The internet today barely resembles the one from 15 years ago that gave birth to browsers, online research and Cyber Monday, and it continues to change on a daily basis.
Devices that people carry and connect to the cloud are the difference. No longer just a collection of servers connected to workstations and laptops, today's internet serves bandwidth to smart phones, intelligent light bulbs, HVAC systems and sensors, and that's just the average office.
Now imagine wireless door locks, motion detectors, fire alarms, and other elements of the 'smart office.' Intelligence about the state of your building goes up, but certainly at the expense of introducing new and stealthy ways to access your wired and wireless networks and resources.
How can Chief Information Security Officers (CISOs) strike the right balance between access and security for today’s emerging 'smart office’? Starting with a well thought through plan usually yields the best results.
Start by Understanding Device Diversity
First and foremost, identify devices according to their type and role – and then make sure they never stray from those network duties.
While that's a simple approach philosophically, executing it can be a daunting challenge when you consider the number and variety of devices that comprise the Internet of Things (IoT). You now have to worry about what’s connected on the inside and to the outside world via the internet.
Managing this level of diversity demands a solution that ‘fingerprints’ devices as they join the network and then instantly sets policy for their use. When new lighting is installed in the fourth-floor server room, the solution not only makes note of the change but also enforces a rule that only allows the new lighting to communicate with the lighting management system that’s responsible for turning lights on and off, and when.
Manage the Unknown
While it is important to identify all the devices that belong in your network, identifying something that shouldn’t be on the network can be even more important. Unknown devices should be accounted for and automatically flagged for review against the corporate security policy, and later the network administrator. Managing the unknown in a complex and diverse network is the most important step a CISO can take in the IoT era – and thanks to recent breaches at larger box stores, we know all too well what happens when network admins lack the tools to identify outliers.
In that case, an attacker compromised a retailer’s HVAC systems to create a staging area for opening connections to the retailer's point of sale terminals, which were then injected with malware that hijacked credit card information and exfiltrated it to an external server.
Why Point Security Doesn't Work for IoT
Preventing the next big retail breach means having a platform that's not just good at identifying devices and setting policy – you'll also want one that acts as an integration point.
Think of it like a parking garage. Even if some employees drive motorcycles while others prefer cars and oversized trucks, the garage is made to provide space for everyone. An enriched policy solution built to handle IoT devices acts similarly by leveraging the APIs of other systems on the network for collecting, analyzing, and automatically acting on data via an embedded policy engine.
That way, IoT devices found to be doing more than they were made to, like a HVAC system attempting to access a point of sale terminal, is instantly blocked and taken off the network. Policy management solutions can provide a default level of security by preventing outliers before they occur.
Machine Learning Will Lead Us into the Future
CISOs we talk to fear they haven't yet seen the worst, and 'smart offices’ may be more vulnerable than others because of how deeply connected to the internet they’ve become.
They imagine the malicious attacker who slips code into the turnstile system that reads the badge data of everyone who arrives at the office. Just that one breach alone can open the door to blackmail or corporate espionage, and they're right.
While simpler and faster ways of identifying devices and miscreants are in the works thanks to machine learning, we have a ways to go. We're studying attack patterns and techniques and looking for even the slightest tremors in how IoT’s act that might indicate a breach. While this sort of behavioral analysis is of limited use right now because IoT-infused networks are so new, we expect the data will age well. Knowledge will make us more secure.
In the meantime, we can stay vigilant knowing that smart, carefully integrated and automated solutions – rather than just humans – can keep most ‘smart offices’ safe without unfairly restricting network access to the everyday employees who need it.