Steps to Prepare for IoT and Edge Computing

By Paul Parker, SolarWinds Federal & National Government Chief Technologist

Wary that the Internet of Things (IoT) could be used to introduce unwanted and unchecked security risks into government networks, senators last year created the IoT Cybersecurity Improvement Act of 2017, legislation that placed minimum security standards around IoT devices sold to and purchased by government agencies.

IoT and Edge: Hype vs. Reality

It’s good that provocative and important questions are being asked now, before edge computing and IoT truly take hold within the federal government. As it is, we are still at the start of their respective hype cycles, with true adoption hampered by security concerns.

Agencies are still grappling with BYOD security, let alone IoT or edge computing. The recent controversy surrounding fitness app Strava, which inadvertently revealed the location of classified military bases, made it abundantly clear that there is still much work to be done. Agencies are still trying to get past these fundamental hurdles before fully embracing IoT.

Agencies are still very much in the exploratory phase with edge computing. As such, it is unlikely we will see widespread adoption of these types of solutions over the next year.

Fortifying Current and Future Networks

Still, agencies are laying the infrastructure for these technologies and need to implement strategies to help ensure that their networks and data are protected. As such, there are several things IT professionals can do now to better fortify current and future operations.

  • Have a clear view of everything happening on your networks. If the IT team does not have the ability to accurately track and manage IP addresses and conflicts, domain names, user devices, and more, they will not be able to know if or when a bad actor is exploiting their networks. You must be able to tie events on the network directly back to specific users or events. This strategy also helps in evaluating the new devices on the network to confirm they are operating properly and securely.

  • Use trusted vendors. The IoT Cybersecurity Act of 2017 requires that vendors notify their customers of “known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher” or when a vendor becomes aware of a potential issue during the lifecycle of their contract.

  • Find the positive in potential intrusions. Intrusions can help IT pros evaluate and refine remediation strategies, and automated network security solutions can learn from the breach to offer protection for the future.

There’s every indication that IoT and edge computing will prove to be more evolutionary than revolutionary in 2018. Most agencies will likely continue to be cautious with these technologies, as the first consideration must be how IoT and edge computing devices will be managed and secured.

But the more agencies learn about these technologies, the more they will ultimately be adopted. Agencies must begin preparing for that day. The best way to do that is to implement strategies that can help them solidify network security today while laying the groundwork for tomorrow.

Find the full article on SIGNAL.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates.  All other trademarks are the property of their respective owners.

Parents
  • We've implemented Cisco ISE for our NAC to do just that, and we're constantly modifying it.  We have one full-time Network Analyst who does nothing else, and we need a second full timer to help him.

    MAC address control is only the tip of the iceberg, and while it's a good start, the way Cisco has it laid out for easy and quick deployment, it only categorizes the first six MAC addresses and ties them to a vendor.  That security has a big hole in it when the vendor sells/builds more than just your own private equipment.

    The problem with Cisco's easy deployment this way is that if you have all HP PC's & printers & TC's, and you allow all HP-registered MAC's on your network, someone with their own HP Laptop can plug in and not be kept out. 

    Then it means tying more deeply into other things.  Having all 12 MAC address characters is only a start, since folks have long known how to spoof MAC addresses.  You need to install certificates unique to your organization and have ISE watch for them, or hide special strings in the devices' registries and use them as pass keys into your network.  Or more.

    Worse, not all devices can accept registry strings or certificates.  And those device often are mandatory for my health care environment.

    No, IoT needs to be shut down, not given in to.  Giving in simply allows the tail to continue wagging the dog.  Bad ideas need to be ignored, or they'll continue and grow.

    Telling a vendor "we're not going to purchase your products anymore because they're insecure, they use IoT solutions that compromise our patients' safety and security" is the only way vendors will change their ways.  Just compromising your security so users can use these convenient products only leads to a compromised network and future problems.

    @Jfrazier is right.  Just say no.

Comment
  • We've implemented Cisco ISE for our NAC to do just that, and we're constantly modifying it.  We have one full-time Network Analyst who does nothing else, and we need a second full timer to help him.

    MAC address control is only the tip of the iceberg, and while it's a good start, the way Cisco has it laid out for easy and quick deployment, it only categorizes the first six MAC addresses and ties them to a vendor.  That security has a big hole in it when the vendor sells/builds more than just your own private equipment.

    The problem with Cisco's easy deployment this way is that if you have all HP PC's & printers & TC's, and you allow all HP-registered MAC's on your network, someone with their own HP Laptop can plug in and not be kept out. 

    Then it means tying more deeply into other things.  Having all 12 MAC address characters is only a start, since folks have long known how to spoof MAC addresses.  You need to install certificates unique to your organization and have ISE watch for them, or hide special strings in the devices' registries and use them as pass keys into your network.  Or more.

    Worse, not all devices can accept registry strings or certificates.  And those device often are mandatory for my health care environment.

    No, IoT needs to be shut down, not given in to.  Giving in simply allows the tail to continue wagging the dog.  Bad ideas need to be ignored, or they'll continue and grow.

    Telling a vendor "we're not going to purchase your products anymore because they're insecure, they use IoT solutions that compromise our patients' safety and security" is the only way vendors will change their ways.  Just compromising your security so users can use these convenient products only leads to a compromised network and future problems.

    @Jfrazier is right.  Just say no.

Children
No Data
Thwack - Symbolize TM, R, and C