Balancing IoT Benefits and Locked-down Security
Agency teams incorporate security into the fabric of their networks.
The federal government has invested billions of dollars on Internet of Things (IoT) technologies over the past few years, but it may be compromising its security posture for better information. Certainly being able to share and access the information derived from connected sensors is vital to the protection of the United States and instrumental to military success. However, connected devices present enticing targets, as evidenced by the 2016 Mirai Botnet attack, which originated through vulnerable IoT devices.
It’s imperative that the Defense Department finds a balance between the convenience and benefits of IoT and maintaining a strong security posture. The question is, how?
Incorporate Security Into the Network Itself
Agency teams should begin by incorporating security into the very fabric of their networks instead of simply implementing security measures at the device level. Administrators should consolidate policy management, visibility and reporting across all private, public and physical networks. They should deploy tools that allow them to easily manage the security of all applications and connected devices that reside on these networks, and automate network security as much as possible.
The growing use of software-defined networking solutions has made this more feasible. Software-defined versions of traditional hardware solutions, such as routers, switches or firewalls, can now be used as active participants in threat deterrence efforts. Each of these elements can be used to provide alerts regarding potential threats and dynamically enforce predefined security protocols to respond to intrusions and mitigate their effects.
Deploying these separate resources as a unified force against intrusions not only secures the perimeter but also protects the network from the inside out, effectively fortifying agencies against both external and internal threats. Remember, it is not just devices being used by connected warfighters that must be considered, but also the mobile devices and other connected assets that agency employees may be using to do their jobs.
Continue the Dialog Between Vendors and Government Representatives
In addition to the actions taken by internal teams, the federal government itself has begun taking some important initial steps to help agencies achieve a better IoT security balance. Earlier this year, members of Congress introduced the Internet of Things Cybersecurity Act of 2017. The legislation calls for all devices purchased by the U.S. government to meet minimum, predefined security standards. Vendors must remain in compliance with these standards to continue to effectively sell to the government.
However, government officials and agency teams should also continue to work with vendors to improve policies and ensure legislation is not just about having stricter security regulations. Stricter security regulations will not impede hackers, but they will adversely impact device manufacturers. They will become more consumed with the need for constant device upkeep through software updates or full hardware “rip and replace” refreshes.
Do Not Compromise on Security
From a security perspective, the Defense Department’s continued investment in IoT can be looked at in two very different ways. On the one hand, connected sensors can provide agency teams and military personnel with valuable information that can be used to protect our national interests. Conversely, those sensors widen the attack surface by providing hackers with more access points that they can exploit.
Since it’s apparent that IoT is here to stay, finding the ideal balance between its security benefits and drawbacks is vitally important. Continued dialog between industry vendors and government officials is fundamental to this effort, but the actions of agency administrators are just as important. They must ensure that security is not something that is simply layered on top of existing network equipment. Instead, it must become an integral part of their network architectures. That strategy is key to gaining the full benefit of the IoT without compromising on security.
David Mihelcic is federal chief technology and strategy officer for Juniper Networks.