Make IT work

Business need drives software development; that’s why concepts like agile and extreme programming have become so popular; they allow development effort to be targeted towards what will really deliver business benefit.

And that’s great if you’re working on powerful servers, with mature platforms, using frameworks that have been developed and refined over years – you know that the security is already there from all that prior experience, even if the product is only at the ‘make it work’ stage.

But when we’re looking at IoT devices, with their small processing footprint, and myriad operating systems, there’s not always a lot of room for security, and the development focus tends to go on what customers pay for – functionality. At the moment, it’s enough that you can switch the light on with your phone.

The software running on many IoT devices right now certainly ‘works’, but is it ‘right’? What if others can switch your light on with their phones? As enterprise IT professionals implementing new technologies, these are the kinds of questions we’re more interested in. What risks are introduced by installing these devices in our infrastructure? And how do we handle those risks?

There are many different technologies in use in the world of IoT right now, and in some cases IT departments may find they are simply not involved when an IoT implementation is rolled out in their business. That is why we need to arm ourselves with a practical, constructive approach to dealing with the common risk factors.

Are there standards we can make use of?
While international standards for an organisational approach to information security, such as ISO 27001, have been around for a good number of years now, a similar software-level standard has been more difficult to get in place. ISO 27034 (application security) may go some way to meeting this need, but is currently incomplete.

Looking specifically at IoT devices, there are numerous frameworks and platforms to assist with interoperability. Apple’s HomeKit is probably the most well-known, but it is targeted at the consumer market rather than business; all the usual players like Amazon, Google, IBM and Microsoft provide IoT integration frameworks; and there are many open source options as well.

Managing the risks
Many of us in IT won’t come near the internal workings of IoT devices. But we’ve all got a duty to manage the risks facing our businesses, and to make sure that we, the manufacturers and the vendors don’t just ‘make it work’, but that we all ‘make it secure’.