
Compliance in an IoT World

By David Tremont posted 02-14-2019 09:50


Hello again, it has been a while since we talked to you about IoT and the challenges it brings to the already burdensome security defenses we put in place to protect client and firm data.

Today we are going to look at the compliance side of IoT, some high-level information on what needs to be done, and where the future lies for complying with all these network-connected devices. As we discussed, these are not your typical servers, workstations, laptops, printers and phones but a vast array of devices we may not give a second thought to.

I am talking about assistants, wearables, security cameras, biometric devices, sensors, lions, tigers and bears, oh my! Yes, it does get a bit overwhelming, and for this Security Director I really wonder whether this is something we can all get a handle on with respect to protecting our networks.

I do not want to bore you with a lot of opinion on this subject, but I do want to let you know what is coming down the road and some interesting things I have found on regulations and compliance for these devices, and then steer you towards some organizations, such as the International Telecommunication Union (ITU), the IoT Security Foundation and NIST, that have published guidelines and opinions related to IoT compliance.

We know that IoT deployments can consist of smart sensors, control systems, web and cloud services, and a slew of hardware and services to satisfy the business use cases. IoT devices are intended to connect to the cloud: everything connected to everything, and everything to anything. Just think about that for a minute as it relates to compliance: that is a huge undertaking to monitor, to protect, and to keep in line with regulatory standards for data privacy, and so on.

Here is a statement I ran across: "IoT threatens to generate massive amounts of input data from sources that are globally distributed. Transferring the entirety of that data to a single location for processing will not be technically and economically viable. The recent trend to centralize applications to reduce costs and increase security is incompatible with the IoT. Organizations will be forced to aggregate data in multiple distributed mini data centers where initial processing can occur. Relevant data will then be forwarded to a central site for additional processing."

Source: http://www.gartner.com/newsroom/id/2684616

Think of that statement for a moment. It really means different types of IoT data are going to be stored in many places and in many data centers for processing, because each vendor has its own way of processing and storing data based on the IoT devices being used. So we need to ensure the risks at each of these vendors for these devices are minimized by requiring third-party audits, just as your clients require audits pertaining to their data, where it is stored and how it is handled. Oh, and do not forget the device itself stores data, whether it be cameras locally storing footage on an SD card or door access devices that store card numbers or associate people with a fingerprint or retina scan.

Some interesting developments have taken place in recent months that may simplify regulatory changes in IoT. One possible development is the use of machine learning and AI in compliance analytics to keep pace with the evolving changes and reduce the time to comply.

It would seem that AI is better than developers at producing code that adheres to regulatory compliance in IoT devices and applications. Who would have thought: machines making the rules for machines. The plain fact is that the rapidly evolving nature of IoT is causing a logjam for regulatory compliance guidelines, which are simply getting more complicated every day as new and enhanced IoT devices are manufactured.

From a security perspective it is interesting to understand the implementation of so many new points of connectivity and data types. What happens as this evolves is that the attack surface is greatly enlarged, and therefore compliance becomes a must-have to reduce those attack vectors and understand the cost of mitigating these threats. Gartner has indicated that IoT security spending will double in the next three years (https://techcircle.vccircle.com/2018/03/21/global-spend-on-iot-security-will-reach-1-5-bn-in-2018-gartner).

This information can be quite daunting and a bit scary, but it can give you food for thought when moving forward to implement IoT devices. Undoubtedly there are many on your network right now: wearables, card readers, biometric devices, temperature sensors, etc.

The main idea in this piece is to point you in the right direction so that you have the tools you need to design, implement and protect your data when using IoT devices.

Just remember to treat these devices just like a PC or laptop holding client or firm data. Protect access to them, know where their data is being processed, and make sure those vendors are in compliance, as I stated previously. Audit your vendors and make sure that data is safe and they are adhering to best practices related to storing and processing it. Look at retention times on some of this data: do you really need to keep door access data for more than 30 days? When performing your risk assessments, make sure IoT devices are on that list, and at a minimum make sure your security procedures and policies apply to that data and those devices just as they do to all other devices.

Use common sense. Knowing what is on your network is sometimes the biggest task. Take an inventory of the devices that your users have, and create policies under which users cannot introduce new devices onto the network without prior disclosure and approval.
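To make the last two points concrete (vendor audits and retention limits on one side, an approved-device inventory on the other), here is an added example, not code from the original post or from any organization it mentions. It reconciles a constructed network discovery result against a constructed approved-device register, flags devices nobody disclosed, flags approved devices that were not seen, and checks each approved device's configured retention and last vendor audit against policy. Every MAC address, vendor name and date below is made up, and the per-type retention limits are assumptions (the post only suggests 30 days for door access data).

```python
"""Reconcile observed IoT devices against an approved register and check
retention and vendor-audit policy. Added example; all device data,
MAC addresses, vendor names and dates are constructed."""
from datetime import date

# Constructed approved-device register, as an asset owner might keep it.
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": {"type": "security camera", "vendor": "ExampleCam",
                          "retention_days": 30, "last_vendor_audit": date(2018, 11, 1)},
    "aa:bb:cc:00:00:02": {"type": "door access", "vendor": "ExampleDoor",
                          "retention_days": 90, "last_vendor_audit": date(2018, 6, 15)},
    "aa:bb:cc:00:00:03": {"type": "temperature sensor", "vendor": "ExampleSense",
                          "retention_days": 7, "last_vendor_audit": date(2017, 12, 1)},
}

# Maximum retention per device type. These limits are assumptions for the
# example; the post itself only questions keeping door access data past 30 days.
RETENTION_POLICY_DAYS = {
    "security camera": 30,
    "door access": 30,
    "temperature sensor": 365,
}

# Constructed output of a network discovery sweep: (MAC, IP, hostname).
OBSERVED_DEVICES = [
    ("aa:bb:cc:00:00:01", "10.0.5.11", "cam-lobby"),
    ("aa:bb:cc:00:00:02", "10.0.5.12", "door-east"),
    ("aa:bb:cc:00:00:09", "10.0.5.40", "fitbit-sync"),   # never disclosed or approved
    ("aa:bb:cc:00:00:0a", "10.0.5.41", "echo-kitchen"),  # never disclosed or approved
]

# Date the report is produced (constructed to match the post's date).
REPORT_DATE = date(2019, 2, 14)
MAX_AUDIT_AGE_DAYS = 365  # assumption: vendors must be re-audited yearly


def find_unapproved(observed, approved):
    """Observed (mac, ip, hostname) tuples whose MAC is not in the register."""
    return [d for d in observed if d[0].lower() not in approved]


def find_missing(observed, approved):
    """Approved MACs not seen on the network: possibly decommissioned or moved."""
    seen = {d[0].lower() for d in observed}
    return sorted(mac for mac in approved if mac not in seen)


def find_retention_violations(approved, policy):
    """(mac, type, configured_days, allowed_days) where retention exceeds policy."""
    violations = []
    for mac, info in approved.items():
        allowed = policy.get(info["type"])
        if allowed is not None and info["retention_days"] > allowed:
            violations.append((mac, info["type"], info["retention_days"], allowed))
    return violations


def find_stale_audits(approved, today, max_age_days):
    """MACs whose last vendor audit is older than max_age_days as of `today`."""
    return sorted(mac for mac, info in approved.items()
                  if (today - info["last_vendor_audit"]).days > max_age_days)


def build_report(observed, approved, policy, today, max_audit_age_days):
    """Run all four checks and return them as one dictionary."""
    return {
        "unapproved": find_unapproved(observed, approved),
        "missing": find_missing(observed, approved),
        "retention_violations": find_retention_violations(approved, policy),
        "stale_audits": find_stale_audits(approved, today, max_audit_age_days),
    }


if __name__ == "__main__":
    report = build_report(OBSERVED_DEVICES, APPROVED_DEVICES,
                          RETENTION_POLICY_DAYS, REPORT_DATE, MAX_AUDIT_AGE_DAYS)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

On the constructed data this reports the two undisclosed wearable and assistant devices, the sensor that has gone quiet, the door controller keeping records three times longer than policy allows, and the sensor vendor whose audit is over a year old. Matching on MAC address is a convenience for the example; in practice a register keyed on something harder to spoof (a device certificate or serial number from the vendor) will hold up better.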

If you are looking for regulatory guidelines, look at:

ITU-T Y.4000 of the International Telecommunication Union (ITU):

https://www.itu.int/rec/T-REC-Y.2060-201206-I

The IoT Security Foundation is probably a good place for guidelines on regulatory compliance and standards:

https://www.iotsecurityfoundation.org/best-practice-guidelines/

NIST initiatives in IoT