The explosion of connected devices including Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) is transforming businesses and improving efficiencies. However, the rise of these connected devices now introduce new challenges to governance, risk and compliance.
There’s a good reason for this.
These connected devices are not designed with security in mind, often run vulnerable and outdated operating systems, and cannot support endpoint security agents. The ability of connected devices like IoT to send and receive data, and connect to the Internet mean that they can be attractive avenue for threat actors to infiltrate the network. Finally, more increased interconnectedness means that rapid response and automated remediation is required to quickly shut down lateral movement of threats from device to device.
Here are some considerations for governance, risk and compliance of connected devices:
- Know what devices are actually on the network
You can’t secure what you don’t know about. Therefore, it is vital to gain visibility into every connected device on your network. This includes IT, IoT, IoMT or OT devices. It includes ephemeral assets that may go offline at any time and then reappear in a new physical and network location. High-fidelity information is critical to truly understand and classify these devices for example, make, model, operating system, location, applications and more.
Are there mission-critical devices? Are there vulnerable devices? Understand the risk profile for these devices, from manufacturing recalls, medical device advisories and vulnerabilities to devices that are running outdated device operating systems.
The one caveat with the discovery process is that it must be via a passive approach so that it does not impact the operations of these sensitive IoT devices.
- Identify risks and baseline behaviors
Once you know what devices you have, you need to know what risks it is bringing to the network. Risks can range from vulnerabilities, exploits and recalls to weak passwords and certificates.
In addition, you also want to understand device behavior patterns. Mapping communications patterns and base lining device behavior is crucial to identifying anomalous behaviors such as a rogue or infected device communicating to a bad domain. This can be accomplished using AI and machine learning, as devices have very deterministic communications patterns based on their functions.
- Bring Devices with orphaned users into compliance
In the Ordr Rise of the Machine report that profiled risks and adoption of about 12 million connected devices across more than 500 deployments, 55% of deployments found that they had devices with orphaned users. Devices with orphaned users are devices with users that have left an organization or changed roles within an organization. Devices with orphan accounts retain the same rights as when they were associated with an active user, and therefore may be a gateway to privilege escalation and lateral movement. Therefore, as part of a robust GRC strategy, security teams need to ensure that all devices are being utilized only by current users and those with appropriate privileged access.
- Consider Zero Trust policies
With all devices accounted for, identified and categorized, and risks and communications patterns understood, IT and security teams can architect the appropriate Zero Trust policies based on the appropriate level of trust and least privilege access. The concept of “trust” for connected devices should be determined based on the following attributes such as what the device is, what operating system it is running, its compliance status, where it is connecting from and whether it is behaving as expected.
Both macro and flow-based micro-segmentation policies are critical to enable Zero Trust, for example a broad-based policy to prevent consumer IoT devices like Alexas from accessing the corporate network, to monitoring and segment mini-cluster “cells” of IT, IoT and Operational Technology devices for a specific function within manufacturing.
Using the security guidelines above, organizations can embrace connected devices while ensuring that they address compliance requirements and govern risks appropriately.