Overall, no single, homogeneous security technology can protect all IT assets including IoT edge processing, IoT platform middleware, back-end systems and data, Contu says. “A multi-faceted security approach is required to address expanded digital and physical risks,” he says.
At the endpoint, different approaches can be used, from embedding security features within chip architecture to deploying software agents to perform different security controls, Contu says. Gateways will provide valuable help in a complex architecture such as IoT ecosystems that are difficult to secure as a result of heterogeneous devices and identity profiles.
“Gateways will be deployed to align and handle specific IoT domains, managing a specific set of devices with similar trust requirements, and therefore the domains can be shaped using principles of a common trust model,” Contu says. “Federation of trust models allows interoperability between different domains and the devices that use different trust models.”
Key technologies in IoT security will likely be machine learning and artificial intelligence, says James Beeson, CISO and IT risk leader at financial services firm GE Capital Americas.
“As billions of additional devices get connected to the Internet, it will become impossible to manually deal with the number of alerts and/or unknown assets and events,” Beeson says. “The technologies need to be able to deal will mass quantities of data and quickly make decisions.”
Even before considering technology, organizations have to implement strong security policies and procedures, DiDio says. “If you don’t have a policy or a plan in place, you’ve got real problems,” she says.
Then, organizations should buy and install the appropriate security tools and software packages that are right for their business. “And they must stay up to date with the latest patches and fixes,” DiDio says. “Many companies experience problems because they fail to upgrade and apply patches and find their devices and applications wide open and vulnerable.”
Security in IoT environments is not static, but a moving target. “You have to constantly reassess and monitor your security and security policies and procedures and enforce them to stay abreast of the external threats posed by hackers and the internal threats posed by your own employees—deliberate or careless,” DiDio says. “Corporations can never declare victory. Complacency is your worst enemy.”
Sign up for Computerworld eNewsletters.