From Toasters to Cars – Security in the Age of IoT
IoT Needs Security Everywhere
Smart devices can not only send and retrieve data via a company's networks — or a consumer's home LAN — but some IoT units can also transmit without touching a network at all, using their own antennae. Given the data access most of them have — including, in some cases, control of microphones and cameras — they represent a massive security risk.
IoT devices are part of an exponential increase in vulnerable endpoints because the nature of these devices means that they are continually creating new “holes” in our cyber defenses, where sensitive data can leak. Twenty years ago, for example, there was no data leak potential coming from mechanical deadbolts or a kitchen appliance. That’s no longer true.
This vastly increased threat surface is problematic because it makes the task of monitoring relevant activity far more difficult. On top of all the other advantages for threat actors is the simple fact that many of these devices legitimately need to communicate with their owners or manufacturers, sometimes continuously, whether for software patches or to access updated operational data.
An IoT thermostat, for example, might need constant feeds about outside temperatures, as well as the temperature at various points in the building. With hundreds of temperature updates arriving on a given day, it is entirely feasible for a malicious executable to be hidden in one of them and go unnoticed.
In the corporate enterprise world, CISOs are increasingly limited by budget restrictions, and by a global shortage of sufficiently skilled security personnel — particularly security analysts — with experience in the latest IoT threats. Add to that the fact that departments outside of IT and security (such as maintenance or facilities) might think nothing of adding new IoT devices without notifying or getting permission from IT/security. This has much the same effect as when employees circumvent security protocols — often by way of untested cloud environments — in order to get their jobs done. This further complicates matters for CISOs, who can't protect devices that they don’t know about.
That said, if a sufficiently strong security layer from a trusted source is placed atop all these IoT devices, it could negate these security and privacy problems. Such a security layer would not only need to employ robust authentication to make sure that data transfers go only to authorized entities, but it would also need to track and control all means of communications from IoT devices, both to prevent a thief from using stolen credentials, and to stop an authorized person from misusing their level of access.
Zero Trust Network Access and IoT
Just as IoT poses radically new and insidious security threats, an effective response requires an equally powerful and radical rethinking of security methodologies. Zero trust network access (ZTNA), a security approach not deployed often enough, should no longer be considered optional, given the threat of virtually infinite endpoints in the age of IoT.
Perimeter defenses, where a system checks credentials initially upon entry, and then grants or denies full privileges and access for the duration of a session, won't work anymore. In this IoT age, the only viable approach is continuous authentication, where initial access is approved but the system constantly watches what the user does and continues to check if the user is indeed authorized. This can include very specific behavioral authentications such as, “Are they hitting the keys with the speed typical of this user?” On a mobile device, it could be, “Is the phone being held at the usual angle, or are the keys being pressed with typical force?”
It also includes behavioral actions such as, "Are the users accessing the folders they typically access? Are they downloading far more data than usual? Is the session far longer than typical? Is the day/hour of access or location suspect?"
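To make the continuous-authentication checks above concrete, here is an added example (not part of the original article, and not BlackBerry's code) that builds a behavioral baseline from a user's past sessions and scores a live session on the signals the text lists: folders accessed, download volume, session length, and hour of access. The session records, the z-score threshold, the per-signal weights, and the allow/step-up/terminate cut-offs are all constructed assumptions for illustration, not figures from the article.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    """One observed session for a user (all fields are constructed sample data)."""
    user: str
    hour: int                 # local hour of day, 0-23
    folders: frozenset        # folders touched during the session
    bytes_downloaded: int
    duration_min: int


@dataclass(frozen=True)
class Baseline:
    """Summary of a user's normal behaviour, learned from past sessions."""
    usual_folders: frozenset
    usual_hours: frozenset
    dl_mean: float
    dl_std: float
    dur_mean: float
    dur_std: float


def _spread(values):
    # Assumption: floor the standard deviation at 10% of the mean (and at 1.0) so a
    # very uniform history does not turn every small deviation into a huge z-score.
    return max(pstdev(values), 0.1 * mean(values), 1.0)


def build_baseline(history):
    """Turn a list of past Sessions into a Baseline for the same user."""
    downloads = [s.bytes_downloaded for s in history]
    durations = [s.duration_min for s in history]
    return Baseline(
        usual_folders=frozenset().union(*(s.folders for s in history)),
        usual_hours=frozenset(s.hour for s in history),
        dl_mean=mean(downloads), dl_std=_spread(downloads),
        dur_mean=mean(durations), dur_std=_spread(durations),
    )


def score_session(session, baseline, z_threshold=3.0):
    """Return (risk_score, reasons) for a live session measured against the baseline.

    Each behavioural signal from the text adds to the score; the reasons list explains
    the verdict so an analyst can review it. Weights and threshold are assumptions.
    """
    score, reasons = 0, []

    new_folders = session.folders - baseline.usual_folders
    if new_folders:                                   # folders the user never touched before
        score += 1
        reasons.append(f"unusual folders: {sorted(new_folders)}")

    z_dl = (session.bytes_downloaded - baseline.dl_mean) / baseline.dl_std
    if z_dl > z_threshold:                            # far more data than usual
        score += 2
        reasons.append(f"download volume {z_dl:.1f} std devs above normal")

    z_dur = (session.duration_min - baseline.dur_mean) / baseline.dur_std
    if z_dur > z_threshold:                           # session far longer than typical
        score += 1
        reasons.append(f"session length {z_dur:.1f} std devs above normal")

    if session.hour not in baseline.usual_hours:      # access at an atypical hour
        score += 1
        reasons.append(f"access at hour {session.hour:02d} is outside usual hours")

    return score, reasons


def decide(score):
    """Map a risk score to a continuous-authentication action (cut-offs are assumptions)."""
    if score >= 3:
        return "terminate"   # revoke the session, alert the SOC
    if score >= 1:
        return "step-up"     # require re-authentication before continuing
    return "allow"


# Constructed history for a fictional user: office hours, two folders, modest downloads.
ALICE_HISTORY = [
    Session("alice", h, frozenset(f), b, d)
    for h, f, b, d in zip(
        [9, 10, 9, 11, 14, 13, 10, 9, 15, 16],
        [["/finance/reports"], ["/shared/templates"]] * 5,
        [45_000_000, 52_000_000, 38_000_000, 60_000_000, 41_000_000,
         55_000_000, 47_000_000, 50_000_000, 43_000_000, 58_000_000],
        [45, 60, 30, 75, 50, 65, 40, 55, 48, 70],
    )
]


if __name__ == "__main__":
    baseline = build_baseline(ALICE_HISTORY)
    live = Session("alice", 3, frozenset({"/finance/reports", "/hr/payroll"}), 900_000_000, 240)
    score, reasons = score_session(live, baseline)
    print(decide(score), score, reasons)
```

The point of returning reasons alongside the score is that a continuous-authentication system must be explainable: an analyst reviewing a terminated session needs to see which behavioral signal tripped, and a step-up prompt should be traceable to a single weak signal rather than a black-box verdict.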
Artificial intelligence (AI) approaches, such as machine learning (ML), also have a critical role to play. That is because IoT devices can collectively generate an avalanche of interactions simultaneously, far too many actions for human analysts to track. If the consumer or business has any hope of detecting an ill-intentioned action in time to prevent critical data from being stolen, the speed and automation that ML offers are essential.
Enterprises also need to reduce security stack complexity, which in turn will increase efficiency and improve the ROI (return on investment) and TCO (total cost of ownership) that CISOs can report to their CFOs.
This new security approach must be tailored to how individual businesses and people work today — with IoT, cloud, and data shifting rapidly to various mobile devices — rather than a “bolt-on” approach where new defenses are deployed on top of old ones. Deploying incremental improvements that increase security only slightly can result in opening new cracks and holes where data can leak or be stolen.
Human-Proofing Security
BlackBerry’s approach to ZTNA delivers the protections needed today, while reducing authentication friction, thereby boosting productivity. Employees should feel as though they are trusted automatically, as well as their devices, applications, and systems, with extensive, robust, and continuous authentication happening behind the scenes. That's how higher authentication can be delivered while reducing friction. BlackBerry® solutions provide robust security and collaboration that simplify processes to bolster productivity and mobility, while protecting a company's reputation.