Shining a Light to Overcome the Internet of Thing’s Security Complexities


Because the IoT is relatively new, it brings unfamiliar complexities for federal IT professionals.

Matt Hartley oversees civilian federal programs at ForeScout Technologies Inc.

It feels like a bygone era, but a few years ago IT systems were remarkably confined. Federal PCs and servers fulfilled narrow purposes, and there was little impetus to dramatically change cybersecurity strategies that focused on controlling perimeters or layering ever more security on desktops.

The leap from those days to the rapid deployment of the internet of things across government is remarkable. The old-school, perimeter-focused approach to security began to show its age in the face of mobile, cloud and bring-your-own-device trends. Yet the impact of those smartphones and tablets pales in comparison to how the internet of things is changing IT assets and cyber risk imperatives.

Because the IoT is relatively new, it brings unfamiliar complexities for federal IT professionals. Nearly nine in 10 agencies consider the security of IoT devices as “essential” for executing their mission. However, 58 percent describe themselves as—at best—only “somewhat” confident in their ability to protect these devices, if not “not very” or “not at all” confident, according to research from the Government Business Council, the research arm of Nextgov’s parent company.

One initiative aiming to measure and mitigate IoT risks to civilian federal agencies is the Homeland Security Department’s Continuous Diagnostics and Mitigation program. Launched in 2013, CDM provides the capabilities and tools to secure networks, enables agencies to automate searches for known cyber flaws and identifies the most critical risks for agencies to address first. The CDM program is the government’s bid to move from a periodic, compliance-based security posture to continuous assessment and mitigation of risks to federal civilian IT networks. While not intended to address IoT risks exclusively, CDM may ultimately achieve this goal because it focuses on three core concepts regardless of the IoT or security technologies at hand.

First, Know What’s on the Network

IoT worries are fueled by uncertainty, so CDM began by “shining a light” to discover a true, real-time view of devices connected to federal networks. According to Homeland Security, one of the CDM program’s key successes is its discovery—on average—of 44 percent more connected assets across agencies than what organizations originally reported. As the time-proven adage goes, “you cannot protect what you cannot see,” and Homeland Security and all agencies likely know that any remaining visibility gaps in their network represent a serious risk to their enterprise. Indeed, complete and continuous visibility is the nucleus of phase one in the CDM effort.      

Next, Know What is Happening on the Network

Which devices are coming and going? A continuous foundation in visibility makes it easier to sort out employee laptops from iPhones, badge-scanners, office equipment or security cameras. By classifying connected “things,” you can study what they do—or, more tellingly, what they are supposed to do, versus what looks unauthorized or malicious. What purpose do the devices serve? What kind of traffic do they create? Which users do they support? Answering these questions lets departments identify IoT assets performing the most critical functions.

Mitigate the Risk in Real-Time

When agencies have continuous visibility and classification capabilities, they are empowered to mitigate risk in real time, such as restricting or isolating certain devices from wider traffic, or cordoning off certain risky devices altogether.

Helpfully, Homeland Security provided agencies with CDM tools that automate risk mitigation based on policy, enabling security teams to establish scalable rules reflecting their respective missions and risk tolerances. However, enforcing IoT policies—as with rules governing PCs or employees—is only possible when you have real-time insight over all of the assets and the workforce. The ability to identify, measure and mitigate risk at machine speed will ultimately be the true measure of CDM’s success, and the potential for this exists once visibility and classification are fully achieved in the next phase, called CDM DEFEND.

Having worked with federal cybersecurity teams for years, what I find most striking about the IoT stakes facing government is the pivotal space of time that initiatives like CDM have to shape and control a connected future like nothing we have seen since the dawn of the web. When I talk with federal CIOs, it is telling that none of them plan to buy appreciably more laptops in 2018 – but every one of them believes they will have greater multitudes of IoT gear in their departments.

The pace of technology is always disruptive, but the IoT’s shockwave can also help government modernize technology, improve citizen service and even become more secure in the process. The principles of CDM are a good reminder for .gov and the Fortune 500 alike that security can coexist with change and innovation as long as you continually shine the light, study what it reveals—and act.
