In a recent blog, we explored five must-haves to reduce security risks associated with IoT endpoints. These include: data encryption, access control, continuous monitoring, quality network partners and secure foundation. In this installment, I will dig a little deeper and share best practices for each to reduce the possibility of a breach.
Best Practice 1, Build with IoT Security In Mind:
As you are building an IoT application, weave security into every aspect of its design. Assign at least one member from the development team to be focused on security, and, if possible, have that person complete an industry standard security certification. Also, establish protocols for internal security and regular testing; and update future guidelines based off of those findings.
Best Practice 2, Encrypt Data:
To sufficiently protect data in motion, it is critical to employ a site-to-site VPN tunnel from the IoT operator to the back-end server’s network. Doing so enables encrypted data transmission across the most vulnerable segment of the network path. That said, even under the assumption that the VPN tunnel is between two trusted networks, it is still important to use controls for strong authentication on the data should a device or the channel be compromised.
Best Practice 3, Lock Down Access Control:
Understanding who has access to your data or systems is not always as easy as it seems. Employees leave the company, are promoted, or transfer to other divisions. So it is critical to make sure privileges are as up-to-date as possible to avoid unintentional access. Further, IoT devices should be designed with internal components, allowing wireless connectivity to be protected. Ensure that devices with removable SIM cards are not easily accessible. If you use over-the-air application updates, implement a preventative mechanism such as code-signing to protect your devices from unauthorized updates.
Best Practice 4, Monitor Continuously:
When a breach occurs, time is of the essence. As soon as something goes wrong, you should know about it – every minute that passes can be costly. Make sure that back-end applications have the ability to log abnormalities. Partnering with an IoT operator that provides alerting tools for fraud detection and prevention can give you more rapid insight into potential problems, however your internal teams should also be monitoring your data logs and creating automatic alerts for signs of compromise.
Best Practice 5, Vet Network Partners Thoroughly:
It is important to be diligent when selecting network providers. You are only as secure as they are, and you should be asking them about proficiencies in each of the following areas:
- Intrusion Prevention Systems (IPS)
- DDoS defense systems
- Security patch and update processes
- Firewall models
- Incident response