Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What is the security impact of enterprise IoT?

Software management at the device level is key to mitigating security risks in the enterprise when IoT arrives.

The Internet of Things (IoT) is the notion that most data traffic will ultimately involve machine–to-machine (M2M) communications, often of a telemetric nature.  The character of such traffic is low-bandwidth and bursty: That is, asynchronous and occurring at random intervals.  Market experts agree that such traffic is inevitable and will enable many new functions, both in the enterprise as well as the consumer space. 

Enterprise IoT traffic fueled by consumer use

IoT traffic will be introduced initially into the enterprise network by way of consumer applications.  As eHealth and fitness applications enter the consumer space, people will want their applications to operate at work and at home.  Consequently, such applications will increasingly transmit status telemetry data from employee-owned personal devices through the enterprise network, and ultimately to remote service providers. The problem with such traffic is that it is impossible to know if it represents a benign personal application or a Trojan horse capturing and transmitting critical company data.  Both have similar communication profiles and are intermittent; blocking them can be problematic.

Of course, it is likely that enterprises themselves will adopt IoT technology to provide useful telemetry on everything from utility and security monitoring to process control and business intelligence. This traffic, although better controlled, will still be unpredictable. As a result, it will be largely ignored by existing security applications and protocols.

Existing security standards should help

Does such IoT data pose a major threat to existing enterprise security?  Although one might be tempted to say "yes," the fact of the matter is that good security hygiene elsewhere is likely to ensure IoT does not pose an unacceptable risk to existing applications. In fact, enterprise IoT telemetry can be defined in an IPv6 overlay, completely avoiding the IPv4 primary networks that mostly characterize today's enterprise networks.

What is more problematic is the security of IoT data itself.  This is fundamentally an exercise in securing devices and their communications with other devices or applications.  While this is not simple, ensuring telemetric devices are identifiable and incorporate only software that can be identified as trusted is essential.  Utilities for managing software at the device level exist and are available from a number of vendors.  While these won't be listed here, interested readers are encouraged to drop me an email to obtain additional information.

Fundamentally, the key to IoT and security is to ensure enterprise implementations are not adopted without IT involvement and active participations.  By ensuring security is a requirement before deployment, many security issues can be avoided.

Bottom line? Don't be worried, but be prepared.  IoT can enable important new business functionality and is worth the risk.IT can play a key role in identifying and reducing that risk.

This was last published in January 2015

Dig Deeper on Network Security Best Practices and Products