The emerging model of the Internet of Things (IoT) is rapidly changing the way organisations think about IT security – but IoT's unique characteristics are also likely to send ripples through conventional security architectures by forcing a fundamental rethink about how corporate data is managed and protected.
That rethink began years ago, when the idea of allowing employees to bring their own mobile devices into corporate networks undermined the assumption that corporate information security was a product of how well businesses controlled what devices connected to their networks. The explosion of bring your own device (BYOD) policies quickly put an end to that assumption: these days, IT security managers need to expect any kind of device to be connected at any time, in a broad range of ways.
BYOD “has really shifted the discussion within IT from 'can we trust external devices?' to 'what can we trust them for?',” explains Matt Hyne, director of the Citrix Technology Office and member of the Citrix CTO Council.
“People are bringing their own devices – and this increasingly includes IoT devices – and it has moved beyond a BYOD mentality to the point where it's BYO anything. People are bringing in whatever they need to be more productive at work.”
As a superset of the BYOD trend, IoT is uniquely positioned to shape discussions about network and data security moving into the future. Because devices can no longer be trusted or blocked based on their own characteristics, in the future security will be based not on the hope of interoperable, cross-platform security features – but on unified computing architectures that focus on controlling data access based on corporate policies.
Under lock and key
Designers of smartphones and tablet computers have recently realised one aspect of this new architecture, using heavily secured 'sandbox' designs that can be managed centrally by IT-security staff.
This approach allows data-protection policies to be enforced within 'data enclaves' on mobile devices while preventing the data inside them from leaking out – and it works regardless of the applications installed outside the sandbox. In this way, sensitive intellectual property can be more reliably made available to employees where and when it's needed – without compromising the protection of that data.
Yet sandboxing is only one step towards a future where data can be effectively secured and controlled regardless of where it is stored. The use of data enclaves “might be OK if an enterprise enclave can be established and maintained on the device all through its lifecycle,” says Kurt Roemer, chief security strategist with Citrix.
Achieving and maintaining that level of control, he warns, is still difficult. “You need to get to the point of having very clear metrics around what needs to be protected, and focusing your efforts on what matters. Some of the data out there is very difficult to call back once it gets breached.”
Data enclaves protect corporate data from leaking from mobile devices, but many organisations are already taking the concept to its next logical step by preventing data from being sent to the remote device in the first place.
Many companies are making this happen by turning to a well-established application delivery model that traces its roots back to early efforts to simplify overly complex client/server computing architectures.
Thin-client frameworks, which run large numbers of virtual computer desktops on a centralised computing cluster and deliver them to distant employees' home or office desktops, have long been effective at enabling centralised, secure computing environments accessible from smartphones, tablets, and other devices.
Whereas this approach used to be primarily about remote access, its extension to a broad range of devices has turned it into what Roemer calls a 'pixel air gap firewall'. “We've got the ability to use virtualisation to centralise and secure access,” Roemer explains.
“We're only providing pixels to the end display. Because the data never hits the endpoint – it's only being displayed there – people can't bulk exfiltrate the data by downloading it to the endpoint, the way they've been able to do for years.”
Sandboxing and thin-client access may have provided ways to better control the flow of data within and outside of an organisation's network, but they are less relevant in the IoT context because IoT devices are not generally designed as general-purpose computers in the way that a smartphone or tablet is. They cannot, therefore, be used as thin clients through conventional means.
The limited form factors of IoT devices have already pushed their developers into a broad range of workarounds – providing configuration and management through in-built Wi-Fi connections, for example, or using Bluetooth to synchronise the devices with nearby smartphones that serve as control points and gateways to the broader Internet.
Such security mechanisms are still developing, however, and often lack the rigour necessary to meet compliance and governance requirements within larger organisations. Worse still, research suggests that inexpensive, often single-use IoT devices are being built with a broad range of security approaches that many consumers are unaware of – or, in a worryingly large number of cases, with no security at all.
These early experiences, Hyne says, highlight the need for BYOD and IoT to be rolled into new security and application paradigms that focus on building and enforcing tight controls around corporate data.
“We're going to be talking about billions of IoT devices coming online every year,” he explains, “and you're going to have devices from vendors from anywhere. Providing an end-to-end solution in this environment is particularly difficult, which is why we don't want a high-touch endpoint.”
Instead, he says, organisations need to take a 'defence-in-depth' approach built around providing flow points between these many devices: “You must make sure you have adequate security at those flow points.”
Equally important in ensuring a secure future will be the use of identity-management services, which have rapidly evolved from simple user-id-and-password combinations to far-reaching frameworks that manage access credentials between a broad range of users and devices.
“With the emergence of SaaS applications and personal devices that are now accessing these applications,” says Hyne, “the ability for the local IT administrator to control everything is reducing, and a lot of the control over the information is being pushed outside the organisation. Being able to tie those behaviours together to provide a security layer and security map is very important.”
With cloud now well entrenched within Australian businesses, vendors are making real progress in extending identity frameworks across hosted and onsite applications to build unified, secure and flexible computing environments that support onsite, cloud-hosted, remote-desktop, IoT and other access paradigms equally well.
The key to making it all work together in the future, Roemer says, is a fundamental mindshift away from focusing on the security capabilities of any one particular device – and instead focusing on protecting data, and controlling access to data, at every step of its lifecycle.
“You can't have full trust in any model anymore,” he explains. “This is an ongoing process and will continue to be an ongoing process. For every policy and hole that we find a solution for, another one opens up.”
“There will always be vulnerabilities and there will always be mistakes made. What's important is being able to mitigate against those, and to have an acceptable level of risk. Once your data is out there, it's out there forever.”