How to Secure the Enterprise of Things

eWEEK DATA POINTS: Hello, EoT. As highly connected, virtual organizations boost productivity, they also increase cyber-risk. Find out how the modern enterprise is changing–and how to best protect the network amid these shifts.

Blue-car2

The enterprise and the IT powering it are boosting productivity to new levels. While we used to have manual processes for accounting, sales and front office jobs, now that can be completed through new technologies and devices, such as connected sensors for process control or stock keeping, point of sale systems and access control.

However, this environment is also creating a much larger and more diverse attack surface full of poorly managed and unmanageable devices interacting with the network that requires increased oversight. 

The modern enterprise is an “enterprise of things,” full of connected devices that not only communicate information but also control how the physical world interacts with technology systems. While the past few decades have been dominated by thousands of exploits and data breaches, these newly connected devices are now deeply interconnecting our digital world with the physical, drastically expanding the potential for exposure, impact and physical harm. This is especially true in light of organizations’ accelerating efforts to institute more virtual work environments and modernizing processes so that hands-on operators can be remote instead.

More than ever in our remote world, IT and security leaders must adjust and improve their cyber-risk-mitigation playbooks and institute proactive EoT security measures. In this eWEEK Data Points article, Forescout Technologies Chief Technology Officer Robert McNutt weighs in on both statistical breakdowns of the enterprise of things, along with best practices to safeguard it. Forescout, whose software previously scanned network endpoints externally, now makes client software that checks out machines as they try to join networks.

Data Point No. 1: Projections indicate massive IoT deployments and unmanaged devices.

By 2030, the number of global IoT-connected devices are projected to more than double to 50 billion compared to 22 billion last year, according to Statista.com. A growing percentage of these devices are unmanaged, meaning they are being connected to corporate networks without prior authorization from IT or security teams. About 37% of the IT spend this year is attributed to unmanaged devices, according to IDC—up 29% in 2019. 

In addition to workers, there are numerous contractors, partners and customers also accessing the company data center or cloud from wherever they happen to be. For many of these devices, the security solutions we’ve used in the past won’t be enough. Most device-based security comes in the form of a software agent that is limited to Windows or Mac, which will not be available to the growing number of unmanaged devices running alternative operating systems. As it stands today, fewer than 48% (and falling) of devices observed by Forescout customers are capable of utilizing an agent-based security option such as antivirus and will need alternate protections. 

Data Point No. 2: Total visibility and automation will minimize risk.

The reality is the average organization has many more devices than estimated, and you cannot secure what you can’t see or understand. Without visibility and context over the entire EoT ecosystem, you are unlikely to meet key security objectives, such as maintaining compliance, reducing the attack surface and containing breach impact. Understanding what needs to be protected and how it needs to operate is necessary to implement holistic control across the enterprise; however, organizations need to determine which tools will establish that full, real-time awareness of what is “out there”—from IT to OT to the cloud. 

Data Point No. 3: Zero Trust restores complete control.

Security teams should always assume the network is a battleground for invading external and internal threats—if they are not there already. Zero Trust principles help restore control over this type of environment by adhering to the tenets of “never trust, always verify.” Organizations following Zero Trust apply granular controls to all connected things as well as the person operating that thing (if any) and enforce least privileged policies to restrict those things and those people to solely the access they need to perform their roles/tasks. 

Zero Trust is not something you buy from one specific vendor, but rather it’s an effort in concert across all layers of the network and co-orchestrated through policy enforcers. This can be accomplished by making investments in a context-based, multilayer architecture to address a broad diversity of device types, regardless of where they try to connect. 

Data Point No. 4: An extreme measure—or an increasingly commonplace one?

We first started hearing about Zero Trust principles about 15 years ago with network access control. However, it has since evolved to more shades of gray in decision-making while still following the simple premise of making decisions about an entity’s access to resources based on specific criteria. In recent years, it is becoming more common for organizations to begin incorporating it into their security strategies. In fact, nearly 50% of organizations during the past year have been researching various Zero Trust technologies for implementation. It is likely we will see that figure grow over the next few years. 

Data Point No. 5: Sometimes self-defense is not an option.

As we see the physical world coming online, we begin to encounter systems that are so critical they can’t be taken offline to be upgraded or patched, like critical manufacturing components, health-care devices or utility sensors. The effects of downtime on these technology systems quickly cross over into the physical world, perhaps taking down water or power utilities, manufacturing capabilities, or the ability to deliver health care. 

When it comes to these environments, the option of the device defending itself with software patches or antivirus agents is out of the question. Organizations must rely on a virtual bodyguard to protect these coveted systems, putting a greater emphasis on compensating controls as previously used tools become less effective in maintaining the desired posture. Doing so puts the enterprise in that optimal position to embrace an active defense approach with their Enterprise of Things.

If you have a suggestion for an eWEEK Data Points article, email [email protected].