With the continued expansion of the Internet of Things (IoT), we must be aware of the associated cyber risk. Any time we expand our security boundary, as with cloud and certainly with IoT, we have to understand all of the potential risks. I am not advocating the avoidance of cloud or IoT, but we should go into the architecture with both eyes wide open.
The core element of designing an effective cybersecurity strategy is a set of consistent security standards that are inherited to support specific business or organizational outcomes. Typically, security standards are grouped to form security policies. The NIST cyber standards, and their grouping into the Risk Management Framework (RMF), the Cybersecurity Framework (CSF), DFARS, and FedRAMP, become our security policies.
BEST PRACTICE: Use a set of consistent security standards, inherit those standards into individual policies, allow flexibility in how the standards are implemented within each policy, and you will have an excellent foundation for your cybersecurity strategy.
What is the impact of cloud, mobility, smart devices and IoT technologies?
All of these technologies, and others not mentioned, tend to extend our security boundary. Security policy and cyber standards cover the hardware, software, operating systems, processes, and human capital required to execute a business or organizational outcome. For example, an organization will typically have a security policy for email, internal file sharing, external file sharing, online applications, and many others. As we develop the security policy, we naturally define our security boundary. For many organizations, the security boundary extends from the "inside ports" of the firewall and includes everything within their environment. As we adopt IoT, the security boundary is extended.
Many organizations implement IoT solutions within an isolated or segmented part of their network environment. The IoT devices report into a gateway; hence the perception is that the gateway provides adequate security to protect the organization's other information technology resources from the risk within the IoT environment. I am not implying that IoT gateways lack security, but the gateway now becomes part of our security boundary.
Too many organizations excuse or accept the potential risk found within the IoT gateway.
When incorporating any technology that extends the security boundary, we must clearly understand our security standards and policies to accurately visualize the potential risk to our environment. The sophistication of IoT devices will continue to increase as the technology grows in popularity within our society. We have seen this trend time and time again with new technology adoption. When thinking about the introduction of mobile technologies, even the days of the pager or the BlackBerry (non-smart phone) presented risk. Yet as society adopted mobile technology to the state we are in as of 2019, the threat to our environments increased exponentially as the devices became smarter and more capable.
SOLUTION: Establish a cyber strategy that incorporates cyber standards and policies.
You will never understand the real cyber health of your environment without first developing your cyber plans. As new technologies continue to add functionality, a solid cyber strategy lets us quickly ascertain and mitigate the risk.
For more information, feel free to ask questions at firstname.lastname@example.org