Over the past few weeks, I’ve blogged about the importance of having a holistic security strategy for the Internet of Things (IoT). Now is the time to really amp up security and privacy by design at the endpoint device level. Everyone has a role to play.
We know that enterprises are struggling to secure their networks. Immediately, the network can provide device segmentation and isolation to help customers manage the risk of vulnerability, whether it be in IoT or traditional IT. But in addition to what we can do now, we must embark upon a holistic approach to this problem. Customers must demand more of their technology vendors. Manufacturers should establish and adhere to baseline security requirements. Developers should be trained to design with security and privacy in mind. Even venture capitalists should play a role by asking hard questions about security, privacy and data protection before funding start up projects. As an industry, we need to form a common vocabulary that will enable buyers to compare products side-by-side from a security point of view. Similarly to nutritional labels for food, without common terms, comparisons are extremely difficult.
Cisco has a role to play too. We are working on standards that will enable manufacturers to describe communications an IoT device is supposed to have. We are also working on standards to improve how a device can be brought online through a secure zero-touch approach. These are both examples that focus on scale, as a core problem of securely managing a network full of IoT devices, while acknowledging that the ‘things’ themselves will never completely protect themselves. It is this balance – where the network enables secure, efficient IoT adoption – is where Cisco is focused.
This is how we need to view the world of IoT moving forward.
But what about IoT devices already deployed? According to Gartner, 8.4 billion connected “things” will be in use this year, a 31% increase from last year. Even if we dramatically upgrade the security capabilities of future devices moving forward, that does not help the billions of devices currently on the market protect themselves against attack or against being used as a vector of attack. How do we protect ourselves? To help compensate for the lack of device security, we can leverage the network as a sensor and a tool to identify malicious traffic and enforce access policy.
It all starts with awareness. Network visibility – or telemetry – helps us understand the day-to-day behavior of the network. It’s crucial to have an understanding of the baseline traffic on your network to help pinpoint when traffic is out of the ordinary. And, when things are out of the ordinary, the network can enforce security policies to allow the right users and devices to get the right access, as well as containing the impact of a potential attack.
This is why it’s important to keep your infrastructure up to date against the current level of cyber risk and upgrade when it no longer has the capabilities needed to be resilient. Outdated components and software provide an opportunity for attackers to breach networks – such as the recent WannaCry ransomware example, increasing risks for unpatched machines as well as some legacy operating systems that are at end of support. The costs of ignoring the problem of aging infrastructure can be devastating – potentially, in the form of a lost data, revenue, customers and their trust.
Some view security as a hindrance to the IoT. This is simply not true. It’s more than risk mitigation, it is actually a growth enabler. It’s about giving your business the agility to go where it needs to, quickly, because you are comfortable with the level of security.
More to come regarding the standards we are working on to help secure the IoT….be sure to watch this space for details. Until then, be sure to visit the Trust Center for the latest news and resources.