A decade ago, when the practice of Bring Your Own Device (BYOD) became popular it raised significant security concerns. Now those concerns have largely passed as we’ve become comfortable with employees using their own smart devices. In its place, another security risk is coming to the fore: shadow IoT.
Research shows that shadow IoT is one of the major security threats to any large enterprise. Shadow IoT refers to any internet of things (IoT) devices or sensors in active use within an enterprise of which the IT department has no knowledge. This is significant considering that in a global survey, one-third of respondents had more than 1000 shadow IoT devices connected to their network every day. Another showed that 100% of respondents had rogue consumer devices on their network, and over 90% had discovered previously undetected IoT wireless networks.
The lack of visibility of shadow IoT devices makes them an easy target for hackers, who are quickly focusing on this weakness as a point of entry into corporate networks. In fact, IoT-related attacks multiplied six-fold between 2017 and 2018. And consumer IoT devices are very rarely designed with security in mind. As more IoT devices are attached to the corporate network, the hidden surface area for cyber attacks grows rapidly.
Are we really at threat from our toaster?
IoT devices are increasingly being seen as a means to find a backdoor onto the corporate network. As shadow devices are invisible to IT, it’s entirely possible that a breach could go unnoticed for days or even months.
In one case that is strange but true, hackers broke into the IoT-enabled thermostat in a casino’s fish tank and used this entry point to gain access to the corporate network and steal the casino’s database of wealthy customers. Every consumer IoT device connected to your network offers the same vulnerabilities.
It’s not just that security isn’t baked into the devices – the real issue is just how easy it is for a potential attacker to identify the device. Many vulnerable IoT devices are easily discovered online by search engines specifically created for connected devices, such as Shodan.
The lessons of BYOD for shadow IoT
In many ways, concerns over shadow IoT have parallels to the development of BYOD. When people began to use their personal smartphones and mobile devices, enterprise IT departments were unprepared. Some of the solutions developed to meet the security requirements of BYOD can be applied to handling shadow IoT:
- With BYOD, it was clear that the personal devices couldn’t be provisioned by the IT department. Instead, employees and contract staff had to be able to register their own devices for the IT department to verify. This requires what we refer to as an ‘outside in’ model of identity management, where we move beyond ensuring access to internal systems for employees. You need to enable provisioning – sometimes self-provisioning – of identities for individuals and things outside of but connected to the company network.
Adaptive, context-based security
- When mobile users connected to the corporate network regularly, simple username and password authentication was no longer enough. BYOD moved towards contextual and adaptive user authentication. When evaluating authenticity, the security systems take into account contextual information such as GPS locations, IP addresses and even biometrics. This context-aware approach means you are able to identify abnormal logins or unusual and aberrant endpoint activity. New IoT platforms are emerging that provide the adaptive security features that have been successful in the mobile world.
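To make the adaptive approach concrete, here is an added illustration of context-aware login risk scoring. It is not code from the original article or from any IoT platform; it assumes each authentication event carries a user id, source IP, geo-resolved country, device id, timestamp and whether MFA was completed, and all events, address ranges and weights in it are constructed.

```python
"""Context-aware login risk scoring (added illustration, not the article's code).

Assumptions: each authentication event is a dict with user, ip, country,
device, time and mfa_passed. The per-user baseline of known countries and
devices is built only from trusted logins. Everything below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

# Hypothetical risk weights; a real deployment tunes these from its own data.
NEW_DEVICE = 30
NEW_COUNTRY = 40
NON_CORP_NETWORK = 15
FAST_COUNTRY_CHANGE = 50
STEP_UP_THRESHOLD = 50          # at or above this score, require step-up (MFA)
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed address range


@dataclass
class UserBaseline:
    """What has previously been seen for one user, built from trusted logins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    last_seen: Optional[datetime] = None
    last_country: Optional[str] = None


def score_login(baseline: UserBaseline, ev: dict):
    """Return (risk score, list of reasons) for one login attempt."""
    score, reasons = 0, []
    if ev["device"] not in baseline.devices:
        score += NEW_DEVICE
        reasons.append("unknown device")
    if ev["country"] not in baseline.countries:
        score += NEW_COUNTRY
        reasons.append("new country")
    ip = ipaddress.ip_address(ev["ip"])
    if not any(ip in net for net in CORP_NETWORKS):
        score += NON_CORP_NETWORK
        reasons.append("outside corporate network")
    # Crude impossible-travel check: a different country within two hours.
    if (baseline.last_country and baseline.last_country != ev["country"]
            and ev["time"] - baseline.last_seen < timedelta(hours=2)):
        score += FAST_COUNTRY_CHANGE
        reasons.append("country changed within 2h")
    return score, reasons


def decide(score: int) -> str:
    return "step-up" if score >= STEP_UP_THRESHOLD else "allow"


def evaluate_history(events):
    """Process events in time order; returns [(user, score, decision, reasons)].

    The baseline only grows from logins that were allowed outright or that
    passed the step-up challenge, so a rejected attempt cannot poison it.
    """
    baselines, results = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        b = baselines.setdefault(ev["user"], UserBaseline())
        score, reasons = score_login(b, ev)
        decision = decide(score)
        results.append((ev["user"], score, decision, reasons))
        if decision == "allow" or ev.get("mfa_passed"):
            b.countries.add(ev["country"])
            b.devices.add(ev["device"])
            b.last_seen, b.last_country = ev["time"], ev["country"]
    return results


T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [  # constructed sample: enrolment, a normal login, then a suspicious one
    {"user": "alice", "ip": "10.1.2.3", "country": "GB", "device": "laptop-1",
     "time": T0, "mfa_passed": True},
    {"user": "alice", "ip": "10.1.2.3", "country": "GB", "device": "laptop-1",
     "time": T0 + timedelta(hours=1), "mfa_passed": False},
    {"user": "alice", "ip": "203.0.113.5", "country": "BR", "device": "laptop-1",
     "time": T0 + timedelta(hours=1, minutes=30), "mfa_passed": False},
]

if __name__ == "__main__":
    for user, score, decision, reasons in evaluate_history(SAMPLE_EVENTS):
        print(f"{user}: {decision} (score {score}) {', '.join(reasons) or 'baseline match'}")
```

The first event is treated as enrolment (unknown device and country, so a step-up is demanded and, once MFA passes, the baseline is seeded); the second matches the baseline and is allowed; the third changes country within thirty minutes from a non-corporate address and is challenged without being allowed to extend the baseline.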
Continuous, real-time monitoring
- Continuous monitoring has become a feature of BYOD. Any IT manager knows that some staff are unaware of company security policies, and others are willing to flout them if they think that this will help them do their work. The situation is worse for IoT because people may think that their consumer device doesn’t fall under the security policy at all. IT departments still need to identify what the device is, what it’s used for and who’s using it. You need the capability to conduct continuous checks of connected devices and networks, and to proactively search for unknown devices on the enterprise network.
The role of the identity-driven IoT platform
Mobile management systems have helped secure the BYOD world, and an identity-driven IoT platform can do the same for shadow IoT. An IoT platform has the ability to create and manage a single, central identity or digital twin for every person and thing, which can be synchronized across devices, applications and resources. New devices connecting to the network are immediately identified and, if authentication can’t be established, isolated. You have an end-to-end identity infrastructure that manages access, relationships and lifecycle for every person, system and thing connected to your enterprise infrastructure.
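The continuous-monitoring point above and the identify-then-isolate behaviour just described come together in a scheduled reconciliation job. The following is an added example, not code from the article or from any IoT platform: it assumes DHCP/ARP observations arrive as text lines, that the IT inventory is keyed by MAC address, and that a hypothetical OUI-to-device-class table exists. The OUI prefixes, records and inventory in it are all constructed.

```python
"""Continuous discovery of unmanaged devices (added example, not the article's code).

Assumptions: a scheduled job receives DHCP/ARP observations as text lines,
compares them against the IT inventory keyed by MAC address, and uses a
hypothetical OUI-to-device-class table. All data below is constructed.
"""
import re

# Constructed OUI (first three octets) to device class; hypothetical values,
# not real vendor assignments.
OUI_CLASS = {
    "AA:BB:01": "corporate-laptop",
    "AA:BB:02": "smart-tv",
    "AA:BB:03": "thermostat",
}

OBS_RE = re.compile(r"mac=([0-9A-Fa-f:]{17})\s+ip=(\S+)(?:\s+host=(\S*))?")


def normalize_mac(mac: str) -> str:
    return mac.upper().replace("-", ":")


def classify(mac: str) -> str:
    return OUI_CLASS.get(normalize_mac(mac)[:8], "unknown-vendor")


def parse_observations(text: str):
    """Yield (mac, ip, hostname) from DHCP/ARP-style lines; skip lines without device fields."""
    for line in text.splitlines():
        m = OBS_RE.search(line)
        if m:
            yield normalize_mac(m.group(1)), m.group(2), m.group(3) or ""


def reconcile(observed_text: str, inventory: dict, previously_seen: set):
    """Compare what is on the wire with what IT knows about.

    Returns one finding per observed MAC. A device with no inventory record is
    'unmanaged': on first sight the action is to quarantine it (restricted VLAN
    via whatever NAC the site runs); a repeat sighting is escalated so that an
    owner and a purpose can be established.
    """
    findings = []
    for mac, ip, host in parse_observations(observed_text):
        if mac in inventory:
            status, action = "managed", "none"
        elif mac in previously_seen:
            status, action = "unmanaged-recurring", "escalate"
        else:
            status, action = "unmanaged-new", "quarantine"
        findings.append({"mac": mac, "ip": ip, "host": host,
                         "class": classify(mac), "status": status, "action": action})
    return findings


OBSERVED = """\
dhcp ack mac=AA:BB:01:00:00:01 ip=10.0.1.10 host=LAPTOP-ALICE
dhcp ack mac=aa:bb:03:11:22:33 ip=10.0.5.21 host=thermo-lobby
dhcp ack mac=aa:bb:02:44:55:66 ip=10.0.5.22 host=
arp reply mac=AA:BB:09:77:88:99 ip=10.0.5.23
syslog line with no device fields
"""  # constructed sample observations
INVENTORY = {"AA:BB:01:00:00:01": {"owner": "alice", "type": "laptop"}}  # constructed
PREVIOUSLY_SEEN = {"AA:BB:02:44:55:66"}  # constructed: seen on the last run, still no owner

if __name__ == "__main__":
    for f in reconcile(OBSERVED, INVENTORY, PREVIOUSLY_SEEN):
        if f["action"] != "none":
            print(f"{f['mac']} {f['ip']:<12} {f['class']:<16} {f['status']} -> {f['action']}")
```

One caveat worth carrying into a real deployment: many consumer devices randomise their MAC address, so keying the inventory on the MAC alone will produce repeat "new device" findings for the same hardware. Tie the record to a stronger identifier (a device certificate or the platform's own device identity) once the device has been registered.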
To learn more about how an identity-driven IoT platform can help tackle shadow IoT within your organization, get the Identity of Things Explained guide to learn about the identity problem with IoT and how a strong Identity of Things (IDoT) foundation identifies and manages IoT connections to solve it.
The guide introduces IDoT and reveals how to add identity to IoT with chapters on:
- The core capabilities of an identity-driven IoT platform
- The top 10 tips to consider when deploying identity management in IoT
- Selecting the right provider for IDoT