If you work in the enterprise IT market, there is a word you are hearing all of the time. It’s IoT or Internet of Things. It’s an all-encompassing term to describe devices that are connected to the network that are not end-user devices. IoT devices in the enterprise could be commercial HVAC controllers (think Ecobee, but for commercial heating and air), commercial camera and DVR systems (an enterprise-grade version of something like Arlo), water fountain filter sensors, or connected paper towel dispensers that alert someone when they are close to being empty. All of these products look great on paper, but I am concerned about the security of the devices, their ability to be managed, and their ability to be upgraded.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
Security of IoT devices
One of the major issues with IoT security is that devices are built and maintained by companies who aren’t networking natives. When I say networking natives, I mean companies who live, eat, and breath the IT world. A lot of the companies making IoT sensors are companies that generally don’t deal with the IT infrastructure normally. This means they probably don’t play as well with policies and procedures that most IT departments have set in place.
In my experience working with IoT devices, I’ve found they will often ping IP addresses that I didn’t approve, and they will be pinged by IP addresses from other countries. I think what happens is since the companies developing these products aren’t “networking natives”, they are sub-contracting the networking aspect out vs. building something in-house. They aren’t aware of what the products are doing (nor do I think they care). IT departments end up having to build additional security policies around these devices.
IoT devices and the ability to be managed
One of the big issues I am seeing with IoT is there is no standard platform in the enterprise. There is no Alexa or HomeKit. There is no centralized solution that you could build on top of as an IT manager. What happens is that you plug these devices into the network (or connect to Wi-Fi), and then you have to manage them individually. You have to keep track of separate IP addresses, user names, and passwords. What we need is a centralized web dashboard that allows an IT manager to monitor, configure, and track all IoT devices. As the number of devices continues to grow (I suspect that we will soon have more IoT than end-user devices), this will be a must.
IoT devices and upgradeability
Software vulnerability discovery isn’t an if, but rather a when. We live in a hyper-connected world, and a vulnerability in one device can have a ripple effect elsewhere. Especially for enterprise networks, a single vulnerability in a device can open up an entire network.
If a security flaw is discovered in a product, is an IoT vendor prepared to patch the problem? Do they even have staff available who can change the code? Do they have the ability to remotely upgrade the device? This problem goes back to the security and manageability of these devices. If we are going to put devices on our network with mission-critical devices, there must be a plan for handling security problems by addressing how and when they will be upgraded in the future.
Wrap-up on IoT security
I am a big fan of the premise of the internet of things device category. I love what it’s enabled me to do at home by automating my lighting and with saving energy by cutting HVAC usage. I do believe it’ll have a great future in the enterprise, but we need a company to come along and build out a platform to handle security and management aspects instead of each device living off on its own.