7 steps to IoT data security

As the Internet of Things invades the enterprise, companies need to revamp their approach to protecting data


As the Internet of Things invades the enterprise, companies need to revamp their approach to protecting data because the old ways aren’t going to get the job done. Not in a world of 25 billion or more IoT devices connected to the Internet by 2020, as Gartner predicts.

So, what are the new challenges that IoT will present?

Basil Hashem, VMware


The biggest change IoT brings is a new scale to an organization's data protection strategy, both in terms of diversity of devices and volume of data that is generated, according to Basil Hashem, senior director of mobile strategy at VMware.

Nick Howell, technology evangelist for Cohesity, a converged storage solution provider, adds, “From a data protection perspective specifically, the more data you have, backup windows and second tertiary storage requirements, processes tend to grow exponentially. You get the hockey stick effect, and the continued sprawl of silos intended to handle this individually just can't be tolerated. New approaches have to be taken with the sheer amount of data.”

Jaspreet Singh, Druva


Jaspreet Singh, founder and CEO of Druva, a converged data protection provider, points out that not only will there be more data, it will be more dispersed. Consider the difference between having enterprise data living in one place -- your data center -- and having data flowing in from IoT devices located anywhere and everywhere.

“Data protection becomes more challenging because the vast majority of these devices and the networks they use to communicate are not under the control of enterprise IT. This is because IoT devices are often associated with operational technology (OT) like machinery, aircraft engines, within an automobile, etc. and continuously generate information about various device and environmental parameters (temperature, pressure, torque, etc.),” adds Hashem.

Clemens Vasters, Microsoft


That leads into the next challenge. “The biggest change that comes with the current Internet of Things wave is greater awareness of the existence of (often insular) operational technology systems. This new awareness often sparks the desire to integrate these systems with existing enterprise software for greater transparency, more efficient workflows and innovative approaches to business enabled by these new integration bridges,” says Clemens Vasters, principal architect for Azure IoT at Microsoft.

So, what should enterprises do to prepare for IoT?

1. Develop a strategy

When addressing IoT for enterprises that don’t have a data protection strategy, Microsoft’s Vasters recommends creating one that defines the principles and rules for how corporate data is handled, secured and safeguarded against loss, even under catastrophic circumstances.

The corporation doesn’t need to own and immediately control all places where data lives. But companies do need to know who holds that data and whether the operator policies are compatible, and to ensure that clear liability rules exist for noncompliance.

2. Assess risk

“I think it all comes down to starting with a risk assessment and risk analysis. I think that's the first piece of advice if I was sitting down with someone,” Marc Blackmer, product marketing manager, Industry Solutions, Security Business Group, Cisco, advises. Blackmer also recommends developing an asset catalog. He then recommends understanding the data flow model both within your applications and between your applications, along with any third-party integrations.

“So, part of the complexity we're talking about is the fact that there are a myriad of third parties talking to each other,” Blackmer says. “And that becomes very unruly and causes organizations to throw their hands up in the air.”

3. The human factor

Mark Hammond, senior manager, security practice, Cisco, recommends that companies take a number of steps, including conducting risk assessments, understanding and cataloging the data that you do have, minimizing sensitive data, then following best practices for data hygiene and security controls.

“And probably on top of that adding the complexity of all these interacting systems is obviously the human factor as well,” Hammond says. “So the policies and procedures that get attached to that, it's probably the other biggest change that folks are going to have to deal with.”

4. Think about procurement

Vasters says enterprises should consider whether to expand IT procurement policies to all networked digital assets. It’s common for corporate IT to require baseline security capabilities in all equipment, and to mandate that all software vendors address any detected security vulnerabilities promptly throughout the support life cycle.

5. Protect endpoints

Druva’s Singh advises looking at endpoints as your first line of defense as you onboard more IoT devices. He also advises making the information life cycle part of your decision-making process when you choose IoT management applications and devices as part of your enterprise strategy.

6. Break down silos

Howell says, “There are a massive amount of data protection silos happening out there and consolidating all of those into a single unified platform that can be dedicated to the management of this massive tier of secondary storage is key.”

Howell further recommends consolidation because too many companies are losing track of data at rest onsite, offsite and in the cloud. Companies need a complete overhead view of all of that data, including its age and location, in order to understand what they're truly working with.

“Just by virtue of getting yourself organized onto a centralized platform, you're going to eliminate the need for a lot of these silos that you've been using over the last 10 to 15 years if not longer,” Howell offered. “So there's going to be a massive cost saving associated as well. I think that's going to be required to offset the storage costs needed to house all of the data that the IoT era is going to generate.”

7. Address identity and encryption

Trent Telford, CEO of Covata, a secure enterprise-grade file storage and sharing solution provider, says, “Understand identity from a device perspective, not from a personal human perspective. Because all identity actually means is ‘do I want to trust a thing or a person’, so you've got to get your head around identity. That's a job for the enterprise because now every endpoint in a way is like the human you allow to log into your network, because now you're allowing a sensor or an endpoint.”

You’ll also need to address how you’ll roll out encryption or the management of all your keys, according to Telford. Key management is going to become difficult and will grow as a problem.

Kelly is a freelance writer. He can be reached at wtkelly@gmail.com.

This story, "7 steps to IoT data security," was originally published by Network World.

Copyright © 2015 IDG Communications, Inc.