprise will face. Let’s take a look at a few of these challenges.
New Challenges in Securing IoT Devices
Securing devices in the IoT enabled Enterprise will share some similarities to how networked and user devices are secured and managed. Examples here include ensuring that physical access to sensors/things/devices/gateways are secure, ensuring that devices are properly updated/patched and ensuring that devices are provisioned and managed in a controlled fashion. Differences here relate to scale as the sheer number of devices that organizations need to be cognizant of could dwarf what they are accustomed to, and managing this scale will add complexity. Here are just a few examples:
- New types of devices to manage/monitor: With the Internet of Things, automation and intelligence will work its way into many parts of the office (think a smarter meeting room or traditional devices like printers that add intelligence, perhaps allowing you to automatically print to the nearest printer without having to do anything.). Many devices that are dumb today will become much smarter, either with intelligence built in or with added sensors that will monitor different devices and tasks.
- New BYOD (Bring-Your-Own-Device) challenges: Users will bring in new devices that will enhance their productivity. Wearables are already starting to appear, and there may be new devices that we are not even familiar with yet.
- Challenges in gaining access: Many of these new types of devices may not have a traditional user interface, making it difficult to configure security settings in a familiar way. Unlike a PC or a mobile device, it will be difficult to layer on 3rd party security to an IoT device like a sensor if it was not included by the manufacturer.
- Longevity of Devices: Some sensors and things are being designed to be easily thrown away, others are designed to last years and only connect sporadically.
All of these examples point to challenges in updating and accessing devices as well as keeping track of them all. These demands could easily flood IT unless a new trust model is embraced, and the importance of this will be reinforced as new threats from traditionally non-threatening devices emerge (see the key-logger hidden in a wall charger). What does this trust model look like? That is something we will take a look at as we continue this series.
New Challenges in Securing IoT Data Exchanges
More devices, sensors and things will lead to more data in motion, perhaps massively more as data flows between devices, gateways and the IoT services running on premise or in the cloud. Making sure these data flows are secure represents new challenges. Many of you will point out that securing data flows is a known problem, and that is true. The challenge here again will be the scale of information in motion, and how standards evolve for data exchanges from new devices, and if all of these new devices, sensors and things will follow standard encryption protocols.
Also, discreet instances of sensor data may not represent a breach of security and privacy. However when this data is aggregated at a gateway or with an analytics service, the data can be much more revealing. Just knowing that your thermostat lowered the temperature in your house may not be that interesting, but it becomes more interesting when a home controller shows data from thermostats, lights, doors and motion detectors that could lead someone to conclude you are on vacation. So how and where data is aggregated matters, and who is permitted access to the different data input and output layers will be very important as part of a comprehensive security strategy.
Another challenge relates to the decentralization of data exchanges. As the software defined workplace pushes the enterprise to become more virtual than they are today, more users, devices, services and information will exist outside the traditional corporate boundary. And the data exchanged between these points can be very personal and localized. This will serve to further accelerate the consumerization of IT and again will force IT to rethink how they manage identity, trust and boundaries (both physical and network boundaries).
New Challenges in Securing IoT Ecosystems
With securing devices and data exchanges, the aforementioned challenges related to scale and locality. It is easy to think about scale and locality as a problem strictly related to quantity. I.e., if I have more devices, services and data outside of traditional boundaries, than I will have new challenges. But you also need to think about scale in terms of where those devices sit within your organizational structure. The Internet of Things represents an opportunity to unify aspects of operational security, physical security and IT security. That opportunity also represents a new challenge as many organizations traditionally keep these functions separated. As the IoT touch points start to cover all aspects of the organization, this increased threat surface and it will take a unified approach to risk to stay on top of it all.
Securing this IoT ecosystem will not be just about devices and data, but it will be increasingly about people as well. Privacy frameworks in the IoT enabled, software defined workplace will need to be thought through as the touch points for personal data increase. How privacy and security policies intersect with identity management and managing trust will also be a new challenge.
This blog post serves mostly to identify many of the challenges at a conceptual level. With that context, I will pass the torch to some of our security experts within Citrix to drill in a bit deeper. In future blog posts we will discuss some of the options available to the enterprise, as well as discuss several different evolutionary paths emerging for IoT that may shake up traditional security models. So stay tuned as we continue on the path of discussing how the Internet of Things and the Software Defined Workplace will impact the Enterprise.
Good Reads on the IoT and Security:
- Curious on encrypting your Citrix Octoblu payload? Here’s how:
- Five ways to prepare for IoT security risks
- Some things to think of regarding IoT security in your organization
- Some examples on how IoT is changing enterprise security
- Security challenges with IoT will can come from the unexpected, just look at this DoS attack on a smart home
- Wearables will find a place in the Enterprise
- Much of the IoT hype is missing the point according to Tim O’Reilly, the IoT will be more about revolutionizing systems and not introducing new gadgets.
- A more humorous take on if we should be kicking robots
- Interested in sharing your opinions on IoT in the Workplace? Please take a look at this Citrix survey.
- Interested in learning more? Stay tuned for more blog entries in this series and consider registering for our upcoming IoT and Security webinar.