How to control access to IoT data
Controlling access to data generated by the Internet of Things (IoT) can be difficult. Below, experts explain how to organize such control in compliance with security requirements. As more and more scenarios develop and emerge, IoT generates unprecedented and growing volumes of data. According to IDC, by 2025 there will be over 41.6 billion IoT devices generating almost 80 ZB of data. This is why efficient and secure access control is very important for companies.
First of all, organizations should take care of the correct configuration of IoT devices and their secure connection to corporate networks.
According to Gary Richardson, managing director of new technologies at 6point6, a dynamic authorization process that protects data from access by unauthorized personnel can be helpful.
Poorly configured IoT devices can easily give hackers a path into a company database or lead to data leakage. The advantage of some IoT systems is that they are designed with a number of security considerations in mind, including basic communication protocols, network architecture and hierarchy.
According to Richardson, companies need fine-tuned access control to protect data coming from IoT devices. One way to achieve this is through dynamic authorization, which provides attribute-based access control (ABAC). This model lets companies securely share IoT data across the organization while allowing only authorized users to access sensitive data under certain conditions. “Companies must ensure that networks to which IoT devices are connected are isolated, secure and that data is encrypted during transmission and at rest,” he said.
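A minimal sketch of the dynamic authorization described above, added here as an illustration and not taken from the article or from any product: the same user gets a different decision as the request context changes. The roles, attribute names and policy rules are hypothetical.

```python
# Added illustration of an ABAC decision; attribute names and rules are hypothetical.
from dataclasses import dataclass
from datetime import time

@dataclass
class Request:
    subject: dict   # who is asking (role, site)
    resource: dict  # which IoT data (sensitivity, site)
    action: str
    context: dict   # conditions at request time (network, MFA, time of day)

def _same_site(r):
    site = r.subject.get("site")
    return site is not None and site == r.resource.get("site")

def _working_hours(r):
    now = r.context.get("time")
    return isinstance(now, time) and time(7, 0) <= now <= time(19, 0)

# Named conditions, so a denial can be logged with the attributes that failed.
CONDITIONS = {
    "role_can_view": lambda r: r.subject.get("role") in {"operator", "analyst"},
    "role_is_analyst": lambda r: r.subject.get("role") == "analyst",
    "same_site": _same_site,
    "corporate_network": lambda r: r.context.get("network") == "corporate",
    "mfa_done": lambda r: r.context.get("mfa") is True,
    "working_hours": _working_hours,
}

# (action, data sensitivity) -> conditions that must ALL hold.
POLICY = {
    ("read", "telemetry"): ["role_can_view", "same_site"],
    ("read", "sensitive"): ["role_is_analyst", "same_site", "corporate_network",
                            "mfa_done", "working_hours"],
}

def decide(req):
    """Return (allowed, failed_conditions); anything without a rule is denied."""
    required = POLICY.get((req.action, req.resource.get("sensitivity")))
    if required is None:
        return False, ["no_matching_rule"]
    failed = [name for name in required if not CONDITIONS[name](req)]
    return not failed, failed

if __name__ == "__main__":  # constructed sample requests
    analyst = {"role": "analyst", "site": "plant-a"}
    data = {"sensitivity": "sensitive", "site": "plant-a"}
    print(decide(Request(analyst, data, "read", {"network": "corporate", "mfa": True, "time": time(10, 30)})))
    print(decide(Request(analyst, data, "read", {"network": "guest", "mfa": True, "time": time(23, 15)})))
```

Returning the failed condition names alongside the decision gives the access log enough detail to show why a request was refused.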
Keep an eye on the device’s behavior
Richardson explained how anomalies in the behavior of IoT devices can signal that action needs to be taken.
“Companies must also determine the behavior and actions that connected devices are allowed to take within a given environment and then install appropriate controls without disrupting processes,” he said. Virtual networks or network segments can impose restrictions or resource requirements on IoT devices. So, context-sensitive access control for the entire network is the best way to allow actions and behavior at the connection level, as well as at the command and data transfer levels. Anomalies and actions that do not match the expected behavior will be identified and corrective action can be taken.
In addition to monitoring activity and access, it is useful to create an action plan to eliminate data redundancy.
“Organizations should try to ensure that data is received, collected and sent at the same time, which will improve data transfer efficiency,” said Andy Simpson-Peary, chief technology officer at Cyberfort Group. It’s easier to ensure information security by following a data-minimization strategy. Creating a layered defense around the IoT network will also strengthen access control. With this strategy, data on the network is encrypted and protected at every stage, whether in transmission or on receipt. The idea is to use different encryption mechanisms at each stage, making the data a moving target.
Visibility and segmentation
Security is not the only aspect to consider when controlling access to IoT data. There are also problems with visibility. And if your security is compromised, you should have an emergency backup plan.
According to Rob McNutt, chief technology officer at Forescout, the solution is to segment the network. “Organizations need full visibility and control over all the devices on their networks and should segment their networks accordingly,” he said. It’s impossible to protect data coming from devices that we can’t see. Without full visibility of all the devices on the network and their activity, we can’t restrict access to our data to authorized users and devices only. If a device is compromised, network segmentation can prevent attackers from moving through the network and gaining access to data they shouldn’t have.