The Key Risks Associated With IoT - And How to Mitigate Them
The rewards of the IoT are well known, but are there any risks the enterprise should be concerned about?
It’s been said that nothing worthwhile is achieved without effort and a certain amount of risk. The internet of things is most definitely worthwhile and is already the focus of quite a bit of effort, but what about the risks?
All data is at risk these days, not just from hackers and natural disasters, but also from mechanical failure, human error and sometimes normal enterprise processes. By extending the data footprint to billions of devices around the planet, however, the number of threat vectors increases dramatically, to the point that conventional security measures such as firewalls are too expensive and too unwieldy to provide adequate protection.
What is the enterprise to do? The first step is to identify the new ways in which the IoT exposes critical assets to risk, and then devise innovative solutions to at least narrow the risk, if not eliminate it altogether. But be forewarned: not all risks are technological in nature, so not all of the solutions will be either.
Here, then, are some of the leading causes of risk, and the means to counter them:
The IoT brings with it a wide variety of blind spots that conventional security measures cannot address, says Tim Erlin, senior director of IT security and risk strategy at software developer Tripwire. Devices can be assessed for proper security configurations before enterprise resources accept any data, but this is easier said than done. According to a recent company survey, only 30 percent of respondents said they were prepared for security risks in the IoT, while only 34 percent said they could accurately track the number of devices on their networks, let alone the security tools they employ.
Meanwhile, the number of connected devices represents a potentially major escalation in the frequency and intensity of distributed denial-of-service (DDoS) and other types of attacks that harness the power of multiple IP addresses to flood host systems. While emerging IoT infrastructure should provide the dynamic scale needed to accommodate huge increases in traffic, this has yet to be tested in production environments – and the number of connected devices today is only a fraction of what it will be in a few short years.
The sheer complexity of the IoT is said to be both a blessing and a curse. On the one hand, it is a technological marvel that represents the new height of human ingenuity, but on the other, it relies on a host of advanced technologies that might not always work exactly as they are supposed to.
One facet of the IoT that is still largely untried is the concept of edge or “fog” computing, in which small, mostly unmanned data centers are networked across regions to provide faster turnaround for data requests. To function properly, these edge systems will have to communicate with numerous devices in their coverage areas as well as with other edge systems and with centralized processing centers known as data lakes. Naturally, this requires some fairly sophisticated networking, plus a great deal of coordination between the analytics taking place out on the edge and those in the central data lake, which by itself will contain some of the most advanced analytics technologies ever devised.
With all of this cutting-edge technology working in real time, it will probably be quite a while before we see an error-free IoT.
As mentioned above, the IoT creates more than just technological risk; it creates legal risk. According to solicitor Sarah Hall, of U.K. firm Wright Hassall LLP, the IoT affects a number of legal underpinnings surrounding data protection, data sovereignty, product liability and a host of other areas. This makes it difficult to determine what laws, or whose, will apply in a given dispute. Should a driverless car get into an accident, for example, who is liable? The passenger? The owner of the vehicle? The manufacturer? The person who coded the software? Without a clear understanding of how the law will be applied to the IoT, which will only come about through lengthy court processes, the enterprise is open to increasing levels of legal and financial risk as the scale of operations expands.
It’s Not All Bad
All of this may give the impression that only a madman would embark on an IoT strategy, but the fact is that the same technology that introduces risk can also be used to lessen it.
It’s a given that IoT workflows will be so numerous and move so quickly that human operators cannot hope to keep pace with them. That means automation and orchestration will have to play a prominent role in IoT deployments, and increasingly, those solutions are turning to artificial intelligence and cognitive computing to bolster security, availability, data recovery and other functions. As Radware’s Carl Herberger noted to TechRadar recently, today’s machine learning platforms not only react and respond to threats instantaneously, even proactively, but also adapt themselves to changing attack vectors as they gather more information on normal and abnormal data operations. This will be crucial as the enterprise faces increasingly automated, bot-driven malware in the IoT.
There is also a growing swell of increasingly sophisticated device management, encryption, access control and other solutions that should make distributed architectures as safe as practicable without inhibiting data and service functionality. A prime example is blockchain, the automated ledger solution that was originally implemented in the digital currency bitcoin but is now finding its way into a host of applications in which data integrity is paramount.
There is no such thing as a no-risk venture, so the enterprise will have to weigh carefully the risk vs. reward that accompanies every step in the development of IoT infrastructure. And chances are that if any service or application presents too much risk for one organization, it isn’t likely to be implemented by anyone else until its concerns are addressed.
In the end, the IoT will only be as risky as the enterprise industry as a whole allows it to be.