By: Fredric Paul
Not so long ago, the phrase “consumerization of IT” was on everyone’s lips. Whole publications and conferences (remember CITE, for Consumerization of IT in the Enterprise?) were created to chronicle the trend of corporations relying on products and services originally created for consumers — which was often easier to use and of higher quality than its business-oriented competitors.
Well, no one talks much about the consumerization of IT anymore… not because the trend went away, but because consumer tech has now permeated every aspect of business technology. Today, it’s just how things work — and if you ask me, that’s a good thing.
The consumerization of enterprise IoT
But now, in 2018, a variation of the concept is returning in the world of IoT, and it’s raising many of the same concerns around reliability and, especially, security.
It turns out that in addition to the “enterprise grade” Internet of Things (IoT) devices they buy, corporate IT teams also have to deal with “consumer-grade” devices that may enter the company via a variety of channels, from non-IT company purchases to staff members bringing them in on their own. Examples include smart TVs, thermostats, smart speakers, fitness trackers, video cameras … basically anything connected to the company network that isn’t a computer, a phone, or router.
Not surprisingly, these devices often lack the comprehensive security features more commonly found on IoT products designed for enterprise use.
Worse, perhaps, IT teams may not even be aware that these devices are being connected to their networks, much less be able to plan for their security.
Online Trust Alliance IoT device checklist
To help enterprises cope with these new vulnerabilities, the Online Trust Alliance, now an Internet Society initiative, has developed a checklist for dealing with these “consumerization of IoT” devices in enterprise environments.
Many have a simple or non-existent user interface, default (or hardcoded) passwords, open hardware and software ports, limited local password protection, lack the ability to be updated, “phone home” frequently, collect more data than expected and use insecure backend services.
The consequences of using these devices range from unauthorized access to other enterprise systems, to surveillance via audio, video and data, to use of those devices to attack other connected devices or services.
According to the OTA, enterprises must “fully consider the possible risks introduced by these devices, understand that IoT devices are likely more vulnerable than traditional IT devices, educate users on IoT device risks, and strike a balance between controlling IoT devices vs. creating “shadow IoT.” (That’s another buzz phrase that you don’t hear as much about these days.)
Key IoT security checklist items
Doing all that is hardly trivial, so while you can download a PDF of the entire checklist here, it’s worth calling out some of the key best practices. In addition to fairly obvious ones, such as products with hard-coded passwords, the checklist includes more-substantive advice:
- Relegate IoT devices to a “separate, firewalled, monitored network,” just as you would in guest networks. “This allows you to restrict incoming traffic, prevent crossover to your core network, and profile traffic to identify anomalies.”
- Turn off stuff that’s not being used. That may seem obvious, but the checklist also recommends the “physical blocking/covering of ports, cameras, and microphones.”
- Ensure that people can’t physically access these IoT devices to reset the passwords, etc.
- Enable encryption whenever possible, and consider allowing only devices that support encryption to connect to your networks. If that’s not possible, “consider using a VPN or other means to limit data exposure.”
- Keep firmware and software updated (via automatic updates or monthly checks). Avoid products that cannot be updated, follow the lifecycle of all devices, and remove them from service when they are no longer updatable or secure.
IoT security continues to evolve, and checking off every item on the OTA list won’t provide complete protection. But these are straightforward best practices that can help mitigate the risk. Ignore them at your peril.