Understanding and Addressing IoT Devices’ Unique Security Challenges

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Wayne Dorris of Axis Communications addresses the unique challenges of understanding and securing IoT devices.

Most people would be surprised to learn how often they interact with the Internet of Things (IoT). Connected devices are a part of everyday life, and even everyday consumers might have a dozen of them scattered across their homes, vehicles, and pockets. Devices like smartphones, video doorbells, smart home devices, digital locks, smart devices, and more all need to connect to the internet to function, making them part of the increasingly vast digital ecosystem that makes up the Internet of Things.

This isn’t news to those of us in the security industry, but it does help serve to illustrate how ubiquitous these devices have become. And if everyday consumers are using an overwhelming number of IoT devices, the number being used by businesses can be truly astronomical. In the security space alone, surveillance cameras, smart sensors, speakers, microphones, access control stations, biometric scanners, and dozens of other devices are being deployed by organizations in every industry—and that’s before considering devices like laptops, phones, routers, servers, and others that allow businesses to operate effectively. But despite their convenience, each device connected to a network represents a potential vulnerability, making protecting IoT devices a priority for today’s businesses.

Keeping Devices Secure Amid Evolving Business Needs

The way businesses use IoT devices has shifted over the past five or so years. Today’s devices gather vast amounts of data, and organizations are increasingly looking to use that data in ways that go beyond security. It isn’t enough to spot a trespasser or potential shoplifter anymore—today’s surveillance devices can, for example, tell a retailer when customers are most likely to visit the store, how they move once they are inside, which items or displays they seek out, and more. This can help businesses schedule staff more efficiently, improve store layouts, and identify ways to increase sales. Devices once limited to security are now generating critical business intelligence.

This is great news for many businesses, but their desire to put these new devices to use has often outstripped their ability to protect them. IoT devices often exist outside of what is traditionally considered the “network perimeter.” This means that protecting them requires steps that go beyond firewalls, antivirus software, and other basic security measures. IT and security departments need to create a different type of assessment and security baseline based explicitly on IoT and its unique vulnerabilities.

This can help them evaluate how much risk a given device actually carries, and what can be done about it—especially as more and more devices are tied into other systems to generate business intelligence and other insights. Organizations should also conduct vulnerability scans on a regular basis. To be most effective, they should seek out specialized tools designed for IoT, as many traditional scanners may not be calibrated for IoT devices and are more likely to register false positives. These regular assessments can help keep surprises to a minimum.

Working with Manufacturers and Developers

Securing these devices isn’t just about implementing the right tools and policies. It’s also about working with responsible manufacturers and developers and asking them the right questions before committing to a purchase. Unfortunately, because of the unique challenges posed by IoT, even IT professionals may not always know the right questions to ask. For instance, most devices on the business side come with Active Directory (AD) and certificate integration, leading many to expect the same from IoT devices. But today’s businesses might have thousands—even tens of thousands— of IoT devices in use, and direct AD integration for that many endpoint devices would make access management a nightmare for administrators. Likewise, multifactor authentication (MFA) has become a widely used security solution, but adding MFA to every camera would result in an unmanageable number of MFA notifications to manage for each device. IoT requires different solutions.

So, what are the right questions to ask? When working with manufacturers and developers, it can be helpful to ask broad questions rather than specific ones. Instead of asking whether a manufacturer complies with a specific set of regulations, ask what measures they take to protect their devices. Instead of asking “yes or no” questions about a device’s capabilities, ask what it is capable of and how to integrate it effectively. At every turn, customers should give manufacturers and developers the opportunity to provide more information. Organizations may find that when they lay out their goals and let manufacturers fill in the blanks with solutions and insight, the result is a more effective, efficient, and secure IoT deployment.

Recognizing the Unique Challenges of IoT Devices

As IoT devices become increasingly common, it is critical for organizations to understand that they cannot be treated like any other device. Working with trusted manufacturers and developers to choose devices that offer both adequate protection and easy integration with existing systems is critical, and understanding how to manage those devices internally can make a significant difference not just from a security perspective, but from a workflow perspective as well. Connected devices aren’t going anywhere, but today’s organizations don’t need to sacrifice security for convenience. They can have both.