“Those same devices (desktops, laptops, smartphones, routers, etc.) also access other open networks and who knows from where a ‘bad actor’ can inject a piece of malware into the device? Soon, the same piece of malware can be injected into the enterprise network," cautioned Partha Narasimhan, chief technology officer of networking firm Aruba Networks Inc.—a unit of Hewlett Packard Enterprise Co.—in a recent interview in New Delhi.
Enterprise network security has evolved from just a “perimeter solution" in the wake of the BYOD and IoT trends, Narasimhan insisted. “Wi-Fi broke that physical perimeter paradigm, because signals tend to leak outside the building," he explained. “Equipment like security cameras and home routers continue to have default or factory settings that can open up the threat surface," Narasimhan pointed out.
Many companies currently use mobile device management (MDM) solutions, which separate and secure business-critical data on employees’ personal mobiles, to address their security needs. However, these can protect companies “only to some extent", according to Narasimhan, because of the complexities associated with how much control users would allow the company on their devices and whether the required security policies can be enforced.
According to Narasimhan, today’s security issues can be solved through the use of big data analytics and machine learning (ML)—a subset of artificial intelligence (AI). These technologies, he opined, can help chief information officers (CIOs) and chief information security officers (CISOs) reduce the number of “false alerts" in security logs by looking at data in a context and analysing it from multiple angles. “ML algorithms can learn a user’s behaviour over time and do not have to be taught about what is acceptable user behaviour," he said.
Additionally, said Narsimhan, there are tech tools available to derive insights from data held in routers, switches and other networking equipment. “We have been focusing a lot on leveraging the network as a sensor and analysing the data that comes out of the infrastructure," he said, insisting that this can help CIOs and CISOs address the challenges of complexity and security resulting from the BYOD and IoT trends.
Analysing network data has multiple benefits, he said, including “user experience" management. “The user expectation is that the network is always there and whenever this expectation is not met, the network is said to be ‘broken’ but there can be different issues," he said. According to him, it can be a Wi-Fi issue, a device problem or even something to do with the physical building where the user is located.
Identifying and fixing these issues is important to keep a company’s network in good shape and meet the future needs of users, according to Narasimhan. He said that using advanced network analytics tools, it is now possible to identify the problem and “proactively alert" the network administrators that if they don’t do something about it for, say, another six months, they are going to “hit a wall".
Tech tools can also enable CIOs and CISOs spot anomalies for potential security threats. Also, data from the network can also give companies an indication of how well they are utilizing the physical space.
Industry experts concur that the growing connectivity of devices is indeed multiplying the security risks for companies. Jaspreet Singh, partner, information security at consulting firm EY, opines that in a connected scenario--in the upcoming smart cities, for instance—even a small slip-up in security can lead to chaos or catastrophic situations. “Imagine that you are driving in your car and the navigation system is connected to the traffic signalling system which, in turn, is connected to the traffic police and other civic authorities. So, even a minor glitch in the signalling system can lead to chaos on the roads." On their part, he said, companies need to assess the security risks across the entire network and put in customized solutions that best fit their individual needs.
By 2020, more than 25% of identified attacks in enterprises will involve the IoT, although the IoT will account for less than 10% of IT security budgets, according to research firm Gartner Inc. IoT, according to a Gartner e-book titled Leading the IoT (gtnr.it/2E2WlLu), “will expand rapidly and extensively, continually surfacing novel and unforeseen opportunities and threats", calling for a “new type of CIO, a ‘CIO of everything’, who can radically adapt their vision, decision making and capabilities to orchestrate an IoT world".
Besides, the complex nature of IoT and lack of standards can also be a hindrance to effective security. Dilip Sarangan, IoT research director at Frost and Sullivan, a research firm, recently said (bit.ly/2mzCxXV), because the responsibility for IoT security is diffused across device manufacturers, network providers, software developers and many others, it is difficult for the industry to make progress on all-encompassing standards.
Narasimhan acknowledged the existence of these issues and said companies need to be cognizant of the growing security risks and work towards mitigating them. “My advice would be to use a combination of solutions that gives them visibility into as well as control over their networks," he said. On the question of accountability in IoT, he concluded, “In a perfect world, everybody would play their part in being secure but that is not the reality."