8 Best Practices for IoT Data Security
The data streaming from connected devices can be revealing. A person’s physical location, the amount of fuel used by a car, the amount of medicine dispensed by an infusion pump, the images from a security camera—or many other telltale details.
The volume of data captured from Internet of Things (IoT) devices is growing at a breathtaking pace. And while a single piece of data from a connected device may have little value on its own, when taken in aggregate, it can represent a goldmine of corporate and personal data.
Data can be used in many ways—to increase manufacturing efficiency, control the lights and temperature in an office building, or make a personalized offer as a shopper walks into a store. But at the same time, thieves can steal personal health data to commit insurance fraud. Streetlights can be dimmed to provide cover for a crime. Big data from IoT can be used for mass surveillance, track what people do in their homes and at work, sold without permission, or potentially be used as evidence in a murder case.
Best Practices for Data Privacy
Data security and privacy practices for IoT are evolving. The industry is debating whether IoT data privacy is substantially different than on the rest of the Internet. Individual expectations regarding privacy, personalization and the use of personal data is often a moving target. Perceptions may differ based on whether they believe they are getting value in exchange for their data. Sentiments may also vary based on whether the connected device is used at home, at work or in public.
Here are best practices to consider when establishing data privacy and security policies for your IoT deployment.
- Assess the risks for IoT data security and privacy in your IoT system. Understand to what extent your IoT use case requires data privacy, and how data privacy can be maintained while information can still be collected and analyzed. Understand what types of data will be collected by connected devices, applications and cloud systems. If the data includes personally identifiable information (PII), the data may need to be stored in an anonymous form or be encrypted.
Define how the data will be used within your organization, how your business partners and channels can use the data, and how to let your consumer or enterprise customers choose how data will be used.
Examine your data collection practices to impose reasonable limits on collection and retention of customer or sensitive data. Is the data collected being used to improve user experience or to upsell and cross-sell offers? Is it being sold to other companies for their own use?
- Inform customers about data use. Misusing or abusing collected data will tarnish a company’s brand and erode customer confidence. Provide customers with the ability to make informed choices about how their data will be used and disclosed, especially in consumer markets.
- Assess the risk of data loss or theft. Consider what happens when a device is compromised, lost or stolen. A smartphone with a mobile health app has far greater risk than an environmental sensor if the device is lost or stolen. If the device is lost or stolen, will it create serious risk?
Most IoT data is stored in the cloud, but depending on the sensitivity, you may want to store the data in private data centers. Do your due diligence with your cloud provider about security. When your use a public cloud provider, you simply can’t be in control of all of the security measures, such as separation between tenants the screening of the cloud provider’s staff.
- Securely onboard connected devices. Attackers know that connected devices are the weak link in the IoT chain. Control network access for all of your endpoints, whether IoT or traditional devices. Use automated onboarding techniques to reduce deployment time and avoid the complexities of existing authentication methods. Encrypt the data in transit, too. In practice, data is often transmitted with little or no protection.
- Consider the security of mobile and web applications. When people interact with an IoT system, it’s often through a mobile app or web interface. Make sure the software is designed and built securely, and is not vulnerable to attacks like cross-site scripting or SQL injection.
- Continuously monitor connected devices for unusual activity. You need the ability to discover every network-connected device in real time, gain visibility into what the devices are doing and where they are located, and control their access to the network based on their behavior. If a device begins to behave suspiciously, then it should be automatically quarantined or denied access to the network.
- Determine which regulations and laws apply. Most countries don’t have laws yet that specifically cover privacy for IoT, but general privacy laws apply. If you are in a highly-regulated industry, such as healthcare, finance or energy, make sure that your IoT business practices meet your specific regulatory requirements. And keep in mind that while the regulatory climate in the U.S. is changing, which could directly impact future regulations for connected vehicles, medical devices and other IoT systems, maintaining data security and privacy is in the best interest of your brand.
IoT is in its relative infancy, and how organizations handle the privacy and security of this information will determine their success, and whether regulatory agencies decide to get involved. Contact firstname.lastname@example.org to learn more about how we can help you with your enterprise IoT security needs.
Topics: Enterprise IoT Security