When discussing IoT, partners need to put security on the front burner.
That's the word from David Carter, director of technical solutions at Encore Technology Group, a Greenville, S.C.-based provider of data center, networking, and security services.
"We do experience a grotesque lack of capabilities when it comes to securing IoT," said Carter, while speaking before an audience of solution providers at The NexGen 2017 Conference and Expo in Los Angeles.
Carter said that his company uses a four-step process for securing IoT. Those four steps are to secure the thing, which includes the sensors; secure the data from those things; secure the access of the data from those things; and then prove that the first three steps were done as promised.
"When we assess customer infrastructures, we start with the things, then move to the data, then the infrastructure, and then we verify it all," he said.
The biggest issue with securing the connected devices is how difficult it is to control what users bring to the office, Carter said.
It is already impossible to know what components are in users' laptops and smart devices, and it will be even less easy to know as the number of devices explodes, he said. "There are more IoT devices today than there are people on the planet," he said.
Also, businesses assume they know what kind of data is created by the devices they use, but that is often a false assumption, Carter said. He cited the example of a device designed to be connected to the network via cable but also has an RF transmitter inside that the user may not know about. "It is important to make sure the actual data created and broadcast by devices is what you want it to be," he said.
Businesses will need to implement end-to-end encryption of the data, and encrypt the data before it is stored, Carter said.
It is also important to define what systems can access which devices and what data, Carter said.
"In some cases, a thing, and all the systems it accesses, are not touched by a human being except for when they are installed," he said. "We need to think critically about how data is move from one place to another."
Proving the IoT devices and data are secure is also the hardest part to do, Carter said.
"Some people don't care if data leaks out," he said. "The securing of these systems is broken because we look more about the functions than the security. But we have to think about how the products are made, and how they are being secured. It's hard to create an IT system that can be independently verified."
Security presents a lot of challenges, and opportunities, to the channel, said Dave Seibert, chief information officer at IT Innovators, an Irvine, Calif.-based MSP. Most MSPs have ignored IoT, but they don't realize just how many devices are connected to their networks, Seibert told CRN.
"So we have to care," he said. "If there's an issue with an IoT device, it could impact our uptime and our resiliency. And if there are problems, we have to fix them, but the tools to do so are limited."
Seibert cited as an example Internet-connected lighting with wireless control. "That takes up a lot of IP addresses," he said. "Users may then come in with a laptop and find they cannot connect to the Internet. They may call the IT department and say the network is down, but the network really isn't down."
Or, Seibert said, think of someone plugging in a $60 Raspberry Pi board without realizing it uses the same IP address as a mission-critical device like a firewall.
The billions of devices being connected far outweigh what most businesses can manage, especially in smaller companies, Seibert said. "We're not ready for IoT," he said. "But IoT is not waiting for us."