
5 ways to adapt your mobile security strategy for IoT

Consumer devices and network segmentation are just two elements to a mobile security strategy fit for the IoT era.

By Hannah Williams

Ready or not, the IoT wave is already breaking on enterprise shores. While smart, connected devices mean increased automation and digitisation, they also translate into new challenges that will require companies to shift their approach to security. Already, malware infecting common consumer IoT devices has led to a botnet of nearly half a million endpoints, with millions of devices still vulnerable to attack. Existing mobile security strategies can be extended to prepare for the new challenges presented by IoT. This approach not only addresses immediate concerns but can also provide a security blueprint to protect companies as they look to scale IoT adoption in the future.


Mobile provides a roadmap to IoT

Smartphones and tablets are well understood within organisations, and it has been proven that employees with anytime, anywhere access to corporate data and applications are more productive. The Internet of Things takes this to the extreme, allowing small, inexpensive computers to automatically gather data from the physical world and, in some cases, take actions in the physical world as well. Many of the lessons learned about securing mobile can be brought forward into IoT deployments.

Trust is critical for any mobile deployment. In the mobile world, trust centres around ensuring that only an authorised user, running an authorised application, working on an authorised device can interact with enterprise data stores, whether they’re on premises or in the cloud. With IoT, the “user” and “application” often become the device itself – the key common bond here is trust. Only devices provisioned by IT should be able to get access to enterprise data, to protect both the integrity of the devices and the resources that devices connect to.

A common mechanism for establishing this trust is through the use of digital certificates, which can easily identify embedded devices both to a mobile management platform as well as the networks and enterprise resources the devices connect to. Certificates also ensure end-to-end session trust between the device and enterprise resources, so if a network session is compromised, the attacker cannot use it to infiltrate enterprise systems.

Of course, OS trust is also critical. Enterprises must ensure that security patches are in place (if such updates can be applied) and that common attack vectors like default usernames and passwords are disabled or, at a minimum, changed. Monitoring for suspicious behaviour such as sharp increases in network traffic can also help determine whether a compromise has occurred. If compromised devices are found, they should be quarantined from enterprise resources immediately to limit the scope of an attack.
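One way to turn the "sharp increase in network traffic" check into a quarantine decision, as an added example that is not part of the original article: each device's recent traffic is compared with its own baseline using a median/MAD score, and a device is flagged only when the spike is sustained. The device names, byte counts, window sizes and threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample data: bytes sent per 5-minute interval, keyed by a
# hypothetical device ID. The last two values are the "recent" intervals.
SAMPLES = {
    "hvac-sensor-01": [1200, 1150, 1300, 1250, 1180, 1220, 1275, 1190],
    "door-ctrl-07":   [800, 820, 790, 810, 805, 795, 98000, 102000],
    "badge-reader-3": [400, 0, 410, 395, 405, 0, 400, 2100],
}

def robust_z(history, value):
    """Score `value` against `history` using median and MAD.

    Median/MAD is used instead of mean/stddev so that one odd reading in the
    baseline window does not widen the band and hide a later spike.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad
    if scale == 0:
        # Perfectly flat baseline: fall back to 10% of the median (min 1 byte).
        scale = max(med * 0.1, 1.0)
    return (value - med) / scale

def find_spikes(samples, baseline_len=6, threshold=6.0, sustain=2):
    """Return device IDs whose last `sustain` intervals all exceed `threshold`.

    Requiring a sustained spike avoids quarantining a device for a single
    burst such as a firmware download or a reconnect.
    """
    flagged = []
    for device, series in samples.items():
        if len(series) < baseline_len + sustain:
            continue  # not enough history to judge this device
        baseline = series[:baseline_len]
        recent = series[-sustain:]
        if all(robust_z(baseline, v) > threshold for v in recent):
            flagged.append(device)
    return sorted(flagged)

if __name__ == "__main__":
    for device in find_spikes(SAMPLES):
        print(f"quarantine candidate: {device}")
```

The flagged list would feed whatever quarantine mechanism the management platform or network provides; that integration is outside this sketch.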



Leverage existing platforms for trials

Of course, the use of IoT devices in enterprises is both widespread and yet still nascent. It’s widespread in the sense that many systems such as building management or industrial automation are already network connected and vertically integrated. However, more customised applications built by IT on the back of IoT platforms are new. Luckily, there are several enterprise-class platforms that IT can build from, such as Windows 10 or Android, which can scale down from smartphone form factors to more IoT appropriate form factors. The advantage is that these platforms come with many tools for management security built in, which eases prototyping, rather than having to start from scratch.


Network segmentation is a must

Enterprises need to understand that IoT devices will sit outside the corporate network and then reach into corporate datastores. With unfettered access to the corporate network, this can pose a serious risk to sensitive systems inside the organisation. Enterprises need to examine exactly which data and application stores IoT devices will access and ensure that the network is segmented to prevent IoT devices from compromising other systems.


IoT extends IT security into the physical world

Another aspect of IoT that’s different is that devices can often take action in the physical world they live in, such as adjusting temperatures, closing doors, or other actions. Enterprises will need to consider the liability of their devices interacting with the physical world and develop compensating controls accordingly.

Beware the consumer devices

Many end users may want to bring their own IoT devices, such as wearables, into the enterprise. However, the enterprise management capabilities for wearable devices are nascent and thus they may not be appropriate for corporate applications. If wearables are required to handle sensitive data for the enterprise, organisations will need to evaluate the embedded security features of their applications until broader security and management frameworks are developed.

Ready or not, IoT is here. How enterprises choose to approach these technologies today will determine whether the next five years of IoT headlines are stories of transformation or destruction. The good news is many enterprises already have the mobile foundation in place to start heading in the right direction.
